Posted to users@tomcat.apache.org by André Warnier <aw...@ice-sa.com> on 2009/02/07 17:23:33 UTC

Windows Domain authentication with Vista (and Tomcat)

Hi.

I have an issue with Windows Domain authentication, Vista and (probably) 
NTLMv2.  It is under Tomcat too. ;-)
I was browsing Google and the various lists at marc.info, and happened 
to find what looks like a promising link as follows:

https://issues.apache.org/bugzilla/show_bug.cgi?id=46323

This would seem to indicate that there is something going on at the 
Tomcat level about NTLM/AD authentication.  But I have no clue about how 
to follow the above.. clue.

Basically, I'm picking at straws and trying to gather information and 
find someone, or some place, which can provide more.
Can anyone provide ideas as to where I should go, whom to get in touch 
with, anything ?

Thanks in advance.

P.S.
Short description: For a Tomcat application, I use an 
authentication/SSO mechanism partly composed of jCIFS (jcifs.samba.org), 
partly self-built.  It has worked nicely so far, but appears to have 
problems at one customer, with Vista workstations recently introduced.
I'm trying to solve this.
The application also uses Apache httpd 2.2, and I could do the 
authentication either there or at the Tomcat level. At this problem 
site, both Apache and Tomcat run on the same Windows 2003 host.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Windows Domain authentication with Vista (and Tomcat)

Posted by André Warnier <aw...@ice-sa.com>.
Caldarale, Charles R wrote:
>> From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
>> Subject: RE: Windows Domain authentication with Vista (and Tomcat)
>>
>> Even if you're not using the NTLM HTTP filter
> 
> Are you using the current version of jCIFS?  Only 1.3 and above support NTLMv2.
> 
> You may want to post your question on the jCIFS mailing list; Mike will likely want Wireshark traces of the NTLMv2 negotiations if you do.
> 
Many thanks for the info. I had completely overlooked the latest 1.3.1 
version.  I did try the 1.3.0 and it didn't work, but I see now a 
comment to the effect that it was broken for HTTP authentication (which 
I do use). I'll go and try it again.
And I understand why Mike would want a Wireshark trace with that stuff.




RE: Windows Domain authentication with Vista (and Tomcat)

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
> Subject: RE: Windows Domain authentication with Vista (and Tomcat)
>
> Even if you're not using the NTLM HTTP filter

Are you using the current version of jCIFS?  Only 1.3 and above support NTLMv2.

You may want to post your question on the jCIFS mailing list; Mike will likely want Wireshark traces of the NTLMv2 negotiations if you do.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.

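Chuck's point about Wireshark traces of the NTLMv2 negotiation is the quickest way to settle whether a Vista client is actually sending NTLMv2. The following is an added example, not code from this thread or from jCIFS: it classifies a captured NTLMSSP AUTHENTICATE (Type 3) message, for instance the value of the browser's Authorization: NTLM header, as NTLMv1, NTLM2 session or NTLMv2 from the shape of its NtChallengeResponse field, following the [MS-NLMP] layout. The sample messages, filler bytes and user name are constructed for the demonstration.

```python
import base64
import struct

# Negotiate flags from [MS-NLMP] section 2.2.2.5
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000  # "NTLM2 session security"

def _field(msg, off):
    """Read a (Len, MaxLen, BufferOffset) descriptor at 'off' and return the referenced bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    return msg[offset:offset + length]

def classify_authenticate(msg):
    """Classify an NTLMSSP AUTHENTICATE (Type 3) message as NTLMv1, NTLM2 session or NTLMv2."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE message")
    lm_resp, nt_resp = _field(msg, 12), _field(msg, 20)   # LmChallengeResponse, NtChallengeResponse
    flags = struct.unpack_from("<I", msg, 60)[0]
    user = _field(msg, 36).decode("utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii")
    if len(nt_resp) > 24 and nt_resp[16:18] == b"\x01\x01":
        kind = "NTLMv2"          # 16-byte NTProofStr + NTLMv2_CLIENT_CHALLENGE (RespType 1, HiRespType 1)
    elif len(nt_resp) == 24 and flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY and lm_resp[8:] == b"\x00" * 16:
        kind = "NTLM2 session"   # 24-byte NT response; LM field holds an 8-byte client nonce, zero-padded
    else:
        kind = "NTLMv1"          # plain 24-byte DES-based responses
    return {"user": user, "kind": kind, "nt_response_len": len(nt_resp)}

def classify_authorization_header(value):
    """Classify the value of an HTTP 'Authorization: NTLM <base64>' request header."""
    scheme, _, token = value.partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    return classify_authenticate(base64.b64decode(token))

def build_sample_authenticate(user, lm_resp, nt_resp, flags):
    """Constructed minimal Type 3 message (64-byte header, no Version or MIC) for exercising the parser."""
    fields, payload = b"", b""
    # Field order: LM response, NT response, domain, user, workstation, encrypted session key.
    for buf in (lm_resp, nt_resp, b"", user.encode("utf-16-le"), b"", b""):
        fields += struct.pack("<HHI", len(buf), len(buf), 64 + len(payload))
        payload += buf
    return b"NTLMSSP\x00" + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + payload

def to_authorization_header(msg):
    return "NTLM " + base64.b64encode(msg).decode("ascii")

# Constructed sample responses (filler bytes, not real hashes or challenges).
V2_NT = b"\xaa" * 16 + b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + b"\xbb" * 8 + b"\x00" * 12
V2_LM = b"\xcc" * 16 + b"\xbb" * 8
V1_NT, V1_LM = b"\xdd" * 24, b"\xee" * 24
```

On a real capture, feed the base64 token of the third NTLM round trip (the Type 3 message) to classify_authorization_header; a result of "NTLMv2" with an older jCIFS than 1.3 explains the failure Chuck describes.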


RE: Windows Domain authentication with Vista (and Tomcat)

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: André Warnier [mailto:aw@ice-sa.com]
> Subject: Windows Domain authentication with Vista (and Tomcat)
>
> https://issues.apache.org/bugzilla/show_bug.cgi?id=46323
> This would seem to indicate that there is something going on at the
> Tomcat level about NTLM/AD authentication.

Not that there /is/ something going on, but the submitter would like something /to be/ going on.  I doubt that the above enhancement request would be accepted as is, since it modifies the permitted values for <auth-method> and is therefore out of compliance with the servlet spec.  But we'll see...

> For a Tomcat application, I use an authentication/SSO
> mechanism partly composed of jCIFS (jcifs.samba.org),
> partly self-built.

Are you using the NTLM HTTP filter that is available with jCIFS?  If so, it cannot be used in conjunction with NTLMv2, which the Vista box may well be insisting on.  Examine the LmCompatibilityLevel setting in the Vista system registry at HKLM\SYSTEM\CurrentControlSet\Control\Lsa; make sure it's no higher than 3.

Even if you're not using the NTLM HTTP filter, we've had trouble with Vista connecting to non-Microsoft SMB servers when the above registry setting is higher than 3; XP works fine when at 5 (the highest setting), so Vista is doing something weird that we haven't figured out yet.

 - Chuck


