Links User Guide Reference Apache Tomcat Development | Windows Authentication How-ToOverview |
Integrated Windows authentication is most frequently used within intranet
environments since it requires that the server performing the authentication and
the user being authenticated are part of the same domain. For the user to be
authenticated automatically, the client machine used by the user must also be
part of the domain.
There are several options for implementing integrated Windows authentication
with Apache Tomcat. They are:
- Built-in Tomcat support.
- Use a third party library such as Waffle.
- Use a reverse proxy that supports Windows authentication to perform the
authentication step such as IIS or httpd.
The configuration of each of these options is discussed in the following
sections.
|
Built-in Tomcat support |
This is a work in progress. There are a number of outstanding
questions that require further testing. These include:
- Does the domain name have to be in upper case?
- Does the SPN have to start with HTTP/...?
- Can a port number be appended to the end of the host in the SPN?
- Can the domain be left off the user in the ktpass command?
- What are the limitations on the account that Tomcat can run as? SPN
associated account works, domain admin works, local admin doesn't
work
There are four components to the configuration of the built-in Tomcat
support for Windows authentication. The domain controller, the server hosting
Tomcat, the web application wishing to use Windows authentication and the client
machine. The following sections describe the configuration required for each
component.
The names of the three machines used in the configuration examples below are
win-dc01.dev.local (the domain controller), win-tc01.dev.local (the Tomcat
instance) and win-pc01.dev.local (client). All are members of the DEV.LOCAL
domain.
Note: In order to use the passwords in the steps below, the domain password
policy had to be relaxed. This is not recommended for production environments.
Web application |
The web application needs to be configured to the use Tomcat specific
authentication method of SPNEGO (rather than BASIC etc.) in
web.xml. As with the other authenticators, behaviour can be customised by
explicitly configuring the
authentication valve and setting attributes on the Valve.
|
Client |
The client must be configured to use Kerberos authentication. For Internet
Explorer this means making sure that the Tomcat instance is in the "Local
intranet" security domain and that it is configured (Tools > Internet
Options > Advanced) with integrated Windows authentication enabled. Note that
this will not work if you use the same machine for the client
and the Tomcat instance as Internet Explorer will use the unsupported NTLM
protocol.
|
|
Third party libraries |
Waffle |
Full details of this solution can be found through the
Waffle site. The key features are:
- Drop-in solution
- Simple configuration (no JAAS or Kerberos keytab configuration required)
- Uses a native library
|
|
Reverse proxies |
Microsoft IIS |
There are three steps to configuring IIS to provide Windows authentication.
They are:
- Configure IIS as a reverse proxy for Tomcat (see the
IIS Web Server How-To).
- Configure IIS to use Windows authentication
- Configure Tomcat to use the authentication user information from IIS by
setting the tomcatAuthentication attribute on the
AJP connector to
false .
|
Apache httpd |
Apache httpd does not support Windows authentication out of the box but
there are a number of third-party modules that can be used. These include:
- mod_auth_sspi
for use on Windows platforms.
-
mod_auth_ntlm_winbind for non-Windows platforms. Known to work with httpd
2.0.x on 32-bit platforms. Some users have reported stability issues with both
httpd 2.2.x builds and 64-bit Linux builds.
There are three steps to configuring httpd to provide Windows
authentication. They are:
- Configure httpd as a reverse proxy for Tomcat (see the
Apache httpd Web Server How-To).
- Configure httpd to use Windows authentication
- Configure Tomcat to use the authentication user information from httpd by
setting the tomcatAuthentication attribute on the
AJP connector to
false .
|
|
|