This is an automated email from the ASF dual-hosted git repository.
markt-asf pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 2a1f7c321f Update Windows Authentication documentation
2a1f7c321f is described below
commit 2a1f7c321fdf473d2fce002bad0342b81c44173d
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Apr 29 13:47:02 2026 +0100
Update Windows Authentication documentation
---
webapps/docs/changelog.xml | 5 +++++
webapps/docs/windows-auth-howto.xml | 17 ++++++++++++-----
2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 92d45fb44f..c21512a0d9 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -145,6 +145,11 @@
ensure only one <code>ApplicationContext</code> instance is created.
(dsoumis)
</fix>
+ <fix>
+ Update the Windows authentication (kerberos) documentation to reflect
+ that both Java and Windows are removing / have removed support for
+ RC4-HMAC. The guide now uses AES256-SHA1. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
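Review bot: "kerberos" in the new changelog entry should be capitalised as "Kerberos", matching the how-to it describes; it would also help to spell out the enctype name once in the form the krb5.ini change uses (aes256-cts-hmac-sha1-96), since "AES256-SHA1" is ktpass's spelling and readers searching the changelog may only know the other.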
diff --git a/webapps/docs/windows-auth-howto.xml
b/webapps/docs/windows-auth-howto.xml
index 160bb0e43f..76ffee77b3 100644
--- a/webapps/docs/windows-auth-howto.xml
+++ b/webapps/docs/windows-auth-howto.xml
@@ -98,6 +98,8 @@ policy had to be relaxed. This is not recommended for
production environments.
<li>Create a domain user that will be mapped to the service name used by the
Tomcat server. In this how-to, this user is called <code>tc01</code> and has
a
password of <code>tc01pass</code>.</li>
+ <li>Enable AES256 encryption for this user (via Active Directory Users and
+ Computers)</li>
<li>Map the service principal name (SPN) to the user account. SPNs take the
form <code>
<service class>/<host>:<port>/<service name></code>.
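Review bot: the new list item "Enable AES256 encryption for this user (via Active Directory Users and Computers)" is missing the trailing full stop the sibling items have, and it should name the account option to enable so readers do not have to guess. A short clause on why this step exists (the keytab generated later with /crypto AES256-SHA1 will hold only an AES256 key, which the account must be allowed to use) would tie it to the ktpass step.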
@@ -109,9 +111,12 @@ policy had to be relaxed. This is not recommended for
production environments.
itself to the domain controller. This file contains the Tomcat private key
for
the service provider account and should be protected accordingly. To generate
the file, run the following command (all on a single line):
- <source>ktpass /out c:\tomcat.keytab /mapuser [email protected]
+ <source>ktpass /out c:\tomcat.keytab
+ /mapuser [email protected]
/princ HTTP/[email protected]
- /pass tc01pass /kvno 0</source></li>
+ /pass tc01pass
+ /kvno 0
+ /crypto AES256-SHA1</source></li>
<li>Create a domain user to be used on the client. In this how-to the domain
user is <code>test</code> with a password of <code>testpass</code>.</li>
</ul>
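Review bot: with /crypto AES256-SHA1 the generated keytab holds only an AES256 key, so the text after the command should mention that an encryption-type error during authentication at this point usually means the account option from the earlier step was not enabled. Now that the <source> block is split across several lines, the "(all on a single line)" remark in the preceding sentence is doing real work and should stay right next to the command.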
@@ -135,8 +140,9 @@ policy had to be relaxed. This is not recommended for
production environments.
contained:<source>[libdefaults]
default_realm = DEV.LOCAL
default_keytab_name =
FILE:c:\apache-tomcat-<version-major-minor/>.x\conf\tomcat.keytab
-default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
-default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
+default_tkt_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
+default_tgs_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
+permitted_enctypes = aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true
[realms]
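Review bot: the new permitted_enctypes line completes the removal of rc4-hmac, but the surrounding text should say what readers will observe if the domain still issues only RC4 tickets (account option not set, or a KDC not configured for AES): with rc4-hmac gone from default_tkt_enctypes and default_tgs_enctypes the Java side rejects the ticket with an encryption-type error rather than falling back. A one-line note that these three settings must agree with the ktpass /crypto value would also help.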
@@ -182,7 +188,8 @@ com.sun.security.jgss.krb5.accept {
may be used that will simply return a Principal based on the authenticated
user name that does not have any roles.</p>
<p>The above steps have been tested on a Tomcat server running Windows Server
- 2019 Standard with AdoptOpenJDK 8u232-b09 (64-bit).</p>
+ 2019 Standard with Temurin Java versions 8u482-b08, 11.0.31+11, 17.0.18+8,
+ 21.0.11+10 and 25.0.3+9 (all 64-bit).</p>
</subsection>
<subsection name="Tomcat instance (Linux server)">
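Review bot: the tested-platforms sentence now lists five Temurin releases but still names Windows Server 2019 as the only server version, while the changelog entry says Windows itself is removing RC4-HMAC; if the steps were also run on a newer Windows Server where RC4 is disabled by default, it is worth stating so here, since that is the configuration this change is meant to address.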