I’ve added a Tomcat Negotiate (Kerberos + NTLM) authenticator to Waffle 1.3 for Tomcat 6. Here’s how to use it.
Download
Download Waffle 1.3. The zip contains Waffle.chm that has the latest version of this tutorial.
Configure Tomcat
Copy Files
I started with a default installation of Tomcat 6. Checked that I could start the server and navigate to https://localhost:8080. Copy the following files into tomcat’s lib directory.
- jna.jar: Java Native Access
- platform.jar: JNA platform-specific API
- waffle-jna.jar: Tomcat Negotiate Authenticator
Authenticator Valve
Add a valve and a realm to the application context in your context.xml (for an application) or in server.xml (for the entire Tomcat installation).
Security Roles
Configure security roles in your application’s web.xml. The Waffle authenticator adds all user’s security groups (including nested and domain groups) as roles during authentication.
Restrict Access
Restrict access to website resources. For example, to restrict the entire website to locally authenticated users add the following in web.xml.
Test
Restart Tomcat and navigate to https://localhost:8080.
You should be prompted for a logon with a popup. This is because by default localhost is not in the _Intranet Zone _and the server returned a 401 Unauthorized. Internet servers with a fully qualified named are detected automatically.
Internet Explorer
Ensure that Integrated Windows Authentication is enabled.
- Choose the_ Tools, Internet Options_ menu.
- Click the Advanced tab.
- Scroll down to Security
- Check Enable Integrated Windows Authentication.
- Restart the browser.
The target website must be in the Intranet Zone.
- Navigate to the website.
- Choose the Tools, Internet Options menu.
- Click the Local Intranet icon.
- Click the Sites button.
- Check Autmatically detect intranet network.
- For localhost, click Advanced.
- Add https://localhost to the list.
Firefox
- Type about:config in the address bar and hit enter.
- Type network.negotiate-auth.trusted-uris in the Filter box.
- Put your server name as the value. If you have more than one server, you can enter them all as a comma separated list.
- Close the tab.
Navigate to https://localhost:8080 after adding it to the Intranet Zone.
You should no longer be prompted and automatically authenticated.
Logs
In the logs you will see the following output for a successful logon.
logged in user: dblock-green\dblock (S-1-5-21-3442045183-1395134217-4167419351-1000)
group: dblock-green\None
group: Everyone
group: dblock-green\HelpLibraryUpdaters
group: dblock-green\HomeUsers
group: BUILTIN\Administrators
group: BUILTIN\Users
group: NT AUTHORITY\INTERACTIVE
group: CONSOLE LOGON
group: NT AUTHORITY\Authenticated Users
group: NT AUTHORITY\This Organization
group: S-1-5-5-0-442419
group: LOCAL
group: NT AUTHORITY\NTLM Authentication
group: Mandatory Label\Medium Mandatory Level
successfully logged in user: dblock-green\dblock
My laptop is not a member of an Active Directory domain, but you would see domain groups, including nested ones here. There’s nothing special to do for Active Directory. The authenticator also automatically handles all aspects of the Negotiate protocol, chooses Kerberos vs. NTLM and supports NTLM POST. It basically has the same effect in Tomcat as choosing Integrated Windows authentication options in IIS.
Related Projects
- Tomcat SPNEGO by Dominique Guerrin: this is a very good prototype of a filter. It uses JNI and not JNA, doesn’t support NTLM POST and the code is pretty thick.
- SPNEGO Sourceforge: it’s a nightmare to configure, doesn’t work without an Active Directory domain and requires an SPN
- JCIFS NTLM: no longer supported and they recommend using Jespa
- Jespa: a commercial implementation that claims to do the same thing as Waffle, but uses the Netlogon service instead of the native Windows API