401 Http Authentication required for remote user with a non matching pwd

Jun 1, 2011 at 4:04 PM

We have an existing application with JICFS authentication implementation using a filter and we are enhancing it to support NTLMv2.
I'm using JNA version of tomcatspnego to authenticate on a windows 2008 server without any domains and using our own authorization.

If remote username/password matches with username/password configured on the server, it works fine.
When a remote user with a different password other than the password for that user on server box connects we are getting a 401 requires HTTP authentication error.
(with JCIFS we used to get a windows login prompt which used to authenticate if we provide password that matches on the server)

we dont want to redirect a login page to provide user name and password and authenticate the username/pwd. 

Jun 1, 2011 at 7:41 PM
Edited Jun 1, 2011 at 7:44 PM


If I understand, you are using the example for the version 7 of tomcat (directory exampletc7).  This example is given because some people wanted to have a fall back to a login page.

You want to have two authentications, first with an account defined on your server and after with an other authentication. Use the example for the version 6 (directory example). There is no redirect to a login page when you are not authenticated by the server. To use this example with tomcat 7, take the jar from exampletc7 (frdoumesspitc7v3.jar).

If I do not understand your request, you can send a message.


Jun 2, 2011 at 3:52 PM

Hi Dominique,

we are having Tomcat 6  and i am using Spnego JNA version.

Here is our environment details:

We have windows 2008 server and our web application runs on tomcat 6 on the server. we dont have any active directory or domain environment.

Assume we have a server and client computer and client acess the application using IE browser.

Details on the scenario which was failing:

Lets assume On the server we have a windows local user 'user1' with password 'pass1'.

Client has a windows local user 'user1' and password 'pass2' and user1 is logged into windows. If he open a IE browser and access the application on the server we ger a 401 requires http authentication.

In this case where password doesnt match for user1, we want a windows popup to ask for username and password and if user1 provides 'user1' and 'pass1' he should be authenticated to the application.






Jun 3, 2011 at 2:47 PM


You can test with tomcat 7. The directory exampletc7 give this possibility. I sent a new version. The jars, dll, and negoserver are the same. But I rewrite some examples. The example in the directry explOnlyT7FallbckUsrPwd is like exampletc7. I developped this on tomcat 7 because there is a new method HttpServletRequest.login(name, pwd). Can you use Tomcat 7. With this version of tomcat, you mist use the jdk 6, not the jdk5.

If your application does not work with tomcat 7, I could add this possiblity to tomcat 6. But, to add this feature, I must write java code and add some classes.



Jun 3, 2011 at 3:33 PM

Hi Dominique,

Unfortunately we cannot change tomcat from version 6 to 7. I am using DLL version of tomcatspnego for tomcat 6. (frdoumesppitc6.jar and SSPAuthentification.dll and SSPAuthentificationx64.dll)

Could you please try to implement the change to support tomcat6? and also how much time it might take to get this change?






Jun 3, 2011 at 4:37 PM
Edited Jun 3, 2011 at 4:41 PM


I could add that to the versions v3( with jna) an V2 (with TCP and Negoserver). The backend is already written (LogonUser with jna and an exchange between the client and the server with SSPI via the classses NegotiateStream and PipeStream in dotnet). 

It is not my principal work. But I think I could do that in two weeks.


Jun 3, 2011 at 6:49 PM

That will work for us. Thanks Dominique!