Nikola Milutinovic-2 wrote:
>
> Just to make the picture complete, it can also be done with Apache +
> mod_auth_kerb + mod_jk. It does require some steps and the most tricky one
> is getting a proper Kerberos Service key from MS ADS. We've done it, so it
> is not really a big deal. However, people tend to state that TC is as good
> at serving static content as Apache and that eliminating one link in the
> server chain reduces complexity. Which is true. And which is why we need a
> proper Kerberos realm for these setups.
>
> Nix.
>
> ________________________________
> From: George Sexton <geor...@mhsoftware.com>
> To: Tomcat Users List <users@tomcat.apache.org>
> Sent: Monday, September 14, 2009 7:47:48 PM
> Subject: RE: Windwos Integrated Authentication using AD and Tomcat (no
> prompt to the users)
>
> If you're fronting Tomcat w/ IIS using the ISAPI redirector, then this can
> be done. Here's a link to the instructions for our product that describe
> how to do it.
>
> http://www.mhsoftware.com/caldemo/manual/en/pageFinder.html?page=895.htm
>
> Essentially, following steps 2-4 will cause the
> HttpServletRequest.getRemoteUser() to return the Windows User name
> (SAMAccountName).
>
> George Sexton
> MH Software, Inc.
> http://www.mhsoftware.com/
> Voice: 303 438 9585
>
>> -----Original Message-----
>> From: Nikola Milutinovic [mailto:alok...@yahoo.com]
>> Sent: Monday, September 14, 2009 11:26 AM
>> To: Tomcat Users List; Tomcat Users List
>> Subject: Re: Windwos Integrated Authentication using AD and Tomcat (no
>> prompt to the users)
>>
>> There is also a module from Quest Software, using Kerberos
>> authentication, but it costs mega $.
>>
>> Has anyone considered writing a TC realm for Kerberos?
>>
>> Before MS ADS came into popular use, Kerberos was a rare beast, but now
>> it is more present. And it is much better than NTLM, which is why MS
>> started using it. Just think about it - NTLM sucked so badly that the
>> great Behemoth, Microsoft, decided to use open standard solution.
>>
>> Nix.
>>
>> ________________________________
>> From: André Warnier <a...@ice-sa.com>
>> To: Tomcat Users List <users@tomcat.apache.org>
>> Sent: Sunday, September 13, 2009 1:33:16 PM
>> Subject: Re: Windwos Integrated Authentication using AD and Tomcat (no
>> prompt to the users)
>>
>> To Martin, Steve and others :
>>
>> Samba's JCIFS works fine, but only for NTLMv1 authentication.
>> (It is also no longer maintained, see http://jcifs.samba.org.)
>> It does NOT work for NTLMv2 authentication, which is fast becoming the
>> norm, and the default from Vista onwards.
>> Jespa works with NTLMv2, and is free for up to 25 users.
>>
>> I have no shares in ioplex or Jespa.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>

You can see http://tomcatspnego.codeplex.com

There are two solutions, one only for Tomcat running on Windows and another which also works with Tomcat running on Unix. The first version uses JNDI with a DLL. The second version uses a Windows service running with .NET 2.0.

Dominique Guerin