Hey, I wanted to thank everyone for their suggestions and input. I just got my keytab file from the Windows administrators yesterday and am ready to fiddle with Tomcat and Kerberos on the Unix side to start testing. I like what Mark wrote below about using VMs to set things up, learn the environment and then tweak for AIX. However, I don't have that option; I have one AIX box and that is it to test with. I got a lot of great suggestions and think I can wrap my mind around it. Yesterday I compiled a full version of Kerberos on my AIX server so I could test out kinit and make sure communication is flowing before I start setting up the Tomcat server. I think that most people are going to be coming in on Windows Explorer so I will set that up as well as Firefox. I feel 50/50 about getting it running but certainly more ready than I was before I got responses from this group.

Thanks again,
Jen
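Jen's plan is to verify the keytab with kinit before touching Tomcat. The following is an added example, not code from this thread or from Tomcat: it parses a keytab in the MIT version 0x0502 layout and checks that it holds the HTTP/<host>@<REALM> service entry that Tomcat's built-in SPNEGO support needs, with the realm spelled in the right case. The realm EXAMPLE.COM, host tomcat.example.com and key bytes used are constructed placeholders, and build_keytab exists only to fabricate that sample input.

```python
import struct

def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples as a version 0x0502
    keytab; used only to construct sample input for this example."""
    out = b"\x05\x02"
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:                      # realm first, then components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                 # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Walk a version 0x0502 keytab, returning principal, kvno and enctype per entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size == 0: break
        if size < 0: pos -= size; continue             # negative size = deleted slot
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strings = []
        for _ in range(ncomp + 1):                     # realm, then each component
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        vno32 = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "kvno": vno32 or vno8, "enctype": enctype})
        pos = end
    return entries

def check_spnego_keytab(data, host, realm):
    """Report whether the keytab holds the HTTP/<host>@<REALM> key that Tomcat's
    SPNEGO authenticator needs and whether every entry is in that realm (case matters)."""
    want = "HTTP/%s@%s" % (host, realm)
    entries = parse_keytab(data)
    issues = [] if any(e["principal"] == want for e in entries) else ["missing " + want]
    issues += ["wrong realm in " + e["principal"] for e in entries
               if e["principal"].rsplit("@", 1)[1] != realm]
    return {"ok": not issues, "entries": entries, "issues": issues}
```

Against a real file, call check_spnego_keytab(open(path, "rb").read(), host, realm) with the host and realm the browser will actually use; the kvno and enctype it reports are what to compare with what the domain admins provisioned.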
-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Thursday, September 20, 2012 3:05 PM
To: Tomcat Users List
Subject: RE: very basic question about apache and tomcat

"Mead, Jen L" <mead....@con-way.com> wrote:
>Thanks. I am in the process of testing. The earlier answer from Chris suggested that I might need some additional modules / libraries. I am following it step by step and I do see the unix part.
>
>I have sent my windows domain people a request to create a Kerberos key and an account I can test with. However, they provided one on a box I did not have root on and it was way too frustrating trying to get unix admin in India to understand what to do. I now have a sandbox environment with root and am trying different things, it has not worked so far.

Setting up this for the first time is rather like setting up SSL CLIENT-AUTH for the first time. There are lots of moving parts and if you get just one thing wrong the whole lot fails. The error messages may not be too helpful when this happens. Posting the full error message, associated stack trace and exactly what you did to get to that point will help us to help you. Without those specifics, there is little the folks here can do to help and so far you have not provided any details apart from "it has not worked".

You will find this a whole lot easier if you can start from a known working configuration and take little steps towards the configuration you want. There are so many things that can go wrong that going directly to the configuration you want is going to be very high risk. I'd strongly recommend that you follow something like the following approach:

Part one
1. Create three local Windows VMs (domain controller, server, client) and do a clean install of the OS.
2. Snapshot the VMs.
3. Configure them as per the Tomcat docs so Windows auth works. The Tomcat docs should take you through this step by step (although they do not try and are not intended to teach Windows administration).
4. Make notes as you go so you can repeat this. If you spot any errors or omissions in the Tomcat docs, report them.
5. Snapshot the working configuration.
6. Revert to the clean VMs and make sure you can repeat the configuration.

Part two
Repeat part one in your dev environment, but use the domain controller from the dev environment rather than your VM (so you only have two VMs). You'll need co-operation from the domain admins but since you'll have your notes from part one you'll be able to tell them exactly what to do (which unfortunately it sounds like they need).

Part three
Repeat part one but with all machines in the dev environment rather than VMs.

Part 4
Repeat part one but with Tomcat on an AIX machine. By this point, you should be familiar enough with the process that any problems will be because of running on AIX. Again, report any issues here and we'll do what we can to help. My best guess at this point is that it will either just work or you'll need to install samba, add the machine to the domain and do some additional (currently unknown) configuration. I'm leaning towards the just work option since I can't see why the Tomcat server needs to be part of the domain if it has its own service account. On the other hand, I'm not that familiar with the details of the Kerberos protocol and it is a while since I looked at all of this so I could easily be wrong.

Part 5
Repeat part 4 on your live environment.

Thinking about this, you might want to move Tomcat to AIX as part 2 since at that point (assuming you have root access to an AIX dev machine) you'll still be in full control and a fair amount of tweaking may be required.

>Have you tried using this documentation?

Actually no, I haven't tried using that documentation. On the other hand I implemented that feature. I figured out how to make built-in Windows authentication work (the JVM does the hard work) from the references linked in the documentation and then I implemented Tomcat's built-in support for Windows authentication and also wrote the documentation. And I have a working configuration in a series of VMs on the machine in front of me. The documentation very deliberately provides detailed step-by-step instructions that are known to work. If you find any errors or omissions let us know.

>If not then please don't comment on how easy it is and straight forward. I am doing my best and have been in computing, unix in particular, for over 30yrs.

Given that intended tone is not something that comes across well in e-mail communication, your final paragraph reads as arrogant rather than the tone you intended (I'm assuming you weren't aiming for arrogance). That is unlikely to encourage anyone here to help. That is particularly unfortunate when the person you are directing your comments at implemented the feature you are trying to use and could be the person best placed to help you.

Mark

>
>Regards,
>Jen
>
>-----Original Message-----
>From: Mark Thomas [mailto:ma...@apache.org]
>Sent: Thursday, September 20, 2012 10:09 AM
>To: Tomcat Users List
>Subject: RE: very basic question about apache and tomcat
>
>"Mead, Jen L" <mead....@con-way.com> wrote:
>
>>Yes, I did not find that useful. It is very vague to say the least.
>
>You are the one being vague. You are not being very forthcoming. That page provides detailed, step-by-step configuration instructions. As I said, the page assumes Tomcat is running on a Windows machine but that may be necessary for Windows authentication to work. I haven't tested it and performing that testing is at the end of a long to do list. There is nothing stopping you from testing this.
>
>>If I am missing something please let me know. I want to use Built-in Tomcat support.
>
>You appear to have missed the section entitled "built-in Tomcat support" which is an exact match for what you are looking for.
>
>Mark
>
>>
>>Jen
>>
>>-----Original Message-----
>>From: Mark Thomas [mailto:ma...@apache.org]
>>Sent: Thursday, September 20, 2012 9:20 AM
>>To: Tomcat Users List
>>Subject: RE: very basic question about apache and tomcat
>>
>>"Mead, Jen L" <mead....@con-way.com> wrote:
>>
>>>Hi Chris,
>>>
>>>I met you at a PERL conference years and years ago along with a bunch of other people you met. Anyways. Exactly what I am trying to do is allow folks to use their web browser (I would like to stick with tomcat 7.0.27 on aix 6.1) from their windows workstation and authenticate against the windows domain. I am hoping this can be accomplished without creating unix accounts. The permissions for it, page access or run the tool would reside in the tomcat configuration side, but all authentication would be from the windows side. If you can tell me how to do that I would be pretty happy. I cannot find documentation on how to do it
>>
>>Did you find this?
>>
>>http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
>>
>>I haven't tested this when Tomcat is on a non-Windows platform. It is certainly possible for this to work although whether any other pieces (such as samba) are required and what their configuration might be I don't know. OTOH, it might just work.
>>
>>I'll add looking at this to my to do list but it is a long list...
>>
>>Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org