Here is more detail on what I went through for setting up Apache Tomcat.

I configured each Apache Tomcat instance using this bit of documentation: SPNEGO http://spnego.sourceforge.net/
I also used this documentation in order to get my workstation to accept Kerberos authentication and not default to NTLM.
https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM

*I created/configured the following based on what was outlined from the SPNEGO doc:*

- login.conf
- krb.conf
- HelloKDC.java successfully connected when testing
- The SPNEGO filter in Apache Tomcat's web.xml
- Took the source code for spnego.jar and placed it in Apache Tomcat's library
- hello_spnego.jsp successfully displayed the correct remote user on the web page
- hello_delegate.jsp successfully displayed the correct delegated credentials on the webpage.

Once I was able to verify that the above steps worked on Apache Tomcat, I tested the same web pages on Apache HTTPD. I ran into issues when testing hello_spnego.jsp and hello_delegate.jsp. Here have been my results:

- hello_spnego.jsp -> "hello root !" (root being a unix user and not the AD/Windows user signed onto the domain).
- hello_delegate.jsp -> "No delegated creds."

*Here is the section of the SPNEGO doc source on how to set up hello_delegation.jsp and create hello_spnego.jsp:*
http://spnego.sourceforge.net/credential_delegation.html

*Here is how I have Apache HTTPD forwarding requests to Tomcat.*

    Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/" env=BALANCER_ROUTE_CHANGED
    <Proxy balancer://application>
        BalancerMember "http://localhost:8081/application" route=node1
        BalancerMember "http://localhost:8082/application" route=node2
        BalancerMember "http://localhost:8083/application" route=node3
        ProxySet lbmethod=byrequests stickysession=ROUTEID
    </Proxy>
    ProxyPass /application balancer://application/
    ProxyPassReverse /application balancer://application/

On Wed, Sep 19, 2018 at 7:57 AM André Warnier (tomcat) <a...@ice-sa.com> wrote:

> On 18.09.2018 23:24, Thomas Delaney wrote:
> > Hello All,
> >
> > I have recently configured Apache Tomcat on a SuSe Enterprise 12 SP3 server
> > to get Kerberos SSO working with a web client application. I have also in
> > addition configured Apache HTTPD 2.4.29 on the same machine. When I reach
> > that website I am failing to get SSO working. The web server is not passing
> > off the delegation credentials to Apache Tomcat server. I have the web
> > server load balance proxying its request to multiple Apache Tomcat
> > instances. I have tried applying mod_proxy_http environment variables, but
> > the site continues to fail SSO. Is there a guide or configuration that
> > HTTPD and Apache Tomcat both use to involve Apache HTTPD passing off
> > delegation credentials to Apache Tomcat?
> >
>
> If you would like someone here to be able to help you, you would need to be much more
> precise than that. You write "I have done this" and "I have done that", but without
> giving any clue as to /how/ you did this or that.
> You are not even saying /where/ you have configured the Kerberos SSO. Under the Apache
> httpd front-end? or under Tomcat?
>
> To point you nevertheless in a possible direction, read this:
> https://tomcat.apache.org/tomcat-8.0-doc/windows-auth-howto.html#Apache_httpd
> (and, in your mind, substitute "Windows authentication" by "Kerberos authentication")
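
Added example (not part of the original thread or of the SPNEGO project's code): when checking that a browser is really sending Kerberos and not falling back to NTLM, as in the workstation step above, the `Authorization: Negotiate` value itself shows which mechanism was chosen. The function names `classify_negotiate` and `sample` are hypothetical, and the sample tokens are constructed, not captured traffic.

```python
import base64
# GSS-API mechanism OIDs, DER-encoded (tag 0x06, length, value).
SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2 (legacy Microsoft)
NTLMSSP = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECHS = {SPNEGO: "spnego", KRB5: "kerberos", MS_KRB5: "kerberos", NTLMSSP: "ntlm"}

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def mech_at(buf, pos):
    """Return (mechanism name, end position) for the OID element at pos."""
    end = tlv(buf, pos)[2]
    return MECHS.get(buf[pos:end], "unknown"), end

def classify_negotiate(header_value):
    """Return kerberos, ntlm, unknown, malformed or not-negotiate for a header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
        if tok.startswith(b"NTLMSSP\x00"):     # raw NTLM, no SPNEGO wrapper
            return "ntlm"
        tag, pos, _ = tlv(tok, 0)              # [APPLICATION 0] GSS-API token
        if tag != 0x60:
            return "unknown"
        mech, pos = mech_at(tok, pos)          # thisMech
        if mech != "spnego":
            return mech                        # bare (unwrapped) mechanism token
        for expected in (0xA0, 0x30, 0xA0, 0x30):  # NegTokenInit -> mechTypes list
            tag, pos, _ = tlv(tok, pos)
            if tag != expected:
                return "unknown"
        return mech_at(tok, pos)[0]            # first mechType is the one mechToken uses
    except (ValueError, IndexError):
        return "malformed"
# Constructed samples (not captured traffic): short-form DER with a dummy mechToken.
def der(tag, body): return bytes([tag, len(body)]) + body
def sample(*mechs):
    init = der(0x30, der(0xA0, der(0x30, b"".join(mechs))) + der(0xA2, der(0x04, b"dummy")))
    return "Negotiate " + base64.b64encode(der(0x60, SPNEGO + der(0xA0, init))).decode()
```

A result of `ntlm` for a real request means the client never obtained a service ticket, so there is nothing for the server side to delegate.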