Author: markt
Date: Fri Nov 29 22:43:29 2013
New Revision: 1546657
URL: http://svn.apache.org/r1546657
Log:
Got Windows auth working with Tomcat running on a Linux server. Add the details
to the docs.
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc7.0.x/trunk/webapps/docs/windows-auth-howto.xml
Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
Merged /tomcat/trunk:r1546656
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1546657&r1=1546656&r2=1546657&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Fri Nov 29 22:43:29 2013
@@ -320,6 +320,10 @@
<add>
Correct the documentation for Cluster manager. (kfujino)
</add>
+ <add>
+ Add information on how to configure integrated Windows authentication
+ when Tomcat is running on a non-Windows host. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Extras">
Modified: tomcat/tc7.0.x/trunk/webapps/docs/windows-auth-howto.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/windows-auth-howto.xml?rev=1546657&r1=1546656&r2=1546657&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/windows-auth-howto.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/windows-auth-howto.xml Fri Nov 29
22:43:29 2013
@@ -51,10 +51,19 @@ sections.</p>
</section>
<section name="Built-in Tomcat support">
-<p><strong>This documentation is a work in progress. There are a number of
-outstanding questions around the edge cases that require further
-testing.</strong> These include:
-</p>
+<p>Kerberos (the basis for integrated Windows authentication) requires careful
+configuration. If the steps in this guide are followed exactly, then a working
+configuration will result. There may be some flexibility in some of the steps
+below but further testing is required to explore this. From the testing to date
+it is known that:</p>
+<ul>
+<li>The host name of the Tomcat server must match the host name in the SPN
+exactly else authentication will fail. A checksum error may be reported in the
+debug logs in this case.</li>
+<li>The client must be of the view that the server is part of the local trusted
+intranet.</li>
+</ul>
+<p>The areas where further testing is required include:</p>
<ul>
<li>Does the domain name have to be in upper case?</li>
<li>Does the SPN have to start with HTTP/...?</li>
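Review bot: The second added bullet, "The client must be of the view that the server is part of the local trusted intranet", states a requirement without telling the administrator how to verify or set it on the client. Suggest naming the client-side setting, or pointing to where this how-to covers client configuration if it does. The first bullet has a similar gap: it mentions a checksum error in "the debug logs" without saying which logging has to be enabled to see it. The sentence "If the steps in this guide are followed exactly, then a working configuration will result" also sits directly above a list of open questions, so it would read more safely if scoped to the environments that were actually tested.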
@@ -110,7 +119,7 @@ policy had to be relaxed. This is not re
</p>
</subsection>
- <subsection name="Tomcat instance">
+ <subsection name="Tomcat instance (Windows server)">
<p>These steps assume that Tomcat and a Java 6 JDK/JRE have already been
installed and configured and that Tomcat is running as the [email protected]
user. The steps to configure the Tomcat instance for Windows authentication
@@ -175,6 +184,25 @@ com.sun.security.jgss.krb5.accept {
2008 R2 64-bit Standard with an Oracle 1.6.0_24 64-bit JDK.</p>
</subsection>
+ <subsection name="Tomcat instance (Linux server)">
+ <p>This was tested with:</p>
+ <ul>
+ <li>Java 1.7.0, update 45, 64-bit</li>
+ <li>Ubuntu Server 12.04.3 LTS 64-bit</li>
+ <li>Tomcat 8.0.x (r1546570)</li>
+ </ul>
+ <p>It should work with any Tomcat 7 release from 7.0.12 onwards although it
is
+ recommended that the latest stable release is used.</p>
+ <p>The configuration is the same as for Windows but with the following
+ changes:</p>
+ <ul>
+ <li>The Linux server does not have to be part of the Windows domain.</li>
+ <li>The path to the keytab file in krb5.ini and jass.conf should be updated
+ to reflect the path to the keytab file on the Linux server using Linux
+ style file paths (e.g. /usr/local/tomcat/...).</li>
+ </ul>
+ </subsection>
+
<subsection name="Web application">
<p>The web application needs to be configured to the use Tomcat specific
authentication method of <code>SPNEGO</code> (rather than BASIC etc.) in
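Review bot: In the last list item of the new Linux subsection, "jass.conf" looks like a typo for jaas.conf, the JAAS login configuration that the com.sun.security.jgss.krb5.accept entry shown in the hunk header belongs to. Please correct the file name so readers edit the right file. The same item tells readers to point both files at a keytab under a Linux path but says nothing about ownership or permissions. Since the keytab holds the service account's key, suggest adding a sentence that it should be readable only by the user Tomcat runs as. Finally, the "tested with" list names only Tomcat 8.0.x (r1546570) while the text, in the tc7.0.x docs, claims 7.0.12 onwards; it would help to state whether any 7.0.x build was tested on Linux.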