Parameters for tomcatspnego

Coordinator
Jan 2, 2012 at 5:11 PM
Edited Sep 26, 2012 at 6:10 AM

Parameters for JNA, TCP (Windows service Negoserver) and CLI (JVM and CLR in the same process)

timelifemaprolesintosids (in ms)
Default = -1 (infinite)
The names of the Tomcat roles (defined in web.xml) are translated into SIDs, so the server does not need to send a request to a KDC if Kerberos is used.
If a group is deleted and rebuilt, its SID is not the same, so you may want to give the mapping a lifetime: 1 hour = 3600000 ms and 1 day = 86400000 ms.

onlyntlm
Not recommended. Uses a very old version of NTLM.

usernamewithoutdomainasprefix
If you do not define this parameter, the user name is NAMEOFTHEDOMAIN\samaccountname. If you define it, the user name is samaccountname.

nogroupsinad
Windows groups are not used, so you must use a Realm. An example is given in the directory explWithoutWinGroup.

commonrole
If you define this parameter with a value, that value is added as a role to all authenticated users.

choiceoftheaccount
By default, if the authentication fails, SSPAuthenticator sends the header WWW-Authenticate.
With this parameter, it sends WWW-Authenticate: Negotiate, so the browser displays a form to choose another account.

realmsandwindowsgroups
You must define a Realm which is not WindowsRealm.
Both the Windows groups and the groups defined in this Realm will be used.

bindauthenticationtotcpconnection
Used only with NTLM. With NTLM there are two exchanges between the server and the client. The link between the client and the server is kept in a dictionary keyed by the remote address and remote port of the client.
If this parameter is not defined, the link is kept in a session.

nocreatesessionafterauthentication
The authentication information is not stored in a session, so if you send the same request again, another authentication is required.

onlykerberos
NTLM is refused. Remark: if the server and the client are on the same machine, you cannot be authenticated (a problem for programmers testing locally).

timeoutntlmauthentication
The default value is 17 s. This parameter is only used together with bindauthenticationtotcpconnection.
The value must be between 17 s and 120 s.

loginauthenticationwithoutad
Login/password uses the Realm defined in context.xml. Do not use WindowsRealm. Do not use nogroupsinad nor realmsandwindowsgroups.
Use this parameter as a fallback for users who are not defined in Active Directory.

spnegoandntlm
The user can use SPNEGO (Kerberos or NTLMv2) or NTLM (added in trunk-02062012).
The server sends two headers:
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

With TCP you also have these parameters:

serveraddress
Name or address of the server running Negoserver. By default localhost.

port
Port used by Negoserver. By default 21000.


truststorepath and truststorepassword
These two parameters are required only when SSL is used between Tomcat and the Windows service.
For instance:
<Parameter name="truststorepath" value="C:\Users\minou\Downloads\makecert\trust_w543118a.jks" override="false" />
<Parameter name="truststorepassword" value="changeit" override="false" />
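The following context.xml fragment is an added example, not from the project's own documentation. It assumes that SSPAuthenticator reads every parameter listed above as a <Parameter> entry under <Context>, exactly as the truststore example shows, and that a flag which only needs to be "defined" can be given value="true" (an assumption; the page does not state the value). The paths, password and role name are placeholders.

```xml
<Context>
  <!-- Re-translate role names to SIDs every hour (3600000 ms) so that a
       deleted and rebuilt group, which gets a new SID, is picked up;
       the default of -1 never refreshes the mapping -->
  <Parameter name="timelifemaprolesintosids" value="3600000" override="false" />

  <!-- Refuse NTLM and accept Kerberos only; remember that a client on the
       same machine as the server cannot authenticate in this mode -->
  <Parameter name="onlykerberos" value="true" override="false" />

  <!-- Role granted to every authenticated user (placeholder role name) -->
  <Parameter name="commonrole" value="authenticated-users" override="false" />

  <!-- TCP mode: where the Negoserver Windows service listens -->
  <Parameter name="serveraddress" value="localhost" override="false" />
  <Parameter name="port" value="21000" override="false" />

  <!-- Only needed when SSL is used between Tomcat and Negoserver;
       path and password are placeholders to replace -->
  <Parameter name="truststorepath" value="C:\PATH\TO\truststore.jks" override="false" />
  <Parameter name="truststorepassword" value="CHANGE_ME" override="false" />
</Context>
```

The example deliberately does not combine onlykerberos with bindauthenticationtotcpconnection or timeoutntlmauthentication: those two only apply to NTLM, which onlykerberos refuses.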


The parameters of Negoserver are:

ipaddress (by default any address)

port (by default 21000)

numberthreadsinpool (by default min(8, number of cores))

sslservername (used if you use SSL between Negoserver and Tomcat)

storelocation_currentuser (by default not set)
Used with SSL. Certificate store of the server certificate. When not set, the LocalMachine store is used.

onlykerberos
NTLM is refused

with_login_password (by default not set; if not set, login/password is impossible)
This parameter is already set in the file Negoserver.exe.config.

initial_size_poolofstreamsforloginpassword_divided_by_nb_threads
By default 2, so with the default of 8 threads the pool has 8*2 streams.