>> One thing to watch for is that the client must use Kerberos and not
>> NTLM (it's a guess but it seems logical).
>
> Sorry to burst in, but can you elaborate on that?
> Why does it seem logical? To my own (admittedly limited) knowledge,
> Kerberos is not the most widely implemented solution in Windows networks,
> NTLMv2 is. Does the SPNEGO implementation in Tomcat not work with NTLMv2
> then?

Only on a Linux box. In my mind, NTLM being a Microsoft protocol, the chance of it working on a Linux box was small.

That is what I observed. When the Tomcat on my Linux box was configured with the SPNEGO valve, at first my browser was talking NTLM (apparently, you can see that when the first response to the negotiate challenge begins with NTRLM...), and I got an error in the Tomcat log saying can't validate client ticket. Once I declared the box in the Active Directory DNS, my browser stopped using NTLM for Kerberos and everything works as expected.

It should be apparent I'm really not an expert on that, so all that is just some guesses. I'm still studying all that.
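The check described in the message above (looking at the browser's first reply to the Negotiate challenge to see whether it carries NTLM or Kerberos) can be scripted. This is an added example, not part of the original thread and not Tomcat code; `classify_negotiate`, the result labels and the sample tokens are assumptions made for illustration, and the matching is a byte-level heuristic rather than a full DER parser.

```python
import base64

# Every NTLM message starts with this signature (base64 of it begins "TlRMTVNTUA").
NTLMSSP_SIG = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs: tag 0x06, length, value.
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2


def classify_negotiate(header_value: str) -> str:
    """Classify the token in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    if token.startswith(NTLMSSP_SIG):
        return "ntlm-raw"  # client skipped SPNEGO and sent bare NTLM
    if token[:1] == b"\x60":  # GSS-API initial context token
        if OID_SPNEGO in token[:16]:
            if NTLMSSP_SIG in token:
                return "ntlm-in-spnego"  # SPNEGO wrapper, NTLM mechToken
            if OID_KRB5 in token or OID_MS_KRB5 in token:
                return "kerberos-in-spnego"
            return "spnego-other"
        if OID_KRB5 in token[:16]:
            return "kerberos-raw"
    return "unknown"


def _as_header(raw: bytes) -> str:
    return "Negotiate " + base64.b64encode(raw).decode("ascii")


# Constructed sample tokens (not captured traffic; payloads are placeholders).
SAMPLE_NTLM = _as_header(NTLMSSP_SIG + b"\x01\x00\x00\x00\x07\x82\x08\xa2" + bytes(24))
SAMPLE_KRB = _as_header(
    b"\x60\x27" + OID_SPNEGO + b"\xa0\x1d\x30\x1b\xa0\x0d\x30\x0b" + OID_KRB5
    + b"\xa2\x0a\x04\x08(ap-req)"
)

if __name__ == "__main__":
    for name, value in (("ntlm", SAMPLE_NTLM), ("kerberos", SAMPLE_KRB)):
        print(name, value[:30] + "...", "->", classify_negotiate(value))
```

Run it against the `Authorization` header value taken from browser developer tools or an access log that records request headers.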