Solved

Apache-Tomcat Single Sign On with NTLM/Kerberos on Windows 2008R2

Posted on 2014-11-25
Last Modified: 2016-06-16
Hi, I need to set up a Tomcat installation for a specific web application. As a premise, I am not really familiar with Tomcat and Java.
We would use single sign-on for the login, as all users work in a Windows domain.
I found a HowTo on the Tomcat page ( Link ) and followed all steps (setspn, krb5 file, etc.).
I set delegation for the user used for the Tomcat service (mapped to the SPN), and Tomcat starts up.

Now how can I find out if it is working?
How do I get the Windows user name of the user browsing to the Tomcat server?
Are there some log files I can look at for the user?
Is anyone here with experience implementing this who could help out?
We want to use the built-in facility.

Server: Windows 2008R2 SP1 all patches
Tomcat: 7.0.57 x64
Java: JDK 1.7.0.72 x64

Thank you and best regards
Question by: OliG
3 Comments
 

Author Comment

by: OliG
Nobody around that could help please?

Accepted Solution

by: Brett Crawley earned 500 total points
Hi OliG

I wrote an article on how to do this that could perhaps help you a great deal in setting this up, you can find it here:

http://www.ostering.com/blog/2015/11/20/configuring-tomcat-single-sign-on-with-spnego-kerberos-ldap/

With regard to knowing if this is set up correctly: if you try to access a protected resource, i.e. one within one of your defined security constraints, and you are granted access, then it should mean that everything is working. Otherwise you would get either a 401 Unauthorized HTTP status code, which would mean that the user hasn't been able to authenticate and therefore authorization hasn't been performed, or a 403 Forbidden HTTP status code, which would mean that the user doesn't have the roles required to access the resource.

You may also try using request.getRemoteUser() on the HttpServletRequest object.

Also, the article details how to enable logging so you can see more information about what is going on.

Regards,

Brett
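A small diagnostic servlet that puts the answer's two checks in one place: it reports what request.getRemoteUser(), getAuthType() and getUserPrincipal() return after the SPNEGO handshake, and whether the caller holds a role. This is an added example, not code from the question, the answer or Brett's article; the /whoami path and the "tomcat-users" role name are assumptions and must match your own web.xml and realm.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical diagnostic servlet: reports who Tomcat thinks the caller is.
// Map it inside a <security-constraint> in web.xml (with <login-config>
// <auth-method>SPNEGO</auth-method>) so it is only reachable once the
// Kerberos handshake has succeeded.
@WebServlet("/whoami")
public class WhoAmIServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();

        // Name the container authenticated: the Kerberos principal, with or
        // without the @REALM suffix depending on the realm configuration.
        String remoteUser = req.getRemoteUser();
        // Scheme used; Tomcat's SpnegoAuthenticator reports "SPNEGO".
        String authType = req.getAuthType();
        Principal principal = req.getUserPrincipal();

        out.println("remoteUser = " + remoteUser);
        out.println("authType   = " + authType);
        out.println("principal  = " + (principal == null ? "null" : principal.getName()));
        // Role check; "tomcat-users" is an assumed role name and must match
        // the <auth-constraint> in web.xml and the roles the realm returns.
        out.println("isUserInRole(tomcat-users) = " + req.isUserInRole("tomcat-users"));

        if (remoteUser == null) {
            // Only reachable if the constraint is missing or wrong: the request
            // was served anonymously, so SSO did not happen.
            out.println("WARNING: request reached the servlet unauthenticated");
        }
    }
}
```

A browser on a domain-joined client that reaches the page and shows its own account name with authType SPNEGO confirms the ticket exchange; a 401 or 403 before the page is reached maps to the two failure cases described in the answer.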
