problem in getting remote user

Jul 14, 2010 at 2:44 PM

Hi,

I have configured the steps. While accessing the app in the IE browser locally (http://localhost:8080/sso) it works fine. But when opening it on another system (http://servername:8080/sso) it pops up for username and password. Why? I have granted the role name everyone...

Coordinator
Jul 14, 2010 at 4:12 PM
Is your server a member of an Active Directory domain? Is the account of the remote user also defined in the same Active Directory forest as your server?
Did you test with the dll, jna or negoserver?

Dominique Guerin


Jul 15, 2010 at 7:20 AM

Yes, both the servers and the users are in the same Active Directory domain.

I have tested with the dll, not jna and negoserver.

My steps:

1. I copied the dll in CATALINA_HOME/bin

2. Copied the frdoumesppitc6.jar in CATALINA_HOME/lib

3. Copied the authbysspi example to CATALINA_HOME/webapps

4. Tomcat started via command window (startup.bat)

Issues:

Worked on the local server without prompting the authentication window. But another machine prompts the authentication window.

Thanks

Babu

Coordinator
Jul 15, 2010 at 7:56 AM
Hello,
Is Tomcat running as a service?
The client does not know the account used by the server. When the client uses http://servername:8080/sso, it searches for a service principal name HTTP/servername. By default, the accounts of the computers have a service principal name HOST/servername and the KDC, if there is no service principal name HTTP/servername, sends a ticket to the client, encrypted with the session key of the account of the computer.
When Tomcat is running as a service with the account SYSTEM or Network Service, on the network it is running with the account of the computer. So it can decrypt the ticket sent by the client. Otherwise, it cannot decrypt the ticket.
So, if you do not define a service principal name in Active Directory, Tomcat MUST be running as a service with SYSTEM or Network Service.
Network Service is not an administrator. To use this account, you must give permissions to this account:
RX to the directories tomcat/bin and tomcat/lib, and Modify to the directories and subdirectories tomcat/conf, tomcat/logs, tomcat/webapps and tomcat/work.
You launch Tomcat on the command line with startup.bat or catalina.bat only for tests, and the client uses http://addressoftheserver:8080/sso. In this case, NTLM is used, not Kerberos.


Dominique Guerin

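The checks and permissions Dominique describes above, written up as an added PowerShell example (not code from the thread or from the project): it lists the SPNs held by the computer account, checks whether an HTTP/servername SPN already exists in the domain, and grants Network Service the directory rights he lists before service.bat installs the service. CATALINA_HOME, the service account name and the domain are assumptions; adjust them for your server.

```powershell
# Added example, not from the thread. Run in an elevated prompt on the Tomcat server.
$CatalinaHome = 'C:\tomcat'          # assumption: where Tomcat is installed
$ServerName   = $env:COMPUTERNAME    # short host name clients type in the URL
$Domain       = $env:USERDNSDOMAIN   # e.g. CORP.EXAMPLE.COM (placeholder)

# 1. Which SPNs does the computer account own? A newly joined machine has only
#    HOST/<name> and HOST/<fqdn>. If no HTTP/<name> exists anywhere, the KDC issues
#    the HTTP/servername ticket against the computer account, which only a service
#    running as SYSTEM or Network Service can decrypt (the point made above).
Write-Host "SPNs registered on $ServerName`$:"
setspn -L "$ServerName$"

# 2. Is HTTP/servername already registered to some other account? A duplicate SPN
#    in the forest breaks Kerberos for that name, so check before adding one.
$dup = setspn -Q "HTTP/$ServerName" | Select-String 'Existing SPN found'
if ($dup) {
    Write-Warning "HTTP/$ServerName is already registered; do not add a second copy."
}

# Only if Tomcat will NOT run as SYSTEM / Network Service: register the HTTP/ SPNs
# on the dedicated service account instead (svc-tomcat is a placeholder name).
# setspn -S "HTTP/$ServerName" "$Domain\svc-tomcat"
# setspn -S "HTTP/$ServerName.$($Domain.ToLower())" "$Domain\svc-tomcat"

# 3. Rights for Network Service as listed in the post: RX on bin and lib,
#    Modify (inherited by subfolders and files) on conf, logs, webapps and work.
$ns = 'NT AUTHORITY\NETWORK SERVICE'
foreach ($d in 'bin', 'lib') {
    icacls (Join-Path $CatalinaHome $d) /grant "${ns}:(OI)(CI)RX"
}
foreach ($d in 'conf', 'logs', 'webapps', 'work') {
    icacls (Join-Path $CatalinaHome $d) /grant "${ns}:(OI)(CI)M"
}

# 4. Show the resulting ACL entries for Network Service on each directory.
foreach ($d in 'bin', 'lib', 'conf', 'logs', 'webapps', 'work') {
    Write-Host "--- $d"
    icacls (Join-Path $CatalinaHome $d) | Select-String 'NETWORK SERVICE'
}
```

After this, install the service with tomcat/bin/service.bat and set it to log on as Network Service; a client on another machine should then get a Kerberos ticket for HTTP/servername without a credential prompt.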

Coordinator
Jul 15, 2010 at 8:14 AM
Hello,
To sum up: with Tomcat launched with startup.bat, use the address of the server in the query. Install a Tomcat service with tomcat/bin/service.bat. The client can then use the address or the name of the server.
Dominique
Coordinator
Jul 15, 2010 at 10:01 AM
Hello,
When Tomcat is running on the same computer as the browser (IE or Firefox), with SPNEGO the browser always chooses NTLM, never Kerberos.
Dominique