>> >> Well-founded guidance, clues, and even good guesses are all welcome. >> > > Answering in the spirit of your last phrase above (because I really know > nothing about the > Tomcat SPNEGO Valve, and very little about Kerberos) : > > The error message : > > javax.security.auth.login.LoginException: Unable to obtain password from user > at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Unknown Source) > > would tend to indicate that something is trying to prompt the user for a > password. > That should not really happen, in a Windows SSO mechanism, unless the Windows > Domain > Controller (to which the SPNEGO Valve is ultimately talking) is configured to > accept HTTP > Basic authentication as a fall-back for a Windows Integrated Authentication > that doesn't work. > > One reason for which WIA could possibly not work, would be if your Windows > workstation > does not consider the Tomcat server to which it is connecting, as at least a > "trusted" > server. In such a case, the *browser* will even refuse to start a WIA dialog > with the server. > So, first thing : are you sure that the workstation and the Tomcat server, > from a Windows > authentication point of view, are part of the same Windows Domain ? > (And if you are not sure, and you are allowed to do this, what happens if you > go into the > IE settings, and add the tomcat hostname explicitly into the list of > "trusted" servers ?).
André, Thanks for the good guess. The server, DC and workstation are all virtual hosts in an isolated lab context. So tinkering around with configurations isn't a problem. I've added the http:// and https:// for the FQDN and IP address of the server on the list. This didn't change anything in the result. Thanks, Edward --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
