A few problems of a new user

Jul 28, 2009 at 9:08 AM

Hello,

I've just found your project and I have high hopes it will help me solve my issues with Kerberos. Currently I am trying to run your test app and I have a few problems. But first I'll describe my test station:

  • Windows XP SP2
  • Microsoft Domain (Domain Controller on Win2003)
  • Tomcat is NOT running on the DC but on my Windows XP machine, which is joined to the domain

So here are my problems:

1) Automatic logon works only from a browser opened on my computer (where Tomcat runs). If I try it from another computer I get the login form, but Active Directory users and passwords don't work there. I have read your documentation a few times and I think I configured everything correctly. How can I make autologon work from all computers in the domain? When the form shows, the console prints this:

2009-07-28 09:56:15 fr.doume.authenticator.SSPAuthenticator broieoctets
FINE: Encore un cycle de broyage initSecContext/accptSecContext est nécessaire! [Another initSecContext/acceptSecContext cycle is needed!]
2009-07-28 09:56:15 fr.doume.authenticator.SSPAuthenticator getHeaderAuthorizationAndSetWWW_Authenticate
FINE: Sending response token: {}Negotiate oWkwZ6ADCgEBomAEXmBcBgkqhkiG9xIBAgIDAH5NMEugAwIBBaEDAgEepBEYDzIwMDkwNzI4MDc1NjE1WqUFAgMJm+2mAwIBKakIGwZRTlQuUEyqFjAUoAMCAQGhDTALGwlNTUFURUNLSSQ=
2009-07-28 09:56:15 fr.doume.authenticator.SSPAuthenticator authenticate
FINE: Authentification ni Failed ni Established: Necessite un autre aller-retour client-serveur [Authentication neither Failed nor Established: another client-server round trip is needed]

2) Is there a possibility to change the log language to English?

3) I'm not an expert in Kerberos or NTLM, and I'd like to ask whether there is any way to force the use of Kerberos or NTLM, or whether I should simply forget about that because the browser, Windows and Tomcat know better what should be used?

Thanks in advance for answering my questions.

Best regards,

Maciej Matecki


Coordinator
Jul 30, 2009 at 5:39 PM
Edited Jul 31, 2009 at 6:33 AM

Did you download the file example0709.zip? It is very simple. It works. The configuration is complete. Test it.

Tomcat can be on a computer from the domain, not necessarily a DC.

To use Kerberos, the client must know the account of the server. The account of your Tomcat server (XP, for you) has a Service Principal Name. So IE can find the account of your workstation in AD. Tomcat must be running under the SYSTEM account or, better, Network Service, in order to use the account of your workstation.

Moreover, you must use the name of your server in the URL and not its address (XP, for you); otherwise IE cannot find the account of your server.

These conditions are required to use Kerberos. Otherwise, you use NTLM.

You can use ADExplorer from Sysinternals to explore Active Directory. You will find attributes like servicePrincipalName.

If you have any problems with the example, you can post again. I will respond.

Best regards

Dominique Guerin 
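The question's log shows the server's reply as a base64 "Negotiate" token, and question 3 asks how to tell whether Kerberos or NTLM is actually in play. The decoder below is an added example written for this page; it is not code from the project or from either poster. It parses the SPNEGO wrapper (RFC 4178) and the Kerberos GSS token inside it (RFC 4121) just far enough to say which mechanism was used and, when the server answered with a KRB-ERROR, which error code and server principal it names. THREAD_TOKEN is copied verbatim from the "Sending response token" line above; the second input is a constructed client token (NTLM Type 1 inside SPNEGO) built by the script itself. Only the Python standard library is used; the OID values and error-code names are the standard ones.

```python
import base64

# Mechanism OIDs as DER content bytes -> name (standard values).
MECHS = {
    bytes.fromhex("2b0601050502"): "SPNEGO",           # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "KRB5",       # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "MS-KRB5",    # 1.2.840.48018.1.2.2
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",  # 1.3.6.1.4.1.311.2.2.10
}
OID = {name: raw for raw, name in MECHS.items()}
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
KRB_TOKEN_IDS = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "KRB-ERROR"}
KRB_ERRORS = {31: "KRB_AP_ERR_BAD_INTEGRITY", 32: "KRB_AP_ERR_TKT_EXPIRED",
              37: "KRB_AP_ERR_SKEW", 41: "KRB_AP_ERR_MODIFIED", 44: "KRB_AP_ERR_BADKEYVER"}
# Server token copied from the "Sending response token" line of the log in the question.
THREAD_TOKEN = ("Negotiate oWkwZ6ADCgEBomAEXmBcBgkqhkiG9xIBAgIDAH5NMEugAwIBBaEDAgEepBEYDzIwMDkwNzI4"
                "MDc1NjE1WqUFAgMJm+2mAwIBKakIGwZRTlQuUEyqFjAUoAMCAQGhDTALGwlNTUFURUNLSSQ=")

def _tlv(buf, pos):
    """Read one DER TLV (single-byte tag) at pos -> (tag, value_start, value_end, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length, pos + length

def _mech(buf, pos):  # OBJECT IDENTIFIER TLV -> (mechanism name or raw hex, next_pos)
    _, start, end, nxt = _tlv(buf, pos)
    return MECHS.get(buf[start:end], buf[start:end].hex()), nxt

def _krb_token(buf, pos):
    """Kerberos GSS inner token (RFC 4121 4.1): 2-byte token id, then the KRB message."""
    tid = buf[pos:pos + 2]
    info = {"krb_token": KRB_TOKEN_IDS.get(tid, tid.hex())}
    if tid != b"\x03\x00":
        return info                                     # AP-REQ / AP-REP: the ticket stays encrypted
    _, pos, _, _ = _tlv(buf, pos + 2)                   # KRB-ERROR ::= [APPLICATION 30] SEQUENCE {...}
    _, pos, seq_end, _ = _tlv(buf, pos)
    while pos < seq_end:
        tag, vs, _, pos = _tlv(buf, pos)                # context-tagged field ...
        _, cs, ce, _ = _tlv(buf, vs)                    # ... wrapping the real value
        if tag == 0xA6:                                 # error-code [6] INTEGER
            code = int.from_bytes(buf[cs:ce], "big", signed=True)
            info["error_code"], info["error_name"] = code, KRB_ERRORS.get(code, "?")
        elif tag == 0xAA:                               # sname [10] PrincipalName {[0] type, [1] names}
            _, ns, _, _ = _tlv(buf, _tlv(buf, cs)[3])   # skip name-type, enter name-string
            _, r, re_, _ = _tlv(buf, ns)                # SEQUENCE OF GeneralString
            names = []
            while r < re_:
                _, s, e, r = _tlv(buf, r)
                names.append(buf[s:e].decode())
            info["sname"] = "/".join(names)
    return info

def _classify(raw):  # a mechToken / responseToken: raw NTLMSSP, or a GSS InitialContextToken (0x60)
    if raw.startswith(b"NTLMSSP\x00"):
        return {"kind": "ntlm", "ntlm_type": int.from_bytes(raw[8:12], "little")}
    if raw[:1] != b"\x60":
        return {"kind": "unknown"}
    mech, pos = _mech(raw, _tlv(raw, 0)[1])
    if mech == "SPNEGO":                                # [0] NegTokenInit follows the OID
        return _spnego(raw, _tlv(raw, pos)[1], "spnego-init")
    if mech in ("KRB5", "MS-KRB5"):
        return {"kind": "kerberos", "mech": mech, **_krb_token(raw, pos)}
    return {"kind": "gss", "mech": mech}

def _spnego(buf, pos, kind):
    """Walk a NegTokenInit ([0] mechTypes, [2] mechToken) or NegTokenResp ([0] negState, [2] responseToken)."""
    _, pos, seq_end, _ = _tlv(buf, pos)                 # the SEQUENCE
    info = {"kind": kind}
    while pos < seq_end:
        tag, vs, ve, pos = _tlv(buf, pos)
        if tag == 0xA0 and kind == "spnego-init":       # mechTypes: OIDs in the client's preference order
            _, p, pe, _ = _tlv(buf, vs)
            info["mech_types"] = []
            while p < pe:
                name, p = _mech(buf, p)
                info["mech_types"].append(name)
        elif tag == 0xA0:                               # negState ENUMERATED
            info["neg_state"] = NEG_STATE.get(buf[ve - 1], buf[ve - 1])
        elif tag == 0xA2:                               # OCTET STRING carrying the mechanism token
            _, ts, te, _ = _tlv(buf, vs)
            info["token"] = _classify(buf[ts:te])
    return info

def decode_negotiate(header_value):
    """Decode the value of an 'Authorization:' or 'WWW-Authenticate:' Negotiate header."""
    raw = base64.b64decode(header_value.split()[-1])
    if raw[:1] == b"\xa1":                              # [1] NegTokenResp: a server-side token
        return _spnego(raw, _tlv(raw, 0)[1], "spnego-resp")
    return _classify(raw)

def _der(tag, content):  # minimal DER encoder (short-form lengths only), used for the sample below
    return bytes([tag, len(content)]) + content

def ntlm_inside_spnego_sample():
    """Constructed client token: SPNEGO offering only NTLMSSP, carrying an NTLM Type 1 message."""
    ntlm_type1 = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes.fromhex("07820800") + bytes(16)
    neg_init = _der(0x30, _der(0xA0, _der(0x30, _der(0x06, OID["NTLMSSP"]))) + _der(0xA2, _der(0x04, ntlm_type1)))
    token = _der(0x60, _der(0x06, OID["SPNEGO"]) + _der(0xA0, neg_init))
    return "Negotiate " + base64.b64encode(token).decode()
```

Applied to the logged token, decode_negotiate reports a NegTokenResp in state accept-incomplete whose inner token is a Kerberos KRB-ERROR with error-code 41 (KRB_AP_ERR_MODIFIED) for the server principal MMATECKI$, the XP workstation's machine account. So the client did try Kerberos: it obtained a ticket for the workstation's SPN, but the process that received it could not validate it, which is the symptom of the ticket being encrypted to the machine account's key while Tomcat runs under some other account. That is exactly the SYSTEM / Network Service point made in the reply above. For question 3, pasting a browser's Authorization header into the same function shows whether the "Negotiate" label hides a Kerberos AP-REQ or an NTLMSSP message: the constructed sample decodes to mech_types ["NTLMSSP"] with an NTLM Type 1 token inside.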

Remarks

If IE (or Firefox) is running on the same server as the web server (IIS or Tomcat):

1) you will never be authenticated by Kerberos (only NTLM)

2) you can get a form

 

Dominique Guerin

Test: an AD domain test.net, a Server 2003 (webserver2.test.net), Tomcat as a service (account SYSTEM), another computer (clientspnego.test.net). If you use the address of the server, you will get a form, but if you use the name (webserver2 or webserver2.test.net) there is no form and you will be authenticated by Kerberos: code 200 (or not: code 403).

If the Tomcat server is not a service and you use the address, you will get a form. If you use the name of the server (webserver2 or webserver2.test.net), IE wants to use Kerberos with the account of the server, but Tomcat is not running with the SYSTEM or Network Service account, so IE cannot respond.

In this case you will get code 401.

To resolve this problem, you must configure IE:

You must configure the list of Web sites that are on your organization's intranet.
So, in IE: menu Tools / Internet Options
Security tab
Select Local intranet
Sites button
Advanced
Add this Web site

If your organization uses the private addresses 10.*.*.*,
you must add 10.*.*.*
With an address like 10.12.34.56, IE does not send a form. NTLM is used.


If you use another domain with a BIND DNS, you must also add the servers.
If, for instance, you use the AD domain test.net and a domain mycompany.com
(with forwarders configured in the AD DNS), you can add *.mycompany.com
You can simulate this situation with the file %windir%\system32\drivers\etc\hosts.

If your server webserver2.test.net has another name like www.intranet.mycompany.com,
you can use this name in IE; IE does not send a form, NTLM is used.


If you use the AD name webserver2 (or webserver2.test.net) in IE, Kerberos is required by IE.
So, if Tomcat is running as a service with the SYSTEM or Network Service account, you will be authenticated by Kerberos.
But if Tomcat is using another account (Tomcat as a service, or Tomcat launched by the startup.bat batch file), it does not work.
You get code 401. IE cannot respond: IE uses a Service Principal Name and Tomcat's account is not the same.