I’ve added a Tomcat Negotiate (Kerberos + NTLM) authenticator to Waffle 1.3 for Tomcat 6. Here’s how to use it.
Download Waffle 1.3. The zip contains Waffle.chm that has the latest version of this tutorial.
I started with a default installation of Tomcat 6. Checked that I could start the server and navigate to https://localhost:8080. Copy the following files into Tomcat’s lib directory.
- jna.jar: Java Native Access
- platform.jar: JNA platform-specific API
- waffle-jna.jar: Tomcat Negotiate Authenticator
Add a valve and a realm to the application context in your context.xml (for an application) or in server.xml (for the entire Tomcat installation).
Configure security roles in your application’s web.xml. The Waffle authenticator adds all of the user’s security groups (including nested and domain groups) as roles during authentication.
Restrict access to website resources. For example, to restrict the entire website to locally authenticated users add the following in web.xml.
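The valve, realm and security constraint from the steps above, written out as an added example (not the page’s original listing). The class names and the principalFormat/roleFormat attributes are assumed from Waffle’s Tomcat configuration; the Everyone role is used because every locally authenticated Windows user carries that group, as the log output later on this page shows.

```xml
<!-- context.xml for the application (or inside <Host> in server.xml for all apps) -->
<Context>
  <!-- Answers the first request with 401 + WWW-Authenticate: Negotiate,
       completes the Kerberos or NTLM handshake through JNA and sets the
       request principal to the authenticated Windows account. -->
  <Valve className="waffle.apache.NegotiateAuthenticator"
         principalFormat="fqn"
         roleFormat="both" />
  <!-- Exposes the Windows group memberships of that principal as Tomcat roles. -->
  <Realm className="waffle.apache.WindowsRealm" />
</Context>

<!-- web.xml fragment: declare the role and require it for the whole site -->
<security-role>
  <role-name>Everyone</role-name>
</security-role>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire site</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Any Windows group name reported in the logon log line works here,
         e.g. a domain group, to narrow access further. -->
    <role-name>Everyone</role-name>
  </auth-constraint>
</security-constraint>
```

No login-config element is needed; the valve performs the authentication before the constraint is evaluated.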
Restart Tomcat and navigate to https://localhost:8080.
You should be prompted for a logon with a popup. This is because by default localhost is not in the Intranet Zone and the server returned a 401 Unauthorized. Internet servers with a fully qualified name are detected automatically.
Ensure that Integrated Windows Authentication is enabled.
- Choose the Tools, Internet Options menu.
- Click the Advanced tab.
- Scroll down to Security.
- Check Enable Integrated Windows Authentication.
- Restart the browser.
The target website must be in the Intranet Zone.
- Navigate to the website.
- Choose the Tools, Internet Options menu.
- Click the Local Intranet icon.
- Click the Sites button.
- Check Automatically detect intranet network.
- For localhost, click Advanced.
- Add https://localhost to the list.
- Type about:config in the address bar and press Enter.
- Type network.negotiate-auth.trusted-uris in the Filter box.
- Put your server name as the value. If you have more than one server, you can enter them all as a comma separated list.
- Close the tab.
Navigate to https://localhost:8080 after adding it to the Intranet Zone.
You should no longer be prompted, and you should be authenticated automatically.
In the logs you will see the following output for a successful logon.
```
logged in user: dblock-green\dblock (S-1-5-21-3442045183-1395134217-4167419351-1000)
 group: dblock-green\None
 group: Everyone
 group: dblock-green\HelpLibraryUpdaters
 group: dblock-green\HomeUsers
 group: BUILTIN\Administrators
 group: BUILTIN\Users
 group: NT AUTHORITY\INTERACTIVE
 group: CONSOLE LOGON
 group: NT AUTHORITY\Authenticated Users
 group: NT AUTHORITY\This Organization
 group: S-1-5-5-0-442419
 group: LOCAL
 group: NT AUTHORITY\NTLM Authentication
 group: Mandatory Label\Medium Mandatory Level
successfully logged in user: dblock-green\dblock
```
My laptop is not a member of an Active Directory domain, but you would see domain groups, including nested ones here. There’s nothing special to do for Active Directory. The authenticator also automatically handles all aspects of the Negotiate protocol, chooses Kerberos vs. NTLM and supports NTLM POST. It basically has the same effect in Tomcat as choosing Integrated Windows authentication options in IIS.
- Tomcat SPNEGO by Dominique Guerrin: this is a very good prototype of a filter. It uses JNI and not JNA, doesn’t support NTLM POST and the code is pretty thick.
- SPNEGO Sourceforge: it’s a nightmare to configure, doesn’t work without an Active Directory domain and requires an SPN.
- JCIFS NTLM: no longer supported, and they recommend using Jespa.
- Jespa: a commercial implementation that claims to do the same thing as Waffle, but uses the Netlogon service instead of the native Windows API