tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chanchal Kariwala <>
Subject Re: Windows Authentication
Date Fri, 04 Mar 2016 09:11:20 GMT
I tries what you asked and I have observed the following

1. Browser sends a request for the resource
Server replies with HTTP 401 and WWW-Authenticate: Negotiate in Response

2. Browser sends a new request with the following in Request Headers
Authorization: Negotiate YHkGBisGAQUFAqBvMG2gMDAuBgorBg....

Server replies again with HTTP 401 and WWW-Authenticate: Negotiate in
Response Headers

3. At this point the browser shows HTTP Basic Auth form and sends the
following in Headers
Authorization: Negotiate
value, much much longer than the first one*)

Now the Server replies with HTTP 200 and the following in headers
WWW-Authenticate: Negotiate oYHzMIHwoAMKAQChCwYJKoZIhvcSAQICom0....
Set-Cookie: JSESSIONID=541FE2EDD35690BBDE99..; Path=/webapp/; HttpOnly

So yes WIA is failing..
Can you help me out with the next step in debugging?

Chanchal R. Kariwala
Product Engineer
Seclore Technology

On Fri, Mar 4, 2016 at 1:20 PM, André Warnier (tomcat) <>

> On 04.03.2016 07:16, Chanchal Kariwala wrote:
>> I am using Tomcat 8.0.32 and I have followed the guide given at
>>     -
>>     -
>> Windows AD Auth is working i.e. when I access the site, I am asked for
>> credentials and when I enter the correct credentials, the restricted
>> resource is displayed.
>> However my question is why the browser is asking for credentials? Why
>> isn't
>> it accessing TGT Cache in the OS to fetch the user's credentials?
>> I have enabled Integrated Windows Auth in IE Settings. I have added the
>> site in Intranet Sites and set "Logon by Current User" in Custom Level
>> setting for Intranet.
> Hi.
> The real *key* to debugging such issues, is to use some plugin or add-on
> to the browser, to enable the capture and visualisation of the HTTP dialog
> back and forth between the browser and the server.
> Since you are using IE, I suggest "Fiddler2".
> Install it, close your browser, re-open the browser, start Fiddler2 in
> capture mode, and then do an access to the webserver.  When prompted for an
> id/pw, enter them.
> Then stop Fiddler2 and examine the HTTP exchanges, starting with your
> initial request to the webserver.
> You are correct in thinking that, normally, the login should happen
> automatically in the background, and you should never see this browser
> login dialog.
> WIA authentication is a multiple-step process between the browser and the
> webserver, and in the background between the webserver and a Domain
> Controller.
> That the login dialog appears in your case, means :
> 1) that the integrated WIA failed
> 2) that the Domain is configured to allow HTTP Basic authentication in a
> second step, after WIA fails.  That is the login dialog that you see.
> So, something is not working as it should in the WIA step.
> But to know exactly what, requires examining the HTTP exchanges.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message