You can add info about multiple realms in a single krb5.conf. There is only one default_realm but if the principal name contains the realm part it will be recognized.
BTW, this mail list is about developing the JDK instead of how to use it.

--Max

> On Nov 1, 2017, at 4:25 AM, Andreas Røsdal <andreas.ros...@gmail.com> wrote:
>
> Hello!
>
> I would like some help with setting up Tomcat, SPNEGO and Kerberos against two Active Directory services.
>
> At the moment I have a Java webapp running on Tomcat, which uses SPNEGO and Kerberos to authenticate users (clients in Internet Explorer) against one (1) Active Directory user database. Currently, there is only one krb5.conf which is configured against one Active Directory. There is some custom Java code (Servlet filters) which extend the integrated Tomcat SPNEGO classes, and authenticate users against the Active Directory.
>
> However, I now need to authenticate users against two different Active Directory databases. Some users are found only in one of the Active Directories, while others are found only in the other Active Directory, so I now need to authenticate against both Active Directories. However, the Java configuration only seems to be able to connect to one Active Directory at a time. I can't use forest trust between the two Active Directories.
>
> I would appreciate any information about best-practices of authenticating users in two Active Directory databases.
>
> Regards,
> Andreas R.
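
The following krb5.conf sketch illustrates the reply's point about listing several realms in one file. It is an added example, not part of the original thread; the realm names, KDC host names and DNS domains are constructed placeholders.

```ini
# Constructed example: two Active Directory realms in a single krb5.conf.
# All realm and host names below are placeholders, not values from the thread.

[libdefaults]
    # Only one default realm is allowed. It is used when a principal
    # name carries no "@REALM" part.
    default_realm = CORP-A.EXAMPLE

[realms]
    # One block per realm, each pointing at that realm's own KDC
    # (an Active Directory domain controller).
    CORP-A.EXAMPLE = {
        kdc = dc1.corp-a.example
    }
    CORP-B.EXAMPLE = {
        kdc = dc1.corp-b.example
    }

[domain_realm]
    # Map DNS domains to realms so host-based service principals
    # resolve to the correct realm.
    .corp-a.example = CORP-A.EXAMPLE
    corp-a.example = CORP-A.EXAMPLE
    .corp-b.example = CORP-B.EXAMPLE
    corp-b.example = CORP-B.EXAMPLE
```

With this file, a principal written as `user@CORP-B.EXAMPLE` is resolved against the second realm's KDC, while a bare `user` falls back to `default_realm`.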