On 07.03.2016 11:39, André Warnier (tomcat) wrote:
On 07.03.2016 06:10, Chanchal Kariwala wrote:
The article which suggested that NTLM is being used by Winlogon instead of
Kerberos :

http://stackoverflow.com/questions/5597573/how-to-find-if-ntlm-or-kerberos-is-used-from-www-authenticate-negotiate-header


So the token browser sends on first 401 starts from YHkG...
And the second token begins with YIIK1QYG....


Check also this one :
https://blogs.msdn.microsoft.com/friis/2009/12/31/things-to-check-when-kerberos-authentication-fails-using-iisie/


As you see, there are a lot of things to check, one by one. That is because WIA (and Kerberos) are very fiddly, and even one little setting or circumstance can result in the thing not working (as in your case).

P.S. The mere volume of articles on this subject in Google (e.g. "kerberos and wia" or "kerberos and IE")
1) by itself makes it difficult to know which one to read and believe
2) indicates that this is a complex subject, with which a lot of people have problems

This list here is about Tomcat issues. There is an SPNEGO authentication Valve in Tomcat, and there are certainly some people on this list with some knowledge of WIA/Kerberos, but such issues are probably not their main focus, or their main area of expertise. You may have a bit more luck (or at least find more people focused on Windows authentication) on the Samba list for example.
Maybe try here : https://lists.samba.org/mailman/listinfo/samba
and supply all your previous information again, including the captured headers.
That would definitely increase your chances of receiving a helpful response.

It is not that we don't /want/ to help, but there are just too many external factors and settings which can play a role, that it is a bit overwhelming to try this one step remote from the problem. If you do in the end identify a specific problem with the Tomcat SPNEGO Valve, don't hesitate to come back and ask for help here again. Also, if you do find the solution, please post a short message to this list, so that maybe other people here with a similar issue could in the future find the solution in the list archives.
(I presume you have already searched these archives for similar issues ?)

Another thing, at a different level : if your main aim is to solve this issue quickly, then have a look at Jespa (https://www.ioplex.com/).
I can testify that Jespa works faultlessly in several installations which I did.
And just reading the User Manual may already give you some useful tips.
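For anyone comparing captured `Authorization: Negotiate` tokens like the two quoted above, here is a small decoder, added as an illustration and not part of the original message or of Tomcat. It reports whether a token is raw NTLMSSP or GSS-API framed and, for SPNEGO, which mechanisms are offered; the function names are hypothetical and `SAMPLE` is a constructed token.

```python
import base64
# DER-encoded OID bodies of the mechanisms seen in HTTP Negotiate tokens.
MECHS = {
    bytes.fromhex("2b0601050502"): "SPNEGO",
    bytes.fromhex("2a864886f712010202"): "Kerberos",
    bytes.fromhex("2a864882f712010202"): "Kerberos (legacy MS OID)",
    bytes.fromhex("2b06010401823702020a"): "NTLM",
}
# Constructed sample: SPNEGO NegTokenInit offering Kerberos, then NTLM.
SAMPLE = base64.b64encode(bytes.fromhex("602706062b0601050502a01d301ba0193017"
    "06092a864886f712010202060a2b06010401823702020a")).decode()

def _tlv(buf, pos):
    """Read a DER tag and length at pos; return (tag, length, value offset)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, first, pos + 2
    n = first & 0x7F
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def describe_negotiate_token(b64):
    """Summarise framing and mechanisms of a (possibly truncated) token."""
    raw = base64.b64decode(b64[:len(b64) - len(b64) % 4])  # tolerate cut-off
    out = {"framing": "unknown", "declared_len": None, "mech": None, "offered": []}
    if raw.startswith(b"NTLMSSP\x00"):
        out.update(framing="raw NTLMSSP", mech="NTLM")
        return out
    try:
        tag, length, pos = _tlv(raw, 0)
        if tag != 0x60:                      # not a GSS-API initial token
            return out
        out.update(framing="GSS-API", declared_len=length)
        tag, n, pos = _tlv(raw, pos)         # outer mechanism OID
        if tag != 0x06 or pos + n > len(raw):
            return out
        out["mech"] = MECHS.get(raw[pos:pos + n], "other")
        pos += n
        for expected in (0xA0, 0x30, 0xA0, 0x30):  # NegTokenInit -> mechTypes
            tag, n, pos = _tlv(raw, pos)
            if out["mech"] != "SPNEGO" or tag != expected:
                return out
        end = min(pos + n, len(raw))
        while pos < end:                     # one OID per offered mechanism
            tag, n, pos = _tlv(raw, pos)
            out["offered"].append(MECHS.get(raw[pos:pos + n], "other"))
            pos += n
    except IndexError:
        pass                                 # truncated capture: keep partial result
    return out
```

Run on the two prefixes quoted above, it reports GSS-API framing with declared lengths of 121 and 2773 bytes; the prefixes are too short to contain the mechanism list, so the full captured tokens are needed to see what was offered.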

