Did you look at the jcifs.http.NtlmHttpFilter filter?
http://jcifs.samba.org/src/docs/ntlmhttpauth.html

nbtstat -a MYHOSTNAME
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nbtstat.mspx?mfr=true

The IP and the 'nbtstat name' *should* be located in the /windows/system32/drivers/etc/lmhosts file
*you can use the sample /windows/system32/drivers/etc/lmhosts.sam*
then put the entry in for IP MYHOSTNAME

/windows/system32/drivers/etc/lmhosts file:

    IP MYHOSTNAME #PRE #needed for the include

If your Active Directory security policy requires that users only log into the domain from their personal workstations JCIFS will fail to authenticate and the server security log will have entries like "\\JCIFS10_40_4A cannot be authorized". This occurs because the domain controller is failing to resolve the dynamically generated "calling name" submitted by the client during protocol negotiation. To get around this it is necessary to set the jcifs.netbios.hostname property to a valid NetBIOS name that can be resolved by the NetBIOS name service (e.g. WINS) and add that name to the AD security policy as a permitted client.

For example, you can set this property using an init-parameter in the web.xml file for the NTLM HTTP filter as follows:

    <init-param>
        <param-name>jcifs.netbios.hostname</param-name>
        <param-value>MYHOSTNAME</param-value>
    </init-param>

hth
Martin

> Date: Sat, 12 Sep 2009 16:32:17 -0400
> From: ocha...@ncc.edu
> Subject: Re: Windwos Integrated Authentication using AD and Tomcat (no prompt to the users)
> To: users@tomcat.apache.org
>
> Send reply to: Tomcat Users List <users@tomcat.apache.org>
> Date sent: Sat, 12 Sep 2009 12:50:41 -0700 (PDT)
> From: Derlei Luff <derlei...@yahoo.com>
> Subject: Windwos Integrated Authentication using AD and Tomcat (no prompt to the users)
> To: users@tomcat.apache.org
>
> > Hi all,
> >
> > I'm new to Tomcat and normally work in a Microsoft Windows world.
> > I've stumbled into a problem using Tomcat as a web server, that
> > I'm sure there is a simple solution for though I can't find it.
> > I'm sure it works if I use a MS IIS server instead of a Tomcat
> > server at least. I hope some of you more experienced users of Tomcat
> > can either point me in the right direction or perhaps come up with the
> > conclusion :)
> >
> > My problem is: I have a running Active Directory which
> > holds the users and groups. I have a Windows XP client, which is a
> > member of the Active Directory domain. If a user logs into the client
> > using his username and password and then opens Internet Explorer I
> > would like him to gain access to a web page hosted on the Tomcat
> > server. The problem is that the Tomcat server shall validate the
> > user's Active Directory credentials and the credentials should be
> > sent to Tomcat without user interaction.
> > In other words I want "Windows Integrated Authentication" from the MS
> > world, so that Internet Explorer takes the user's credentials and sends
> > them to the Tomcat server (Kerberos). So far I can only get this to work
> > if Internet Explorer prompts the user for his credentials (Basic
> > Authentication). In other words I want to achieve this:
> >
> > · User logs onto the Windows XP computer using his username and password
> > · User opens Internet Explorer and writes the URL to the page hosted on the Tomcat server
> > · Internet Explorer sends the user's username and password automatically to Tomcat (Kerberos)
> > · Tomcat validates the user's credentials and accepts the request.
> >
> > This is some form of Single Sign On and I know it works if I use IIS
> > instead of Tomcat. I've found several guides on the net, but no one
> > which tells me if this is possible or not. Hope some of you can
> > point me in the right direction, but perhaps I have to use a third-party
> > application to achieve this??
> >
> > Thanks in advance,
> > Derlei
>
> http://wiki.apache.org/tomcat/FAQ/Windows#Q4
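
A check for the configuration point made in the reply at the top of this thread, as an added example that is not part of the original messages or of jCIFS itself: it scans a web.xml for jcifs.http.NtlmHttpFilter declarations and reports any that leave jcifs.netbios.hostname unset or set it to something that cannot be a NetBIOS name. The function names, the constructed sample web.xml, and the placeholder domain controller dc.example.test are assumptions; the 15-character limit and forbidden-character set are the usual NetBIOS naming rules.

```python
import re
import xml.etree.ElementTree as ET

FILTER_CLASS = "jcifs.http.NtlmHttpFilter"
HOSTNAME_PROP = "jcifs.netbios.hostname"
# A NetBIOS name has at most 15 usable characters; these characters are not allowed.
BAD_CHARS = re.compile(r'[\\/:*?"<>|\s]')

def _local(tag):
    """Strip an XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def check_ntlm_filter(web_xml):
    """Return one finding per NtlmHttpFilter whose NetBIOS calling name is unsafe."""
    findings = []
    for flt in ET.fromstring(web_xml).iter():
        if _local(flt.tag) != "filter" or _child_text(flt, "filter-class") != FILTER_CLASS:
            continue
        name = _child_text(flt, "filter-name") or "<unnamed>"
        params = {_child_text(p, "param-name"): _child_text(p, "param-value")
                  for p in flt if _local(p.tag) == "init-param"}
        host = params.get(HOSTNAME_PROP)
        if not host:
            findings.append(f"{name}: {HOSTNAME_PROP} not set, calling name is generated")
        elif len(host) > 15 or BAD_CHARS.search(host):
            findings.append(f"{name}: {host!r} is not a valid NetBIOS name")
    return findings

def make_web_xml(hostname=None):
    """Build a constructed sample web.xml; dc.example.test is a placeholder."""
    extra = ""
    if hostname is not None:
        extra = (f"<init-param><param-name>{HOSTNAME_PROP}</param-name>"
                 f"<param-value>{hostname}</param-value></init-param>")
    return ('<web-app xmlns="http://java.sun.com/xml/ns/j2ee"><filter>'
            "<filter-name>NtlmHttpFilter</filter-name>"
            f"<filter-class>{FILTER_CLASS}</filter-class>"
            "<init-param><param-name>jcifs.http.domainController</param-name>"
            "<param-value>dc.example.test</param-value></init-param>"
            f"{extra}</filter></web-app>")

if __name__ == "__main__":
    for sample in (make_web_xml(), make_web_xml("MYHOSTNAME"), make_web_xml("TOMCAT-SERVER-0001")):
        print(check_ntlm_filter(sample) or "ok")
```

A clean result only covers the web.xml side; the name still has to resolve through the NetBIOS name service and be listed as a permitted client in the AD policy, as the reply describes.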