Solved

Apache-Tomcat Single Sign On with NTLM/Kerberos on Windows 2008R2

Posted on 2014-11-25
Last Modified: 2016-06-16
Hi, I need to set up a Tomcat installation for a specific web application. As a premise, I am not really familiar with Tomcat and Java.
We would use single sign-on for the login, as all users work in a Windows domain.
I found a HowTo on the Tomcat page ( Link ) and followed all steps (setspn, krb5 file, etc.).
I did set delegation for the user used for the Tomcat service (mapped to the SPN), and Tomcat starts up.

Now how can I find out if it is working?
How can I get the Windows user name of the user browsing the Tomcat server?
Are there some log files I can look at for the user?
Is there someone here with experience implementing this that could help out?
We want to use the built-in facility.

Server: Windows 2008R2 SP1 all patches
Tomcat: 7.0.57 x64
Java: JDK 1.7.0.72 x64

Thank you and best regards
Question by:OliG
 

Author Comment

by:OliG
ID: 40488356
Nobody around that could help please?

Accepted Solution

by:
Brett Crawley earned 500 total points
ID: 41477003
Hi OliG

I wrote an article on how to do this that could perhaps help you a great deal in setting this up, you can find it here:

http://www.ostering.com/blog/2015/11/20/configuring-tomcat-single-sign-on-with-spnego-kerberos-ldap/

With regard to knowing if this is set up correctly: if you try to access a protected resource, i.e. one within one of your defined security constraints, and you are granted access, then it should mean that everything is working. Otherwise you would get either a 401 Unauthorized HTTP status code, which would mean that the user hasn't been able to authenticate and therefore authorization hasn't been performed, or a 403 Forbidden HTTP status code, which would mean that the user doesn't have the roles required to access the resource.

You may also try using request.getRemoteUser() on the HttpServletRequest object.

Also in the article it details how to enable logging so you can see more information about what is going on.

Regards,

Brett
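One way to put both of Brett's checks (the 401/403 test and request.getRemoteUser()) into a single page you can open from a domain-joined browser. This is an added example, not code from the question, the accepted answer or the linked article, and it targets the built-in Tomcat SPNEGO support OliG asked about. It assumes Tomcat 7's Servlet 3.0 annotations and JDK 7, that /secure/* lies inside a security-constraint in web.xml whose login-config uses SPNEGO as the auth-method while /whoami does not, and a role named "users"; all of those are placeholders to adapt to your web.xml. Mounted on the unprotected path it issues the Negotiate challenge itself and reports which mechanism the browser answered with, which is the piece you cannot see from the protected path, because on an authentication failure the servlet never runs.

```java
// Diagnostic servlet for Tomcat's built-in SPNEGO authenticator. This is an
// added example, not code from the question, the accepted answer or the
// linked article. Assumptions: Servlet 3.0 (Tomcat 7) and JDK 7; /secure/* is
// covered by a <security-constraint> in web.xml with <auth-method>SPNEGO
// </auth-method>, /whoami is not; the role name "users" is a placeholder.
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.bind.DatatypeConverter; // Base64 on JDK 7 (java.util.Base64 is JDK 8+)

@WebServlet(urlPatterns = {"/secure/whoami", "/whoami"})
public class WhoAmIServlet extends HttpServlet {

    // Byte patterns inside a "Negotiate" token (RFC 4178 SPNEGO, RFC 4121 Kerberos).
    private static final byte[] NTLMSSP_SIG = {'N', 'T', 'L', 'M', 'S', 'S', 'P', 0};
    private static final byte[] KRB5_OID =     // 1.2.840.113554.1.2.2
        {0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xf7, 0x12, 0x01, 0x02, 0x02};
    private static final byte[] MS_KRB5_OID =  // 1.2.840.48018.1.2.2, offered first by Windows clients
        {0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x82, (byte) 0xf7, 0x12, 0x01, 0x02, 0x02};

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String auth = req.getHeader("Authorization");
        Principal principal = req.getUserPrincipal();

        // On the unprotected mapping nobody has challenged the browser yet, so do it
        // here: the token that comes back shows what the client can actually offer.
        if (auth == null && principal == null) {
            resp.setHeader("WWW-Authenticate", "Negotiate");
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();

        // What the container decided. On /secure/whoami a null user means the
        // authenticator did not run for this URL (check the url-pattern).
        out.println("getRemoteUser()      : " + req.getRemoteUser());
        out.println("getUserPrincipal()   : " + (principal == null ? "null" : principal.getName()));
        out.println("getAuthType()        : " + req.getAuthType());
        out.println("isUserInRole(users)  : " + req.isUserInRole("users"));

        // What the browser sent. After the first successful login Tomcat keeps the
        // principal in the session, so later requests usually carry no header.
        if (auth == null) {
            out.println("Authorization header : absent (authenticated session reused)");
        } else if (auth.startsWith("Negotiate ")) {
            byte[] token = DatatypeConverter.parseBase64Binary(auth.substring(10).trim());
            out.println("Authorization header : Negotiate, " + token.length + " bytes, "
                    + classifyNegotiateToken(token));
        } else {
            out.println("Authorization header : " + auth.split(" ", 2)[0]
                    + " scheme (browser did not use Negotiate)");
        }
    }

    /** Which mechanism the client really used. The mechTypes list of a SPNEGO
     *  NegTokenInit names NTLM as a fallback even when Kerberos is used, so only
     *  the NTLMSSP signature of the optimistic mechToken proves NTLM was chosen. */
    static String classifyNegotiateToken(byte[] token) {
        if (indexOf(token, NTLMSSP_SIG) >= 0) {
            return "NTLM: the client got no Kerberos ticket for the SPN (check setspn, "
                 + "the host name in the URL and the intranet zone); Tomcat's JGSS-based "
                 + "SPNEGO authenticator has no NTLM mechanism, so this ends in a 401";
        }
        if (indexOf(token, KRB5_OID) >= 0 || indexOf(token, MS_KRB5_OID) >= 0) {
            return "Kerberos: SPNEGO token carrying a Kerberos AP-REQ";
        }
        if (token.length > 0 && token[0] == 0x60) {
            return "GSS-API token with an unrecognised mechanism";
        }
        return "not a GSS-API token";
    }

    /** Naive byte-pattern search; tokens are at most a few KB, so this is fine. */
    private static int indexOf(byte[] haystack, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= haystack.length; i++) {
            for (int j = 0; j < needle.length; j++) {
                if (haystack[i + j] != needle[j]) {
                    continue outer;
                }
            }
            return i;
        }
        return -1;
    }
}
```

Reading the output: on /secure/whoami a 200 with a non-null getRemoteUser() (either "OliG" or "OliG@YOUR.REALM", depending on the Realm's stripRealmForGss attribute) is the "it works" case Brett describes; a 401 there means Tomcat rejected the token, and opening /whoami then tells you whether the browser offered Kerberos or fell back to NTLM, which is the usual reason (wrong SPN, wrong host name, or the site not in the intranet zone). If /whoami just shows a credentials prompt, the browser did not attempt Negotiate at all. For the server-side view, set org.apache.catalina.authenticator.level = FINE in conf/logging.properties and start the JVM with -Dsun.security.krb5.debug=true and -Dsun.security.spnego.debug=true. The unprotected mapping validates nothing and echoes no token bytes, but remove it once SSO works.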
