-----Message d'origine----- De : André Warnier (tomcat) [mailto:a...@ice-sa.com] Envoyé : lundi, 17 octobre 2016 13:54 À : users@tomcat.apache.org Objet : Re: Mixed authentication
On 17.10.2016 11:51, Brugnerotto Angélique wrote: > Good morning everybody. > > We use Tomcat 6 for an internal web site. > Actually, the authentication is negociate with SSO. It works fine. When we > access the web site, the Windows authentication of the Windows session > Windows is resumed. > > We would like to publish this site in external. > We have problems with negociate authentification. > > We have tried to put the mixed authentication with Form authentification. > > It works but the problem is that when we access the site, we have a page with > a form and 2 choices : > - Put the username/password > - A button to use Windows authentication We have followed this > tutorial : http://code.dblock.org/2010/05/27/to...-w-waffle.html > > What we would like to do is that the web site tries automatically to do a > negociate authentication and only if it can't, to show a form. We don't find > how to do this. Is it possible ? Can you help us ? > Hello Angélique. What you are trying to do may be difficult, even impossible. One problem is that the browser will not even *try* Windows Integrated Authentication, if the workstation where it runs is not part of the same domain as the server (or at least a "trusted" server). (That is for security reasons, as WIA is only deemed "safe" within the same domain). So the browser will then (probably, depending on how the PC and the server are set up) automatically revert to HTTP Basic authentication (meaning that the browser built-in login popup dialog will appear). But that is not "form authentication". Note that one of the comments on the page which you mention above, says pretty much the same thing : see " Atdavie . 4 years ago " (Full link : http://code.dblock.org/2010/05/27/tomcat-single-sign-on-mixed-with-form-authentication-w-waffle.html) The whole issue is fairly complex, and has to do with discrepancies between what the HTTP protocol foresees or not as valid authentication methods (of which "form" is not one), and how the Windows (Microsoft-specific) authentication works. I would suggest that you stay with your current solution, it is the simplest one. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Good morning, Thank you for the answer. Our workstation are on the same domain as the server. In internal, it's not possible to automatticaly do a Windows authentification on Tomcat ? And only in external, show a form to insert username and password ? The actual solution does not satisfies us :-( Thank you so much. Have a nice day. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
