This is an automated email from the ASF dual-hosted git repository.

markt-asf pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
     new f0c0d3e168 Update Windows Authentication documentation
f0c0d3e168 is described below

commit f0c0d3e1685f7f999feb97429f11fec9ec6f74b3
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Apr 29 13:47:02 2026 +0100

    Update Windows Authentication documentation
---
 webapps/docs/changelog.xml          |  5 +++++
 webapps/docs/windows-auth-howto.xml | 17 ++++++++++++-----
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index bd1d3f21a0..755bc7e291 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -224,6 +224,11 @@
         ensure only one <code>ApplicationContext</code> instance is created.
         (dsoumis)
       </fix>
+      <fix>
+        Update the Windows authentication (kerberos) documentation to reflect
+        that both Java and Windows are removing / have removed support for
+        RC4-HMAC. The guide now uses AES256-SHA1. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">
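Review bot: "kerberos" should be capitalised as "Kerberos" in the new changelog entry, and "removing / have removed" reads awkwardly; suggest "that Java and Windows have removed, or are removing, support for RC4-HMAC". The entry could also mention the other user-visible changes in this commit, namely the new step to enable AES256 on the service account and the added `permitted_enctypes` setting in krb5.ini, since anyone upgrading an existing deployment will need to redo the keytab and the account setting, not just change the ktpass argument.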
diff --git a/webapps/docs/windows-auth-howto.xml 
b/webapps/docs/windows-auth-howto.xml
index 160bb0e43f..76ffee77b3 100644
--- a/webapps/docs/windows-auth-howto.xml
+++ b/webapps/docs/windows-auth-howto.xml
@@ -98,6 +98,8 @@ policy had to be relaxed. This is not recommended for 
production environments.
   <li>Create a domain user that will be mapped to the service name used by the
   Tomcat server. In this how-to, this user is called <code>tc01</code> and has 
a
   password of <code>tc01pass</code>.</li>
+  <li>Enable AES256 encryption for this user (via Active Directory Users and
+      Computers)</li>
   <li>Map the service principal name (SPN) to the user account. SPNs take the
   form <code>
   &lt;service class&gt;/&lt;host&gt;:&lt;port&gt;/&lt;service name&gt;</code>.
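Review bot: the new list item should name the actual control so readers can find it: in Active Directory Users and Computers it is the "This account supports Kerberos AES 256 bit encryption" checkbox under Account options on the user's Account tab (it sets the account's msDS-SupportedEncryptionTypes attribute). It should also say that this has to be done before the ktpass step below, because the encryption type enabled on the account and the `/crypto AES256-SHA1` value passed to ktpass need to agree; otherwise the KDC can issue service tickets encrypted with a key that is not in the keytab and the SPNEGO handshake fails. The new item is also missing the trailing full stop that the neighbouring items have.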
@@ -109,9 +111,12 @@ policy had to be relaxed. This is not recommended for 
production environments.
   itself to the domain controller. This file contains the Tomcat private key 
for
   the service provider account and should be protected accordingly. To generate
   the file, run the following command (all on a single line):
-  <source>ktpass /out c:\tomcat.keytab /mapuser [email protected]
+  <source>ktpass /out c:\tomcat.keytab
+          /mapuser [email protected]
           /princ HTTP/[email protected]
-          /pass tc01pass /kvno 0</source></li>
+          /pass tc01pass
+          /kvno 0
+          /crypto AES256-SHA1</source></li>
   <li>Create a domain user to be used on the client. In this how-to the domain
   user is <code>test</code> with a password of <code>testpass</code>.</li>
   </ul>
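Review bot: the "(all on a single line)" instruction in the unchanged sentence above matters more now that the `<source>` block is split over six lines; consider either keeping the command on one line or stating that the breaks are for readability only (cmd.exe accepts `^` as a continuation character if you want it to be copy-pasteable). Two caveats belong next to `/crypto AES256-SHA1`: ktpass with `/pass` resets the account password at the same time as it writes the keytab, and the resulting keytab contains only the AES256 key, so AES256 must stay enabled on the account (previous step) or the KDC may choose an enctype the keytab cannot decrypt. While editing this paragraph, "the Tomcat private key" is inaccurate; a keytab holds the service account's long-term Kerberos key, which is a shared symmetric secret, and the advice to protect it stands unchanged.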
@@ -135,8 +140,9 @@ policy had to be relaxed. This is not recommended for 
production environments.
   contained:<source>[libdefaults]
 default_realm = DEV.LOCAL
 default_keytab_name = 
FILE:c:\apache-tomcat-<version-major-minor/>.x\conf\tomcat.keytab
-default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
-default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
+default_tkt_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
+default_tgs_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
+permitted_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
 forwardable=true
 
 [realms]
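Review bot: adding `permitted_enctypes` is the right hardening here: `default_tkt_enctypes` and `default_tgs_enctypes` only control which enctypes the client asks for, while `permitted_enctypes` is what the library will accept in tickets and session keys, so an RC4-encrypted ticket is now rejected instead of silently accepted. Two follow-ups: the text should say these settings only govern the Tomcat (JGSS) side, and the domain controllers also need RC4-HMAC disabled in their Kerberos policy for the change to be effective end to end; and the krb5.conf example in the "Tomcat instance (Linux server)" subsection below is not touched by this diff, so it should be checked for the same rc4-hmac entries and given the same `permitted_enctypes` line.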
@@ -182,7 +188,8 @@ com.sun.security.jgss.krb5.accept {
   may be used that will simply return a Principal based on the authenticated
   user name that does not have any roles.</p>
   <p>The above steps have been tested on a Tomcat server running Windows Server
-  2019 Standard with AdoptOpenJDK 8u232-b09 (64-bit).</p>
+  2019 Standard with Temurin Java versions 8u482-b08, 11.0.31+11, 17.0.18+8,
+  21.0.11+10 and 25.0.3+9 (all 64-bit).</p>
   </subsection>
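Review bot: minor style point, "Temurin Java versions" would be clearer as "Eclipse Temurin JDK versions". Since the page now states that Windows is removing RC4-HMAC, it would also help to record the Windows Server 2019 update level that was tested alongside the JDK versions, because which enctypes the KDC offers depends on the update level as much as on the Java release.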
 
   <subsection name="Tomcat instance (Linux server)">


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
