Greetings, I could use some help with getting tomcat to use Kerberos against Active Directory.
I have been using Ethereal to sniff the packets going back and forth from tomcat and I verified that with a normal server.xml entry (remove the authentication attribute keyword from below), it uses 'simple' authentication (clear text passwords). Now the above works just fine but now I'm trying to take it to the next level and I found (jdk-1_5_0-doc.zip\docs\guide\jndi\jndi-ldap.html) specifies that there are the following values:

- EXTERNAL (RFC 2222). This mechanism obtains authentication information from an external source (such as SSL/TLS or IPsec).
- DIGEST-MD5 (RFC 2831) is for Digest Authentication.
- GSSAPI (RFC 2222) is for Kerberos V5 authentication.

------

I wish to use GSSAPI to talk with Active Directory so I set up my server.xml with the following:

    <Realm className="org.apache.catalina.realm.JNDIRealm"
           debug="4"
           authentication="GSSAPI"
           connectionName="CN=Klotz\, Dennis,OU=myou,DC=company,DC=com"
           connectionPassword="myPassword"
           connectionURL="ldap://10.16.0.xx:389"
           alternateURL="ldap://10.16.0.xx:389"
           userBase="OU=myou,DC=company,DC=com"
           userSearch="(sAMAccountName={0})"
           userSubtree="true"
           userRoleName="memberOf" />

And now I get a different type of error from Catalina.out:

    Oct 28, 2005 2:28:47 PM org.apache.catalina.core.StandardHost start
    INFO: XML validation disabled
    GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos Ticket)
        at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:133)
    .....

At least the GSSAPI is being recognized! Yes !!

------

My next step was talking with IT; they suggested a c:\winnt\krb5.ini with the following:

    [libdefaults]
    default_realm = COMPANY.COM
    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc

    [realms]
    COMPANY.COM = {
        kdc = addy.mycompany.com:88
        admin_server = addy.mycompany.com:88
        kpasswd_server = addy.mycompany.com:464
        default_domain = COMPANY.COM
    }

And that I then execute:

    $ kinit DKlotz
    Password for [EMAIL PROTECTED]:mypassword
    New ticket is stored in cache file C:\Documents and Settings\DKlotz\krb5cc_dklotz

------

But as you can see from the tomcat error log, something is still missing. Do I need to move the cache file or do other commands so that the code within ldap.jar can use it? At this time tomcat never tries connecting to the LDAP server as it can't get out of the starting gate. I've got something wrong / missing from the Kerberos setup.

Any help is greatly appreciated!!

-Dennis Klotz
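Added example, not part of Dennis's post and not Tomcat or JDK code: a standalone Java program that performs the same SASL/GSSAPI bind the JNDIRealm attempts, but supplies the piece the post is missing. The JDK's JGSS provider does not read the kinit cache file on its own; it looks for Kerberos credentials in a JAAS Subject, so a Krb5LoginModule login with useTicketCache=true must run first and the LDAP calls must execute inside Subject.doAs. The LDAP URL, user base, account name and cache path below are placeholders (the realm details are assumed to come from the krb5.ini already in place).

```java
import java.io.File;
import java.io.FileWriter;
import java.io.PrintWriter;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Example only: GSSAPI (Kerberos) LDAP bind from Java using a ticket obtained with kinit. */
public class KerberosLdapBind {

    // Entry name the JDK's JGSS provider itself looks up when
    // -Djavax.security.auth.useSubjectCredsOnly=false is set and no Subject is on
    // the call stack; using it lets the same config file serve Tomcat too.
    static final String JAAS_ENTRY = "com.sun.security.jgss.initiate";

    // Placeholder: the cache file kinit reported. If ticketCache is omitted,
    // Krb5LoginModule defaults to {user.home}/krb5cc_{user.name}.
    static final String TICKET_CACHE = "C:/Documents and Settings/DKlotz/krb5cc_dklotz";

    /** Writes a JAAS login configuration that takes the TGT from the ticket cache. */
    static File writeJaasConfig() throws Exception {
        File f = File.createTempFile("krb5-login", ".conf");
        f.deleteOnExit();
        PrintWriter out = new PrintWriter(new FileWriter(f));
        out.println(JAAS_ENTRY + " {");
        out.println("  com.sun.security.auth.module.Krb5LoginModule required");
        out.println("    useTicketCache=true");
        out.println("    ticketCache=\"" + TICKET_CACHE + "\"");
        out.println("    doNotPrompt=true;"); // fail instead of prompting when no ticket exists
        out.println("};");
        out.close();
        return f;
    }

    /** Searches for one account under a Kerberos-authenticated SASL/GSSAPI bind; returns the hit count. */
    static int searchUser(final String ldapUrl, final String userBase, final String sAMAccountName)
            throws Exception {
        System.setProperty("java.security.auth.login.config", writeJaasConfig().getPath());
        // The JDK reads %SYSTEMROOT%\krb5.ini on Windows by default; point it elsewhere if needed:
        // System.setProperty("java.security.krb5.conf", "C:/winnt/krb5.ini");

        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login(); // LoginException here means the cache is missing, expired or unreadable
        Subject subject = lc.getSubject();

        // JGSS finds the Kerberos credentials through the Subject bound to the current
        // access-control context. Skipping this step is what produces
        // "Failed to find any Kerberos Ticket" even though kinit succeeded.
        return Subject.doAs(subject, new PrivilegedExceptionAction<Integer>() {
            public Integer run() throws Exception {
                Hashtable<String, String> env = new Hashtable<String, String>();
                env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                env.put(Context.PROVIDER_URL, ldapUrl);
                env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
                // Ask for integrity and confidentiality so the searches after the bind are
                // sealed as well, not only the bind itself (AD supports this with GSSAPI).
                env.put("javax.security.sasl.qop", "auth-conf");

                DirContext ctx = new InitialDirContext(env);
                try {
                    SearchControls sc = new SearchControls();
                    sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
                    sc.setReturningAttributes(new String[] { "memberOf" });
                    NamingEnumeration<SearchResult> results = ctx.search(
                            userBase, "(sAMAccountName={0})", new Object[] { sAMAccountName }, sc);
                    int n = 0;
                    while (results.hasMore()) {
                        SearchResult r = results.next();
                        System.out.println(r.getNameInNamespace() + " -> " + r.getAttributes().get("memberOf"));
                        n++;
                    }
                    return n;
                } finally {
                    ctx.close();
                }
            }
        });
    }

    public static void main(String[] args) {
        try {
            int n = searchUser("ldap://dc.company.example:389", "OU=myou,DC=company,DC=com", "DKlotz");
            System.out.println(n + " matching entr" + (n == 1 ? "y" : "ies"));
        } catch (LoginException e) {
            System.err.println("JAAS login failed (no usable ticket in the cache?): " + e.getMessage());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```

Tomcat's JNDIRealm never calls Subject.doAs itself, so for the realm the equivalent is to keep the same JAAS file and start the JVM with -Djava.security.auth.login.config=<that file> -Djavax.security.auth.useSubjectCredsOnly=false, which makes JGSS perform the com.sun.security.jgss.initiate login on its own (newer JDKs look for com.sun.security.jgss.krb5.initiate first and fall back to this name). Two caveats for anyone reusing the krb5.ini above today: the des-cbc-crc enctypes are disabled by default in current JDKs and in Active Directory since Windows Server 2008 R2, so aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 are the working choices; and a ticket cache populated by kinit expires, so a long-running realm is better served by a keytab (useKeyTab=true, keyTab=..., principal=...) than by a ticket file someone has to refresh.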