On this list, please do not top-post. Read the list rules.
Reply below the question; it is easier for everyone to figure out what you are responding
to. See below.
On Mon, Jan 27, 2014 at 10:47 AM, Mark Thomas <ma...@apache.org> wrote:
On 27/01/2014 09:43, Marco Pizzoli wrote:
Hi all,
I'm fairly new to Tomcat and to this mailing list, so apologies in
advance if I am not clear in explaining my problem.
I'm tasked with the implementation of JAAS for a web application by
leveraging the existing LDAP server (MSAD) present at our company.
Do you have to use JAAS? If you used the JNDI Realm you could take
advantage of SPNEGO support.
Marco Pizzoli wrote:
> Hi Mark,
> Thanks for your reply.
>
> Yes I expressly need JAAS. This is a requirement coming from the
> provider of an external software vendor. It leverages "principals".
>
For info:
Quite apart from which solution you are using, there are a number of reasons why a
Windows-domain-like authentication may not be working.
- the workstation has to be in the domain (seems evident, but for example it will not
work if the workstation accesses this server from the Internet; in some VPN cases, it may
also not work)
- the Tomcat server itself has to be recognised as being a member of the same Domain, or a
trusted Domain
- Windows on the workstation must consider the Tomcat server as at least a
"trusted" host
- the browser used may also have restrictions as to what host it will even attempt to do a
WIA authentication with. (WIA = Windows Integrated Authentication)
In other words: even if the add-on modules server-side should work and even if your
configuration server-side seems to be ok, there might be workstation-side reasons why this
is not working, and you must make sure that these possible reasons are also eliminated.
If the browser, for whatever reason, is not even trying a WIA, then the server side will
not show any attempt to do the corresponding authentication.
Which seems to be your case, as you describe it.