NTLM VS Kerberos

Oct 19, 2009 at 12:18 PM

Hi,

Using your tool with Kerberos seems to work fine; however, when I try to use NTLM (i.e. Google Chrome or Firefox with Kerberos turned off and NTLM turned on), I receive a 401 error. As far as I understand it, NTLM should be used if Kerberos cannot.

Tomcat is running under the service account and I believe creating an SPN is only useful for Kerberos.

I have included a log extract below, what you see is everything. It does not show a token being received.

 

Any ideas what could be going wrong?

 

Many thanks for your help.

 

Neil Musgrove

 

FINE: Entry in  authenticate: Principal does not exist and authentication is required

19-Oct-2009 11:58:28 fr.doume.authenticator.SSPAuthenticator authenticate

FINE: realm : fr.doume.realm.WindowsRealm@1ad9b0f

19-Oct-2009 11:58:28 fr.doume.authenticator.SSPAuthenticator appelTraduire

FINE: A new TraductionNomsEnSids is required

19-Oct-2009 11:58:28 fr.doume.authenticator.SSPAuthenticator traduire

FINE: Count of groups defined in the context : 1

19-Oct-2009 11:58:28 fr.doume.authenticator.SSPAuthenticator traduire

FINE: everyone

19-Oct-2009 11:58:29 fr.doume.authenticator.SSPAuthenticator traduire

FINE: Count of found sids : 1

19-Oct-2009 11:58:29 fr.doume.authenticator.SSPAuthenticator traduire

FINE: Count of nul sids (or count of roles without map in the groups) : 0


Coordinator
Oct 19, 2009 at 5:43 PM

Hello,

The configuration of Firefox is the same with NTLM or Kerberos via SPNEGO. You use only network.negotiate-auth.trusted-uris, not network.automatic-ntlm-auth.trusted-uris.

To log the headers, you uncomment the lines with ValveRequestDumper in server.xml. After that, send me the file catalina.log, and the parameter network.negotiate-auth.trusted-uris.

Dominique Guerin
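
Added example, not part of the original thread or of the project's code: once request headers are being dumped, this script reports for each Authorization header whether the browser sent the Negotiate or the NTLM scheme and whether the token is raw NTLM or SPNEGO. The `header=authorization=...` line layout, the function names and the sample tokens are assumptions constructed for illustration, and the mechanism check is a byte-pattern heuristic rather than a full ASN.1 parse.

```python
import base64
import re

NTLMSSP = b"NTLMSSP\x00"                             # signature opening every NTLM message
SPNEGO_OID = bytes.fromhex("06062b0601050502")       # DER of 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # DER of 1.2.840.113554.1.2.2
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def classify_authorization(value):
    """Return (scheme, mechanism) for one Authorization header value."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return scheme, "not integrated authentication"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return scheme, "invalid base64"
    if token.startswith(NTLMSSP):
        kind = NTLM_TYPES.get(int.from_bytes(token[8:12], "little"), "unknown type")
        return scheme, "raw NTLM " + kind
    if token[:1] == b"\x60" and SPNEGO_OID in token[:16]:   # GSS-API token, SPNEGO mech
        if NTLMSSP in token:
            return scheme, "SPNEGO carrying NTLM"
        if KRB5_OID in token:
            return scheme, "SPNEGO carrying Kerberos"
        return scheme, "SPNEGO, other mechanism"
    if token[:1] == b"\x60" and KRB5_OID in token[:16]:
        return scheme, "raw Kerberos"
    return scheme, "no recognisable token"

def scan_dump(lines):
    """Classify every Authorization header found in dumped request lines."""
    pat = re.compile(r"authorization\s*[=:]\s*(.+)", re.IGNORECASE)
    return [classify_authorization(m.group(1)) for m in map(pat.search, lines) if m]

def _b64(raw):
    return base64.b64encode(raw).decode()

# Constructed sample: skeletal tokens and an assumed dump layout, not captured traffic
NTLM_TYPE1 = NTLMSSP + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2"
SPNEGO_KRB = b"\x60\x1e" + SPNEGO_OID + b"\xa0\x14\x30\x12\xa0\x0d\x30\x0b" + KRB5_OID
SAMPLE = [
    "header=host=tomcat.example.test:8080",
    "header=authorization=NTLM " + _b64(NTLM_TYPE1),
    "header=authorization=Negotiate " + _b64(NTLM_TYPE1),
    "header=authorization=Negotiate " + _b64(SPNEGO_KRB),
]

if __name__ == "__main__":
    for scheme, mech in scan_dump(SAMPLE):
        print(f"{scheme:10} {mech}")
```

An empty result from `scan_dump` means no Authorization header reached the server at all, which matches a log that shows no token being received.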

 

 

 

Oct 20, 2009 at 8:50 AM

Hi,

Thanks again for your help. I think I understand better how it works. Does this mean that a browser such as Google Chrome which supports NTLM but not SPNEGO will not work until they add support for SPNEGO (I believe they are planning this)?

Thanks

Neil Musgrove

Coordinator
Oct 20, 2009 at 7:21 PM

Hello,

If you use the version with the service windows negoserver, you can replace Negotiate by NTLM.  Test the example and add the line

Use the example and add this line in the context.xml (cf. the file configure.txt in the file trunk-tcp-140909.zip)

<Parameter name="onlyntlm" value="" override="false"/>

Dominique

 

Oct 21, 2009 at 10:50 AM

Ok thanks for your help.

 

Neil Musgrove