It sounds like we should come up with a de facto way of achieving SSO with Tomcat and NTLM (since there are plenty of M$ workstations out there). Which leads me to believe that a lot of people could very well benefit from this. I'm required to implement this for our intranet application, which I have found to be the most common need for such an implementation.
---

Maybe I'm falling in from the blue, but isn't ADS offering Kerberos5 (GSS-API) authentication, which is the actual workhorse of ADS single-sign-on? Why wouldn't you implement SPNEGO + GSS-API as an authentication method?

I have heard that Tomcat can be a client for SASL mech GSS-API; actually any client using JAAS can do that (take a look at Sun's JNDI tutorial). Couldn't Tomcat act as a server within the Kerberos5 scheme, using the same JAAS (sorry, JAAS is not my cup of tea)? In other words, write a special authentication module for Tomcat that would let Tomcat act as a kerberized Web server. At first instance it could be a filter, but SPNEGO (present in RFCs) is an HTTP layer authentication scheme and should be implemented alongside the Basic and Digest MD5 authentication mechs.

There exist modules for Apache which implement this; take a look at these links:

https://sourceforge.net/projects/modgssapache/
http://meta.cesnet.cz/software/heimdal/negotiate.en.html
http://sourceforge.net/projects/modauthkerb

The idea behind all this is to register a web server (Tomcat or Apache) as a service under Kerberos (Active Directory, MIT, Heimdal), let clients authenticate to Kerberos (Win2k and WinXP do this when you log in to ADS) and then let Kerberos "do its stuff". That way, once a user logs onto ADS, he/she will have a complete SSO: File Sharing, Web (IIS, Apache, Tomcat), any other ADS service.

Nix.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
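The "filter as a first instance" idea from the reply above, sketched as an added example; this is not code from the thread, from Tomcat, or from the Apache modules linked. It uses only the standard JAAS and JGSS APIs in the JDK: the filter logs in once as the web server's service principal from a keytab, then for each request decodes the `Authorization: Negotiate` token the browser sends and hands it to `GSSContext.acceptSecContext`, which validates the Kerberos service ticket inside the SPNEGO wrapper. The JAAS entry name `TomcatService`, the principal `HTTP/tomcat.example.com@EXAMPLE.COM` and the keytab path are placeholder assumptions; the service principal must match what was registered for the server in Active Directory (or the MIT/Heimdal KDC), exactly as the reply describes. A client with no Kerberos ticket (a workstation not joined to the domain) will typically send an NTLM token inside the Negotiate envelope; the JDK acceptor cannot process that, so the filter answers 401 rather than looping. Only the single-round exchange that Kerberos normally produces is handled; a context that is not established after one token is rejected instead of being kept across requests.

```java
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.*;
import javax.servlet.http.*;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;

/*
 * Assumed JAAS configuration (file named by -Djava.security.auth.login.config=...);
 * names and paths are placeholders for this example:
 *
 *   TomcatService {
 *     com.sun.security.auth.module.Krb5LoginModule required
 *       useKeyTab=true storeKey=true isInitiator=false
 *       keyTab="/etc/tomcat/http.keytab"
 *       principal="HTTP/tomcat.example.com@EXAMPLE.COM";
 *   };
 */
public class SpnegoFilter implements Filter {
    private static final String NEGOTIATE = "Negotiate";
    private Subject serviceSubject;   // holds the server's Kerberos key after the JAAS login

    /** Result of one acceptSecContext round: the reply token (may be null) and the client principal. */
    private static final class Step { byte[] outToken; String principal; }

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        try {
            LoginContext lc = new LoginContext("TomcatService");   // assumed JAAS entry name
            lc.login();
            serviceSubject = lc.getSubject();
        } catch (LoginException e) {
            throw new ServletException("service principal login failed", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) req;
        HttpServletResponse hres = (HttpServletResponse) res;

        String auth = hreq.getHeader("Authorization");
        if (auth == null || !auth.startsWith(NEGOTIATE + " ")) {
            // First round: challenge the browser so it fetches a service ticket for HTTP/<host>.
            hres.setHeader("WWW-Authenticate", NEGOTIATE);
            hres.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        final byte[] token;
        try {
            token = Base64.getDecoder().decode(auth.substring(NEGOTIATE.length() + 1).trim());
        } catch (IllegalArgumentException e) {
            hres.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        Step step;
        try {
            // Run the acceptor under the service Subject so JGSS finds the keytab key there.
            step = Subject.doAs(serviceSubject, (PrivilegedExceptionAction<Step>) () -> {
                GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
                Step s = new Step();
                try {
                    s.outToken = ctx.acceptSecContext(token, 0, token.length);
                    if (ctx.isEstablished()) {
                        s.principal = ctx.getSrcName().toString();   // e.g. alice@EXAMPLE.COM
                    }
                } finally {
                    ctx.dispose();
                }
                return s;
            });
        } catch (PrivilegedActionException e) {
            // GSSException: bad/expired ticket, wrong service principal, or an NTLM token we cannot accept.
            hres.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        if (step.principal == null) {
            // Kerberos completes in one round; anything else is not supported by this stateless filter.
            hres.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (step.outToken != null) {
            // Final server token (mechListMIC) lets the client verify the negotiation was not tampered with.
            hres.setHeader("WWW-Authenticate",
                    NEGOTIATE + " " + Base64.getEncoder().encodeToString(step.outToken));
        }

        final String user = step.principal;
        chain.doFilter(new HttpServletRequestWrapper(hreq) {
            @Override public String getRemoteUser() { return user; }
            @Override public String getAuthType() { return NEGOTIATE; }
            @Override public java.security.Principal getUserPrincipal() { return () -> user; }
        }, res);
    }

    @Override
    public void destroy() { serviceSubject = null; }
}
```

Two things decide whether this works in practice: the `HTTP/<fqdn>` principal in the keytab has to be the name the browser asks the KDC for (the DNS name the user typed, not an alias), and the JDK needs a `krb5.conf` or `-Djava.security.krb5.realm`/`krb5.kdc` so it can reach the realm. Authorization is deliberately left out; once `getRemoteUser()` is populated, role mapping belongs in Tomcat's realm or the application, not in the authentication step.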
