On 20 September 2012 17:20, Mark Thomas <ma...@apache.org> wrote:
> "Mead, Jen L" <mead....@con-way.com> wrote:
>
>> Hi Chris,
>>
>> I met you at a PERL conference years and years ago along with a bunch of other people you met. Anyways. Exactly what I am trying to do is allow folks to use their web browser (I would like to stick with tomcat 7.0.27 on aix 6.1) from their windows workstation and authenticate against the windows domain. I am hoping this can be accomplished without creating unix accounts. The permissions for it, page access or run the tool would reside in the tomcat configuration side, but all authentication would be from the windows side. If you can tell me how to do that I would be pretty happy. I cannot find documentation on how to do it.
>
> Did you find this?
>
> http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
>
> I haven't tested this when Tomcat is on a non-Windows platform. It is certainly possible for this to work although whether any other pieces (such as samba) are required and what their configuration might be I don't know. OTOH, it might just work.
>
Samba is one way; in that context the AIX box becomes a member of the Windows AD.

If that isn't possible: another alternative is bi- or uni-directional cross-realm trusts. That's where there is a Unix Kerberos realm and the Windows AD realm and there is a trust either between each realm or in one direction only. Cross-realm keys are quite easy to create in the more recent versions of Windows Server (2008+). In this situation, the authentication trust could be configured only one way (i.e. Windows AD users are trusted for authentication purposes to the AIX Tomcat service).

I'm a bit fuzzy on the details since I last looked at this several years ago. From what I remember the following is needed:

(a) cross-realm keys in one or both directions (i.e. resulting in one or two sets of keys) - getting this right on the Windows side was quite difficult due to different encryption standards in use, different 'versions' of keys etc.; modern versions of Windows Server do make this easier.
(b) a key on the AIX box representing the service (Tomcat), but in this case the service key is for the local Unix Kerberos realm, not the Windows AD realm.
(c) a browser that permits Kerberos based authentication (e.g. Firefox, or IE with the site added to the trusted sites area).
(d) patience, luck and lots of log perusal.

I've used this in a managed service environment but it's complicated and error prone to configure.

> I'll add looking at this to my to do list but it is a long list...
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> ---------------------------------------------------------------------
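As an added illustration of items (a) and (b) above, here is what the Kerberos client configuration on the AIX host could look like for the one-way trust that is described (Windows AD users trusted by the Unix realm that owns the Tomcat service). This is an example constructed for this reply, not configuration from the thread, from Tomcat's howto, or from any real site; the realm names AD.EXAMPLE.COM and UNIX.EXAMPLE.COM and the host names kdc.unix.example.com, dc1.ad.example.com and tomcat.unix.example.com are assumptions.

```ini
# /etc/krb5.conf on the AIX host running Tomcat (constructed example;
# all realm and host names below are assumptions)
[libdefaults]
    default_realm = UNIX.EXAMPLE.COM
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    # Local Unix realm. The Tomcat service principal
    # HTTP/tomcat.unix.example.com@UNIX.EXAMPLE.COM lives here (item b),
    # not in the AD realm.
    UNIX.EXAMPLE.COM = {
        kdc = kdc.unix.example.com
        admin_server = kdc.unix.example.com
    }
    # Windows AD realm; the domain controllers are its KDCs.
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
    }

[domain_realm]
    # Map the Tomcat host to the Unix realm so a client asks for the
    # service ticket in UNIX.EXAMPLE.COM rather than in AD.EXAMPLE.COM.
    .unix.example.com = UNIX.EXAMPLE.COM
    tomcat.unix.example.com = UNIX.EXAMPLE.COM
    .ad.example.com = AD.EXAMPLE.COM

[capaths]
    # One-way trust (item a): clients from AD.EXAMPLE.COM reach services in
    # UNIX.EXAMPLE.COM directly ("." = no intermediate realm). The AD KDC
    # issues krbtgt/UNIX.EXAMPLE.COM@AD.EXAMPLE.COM; the Unix KDC must hold
    # that same principal with the same key and encryption type, otherwise
    # the cross-realm ticket cannot be decrypted.
    AD.EXAMPLE.COM = {
        UNIX.EXAMPLE.COM = .
    }
```

The Unix KDC side of item (a) is the principal krbtgt/UNIX.EXAMPLE.COM@AD.EXAMPLE.COM, created with the same password and encryption type that were used when the outgoing trust was defined on the Windows side; mismatched encryption types are the usual reason this fails silently, which is the point the reply makes about "different encryption standards". Windows clients also need to know that the Tomcat host belongs to UNIX.EXAMPLE.COM (the equivalent of the [domain_realm] mapping above), otherwise the browser requests an AD service ticket that the Tomcat keytab cannot decrypt. A quick end-to-end check from a Unix client with this file is `kinit user@AD.EXAMPLE.COM` followed by `kvno HTTP/tomcat.unix.example.com@UNIX.EXAMPLE.COM`; `klist` should then show the cross-realm TGT between the AD TGT and the HTTP service ticket. The Tomcat side (Krb5LoginModule, keytab and SPNEGO authenticator) then follows the linked windows-auth-howto, with the keytab holding the UNIX.EXAMPLE.COM service key.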