Just to make the picture complete, it can also be done with Apache + 
mod_auth_kerb + mod_jk. It does require some steps and the most tricky one is 
getting a proper Kerberos Service key from MS ADS. We've done it, so it is not 
really a big deal. However, people tend to state that TC is as good at serving 
static content as Apache and that eliminating one link in the server chain 
reduces complexity. Which is true. And which is why we need a proper Kerberos 
realm for these setups.

Nix.




________________________________
From: George Sexton <geor...@mhsoftware.com>
To: Tomcat Users List <users@tomcat.apache.org>
Sent: Monday, September 14, 2009 7:47:48 PM
Subject: RE: Windwos Integrated Authentication using AD and Tomcat (no prompt 
to the users)

If you're fronting Tomcat w/ IIS using the ISAPI redirector, then this can
be done. Here's a link to the instructions for our product that describe how
to do it.

http://www.mhsoftware.com/caldemo/manual/en/pageFinder.html?page=895.htm

Essentially, following steps 2-4 will cause the
HttpServletRequest.getRemoteUser() to return the Windows User name
(SAMAccountName).


George Sexton
MH Software, Inc.
http://www.mhsoftware.com/
Voice: 303 438 9585


> -----Original Message-----
> From: Nikola Milutinovic [mailto:alok...@yahoo.com]
> Sent: Monday, September 14, 2009 11:26 AM
> To: Tomcat Users List; Tomcat Users List
> Subject: Re: Windwos Integrated Authentication using AD and Tomcat (no
> prompt to the users)
> 
> There is also a module from Quest Software, using Kerberos
> authentication, but it costs mega $.
> 
> Has anyone considered writing a TC realm for Kerberos?
> 
> Before MS ADS came into popular use, Kerberos was a rare beast, but now
> it is more present. And it is much better than NTLM, which is why MS
> started using it. Just think about it - NTLM sucked so badly that the
> great Behemoth, Microsoft, decided to use an open standard solution.
> 
> Nix.
> 
> 
> 
> 
> ________________________________
> From: André Warnier <a...@ice-sa.com>
> To: Tomcat Users List <users@tomcat.apache.org>
> Sent: Sunday, September 13, 2009 1:33:16 PM
> Subject: Re: Windwos Integrated Authentication using AD and Tomcat (no
> prompt to the users)
> 
> To Martin, Steve and others :
> 
> Samba's JCIFS works fine, but only for NTLMv1 authentication.
> (It is also no longer maintained, see http://jcifs.samba.org.)
> It does NOT work for NTLMv2 authentication, which is fast becoming the
> norm, and the default from Vista onwards.
> Jespa works with NTLMv2, and is free for up to 25 users.
> 
> I have no shares in ioplex or Jespa.
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
> 
> 


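A sketch of the Apache + mod_auth_kerb + mod_jk arrangement mentioned in the top message, added here as an example and not taken from any poster's configuration. The realm, host name, keytab path, URL prefix and worker name are placeholders.

```apache
# Added example; EXAMPLE.LOCAL, web.example.local, /app, the keytab path
# and the worker name "tomcat1" are placeholders, not values from the thread.
LoadModule auth_kerb_module modules/mod_auth_kerb.so
LoadModule jk_module        modules/mod_jk.so

# mod_jk worker defined inline. AJP stays on loopback so that only this
# Apache instance can reach the connector that trusts its user name.
JkWorkerProperty worker.list=tomcat1
JkWorkerProperty worker.tomcat1.type=ajp13
JkWorkerProperty worker.tomcat1.host=127.0.0.1
JkWorkerProperty worker.tomcat1.port=8009
JkMount /app/* tomcat1

<Location /app>
    AuthType Kerberos
    AuthName "Intranet SSO"

    # Kerberos realm = AD domain name in upper case.
    KrbAuthRealms EXAMPLE.LOCAL

    # Service key exported from AD for HTTP/web.example.local@EXAMPLE.LOCAL.
    # Keep the file readable only by the account Apache runs as.
    KrbServiceName HTTP
    Krb5KeyTab /etc/httpd/conf/http.keytab

    # SPNEGO ticket exchange: domain-joined browsers are not prompted.
    KrbMethodNegotiate On

    # Weak setting would be "On": Apache then falls back to Basic auth and
    # collects the AD password itself. Off refuses anything but a ticket.
    KrbMethodK5Passwd Off

    # Check the KDC's reply against the keytab to resist a spoofed KDC.
    KrbVerifyKDC On

    # Strip "@EXAMPLE.LOCAL" so REMOTE_USER is the bare account name.
    KrbLocalUserMapping On

    Require valid-user
</Location>

# Tomcat side (server.xml), shown here as a comment: accept the user name
# authenticated by Apache and listen for AJP on loopback only.
#   <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
#              tomcatAuthentication="false" />
```

With `tomcatAuthentication="false"` Tomcat takes the user name from whatever speaks AJP to it, so the connector must not be reachable from any host other than the authenticating front end.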