Jul 30, 2009 at 4:39 PM
Edited Jul 31, 2009 at 5:33 AM
Did you download the file example0709.zip? It is very simple. It works. The configuration is full. Test it.
Tomcat can be on a computer from the domain, not necessarily a DC.
To use Kerberos, the client must known the account of the server. The account of your server Tomcat (XP for you) has a Service Principal Name. So, IE can find the account of your workstationon in AD. Tomcat must be running with the account SYSTEM,
or better, Network Service to use the account of your workstation.
And more, you must use the name of your server in the url and not the address ( XP, for you), otherwise IE can not find the account of your server.
These conditions are required to use Kerberos. Otherwise, you use NTLM.
You can use ADExplorer from sysinternal to explore Acitive Directory. You will find the attributes like nServicePrincipalName.
If you have some problems with the example, you can post again. I will respond.
if IE (or Firefox) is running on the same server as the server web (iis or tomcat)
1) you will never authenticated by kerberos (only ntlm)
2) you can have a form
Test: A domain AD test.net, a server 2003 (webserver2.test.net), tomlcat as a service (account SYSTEM), an other computer (clientspnego.test.net). If you use the addresse of the server, you will have a form, but if you use the name (webserver2 or webserver2.test.net)
there is no form and you will be authenticated by Kerberos code 200(or not: code 403).
If the server Tomcat is not a service, if you use the address, you will have a form. If you use the name of the server (webserver2 or webserver2.test.net), IE want to use Kerberos with the account of the server, but tomcat is not running with the account
SYSTEM or Network service, so IE can not respond.
In this case you will have the code 401.
To resolve this problem, you must configure IE:
You must configure the list of Web sites that are on your organization'intranet.
So, on IE, menu Tools/internet Options
Select local intranet
Add this Web site
If your organization use the private addresses 10.*.*.*.
you must add 10.*.*.*
With an drress like 10.12.34.56, IE do not send a form. NTLM is used.
If you use an another domain with a DNS BIND, you must add also the servers.
If, for instance, you use the domain AD test.net and a domain mycompany.com,
(with a configuration of the redirectors in the AD DNS), you can add *.mycompany.com
You can simulate this situation with the file %windir%\system32\drivers\etc\hosts.
If your server webserver2.test.net has another name like
you can use this name with IE, IE do not send a form, NTLM is used.
If your use the name AD webserver2 (or webserver2.test.net) in IE, Kerberos is required by IE.
So, if tomcat is running as a service with an account SYSTEM or Network Service, you will be authenticated by Kerberos.
But if tomcat is using another account (tomcat as a service or tomcat launched by the bat startup.bat), it does not work.
You have a code 401. IE can not respond: IE use a Service Principal Name and the account's tomcat is not the same.