I have a Kerberos delegation issue caused by the separation of IIS worker processes and the Tomcat web server process on Windows.
Specifically, I have a customer running Tomcat through ISAPI on Windows with ISS using Integrated Windows Authentication (Kerberos). Authentication is working. The getRemoteUser method returns the user's expected identity. Delegation is working. An ASP can use the clients credentials to request another protected page on a second IIS server. Note, impersonation is not used in any way shape or form (nor would it work). I put together a Kerberos capable HTTP client and tried to invoke it through the IIS authenticated Servlet. This does not work. The JGSS routines cannot find the delegated ticket (TGT). Can anyone guess as to why this is? My thinking is that even though the Tomcat process and IIS workers are running under the same service account Tomcat servlets do not have access to the IIS worker's credential cache because the credential cache is per-logon session and IIS creates a new logon session with each authentication. Does this sound right? I can't find any documentation about this scenario. My next thought was to export the security context but someone just posted a message that indicated Sun's Java doesn't support exporting the credential. If that's true I guess I'm toast? It would be a nice feature if Tomcat's ISAPI dll used LsaGetLogonSessionData and similar in the IIS worker to get any TGT present and ship it over to the Tomcat worker so Java can get to it. A lot of shops are MS SSO only and don't want a separate container for Java. Mike -- Michael B Allen PHP Active Directory SSO http://www.ioplex.com/ ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
