Thanks Allistair. 

Your blog was very interesting; I had in fact already found it. I think we
should probably upgrade here, so I will be sure to read it when we do.

Since posting this query I have in fact found a fix, typical! I explored the
contents of the Authorisation header and noted that rather than the auth
String starting with 'NTLM' it starts with 'Negotiate' in the scenarios that
didn't work! The encoded Domain and Username were still there, so I just
retrieved them as well.

Thanks for your reply

Regards
Sue 

-----Original Message-----
From: Allistair Crossley [mailto:[EMAIL PROTECTED] 
Sent: 27 January 2005 11:30
To: Tomcat Users List
Subject: RE: IIS, Tomcat and NTLM Authentication

Sorry! Just noticed you are not moving to TC 5. Perhaps this does not solve
your problem after all.

> -----Original Message-----
> From: Allistair Crossley 
> Sent: 27 January 2005 11:28
> To: Tomcat Users List
> Subject: RE: IIS, Tomcat and NTLM Authentication
> 
> 
> Hi,
> 
> Sounds like you need to set tomcatAuthentication="false" for JK.
> 
> Have a look at my blog on upgrading issues here
> 
> http://www.adcworks.com/blog/
> 
> Allistair.
> 
> > -----Original Message-----
> > From: Sue Roe [mailto:[EMAIL PROTECTED]
> > Sent: 27 January 2005 11:09
> > To: [EMAIL PROTECTED] Apache. Org (tomcat-user@jakarta.apache.org)
> > Subject: IIS, Tomcat and NTLM Authentication
> > 
> > 
> > Hi
> > 
> > We have just upgraded our server software, running a Java application, as
> > follows:
> > 
> > From:
> > IIS 4, Tomcat 4.1 - both running on same server - NT4
> > 
> > To:
> > IIS 5, Tomcat 4.1 - both running on same server - Windows 2000
> > 
> > The application is to be available to all staff, either over the Intranet
> > or the Internet.
> > 
> > An issue has arisen with NTLM authentication. We extract a user's
> > domain\username details using NTLM Authentication; the code is listed at the
> > bottom of this e-mail. This mechanism worked 100% on the old configuration.
> > Unfortunately, with the IIS server upgrade and change in OS, the
> > authentication details do not seem to be being picked up in two scenarios.
> > 
> > 1.  IE 6, unless Enable Integrated Windows Authentication is disabled.
> >     We don't really want Browser settings to affect access.
> > 2.  IE 5! (We are trying to force client sites to upgrade to IE6, but
> >     still why does the NTLM Authentication break down here?)
> > 
> > The IIS settings are as follows:
> > 
> > Default Web Site:
> >     Anonymous Access - OFF
> >     Basic Authentication - ON
> >     Integrated Windows Authentication - ON
> > 
> > Jakarta Virtual Directory:
> >     Anonymous Access - ON
> >     Basic Authentication - ON
> >     Integrated Windows Authentication - ON
> > 
> > If anyone has had any similar experiences or knows of any other mechanism to
> > retrieve domain/username, it would be great to hear.
> > 
> > Thanks
> > 
> > Sue
> > 
> > 
> > Code to Extract domain/user Details
> > 
> > ***************************************************************************************
> > 
> > String auth = request.getHeader("Authorization");
> > if (auth == null) {
> >     // No credentials yet: ask the browser to start the NTLM handshake.
> >     response.setStatus(response.SC_UNAUTHORIZED);
> >     response.setHeader("WWW-Authenticate", "NTLM");
> >     return;
> > }
> > String domain = "";
> > String username = "";
> > if (auth.startsWith("NTLM ")) {
> >     byte[] msg = new sun.misc.BASE64Decoder().decodeBuffer(auth.substring(5));
> >     int off = 0, length, offset;
> >     if (msg[8] == 1) {
> >         // Type 1 (negotiate): reply with a fixed Type 2 (challenge) message.
> >         byte z = 0;
> >         byte[] msg1 = {(byte)'N', (byte)'T', (byte)'L', (byte)'M', (byte)'S', (byte)'S', (byte)'P',
> >             z, (byte)2, z, z, z, z, z, z, z, (byte)40, z, z, z,
> >             (byte)1, (byte)130, z, z, z, (byte)2, (byte)2,
> >             (byte)2, z, z, z, z, z, z, z, z, z, z, z, z};
> >         // encodeBuffer() appends a line terminator, which must not end up in the header.
> >         response.setHeader("WWW-Authenticate", "NTLM " +
> >             new sun.misc.BASE64Encoder().encodeBuffer(msg1).trim());
> >         response.sendError(response.SC_UNAUTHORIZED);
> >         return;
> >     } else if (msg[8] == 3) {
> >         // Type 3 (authenticate): the names are read as sent; the challenge
> >         // response itself is not checked here.
> >         // Java bytes are signed, so mask with 0xFF before combining them.
> >         off = 30;
> >         length = (msg[off+17] & 0xFF) * 256 + (msg[off+16] & 0xFF);
> >         offset = (msg[off+19] & 0xFF) * 256 + (msg[off+18] & 0xFF);
> >         String remoteHost = new String(msg, offset, length);
> >         length = (msg[off+1] & 0xFF) * 256 + (msg[off] & 0xFF);
> >         offset = (msg[off+3] & 0xFF) * 256 + (msg[off+2] & 0xFF);
> >         domain = new String(msg, offset, length);
> >         length = (msg[off+9] & 0xFF) * 256 + (msg[off+8] & 0xFF);
> >         offset = (msg[off+11] & 0xFF) * 256 + (msg[off+10] & 0xFF);
> >         username = new String(msg, offset, length);
> >         String employeeNTLogin = domain + "\\" + username;
> >         context.log("User NT Login: " + employeeNTLogin + ":: " +
> >             new Date(System.currentTimeMillis()));
> >         session.setAttribute(Constants.DATABASE,
> >             context.getAttribute(Constants.DATABASE));
> >         Employee userEmployee = null;
> >         // 1. Get Employee Object for NT Login of User & Roles
> >         try {
> >             userEmployee = myEmployeeDAO_Pool.getDetailsByNTLogin(employeeNTLogin);
> >         } catch (DAOException daoex) {
> >             // DAO failure is ignored; userEmployee stays null.
> >         }
> >         session.setAttribute(Constants.USER_EMPLOYEE, userEmployee);
> > 
> > etc etc
> > 
> > ***************************************************************************************
> > 
> > 
> > 
> > 
> **********************************************************************
> >    ***Disclaimer***
> > 
> > The contents of this Email may be privileged and are 
> > confidential. If you are not the intended recipient, any 
> > disclosure, copying, distribution or any action taken or 
> > omitted to be taken in reliance on it, is prohibited and may 
> > be unlawful.
> > 
> > Should you wish to use Email as a mode of communication, CMi 
> > plc and its subsidiaries are unable to guarantee the security 
> > of Email content outside of our own computer systems.
> > 
> > This footnote also confirms that this e-mail message has been 
> > swept by Mimesweeper for the presence of computer viruses. 
> > Whilst we run anti-virus software, you are solely responsible 
> > for ensuring that any  e-mail or attachment you receive is 
> > virus free. We disclaim any liability for any damage you 
> > suffer as a consequence of receiving any virus.
> > 
> > Checkmate International plc (CMi)
> > Registered in England No 1899857 
> > Registered Office  4th Floor, 35 New Bridge Street, London, EC4V 6BW
> > Head Office Tele + 44  (0) 1993 885600
> > Head Office Fax  + 44  (0) 1993 885603
> > Web Site :  www.cmi-plc.com
> > 
> **********************************************************************
> > 
> > 
> 
> 
> -------------------------------------------------------
> QAS Ltd.
> Developers of QuickAddress Software
> www.qas.com
> Registered in England: No 2582055
> Registered in Australia: No 082 851 474
> -------------------------------------------------------
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 
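
Added example, not part of the original e-mails: the fix described at the top of this thread (an Authorization value that begins with 'Negotiate' rather than 'NTLM' but still carries the encoded domain and username), written as a Java parser that accepts either scheme and reads the two fields with unsigned arithmetic and bounds checks. The class and method names are hypothetical, the sample token is constructed, and reading non-Unicode strings as US-ASCII is an assumption.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public class NtlmHeaderFields {                       // hypothetical name
    static final byte[] SIG = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
    // Little-endian unsigned reads; Java bytes are signed, so mask each one.
    static int u16(byte[] m, int i) { return (m[i] & 0xFF) | ((m[i + 1] & 0xFF) << 8); }
    static long u32(byte[] m, int i) { return u16(m, i) | ((long) u16(m, i + 2) << 16); }
    // One security buffer: length u16, allocated u16, offset u32.
    static String field(byte[] m, int at, Charset cs) {
        int len = u16(m, at);
        long off = u32(m, at + 4);
        if (off + len > m.length) throw new IllegalArgumentException("field outside message");
        return new String(m, (int) off, len, cs);
    }
    /** Returns {domain, user} from a Type 3 message, or null for anything else. */
    static String[] parse(String header) {
        String[] p = header == null ? new String[0] : header.trim().split("\\s+", 2);
        if (p.length != 2 || !(p[0].equalsIgnoreCase("NTLM") || p[0].equalsIgnoreCase("Negotiate")))
            return null;
        try {
            byte[] m = Base64.getDecoder().decode(p[1].trim());
            // A Negotiate token can also be SPNEGO or Kerberos; only raw NTLMSSP is read here.
            if (m.length < 64 || !Arrays.equals(Arrays.copyOf(m, 8), SIG) || u32(m, 8) != 3) return null;
            // Flag bit 0 = Unicode strings; otherwise OEM, assumed to be ASCII here.
            Charset cs = (u32(m, 60) & 1) != 0 ? StandardCharsets.UTF_16LE : StandardCharsets.US_ASCII;
            return new String[] { field(m, 28, cs), field(m, 36, cs) };
        } catch (IllegalArgumentException e) {
            return null;                              // bad Base64 or a field outside the message
        }
    }

    public static void main(String[] args) {          // constructed sample: domain "CORP", user "sue"
        byte[] d = "CORP".getBytes(StandardCharsets.UTF_16LE), u = "sue".getBytes(StandardCharsets.UTF_16LE);
        ByteBuffer b = ByteBuffer.allocate(64 + d.length + u.length).order(ByteOrder.LITTLE_ENDIAN);
        b.put(SIG).putInt(3).position(28);            // signature, message type 3, skip LM/NT buffers
        b.putShort((short) d.length).putShort((short) d.length).putInt(64);
        b.putShort((short) u.length).putShort((short) u.length).putInt(64 + d.length);
        b.position(60);
        b.putInt(1).put(d).put(u);                    // Unicode flag, then the two strings
        String token = Base64.getEncoder().encodeToString(b.array());
        for (String scheme : new String[] { "NTLM", "Negotiate" })
            System.out.println(scheme + " -> " + Arrays.toString(parse(scheme + " " + token)));
    }
}
```

The names returned are whatever the client placed in the token; nothing in this parser verifies the challenge response, so they identify a claimed account only.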
