Daniel Doubrovkine bio photo

Daniel Doubrovkine

aka dB., @awscloud, former CTO @artsy, +@vestris, NYC

Email Twitter LinkedIn Github Strava
Suggest a Topic
RSS
Creative Commons License

Single Sign-On: Tomcat Negotiate Authenticator (Kerberos + NTLM) w/ Waffle
tomcat | waffle | java | active directory

I’ve added a Tomcat Negotiate (Kerberos + NTLM) authenticator to Waffle 1.3 for Tomcat 6. Here’s how to use it.

Download

Download Waffle 1.3. The zip contains Waffle.chm that has the latest version of this tutorial.

Configure Tomcat

Copy Files

I started with a default installation of Tomcat 6. Checked that I could start the server and navigate to https://localhost:8080. Copy the following files into tomcat’s lib directory.

  • jna.jar: Java Native Access
  • platform.jar: JNA platform-specific API
  • waffle-jna.jar: Tomcat Negotiate Authenticator

Authenticator Valve

Add a valve and a realm to the application context in your context.xml (for an application) or in server.xml (for the entire Tomcat installation).

<Context>
  <Valve className="waffle.apache.NegotiateAuthenticator" principalFormat="fqn" roleFormat="both" />
  <Realm className="waffle.apache.WindowsRealm" />
</Context>

Security Roles

Configure security roles in your application’s web.xml. The Waffle authenticator adds all user’s security groups (including nested and domain groups) as roles during authentication.

<security-role>
  <role-name>Everyone</role-name>
</security-role>

Restrict Access

Restrict access to website resources. For example, to restrict the entire website to locally authenticated users add the following in web.xml.

<security-constraint>
  <display-name>Waffle Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>Everyone</role-name>
  </auth-constraint>
</security-constraint>

Test

Restart Tomcat and navigate to https://localhost:8080.

You should be prompted for a logon with a popup. This is because by default localhost is not in the _Intranet Zone _and the server returned a 401 Unauthorized. Internet servers with a fully qualified named are detected automatically.

Internet Explorer

Ensure that Integrated Windows Authentication is enabled.

  1. Choose the_ Tools, Internet Options_ menu.
  2. Click the Advanced tab.
  3. Scroll down to Security
  4. Check Enable Integrated Windows Authentication.
  5. Restart the browser.

The target website must be in the Intranet Zone.

  1. Navigate to the website.
  2. Choose the Tools, Internet Options menu.
  3. Click the Local Intranet icon.
  4. Click the Sites button.
  5. Check Autmatically detect intranet network.
  6. For localhost, click Advanced.
  7. Add https://localhost to the list.

Firefox

  1. Type about:config in the address bar and hit enter.
  2. Type network.negotiate-auth.trusted-uris in the Filter box.
  3. Put your server name as the value. If you have more than one server, you can enter them all as a comma separated list.
  4. Close the tab.

Navigate to https://localhost:8080 after adding it to the Intranet Zone.

You should no longer be prompted and automatically authenticated.

Logs

In the logs you will see the following output for a successful logon.

logged in user: dblock-green\dblock (S-1-5-21-3442045183-1395134217-4167419351-1000)
 group: dblock-green\None
 group: Everyone
 group: dblock-green\HelpLibraryUpdaters
 group: dblock-green\HomeUsers
 group: BUILTIN\Administrators
 group: BUILTIN\Users
 group: NT AUTHORITY\INTERACTIVE
 group: CONSOLE LOGON
 group: NT AUTHORITY\Authenticated Users
 group: NT AUTHORITY\This Organization
 group: S-1-5-5-0-442419
 group: LOCAL
 group: NT AUTHORITY\NTLM Authentication
 group: Mandatory Label\Medium Mandatory Level
successfully logged in user: dblock-green\dblock

My laptop is not a member of an Active Directory domain, but you would see domain groups, including nested ones here. There’s nothing special to do for Active Directory. The authenticator also automatically handles all aspects of the Negotiate protocol, chooses Kerberos vs. NTLM and supports NTLM POST. It basically has the same effect in Tomcat as choosing Integrated Windows authentication options in IIS.

  • Tomcat SPNEGO by Dominique Guerrin: this is a very good prototype of a filter. It uses JNI and not JNA, doesn’t support NTLM POST and the code is pretty thick.
  • SPNEGO Sourceforge: it’s a nightmare to configure, doesn’t work without an Active Directory domain and requires an SPN
  • JCIFS NTLM: no longer supported and they recommend using Jespa
  • Jespa: a commercial implementation that claims to do the same thing as Waffle, but uses the Netlogon service instead of the native Windows API