I tried what you asked and I have observed the following:

1. Browser sends a request for the resource.
   Server replies with HTTP 401 and WWW-Authenticate: Negotiate in Response Headers.

2. Browser sends a new request with the following in Request Headers:
   Authorization: Negotiate YHkGBisGAQUFAqBvMG2gMDAuBgorBg....

   Server replies again with HTTP 401 and WWW-Authenticate: Negotiate in Response Headers.

3. At this point the browser shows the HTTP Basic Auth form and sends the following in Headers:
   Authorization: Negotiate YIIK1QYGKwYBBQUCoIIKyTCCCsWgMDAuBgkqhkiC9xIBAgIGCSqGS.... (*Really huge value, much much longer than the first one*)

   Now the Server replies with HTTP 200 and the following in headers:
   WWW-Authenticate: Negotiate oYHzMIHwoAMKAQChCwYJKoZIhvcSAQICom0....
   Set-Cookie: JSESSIONID=541FE2EDD35690BBDE99..; Path=/webapp/; HttpOnly

So yes, WIA is failing.
Can you help me out with the next step in debugging?




Thanks,
Chanchal R. Kariwala
Product Engineer
Seclore Technology
chanchal.kariw...@seclore.com
www.seclore.com



On Fri, Mar 4, 2016 at 1:20 PM, André Warnier (tomcat) <a...@ice-sa.com>
wrote:

> On 04.03.2016 07:16, Chanchal Kariwala wrote:
>
>> I am using Tomcat 8.0.32 and I have followed the guide given at
>>
>>   - https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Tomcat_instance_(Windows_server)
>>   - https://dzone.com/articles/do-not-publish-configuring-tomcat-single-sign-on-w
>>
>> Windows AD Auth is working i.e. when I access the site, I am asked for
>> credentials and when I enter the correct credentials, the restricted
>> resource is displayed.
>>
>> However, my question is why the browser is asking for credentials. Why
>> isn't it accessing the TGT cache in the OS to fetch the user's credentials?
>>
>> I have enabled Integrated Windows Auth in IE Settings. I have added the
>> site in Intranet Sites and set "Logon by Current User" in Custom Level
>> setting for Intranet.
>>
>>
>>
> Hi.
>
> The real *key* to debugging such issues is to use some plugin or add-on
> to the browser, to enable the capture and visualisation of the HTTP dialog
> back and forth between the browser and the server.
> Since you are using IE, I suggest "Fiddler2".
> Install it, close your browser, re-open the browser, start Fiddler2 in
> capture mode, and then do an access to the webserver.  When prompted for an
> id/pw, enter them.
> Then stop Fiddler2 and examine the HTTP exchanges, starting with your
> initial request to the webserver.
>
> You are correct in thinking that, normally, the login should happen
> automatically in the background, and you should never see this browser
> login dialog.
> WIA authentication is a multiple-step process between the browser and the
> webserver, and in the background between the webserver and a Domain
> Controller.
> That the login dialog appears in your case means:
> 1) that the integrated WIA failed
> 2) that the Domain is configured to allow HTTP Basic authentication in a
> second step, after WIA fails.  That is the login dialog that you see.
>
> So, something is not working as it should in the WIA step.
> But to know exactly what, requires examining the HTTP exchanges.
>
>
>
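Once the HTTP dialog has been captured as André suggests, the next debugging step is to look inside the Authorization: Negotiate values rather than only at the status codes. The base64 blob is a GSS-API/SPNEGO NegTokenInit whose first field is the mechTypes list, i.e. the mechanisms the browser offers in preference order (Kerberos OIDs first when it could obtain a service ticket, NTLMSSP when it could not), so even the short prefix copied into a mail is enough to tell the two cases apart. The script below is an added example for this thread, not code from Tomcat, Seclore or either poster. It decodes just enough of the DER wrapper to print the declared token length and the mechTypes list, and it tolerates a token that was copied only partially. The two "...." prefixes quoted above are fed in exactly as posted; the other inputs (a constructed NTLM-first token, a constructed Kerberos-first token and a constructed raw NTLM blob) are built here for illustration. On the posted prefixes it reports a 121-byte first token whose leading OID is cut off by the truncation, and a 2773-byte second token that leads with 1.2.840.48018.1.2.2, the Microsoft Kerberos OID; 121 bytes is far too small for a Kerberos AP-REQ carrying a service ticket, which is the kind of detail that points at where the first, automatic attempt went wrong.

```python
"""Inspect the start of an "Authorization: Negotiate <base64>" header value.

Added example for this thread (not code from Tomcat, Seclore or the posters).
It decodes the GSS-API/SPNEGO wrapper far enough to list the mechTypes the
browser proposed, in preference order, and tolerates a partially copied token.
"""
import base64
import re

# Mechanism OIDs commonly seen in mechTypes lists from Windows clients.
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "Kerberos v5",
    "1.2.840.48018.1.2.2": "Kerberos v5 (legacy Microsoft OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NegoEx",
}
SPNEGO_OID = "1.3.6.1.5.5.2"
_NOT_B64 = re.compile(r"[^A-Za-z0-9+/=]")

# Prefixes exactly as quoted in the mail above (truncated by the poster).
MAIL_FIRST_PREFIX = "YHkGBisGAQUFAqBvMG2gMDAuBgorBg...."
MAIL_SECOND_PREFIX = "YIIK1QYGKwYBBQUCoIIKyTCCCsWgMDAuBgkqhkiC9xIBAgIGCSqGS...."


def decode_oid(body):
    """DER OID content octets -> dotted string; a trailing partial arc is dropped."""
    arcs = [str(body[0] // 40), str(body[0] % 40)]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:            # high bit clear = last byte of this arc
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)


def encode_oid(dotted):
    """Dotted OID -> DER content octets (base-128 arcs, high bit = more follows)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _tlv(tag, body):
    """Minimal DER TLV encoder (lengths below 65536 are enough for these tokens)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    if len(body) < 0x100:
        return bytes([tag, 0x81, len(body)]) + body
    return bytes([tag, 0x82]) + len(body).to_bytes(2, "big") + body


def build_neg_token_init(mech_oids, mech_token):
    """Constructed NegTokenInit (RFC 4178) inside a GSS-API InitialContextToken,
    base64-encoded as it would follow 'Authorization: Negotiate '. mech_token is
    an arbitrary stand-in for the real inner mechanism token."""
    mech_types = _tlv(0x30, b"".join(_tlv(0x06, encode_oid(o)) for o in mech_oids))
    body = _tlv(0xA0, mech_types) + _tlv(0xA2, _tlv(0x04, mech_token))
    token = _tlv(0x60, _tlv(0x06, encode_oid(SPNEGO_OID)) + _tlv(0xA0, _tlv(0x30, body)))
    return base64.b64encode(token).decode("ascii")


def _expect(data, pos, tag):
    """Check the tag at pos; return (content length, offset of first content byte)."""
    if pos + 1 >= len(data):
        raise ValueError("token ends before tag 0x%02x at offset %d" % (tag, pos))
    if data[pos] != tag:
        raise ValueError("expected tag 0x%02x at offset %d, got 0x%02x" % (tag, pos, data[pos]))
    first = data[pos + 1]
    if first < 0x80:                # short-form length
        return first, pos + 2
    n = first & 0x7F                # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 2 + n > len(data):
        raise ValueError("bad DER length at offset %d" % (pos + 1))
    return int.from_bytes(data[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def inspect_negotiate(header_value):
    """Return {'token_length': declared content length of the GSS token,
    'mechanisms': [(oid, name), ...] in the client's preference order}.
    Accepts the whole header value or just the base64; trailing '....' is ignored."""
    b64 = header_value.strip()
    if b64[:9].lower() == "negotiate":
        b64 = b64[9:].strip()
    b64 = _NOT_B64.sub("", b64).rstrip("=")
    if len(b64) % 4 == 1:           # a lone sextet holds no complete byte
        b64 = b64[:-1]
    data = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if data.startswith(b"NTLMSSP\x00"):   # bare NTLM, no SPNEGO wrapper at all
        return {"token_length": len(data),
                "mechanisms": [("raw-ntlm", "NTLMSSP without SPNEGO wrapper")]}
    total, pos = _expect(data, 0, 0x60)     # [APPLICATION 0] InitialContextToken
    n, pos = _expect(data, pos, 0x06)       # thisMech OID
    this_mech = decode_oid(data[pos:pos + n])
    if this_mech != SPNEGO_OID:
        raise ValueError("not SPNEGO, thisMech is " + this_mech)
    pos += n
    _, pos = _expect(data, pos, 0xA0)       # [0] negTokenInit
    _, pos = _expect(data, pos, 0x30)       # NegTokenInit SEQUENCE
    _, pos = _expect(data, pos, 0xA0)       # [0] mechTypes
    n, pos = _expect(data, pos, 0x30)       # SEQUENCE OF MechType
    end, mechs = pos + n, []
    while pos < end and pos + 1 < len(data):
        n, pos = _expect(data, pos, 0x06)
        body = data[pos:pos + n]
        if len(body) < n:                   # the copy stopped inside this OID
            mechs.append((decode_oid(body) if body else "?",
                          "truncated OID, copy more of the header"))
            break
        oid = decode_oid(body)
        mechs.append((oid, MECH_NAMES.get(oid, "unknown mechanism")))
        pos += n
    return {"token_length": total, "mechanisms": mechs}


# Constructed samples: what an NTLM-first and a Kerberos-first client would send.
NTLM_FIRST = build_neg_token_init(
    ["1.3.6.1.4.1.311.2.2.10", "1.2.840.48018.1.2.2"], b"NTLMSSP\x00\x01\x00\x00\x00")
KRB_FIRST = build_neg_token_init(
    ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"], b"\x00" * 1500)
RAW_NTLM = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 20).decode("ascii")

if __name__ == "__main__":
    for label, value in [("mail, first token", MAIL_FIRST_PREFIX),
                         ("mail, second token", MAIL_SECOND_PREFIX),
                         ("constructed NTLM-first", NTLM_FIRST),
                         ("constructed Kerberos-first", "Negotiate " + KRB_FIRST),
                         ("constructed raw NTLM", RAW_NTLM)]:
        print(label, inspect_negotiate(value))
```

Paste a full header value copied from the proxy trace (or only its first hundred or so characters) into inspect_negotiate; a mechTypes list that leads with NTLMSSP, or a raw-ntlm result, means the browser did not hold a Kerberos service ticket for the name it used to reach the server, which is where to look next (SPN registration, the host name the browser uses, DNS, and the Tomcat keytab), since the Tomcat Windows authentication HOWTO linked above covers Kerberos only.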
