Samuel Penn wrote:
Hi all,
I'm trying to get Tomcat to authenticate against Active Directory, but
failing
...
Not directly related to what your current issue is, but just as
information:
http://www.ioplex.com/jespa.html
I am using that in Windows environments, and it really works out of the
box, for thousands of users.
A bit of explanatory philosophy, because this subject comes up so often:
I have found that in practice, there is a certain amount of
confusion at the interface between the Java/Open Source world, and the
corporate Windows-centric world.
When a Unix/Linux/Open Source developer type asks the corporate
MS-Windows sysadmin type what the "network user authentication method"
is, very often the answer will be "Active Directory".
In fact, it isn't.
AD is just the database back-end used by Windows Domain Controllers,
which are, for all the Windows workstations, the real authenticators.
The real authentication which happens is the Microsoft "NTLM"
authentication, which is a complicated and sometimes annoying multi-pass
exchange between browsers and Windows domain Controllers. Workstations
never talk directly to the AD server, they talk to the DCs.
Workstations do not talk LDAP protocol, they talk NTLM protocol.
Similarly, IIS webservers, and MS proxy servers, talk to a DC to
authenticate the users accessing them from their browsers. They do not
talk directly to the AD server.
That the Windows DCs themselves use a back-end AD server is pretty much
irrelevant in the end.
Jespa is a servlet filter, which you install like any servlet filter,
"around" a webapp. It automatically authenticates a Windows workstation
user accessing the webapp, on the basis of his network domain login-id,
which he entered when he turned on his PC this morning and logged in to
the Windows domain.
Jespa does that by talking to the DC, just like IIS would do.
If it gets a valid domain user-id from the browser, it passes this
user-id to Tomcat. A webapp can then retrieve it in the normal way, via
calls such as getRemoteUser(). The Jespa module, in its later
incarnations, can also "translate" a Windows user's group membership
into the Tomcat concept of "user role".
The additional benefit is that in most cases, all this happens
transparently to the user, who never even sees a login dialog.
So basically, you also get SSO for free.
There used to be an open source similar solution available, made by the
same people who make jCIFS (at samba.org). It was called the "jCIFS
HTTP NTLM authentication filter" or similar. But that software is no
longer developed or maintained, and does not work with recent revisions
of the Windows NTLM protocol (v2, as standard since Vista and beyond).
Jespa works with all NTLM versions.
All that I am saying in the paragraphs above applies fully only if all
the Tomcat users which you wish to authenticate are first logged in to
a Windows domain, before they call up a Tomcat-based application.
If you also have users who contact the Tomcat servers from outside a
Windows domain (e.g. from the Internet without a corporate VPN),
then you are out of luck, and you will have to do another kind of
authentication, such as presenting users with a login screen and using a
direct interface to the AD server.
But in 99% of the corporate cases, what I describe above is the easiest
solution. (and it also works with Firefox, not just with IE).