tomcat-users mailing list archives

From André Warnier
Subject Re: Implementing JAAS with Geronimo LDAPPlugin
Date Mon, 27 Jan 2014 12:20:56 GMT
On this list, please do not top-post. Read the list rules.
Reply below the question; it is easier for everyone to figure out what you are responding to. See below.

> On Mon, Jan 27, 2014 at 10:47 AM, Mark Thomas <> wrote:
>> On 27/01/2014 09:43, Marco Pizzoli wrote:
>>> Hi all,
>>> I'm fairly new to Tomcat and to this mailing list, so apologies in
>>> advance if not being clear in explaining my problem.
>>> I'm tasked with the implementation of JAAS for a web application by
>>> leveraging the existing LDAP server (MSAD) present at our company.
>> Do you have to use JAAS? If you used the JNDI Realm you could take
>> advantage of SPNEGO support.
Marco Pizzoli wrote:
 > Hi Mark,
 > Thanks for your reply.
 > Yes I expressly need JAAS. This is a requirement coming from the
 > provider of an external software vendor. It leverages "principals".

For info :

Quite apart from which solution you are using, there are a number of reasons why a Windows-domain-like authentication may not be working:
- the workstation has to be in the domain (seems evident, but, for example, it will not work if the workstation accesses this server from the Internet; in some VPN cases, it may also not work)
- the Tomcat server itself has to be recognised as being a member of the same Domain, or of a trusted Domain
- Windows on the workstation must consider the Tomcat server as at least a "trusted" host
- the browser used may also have restrictions as to which hosts it will even attempt to do a WIA authentication with (WIA = Windows Integrated Authentication)

In other words: even if the add-on modules server-side should work, and even if your configuration server-side seems to be OK, there might be workstation-side reasons why this is not working, and you must make sure that these possible reasons are also eliminated.
If the browser, for whatever reason, is not even trying a WIA, then the server side will not show any attempt to do the corresponding authentication.
Which seems to be your case, as you describe it.
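The last point above, that a browser which never attempts WIA leaves nothing to see on the server, is the first thing to establish. The script below is an added example, not code from this thread, from Tomcat or from the Geronimo LDAP plugin: given the request headers Tomcat actually received (dumped from a filter or a packet capture), it tells apart the three outcomes a practitioner needs to distinguish: no Authorization header at all (the workstation or browser did not try), "Negotiate" carrying an NTLM message (the browser tried WIA but did not obtain a Kerberos ticket, which usually points at an SPN, trust or zone problem on the items listed above), and "Negotiate" carrying Kerberos. It does this by checking for the raw NTLMSSP signature and, for SPNEGO tokens, walking the DER to the first listed mechanism, which is the one the optimistic token belongs to. All function names and every sample header are the example's own, constructed inline.

```python
"""Added example for this thread (not code from Tomcat, the Geronimo LDAP plugin
or any poster): classify what a browser attempted on a request that reached a
SPNEGO-protected Tomcat URL.  All header samples are constructed, not captured."""
import base64
import binascii

# DER encodings of the GSS-API mechanism OIDs involved.
SPNEGO_OID = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                    # start of any raw NTLM message


def _der(tag, content):
    """Minimal DER TLV encoder (lengths up to 65535); only used to build samples."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def _parse_tlv(buf, pos=0):
    """Return (tag, content, position after the element) for the DER TLV at buf[pos:]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        header = 2 + nbytes
    start = pos + header
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[start:start + length], start + length


def classify_negotiate_token(raw):
    """Classify the base64-decoded token of an 'Authorization: Negotiate' header."""
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"                       # bare NTLM, no SPNEGO wrapper at all
    if raw[:1] != b"\x60":
        return "unknown"                    # not a GSS-API InitialContextToken
    try:
        _, body, _ = _parse_tlv(raw)        # APPLICATION 0: mech OID + inner token
        tag, oid, after_oid = _parse_tlv(body)
        if tag != 0x06:
            return "unknown"
        if oid in (KRB5_OID, MS_KRB5_OID):
            return "kerberos"               # raw Kerberos token without SPNEGO
        if oid != SPNEGO_OID:
            return "unknown"
        # SPNEGO: [0] NegTokenInit -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF OID.
        # The optimistic mechToken belongs to the FIRST listed mechanism (RFC 4178).
        tag, neg_init, _ = _parse_tlv(body, after_oid)
        if tag != 0xA0:
            return "unknown"
        _, seq, _ = _parse_tlv(neg_init)
        tag, mech_types, _ = _parse_tlv(seq)
        if tag != 0xA0:
            return "unknown"
        _, mech_list, _ = _parse_tlv(mech_types)
        tag, first_mech, _ = _parse_tlv(mech_list)
    except (IndexError, ValueError):
        return "malformed"
    if tag == 0x06 and first_mech in (KRB5_OID, MS_KRB5_OID):
        return "kerberos"
    if tag == 0x06 and first_mech == NTLMSSP_OID:
        return "ntlm"
    return "unknown"


def diagnose(headers):
    """'no-auth' = the browser never tried WIA; 'negotiate-ntlm' = it tried but had no
    Kerberos ticket (SPN/trust/zone problem); 'negotiate-kerberos' = what you want."""
    auth = headers.get("Authorization")
    if auth is None:
        return "no-auth"
    scheme, _, token = auth.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return scheme.lower()
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return "negotiate-malformed"
    return "negotiate-" + classify_negotiate_token(raw)


# --- constructed samples (hypothetical requests, not captured traffic) ---
def _spnego_init(mech_oids, mech_token):
    mech_types = _der(0x30, b"".join(_der(0x06, o) for o in mech_oids))
    neg_init = _der(0x30, _der(0xA0, mech_types) + _der(0xA2, _der(0x04, mech_token)))
    return _der(0x60, _der(0x06, SPNEGO_OID) + _der(0xA0, neg_init))

NTLM_TYPE1 = b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x07\x82\x08\x00" + b"\x00" * 16
FAKE_AP_REQ = b"\x6e" + b"\xaa" * 300          # stands in for a real Kerberos AP-REQ
SAMPLE_REQUESTS = {
    "host not in intranet zone": {"Host": "tomcat.example.com"},
    "browser fell back to bare NTLM": {        # header starts "Negotiate TlRMTVNTUAAB"
        "Authorization": "Negotiate " + base64.b64encode(NTLM_TYPE1).decode()},
    "SPNEGO-wrapped NTLM": {"Authorization": "Negotiate " + base64.b64encode(
        _spnego_init([NTLMSSP_OID], NTLM_TYPE1)).decode()},
    "SPNEGO-wrapped Kerberos": {"Authorization": "Negotiate " + base64.b64encode(
        _spnego_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], FAKE_AP_REQ)).decode()},
    "password prompt": {"Authorization": "Basic dXNlcjpwYXNz"},
}

if __name__ == "__main__":
    for label, headers in SAMPLE_REQUESTS.items():
        print(f"{label:32s} -> {diagnose(headers)}")
```

The "no-auth" case is exactly the situation described above: nothing reaches the JAAS or SPNEGO code because the browser never sends a token, so the fix is on the workstation side (domain membership, trusted/intranet zone, browser policy). A "negotiate-ntlm" result means the browser did try, so look at the server's SPN and domain trust instead; any header whose base64 starts with "TlRMTVNTUAAB" is a bare NTLM Type 1 message and can be recognised on sight.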
