On Mon, Mar 28, 2011 at 7:26 AM, Stefan Mayr <ste...@mayr-stefan.de> wrote:
> Hello everybody,
>
> as many others before we wanted to do single-sign-on for intranet web
> applications using integrated windows authentication (negotiate because IE
> sometimes tries NTLM instead of using plain kerberos - breaking all our
> kerberos-only experiments).
>
> We thought that IIS would be the best choice for integrated windows
> authentication and we could pass the user via AJP (using mod_jk) to our
> tomcat instances.
>
> Our setup:
> - Windows 2008 R2 using IIS 7.5 (64bit)
> - mod_jk 1.2.31
> - Oracle Java 1.6 U24
> - Tomcat 6.0.32
>
> At first glance using tomcatAuthentication=false worked as expected. We got
> the remote user and started deploying an application. End of happiness - the
> application complained about a missing user-agent. That header was not
> passed to tomcat when authentication was enabled on IIS.
>
> Some research revealed Bug 47679 - Not all headers get passed to Tomcat
> server from isapi_redirect.dll
> (https://issues.apache.org/bugzilla/show_bug.cgi?id=47679)
>
> Today I've found Bug 49318 - add a Negotiate (Kerberos/NTLM) authenticator /
> integrate Waffle (https://issues.apache.org/bugzilla/show_bug.cgi?id=49318).
> The last comment links a new Windows Authentication How-To from Mark Thomas.
> Looks like we have already tried almost all proposed solutions:
>
> - IIS + mod_jk:
>   tried but stuck in Bug 47679. Also tried ARR to pass the user name
>   as a request header from IIS to Tomcat without success
> - Apache mod_ntlm: used it and we replaced it by the much more stable
>   mod_auth_ntlm_winbind. NTLMv1 is also disabled on Windows 7 (default)
> - Apache mod_auth_ntlm: in heavy use but stuck to Apache 2.0 and 32bit
>   platform - we couldn't get stability problems solved on Apache 2.2
>   and 64bit Linux. No ongoing development.
> - Apache mod_auth_sspi: till now in internal use for a very small
>   project (works just fine), not sure about the future. Although
>   there seems to be some new activity on 1.0.5 beta
> - Waffle: found it on Thursday and it is on our todo-list for
>   testing it next week
>
> Any chances to get Bug 47679 solved? How can we help (we are admins, no
> devs)?
> What solutions have you deployed? Recommendations?

I've committed a fix for Bug 47679, which I hope will resolve the issues people have been having using the ISAPI redirector in an extension only mode.