Hi Scott

Active Directory uses Kerberos (V5, if I'm not mistaken) for authentication. As Active Directory also offers an LDAP service, you can of course also authenticate using LDAP. As far as I know, the realms provided by Shiro hook up to the Active Directory LDAP service. Therefore the credentials that the user obtained when logging onto the computer are not available.

I therefore guess that you want to "kerberize" your application, which will give you the benefit of SSO (not only Web-SSO), or as Microsoft calls it "Integrated Windows Authentication" (IIRC).

If you are developing a client application for the JVM, you'll need to obtain the TGT from the ticket cache. I suggest searching the web for combinations of the keywords "SPNEGO", "GSSAPI", "kerberos", "TGT" (and "Java", of course).

If you want to kerberize a web application instead, I suggest you put your application server behind an Apache web server and kerberize the web server. There are Apache httpd modules available that do the heavy lifting for you. Your application server and Apache httpd will communicate using HTTP authentication mechanisms.

What might be even more appealing, if you have to do this for multiple web applications, is installing a single Web-SSO provider (e.g. CAS), kerberizing that, and hooking the web apps up to the Web-SSO provider.

I hope I could help you out a bit.

Cheers,
DJ
