Re: Single Sign-On problems

[André Warnier]

Carlton Whitmore wrote:
Andre,
The only reason I think it's Tomcat because when we change the Tomcat version 
it seems to affect the speed of the application (Tomcat 7 runs very slow, but 
no SSO errors; Tomcat 6 runs fast, but SSO errors). We're using Active 
Directory to authenticate. I guess it could be SSL as well. I've change the 
domain controller, but that didn't affect the issue. Here is the code we 
changed in the conf\web.xml file:
 
 <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>
 
   <filter>
     <filter-name>NtlmHttpFilter</filter-name>
     <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
     <init-param>
         <param-name>jcifs.http.domainController</param-name>
         <param-value>192.168.100.6</param-value>
     </init-param>
     <init-param>
         <param-name>jcifs.smb.client.domain</param-name>
         <param-value>advocacyinc</param-value>
     </init-param>
     <init-param>
         <param-name>jcifs.smb.client.username</param-name>
         <param-value>SQL_LegalFiles</param-value>
     </init-param>
     <init-param>
         <param-name>jcifs.smb.client.password</param-name>
         <param-value>>password</param-value>
     </init-param>
     <init-param>
         <param-name>jcifs.smb.lmCompatibility</param-name>
         <param-value>3</param-value>
     </init-param>
    <!-- ** needs reviewed to avoid domain Preauth check
    init-param>
        <param-name>jcifs.smb.client.ssnLimit</param-name>
        <param-value>1</param-value>
    </init-param>
    -->
</filter>
<filter-mapping>
    <filter-name>NtlmHttpFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
 

1) you do know that this NtlmHttpFilter is no longer developed or supported, and that it 
will never support NTLM v2 (as is standard with Windows Vista, 7 and later), right ?
You should be thinking about switching to Jespa or Waffle.

2) anyway, the jCIFS filter can do quite extensive logs of what it does (see 
jcifs.util.loglevel).  You could try using that and check what it is telling you about the 
failures.

3) when you mention "SSO failures", what do you mean exactly ? the browser popping up a 
builtin authentication dialog ? or something else ?
And is the above your standard operational configuration, or a simplified one you are just 
using for this test ?



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org