Re: Windows Integrated Authentication using AD and Tomcat (no prompt to the users)
Nikola Milutinovic-2 wrote:
You can see http://tomcatspnego.codeplex.com
There are two solutions, one only for Tomcat running on Windows and another which also works with Tomcat running on Unix. The first version uses JNDI with a DLL. The second version uses a Windows service running with .NET 2.0.
Dominique Guerin
- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Windows Integrated Authentication using AD and Tomcat (no prompt to the users)
Just to make the picture complete, it can also be done with Apache + mod_auth_kerb + mod_jk. It does require some steps, and the most tricky one is getting a proper Kerberos service key from MS ADS. We've done it, so it is not really a big deal. However, people tend to state that TC is as good at serving static content as Apache and that eliminating one link in the server chain reduces complexity. Which is true. And which is why we need a proper Kerberos realm for these setups.
Nix.
From: George Sexton geor...@mhsoftware.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Monday, September 14, 2009 7:47:48 PM
Subject: RE: Windows Integrated Authentication using AD and Tomcat (no prompt to the users)
Re: Windows Integrated Authentication using AD and Tomcat (no prompt to the users)
There is also a module from Quest Software, using Kerberos authentication, but it costs mega $. Has anyone considered writing a TC realm for Kerberos? Before MS ADS came into popular use, Kerberos was a rare beast, but now it is more present. And it is much better than NTLM, which is why MS started using it. Just think about it: NTLM sucked so badly that the great Behemoth, Microsoft, decided to use an open-standard solution.
Nix.
From: André Warnier a...@ice-sa.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Sunday, September 13, 2009 1:33:16 PM
Subject: Re: Windows Integrated Authentication using AD and Tomcat (no prompt to the users)
RE: Windows Integrated Authentication using AD and Tomcat (no prompt to the users)
If you're fronting Tomcat w/ IIS using the ISAPI redirector, then this can be done. Here's a link to the instructions for our product that describe how to do it: http://www.mhsoftware.com/caldemo/manual/en/pageFinder.html?page=895.htm
Essentially, following steps 2-4 will cause HttpServletRequest.getRemoteUser() to return the Windows user name (sAMAccountName).
George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585
-----Original Message-----
From: Nikola Milutinovic [mailto:alok...@yahoo.com]
Sent: Monday, September 14, 2009 11:26 AM
To: Tomcat Users List; Tomcat Users List
Subject: Re: Windows Integrated Authentication using AD and Tomcat (no prompt to the users)
Re: Windows Integrated Authentication using AD and Tomcat (no prompt to the users)
Quick answer: look at http://www.ioplex.com, Jespa.
Derlei Luff wrote:
Re: Windows Integrated Authentication using AD and Tomcat (no prompt to the users)
To Martin, Steve and others: Samba's JCIFS works fine, but only for NTLMv1 authentication. (It is also no longer maintained, see http://jcifs.samba.org.) It does NOT work for NTLMv2 authentication, which is fast becoming the norm, and the default from Vista onwards. Jespa works with NTLMv2, and is free for up to 25 users. I have no shares in ioplex or Jespa.
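Whether a client sends NTLMv1 or NTLMv2 is decided by client policy (the LmCompatibilityLevel setting), and the server only learns it from the third message of the exchange, the AUTHENTICATE_MESSAGE that the browser base64-encodes into "Authorization: NTLM ...". The following is an added example, not code from this thread or from the JCIFS or Jespa projects, that parses that message and reports which flavour the client used, so you can check your own clients before committing to a filter that only understands NTLMv1. The discriminator is the NT response length: an NTLMv1 response is always 24 bytes, an NTLMv2 response is a 16-byte HMAC proof plus a client blob and is therefore always longer. The sample messages are constructed by the included builder with all-zero response blobs rather than real hashes; domain, user and workstation names in them are made up.

```python
"""Tell NTLMv1 from NTLMv2 by parsing the NTLM AUTHENTICATE_MESSAGE (Type 3)
that a browser sends in the Authorization: NTLM <base64> header."""
import base64
import struct
from dataclasses import dataclass

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001                  # strings are UTF-16LE, otherwise OEM
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000  # the "NTLM2 session" variant of v1


@dataclass
class NtlmAuthInfo:
    domain: str
    user: str
    workstation: str
    lm_response_len: int
    nt_response_len: int
    flavour: str  # "NTLMv2", "NTLMv1", "NTLMv1 (NTLM2 session security)" or "anonymous"


def _field(msg: bytes, hdr_off: int) -> bytes:
    # Every variable-length field is described by Len(2) MaxLen(2) Offset(4), little-endian.
    length, _max_len, offset = struct.unpack_from("<HHI", msg, hdr_off)
    if offset + length > len(msg):
        raise ValueError("field at header offset %d points outside the message" % hdr_off)
    return msg[offset:offset + length]


def parse_authenticate(msg: bytes) -> NtlmAuthInfo:
    if len(msg) < 64 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != AUTHENTICATE_MESSAGE:
        raise ValueError("expected AUTHENTICATE_MESSAGE (3), got type %d" % msg_type)
    lm_resp = _field(msg, 12)
    nt_resp = _field(msg, 20)
    (flags,) = struct.unpack_from("<I", msg, 60)
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    domain, user, workstation = (_field(msg, off).decode(enc) for off in (28, 36, 44))

    # NTLMv1: NT response is exactly 24 bytes (DES over the server challenge).
    # NTLMv2: 16-byte HMAC-MD5 NTProofStr followed by the client blob, so always > 24 bytes.
    # LM and LMv2 responses are both 24 bytes, so the LM field tells you nothing.
    if len(nt_resp) == 0:
        flavour = "anonymous"
    elif len(nt_resp) > 24:
        flavour = "NTLMv2"
    elif flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY:
        flavour = "NTLMv1 (NTLM2 session security)"
    else:
        flavour = "NTLMv1"
    return NtlmAuthInfo(domain, user, workstation, len(lm_resp), len(nt_resp), flavour)


def classify_header(authorization: str) -> NtlmAuthInfo:
    """Takes the raw Authorization header value, e.g. copied from a proxy or server log."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.upper() not in ("NTLM", "NEGOTIATE"):
        raise ValueError("unsupported scheme %r" % scheme)
    return parse_authenticate(base64.b64decode(token))


def build_authenticate(domain, user, workstation, lm_resp, nt_resp, flags) -> bytes:
    """Constructed test fixture, not a real client: lays out a Type 3 message around
    caller-supplied response blobs (dummies here, not real hashes)."""
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    items = [lm_resp, nt_resp, domain.encode(enc), user.encode(enc), workstation.encode(enc), b""]
    header = NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE)
    payload, offset = b"", 64  # payload starts right after the 64-byte fixed header
    for item in items:
        header += struct.pack("<HHI", len(item), len(item), offset)
        payload += item
        offset += len(item)
    header += struct.pack("<I", flags)
    return header + payload


def sample_header(msg: bytes) -> str:
    return "NTLM " + base64.b64encode(msg).decode()


def sample_v1() -> bytes:
    # Constructed: 24-byte LM and NT responses, Unicode strings.
    return build_authenticate("CORP", "alice", "WS01", bytes(24), bytes(24), NTLMSSP_NEGOTIATE_UNICODE)


def sample_v2() -> bytes:
    # Constructed: 16-byte NTProofStr + minimal NTLMv2_CLIENT_CHALLENGE (RespType 1, HiRespType 1,
    # 6 reserved bytes, 8-byte timestamp, 8-byte client nonce, 4 reserved, MsvAvEOL) = 48 bytes.
    blob = b"\x01\x01" + bytes(6) + bytes(8) + b"\x11" * 8 + bytes(4) + bytes(4)
    flags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
    return build_authenticate("CORP", "alice", "WS01", bytes(24), bytes(16) + blob, flags)


if __name__ == "__main__":
    for name, msg in (("v1", sample_v1()), ("v2", sample_v2())):
        print(name, classify_header(sample_header(msg)))
```

Point it at the third NTLM request of any client that is allowed to authenticate against a test endpoint; if the report says NTLMv2 for your Vista-and-later clients, a filter that only implements NTLMv1 will not be able to verify them no matter how it is configured.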
Re: Windows Integrated Authentication using AD and Tomcat (no prompt to the users)
> To Martin, Steve and others: Samba's JCIFS works fine, but only for NTLMv1 authentication. (It is also no longer maintained, see http://jcifs.samba.org.)
Yes, I saw that on the jcifs website. However, I left it up to the OP to see that as well, considering the blue important notice is quite attention-grabbing.
> It does NOT work for NTLMv2 authentication, which is fast becoming the norm, and the default from Vista onwards. Jespa works with NTLMv2, and is free for up to 25 users. I have no shares in ioplex or Jespa.
Windows Integrated Authentication using AD and Tomcat (no prompt to the users)
Hi all,
I'm new to Tomcat and normally work in a Microsoft Windows world. I've stumbled into a problem using Tomcat as a web server that I'm sure there is a simple solution for, though I can't find it. I'm sure it works if I use an MS IIS server instead of a Tomcat server, at least. I hope some of you more experienced users of Tomcat can either point me in the right direction or perhaps come up with the conclusion.
My problem is: I have a running Active Directory which holds the users and groups. I have a Windows XP client, which is a member of the Active Directory domain. If a user logs into the client using his username and password and then opens Internet Explorer, I would like him to gain access to a web page hosted on the Tomcat server. The problem is that the Tomcat server shall validate the user's Active Directory credentials, and the credentials should be sent to Tomcat without user interaction. In other words, I want "Windows Integrated Authentication" from the MS world, so that Internet Explorer takes the user's credentials and sends them to the Tomcat server (Kerberos). So far I can only get this to work if Internet Explorer prompts the user for his credentials (Basic Authentication).
In other words, I want to achieve this:
· User logs onto the Windows XP computer using his username and password
· User opens Internet Explorer and enters the URL of the page hosted on the Tomcat server
· Internet Explorer sends the user's username and password automatically to Tomcat (Kerberos)
· Tomcat validates the user's credentials and accepts the request.
This is some form of Single Sign On and I know it works if I use IIS instead of Tomcat. I've found several guides on the net, but none which tells me if this is possible or not. Hope some of you can point me in the right direction, but perhaps I have to use a third-party application to achieve this??
Thanks in advance,
Derlei
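Two things in this thread are easiest to see on the wire: the flow Derlei wants (Internet Explorer authenticating to Tomcat without a prompt) and the step Nikola calls the tricky one (getting a usable Kerberos service key out of AD). In the integrated flow the browser does not send the password; it sends a GSS-API/SPNEGO token in "Authorization: Negotiate ...", and the token carries an ordered list of mechanisms the client can do. If the client obtained a Kerberos ticket for the server's SPN (normally HTTP/<hostname>), Kerberos is listed first and the optimistic token is an AP-REQ; if it could not (no SPN registered, wrong host name, or a keytab that does not match), it silently offers NTLM instead and the server never sees Kerberos at all. The following is an added example, not code from the thread or from any product mentioned in it: a classifier that decodes such a header and reports which case you are looking at. The OIDs are the standard SPNEGO, Kerberos, Microsoft-Kerberos and NTLMSSP identifiers; the sample tokens are built by the small DER encoder at the bottom with placeholder mechanism tokens, not real tickets.

```python
# Classify the token in "Authorization: Negotiate <base64>": SPNEGO offering Kerberos,
# SPNEGO offering only NTLM, a raw Kerberos GSS-API token, or a raw NTLMSSP message.
import base64

SPNEGO_OID, NTLMSSP_OID = "1.3.6.1.5.5.2", "1.3.6.1.4.1.311.2.2.10"
KRB5_OID, MS_KRB5_OID = "1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"  # Windows lists the MS one first
KERBEROS_OIDS = {KRB5_OID, MS_KRB5_OID}
NTLMSSP = b"NTLMSSP\x00"

def read_tlv(buf, pos):
    """One DER tag-length-value at pos -> (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets (real tickets need this)
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def classify_negotiate_token(token):
    res = {"mechanism": "unknown", "mech_types": [], "detail": ""}
    if token.startswith(NTLMSSP):
        return dict(res, mechanism="ntlm", detail="raw NTLMSSP message without SPNEGO wrapper")
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:  # [APPLICATION 0] InitialContextToken (RFC 2743): mechanism OID, then inner token
        return dict(res, detail="not a GSS-API InitialContextToken")
    tag, oid_raw, pos = read_tlv(body, 0)
    this_mech = decode_oid(oid_raw) if tag == 0x06 else ""
    if this_mech in KERBEROS_OIDS:
        return dict(res, mechanism="kerberos", mech_types=[this_mech], detail="raw Kerberos token")
    if this_mech != SPNEGO_OID:
        return dict(res, detail="unrecognised mechanism OID %r" % this_mech)
    tag, neg, _ = read_tlv(body, pos)
    if tag != 0xA0:  # [0] NegTokenInit; a [1] NegTokenResp is a continuation, not a first request
        return dict(res, detail="not a NegTokenInit")
    _, seq, _ = read_tlv(neg, 0)  # SEQUENCE { mechTypes [0], reqFlags [1], mechToken [2], mechListMIC [3] }
    mech_types, mech_token, pos = [], b"", 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag == 0xA0:  # mechTypes: SEQUENCE OF OID, most preferred first
            _, inner, _ = read_tlv(val, 0)
            p = 0
            while p < len(inner):
                t, v, p = read_tlv(inner, p)
                if t == 0x06:
                    mech_types.append(decode_oid(v))
        elif tag == 0xA2:  # mechToken: OCTET STRING holding the optimistic first mechanism token
            _, mech_token, _ = read_tlv(val, 0)
    res["mech_types"] = mech_types
    if mech_types and mech_types[0] in KERBEROS_OIDS:
        return dict(res, mechanism="kerberos", detail="SPNEGO with Kerberos offered first")
    if (mech_types and mech_types[0] == NTLMSSP_OID) or mech_token.startswith(NTLMSSP):
        return dict(res, mechanism="ntlm", detail="SPNEGO offering only NTLM: no Kerberos ticket for this SPN?")
    return dict(res, detail="SPNEGO with unrecognised mechTypes")

def classify_authorization_header(value):
    _scheme, _, b64 = value.strip().partition(" ")  # "Negotiate <b64>" or "NTLM <b64>"
    return classify_negotiate_token(base64.b64decode(b64))

# Constructed fixtures: a minimal DER encoder (short-form lengths suffice for these small tokens).
def der(tag, content):
    return bytes([tag, len(content)]) + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += reversed(chunk)
    return der(0x06, bytes(out))

def build_negtokeninit(mech_types, mech_token):
    """GSS-API InitialContextToken wrapping a SPNEGO NegTokenInit; constructed, not captured."""
    fields = der(0xA0, der(0x30, b"".join(encode_oid(o) for o in mech_types)))
    fields += der(0xA2, der(0x04, mech_token))
    return der(0x60, encode_oid(SPNEGO_OID) + der(0xA0, der(0x30, fields)))

def to_header(token):
    return "Negotiate " + base64.b64encode(token).decode()

NTLM_NEGOTIATE_PLACEHOLDER = NTLMSSP + b"\x01\x00\x00\x00" + bytes(28)  # shell of a Type 1 message
AP_REQ_PLACEHOLDER = b"stand-in for a Kerberos AP-REQ, not a real ticket"

if __name__ == "__main__":
    healthy = build_negtokeninit([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], AP_REQ_PLACEHOLDER)
    fallback = build_negtokeninit([NTLMSSP_OID], NTLM_NEGOTIATE_PLACEHOLDER)
    for tok in (healthy, fallback, NTLM_NEGOTIATE_PLACEHOLDER):
        print(classify_authorization_header(to_header(tok)))
```

A "ntlm" verdict from a domain-joined client is the usual symptom of the keytab/SPN problem Nikola describes: the fix is on the AD side (register HTTP/<hostname> on the service account whose key the server holds), not in Tomcat's filter configuration.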
Re: Windows Integrated Authentication using AD and Tomcat (no prompt to the users)
Send reply to: Tomcat Users List users@tomcat.apache.org
Date sent: Sat, 12 Sep 2009 12:50:41 -0700 (PDT)
From: Derlei Luff derlei...@yahoo.com
Subject: Windows Integrated Authentication using AD and Tomcat (no prompt to the users)
To: users@tomcat.apache.org
http://wiki.apache.org/tomcat/FAQ/Windows#Q4
RE: Windows Integrated Authentication using AD and Tomcat (no prompt to the users)
Did you look at the jcifs.http.NtlmHttpFilter filter?
http://jcifs.samba.org/src/docs/ntlmhttpauth.html

nbtstat -a MYHOSTNAME
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nbtstat.mspx?mfr=true

The IP and the 'nbtstat name' *should* be located in the /windows/system32/drivers/etc/lmhosts file (you can use the sample /windows/system32/drivers/etc/lmhosts.sam). Then put the entry for IP MYHOSTNAME in the /windows/system32/drivers/etc/lmhosts file:

    IP    MYHOSTNAME    #PRE    #needed for the include

If your Active Directory security policy requires that users only log into the domain from their personal workstations, JCIFS will fail to authenticate and the server security log will have entries like "\\JCIFS10_40_4A cannot be authorized". This occurs because the domain controller is failing to resolve the dynamically generated calling name submitted by the client during protocol negotiation. To get around this it is necessary to set the jcifs.netbios.hostname property to a valid NetBIOS name that can be resolved by the NetBIOS name service (e.g. WINS) and add that name to the AD security policy as a permitted client. For example, you can set this property using an init-param in the web.xml file for the NTLM HTTP filter as follows:

    <init-param>
        <param-name>jcifs.netbios.hostname</param-name>
        <param-value>MYHOSTNAME</param-value>
    </init-param>

hth
Martin

Date: Sat, 12 Sep 2009 16:32:17 -0400
From: ocha...@ncc.edu
Subject: Re: Windows Integrated Authentication using AD and Tomcat (no prompt to the users)
To: users@tomcat.apache.org