Posted to users@tomcat.apache.org by "N.s.Karthik" <ns...@gmail.com> on 2013/03/25 04:30:50 UTC

IWA username using JSP for Already authenticated Window system

Hi

spec : O/s Linux -Oracle
            Jdk =1.6
            Tomcat  = 7.0.30
            Browsers = IE8 Only
            
         * Pre authenticated Windows Clients via Active directory * 
          Would use Integrated Window Authentication settings for Browsers

  

Question :  Since All the Systems are pre authenticated in Window domain via
Active Directory during bootup process, and On request of a URL of web
application ( Tomcat7 served from linux) need to pass the username of the
system ?


Can somebody help me for the solutions .....

with regards karthik




--
View this message in context: http://tomcat.10.n6.nabble.com/IWA-username-using-JSP-for-Already-authenticated-Window-system-tp4996846.html
Sent from the Tomcat - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: IWA username using JSP for Already authenticated Window system

Posted by Daniel Mikusa <dm...@vmware.com>.
On Mar 25, 2013, at 10:47 AM, N.s.Karthik wrote:

> Hi
> 
> Thx for the Quick Reply
> 
>>> https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
> 
> I have already tried this and found the same to Work only on Windows Environment

Tried what specifically?  There are several suggestions for making this work at the above link.  

> 
> but my Tomcat servers are on  Oracle Linux Systems...
> 
> Will this configurations work with "Tomcat 7.0.30 on Linux"  with Clients
> using IE8 from Windows ???

Again, you are going to need to be more specific on what configuration you are referring to.

Dan


> 
> 
> with regards
> Karthik 


Re: IWA username using JSP for Already authenticated Window system

Posted by Cédric Couralet <ce...@gmail.com>.
>>
>> One thing to watch for is that the client must use Kerberos and not
>> NTLM (it's a guess but it seems logical) .
>
>
> Sorry to burst in, but can you elaborate on that ?
> Why does it seem logical ?  To my own (admittedly limited) knowledge,
> Kerberos is not the most widely implemented solution in Windows networks,
> NTLMv2 is.  Does the SPNEGO implementation in Tomcat not work with NTLMv2
> then ?
>
Only on a linux box.
In my mind, NTLM being a Microsoft protocol, the chance of it working
on a linux box was small.

That is what I observed. When the tomcat on my linux was configured
with the SPNEGO valve, at first my browser was talking NTLM
(apparently, you can see that when the first response to the negotiate
challenge begins with NTRLM...), and I got an error in tomcat log
saying can't validate client ticket.

Once I declared the box in the active directory dns, my browser
stopped using NTLM for Kerberos and everything works as expected.

It should be apparent I'm really not an expert on that, so all that is
just some guesses. I'm still studying all that.
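
Added example, not part of the original thread: a Python sketch of the check described above, decoding the token a browser sends in `Authorization: Negotiate` to tell an NTLM fallback from a Kerberos ticket (a raw NTLM token decodes to the `NTLMSSP` signature, so its base64 starts with `TlRMTVNTUAAB`). Function and sample names are illustrative, the samples are constructed, and the SPNEGO branch is a byte-search heuristic rather than a full ASN.1 parse.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2 (legacy Microsoft OID)

def der_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, offset of content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_authorization(header_value):
    """Report which mechanism an Authorization header value carries."""
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() not in ("negotiate", "ntlm"):
        return "not-negotiate"
    try:
        token = base64.b64decode(parts[1].strip(), validate=True)
        if token.startswith(NTLM_SIGNATURE):
            # Raw NTLMSSP: little-endian message type follows the signature.
            return "ntlm-type%d" % struct.unpack_from("<I", token, 8)[0]
        _, pos = der_length(token, 1)
        if token[0] != 0x60 or token[pos] != 0x06:  # GSS-API token, then mech OID
            return "unknown"
        oid_len, pos = der_length(token, pos + 1)
        oid, rest = token[pos:pos + oid_len], token[pos + oid_len:]
    except (ValueError, IndexError, struct.error):
        return "malformed"
    if oid in (OID_KRB5, OID_MS_KRB5):
        return "kerberos"
    if oid != OID_SPNEGO:
        return "unknown"
    # Heuristic: look for the offered mechanism inside the SPNEGO body.
    if OID_KRB5 in rest or OID_MS_KRB5 in rest:
        return "spnego-kerberos"
    return "spnego-ntlm" if NTLM_SIGNATURE in rest else "spnego-other"

def tlv(tag, body):  # minimal DER tag-length-value, bodies under 128 bytes
    return bytes([tag, len(body)]) + body

# Constructed samples, not captured traffic.
MECH_LIST = tlv(0xA0, tlv(0x30, tlv(0xA0, tlv(0x30, tlv(0x06, OID_KRB5)))))
SAMPLE_NTLM = "Negotiate " + base64.b64encode(NTLM_SIGNATURE + struct.pack("<II", 1, 0)).decode()
SAMPLE_KRB = "Negotiate " + base64.b64encode(tlv(0x60, tlv(0x06, OID_SPNEGO) + MECH_LIST)).decode()
```

Pass the value of the `Authorization` request header taken from a capture or request log to `classify_authorization`; an `ntlm-type1` result means the browser did not obtain a Kerberos ticket for the host.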



Re: IWA username using JSP for Already authenticated Window system

Posted by André Warnier <aw...@ice-sa.com>.
Cédric Couralet wrote:
> 2013/3/25 N.s.Karthik <ns...@gmail.com>:
>> Hi
> 
> Hello
> 
>>>> https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
>> I have already tried this and found the same to Work only on Windows
>> Environment
>>
>> but my Tomcat servers are on  Oracle Linux Systems...
>>
>> Will this configurations work with "Tomcat 7.0.30 on Linux"  with Clients
>> using IE8 from Windows ???
>>
> 
> I will assume you talk about the SPNEGO Authenticator from tomcat.
> If that is the case, then I can confirm it works on Linux (Debian SID  here).
> 
> One thing to watch for is that the client must use Kerberos and not
> NTLM (it's a guess but it seems logical) .

Sorry to burst in, but can you elaborate on that ?
Why does it seem logical ?  To my own (admittedly limited) knowledge, Kerberos is not the 
most widely implemented solution in Windows networks, NTLMv2 is.  Does the SPNEGO 
implementation in Tomcat not work with NTLMv2 then ?

> For this, you must have AD knowing your tomcat server ie : nslookup
> your.url must return your IP address .
> 
> For the rest the documentation on the tomcat website is basically all I needed.


Re: IWA username using JSP for Already authenticated Window system

Posted by Cédric Couralet <ce...@gmail.com>.
2013/3/25 N.s.Karthik <ns...@gmail.com>:
> Hi

Hello

>>>https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
>
> I have already tried this and found the same to Work only on Windows
> Environment
>
> but my Tomcat servers are on  Oracle Linux Systems...
>
> Will this configurations work with "Tomcat 7.0.30 on Linux"  with Clients
> using IE8 from Windows ???
>

I will assume you talk about the SPNEGO Authenticator from tomcat.
If that is the case, then I can confirm it works on Linux (Debian SID  here).

One thing to watch for is that the client must use Kerberos and not
NTLM (it's a guess but it seems logical) .
For this, you must have AD knowing your tomcat server ie : nslookup
your.url must return your IP address .

For the rest the documentation on the tomcat website is basically all I needed.



Re: IWA username using JSP for Already authenticated Window system

Posted by "N.s.Karthik" <ns...@gmail.com>.
Hi

Thx for the Quick Reply

>>https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html

I have already tried this and found the same to Work only on Windows
Environment

but my Tomcat servers are on  Oracle Linux Systems...

Will this configurations work with "Tomcat 7.0.30 on Linux"  with Clients
using IE8 from Windows ???


with regards
Karthik 




--
View this message in context: http://tomcat.10.n6.nabble.com/IWA-username-using-JSP-for-Already-authenticated-Window-system-tp4996846p4996896.html
Sent from the Tomcat - User mailing list archive at Nabble.com.



Re: IWA username using JSP for Already authenticated Window system

Posted by Daniel Mikusa <dm...@vmware.com>.
On Mar 24, 2013, at 11:30 PM, N.s.Karthik wrote:

> Hi
> 
> spec : O/s Linux -Oracle
>            Jdk =1.6
>            Tomcat  = 7.0.30
>            Browsers = IE8 Only
> 
>         * Pre authenticated Windows Clients via Active directory * 
>          Would use Integrated Window Authentication settings for Browsers
> 
> 
> 
> Question :  Since All the Systems are pre authenticated in Window domain via
> Active Directory during bootup process, and On request of a URL of web
> application ( Tomcat7 served from linux) need to pass the username of the
> system ?

Have you read...

https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html

Dan


> 
> Can somebody help me for the solutions .....
> 
> with regards karthik