/usr/share/tomcat8-docs/docs/windows-auth-howto.html is in tomcat8-docs 8.5.30-1ubuntu1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 | <!DOCTYPE html SYSTEM "about:legacy-compat">
<html lang="en"><head><META http-equiv="Content-Type" content="text/html; charset=UTF-8"><link href="./images/docs-stylesheet.css" rel="stylesheet" type="text/css"><title>Apache Tomcat 8 (8.5.30) - Windows Authentication How-To</title><script type="application/javascript" data-comments-identifier="tomcat-8.5-doc/windows-auth-howto">
"use strict"; // Enable strict mode
(function() {
var thisScript = document.currentScript;
if (!thisScript) { // Workaround for IE <= 11
var scripts = document.getElementsByTagName("script");
thisScript = scripts[scripts.length - 1];
}
document.addEventListener("DOMContentLoaded", (function() {
var commentsDiv = document.getElementById("comments_thread");
var commentsShortname = "tomcat";
var commentsIdentifier = "http://tomcat.apache.org/" +
thisScript.getAttribute("data-comments-identifier") + ".html";
(function(w, d) {
if (w.location.hostname.toLowerCase() == "tomcat.apache.org") {
var s = d.createElement("script");
s.type = "application/javascript";
s.async = true;
s.src = "https://comments.apache.org/show_comments.lua?site=" +
encodeURIComponent(commentsShortname) +
"&page=" + encodeURIComponent(commentsIdentifier);
d.head.appendChild(s);
} else {
commentsDiv.appendChild(d.createTextNode("Comments are disabled for this page at the moment."));
}
})(window, document);
}), false);
})();
</script></head><body><div id="wrapper"><header><div id="header"><div><div><div class="logo noPrint"><a href="http://tomcat.apache.org/"><img alt="Tomcat Home" src="./images/tomcat.png"></a></div><div style="height: 1px;"></div><div class="asfLogo noPrint"><a href="http://www.apache.org/" target="_blank"><img src="./images/asf-logo.svg" alt="The Apache Software Foundation" style="width: 266px; height: 83px;"></a></div><h1>Apache Tomcat 8</h1><div class="versionInfo">
Version 8.5.30,
<time datetime="2018-04-19">Apr 19 2018</time></div><div style="height: 1px;"></div><div style="clear: left;"></div></div></div></div></header><div id="middle"><div><div id="mainLeft" class="noprint"><div><nav><div><h2>Links</h2><ul><li><a href="index.html">Docs Home</a></li><li><a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li><li><a href="#comments_section">User Comments</a></li></ul></div><div><h2>User Guide</h2><ul><li><a href="introduction.html">1) Introduction</a></li><li><a href="setup.html">2) Setup</a></li><li><a href="appdev/index.html">3) First webapp</a></li><li><a href="deployer-howto.html">4) Deployer</a></li><li><a href="manager-howto.html">5) Manager</a></li><li><a href="host-manager-howto.html">6) Host Manager</a></li><li><a href="realm-howto.html">7) Realms and AAA</a></li><li><a href="security-manager-howto.html">8) Security Manager</a></li><li><a href="jndi-resources-howto.html">9) JNDI Resources</a></li><li><a href="jndi-datasource-examples-howto.html">10) JDBC DataSources</a></li><li><a href="class-loader-howto.html">11) Classloading</a></li><li><a href="jasper-howto.html">12) JSPs</a></li><li><a href="ssl-howto.html">13) SSL/TLS</a></li><li><a href="ssi-howto.html">14) SSI</a></li><li><a href="cgi-howto.html">15) CGI</a></li><li><a href="proxy-howto.html">16) Proxy Support</a></li><li><a href="mbeans-descriptors-howto.html">17) MBeans Descriptors</a></li><li><a href="default-servlet.html">18) Default Servlet</a></li><li><a href="cluster-howto.html">19) Clustering</a></li><li><a href="balancer-howto.html">20) Load Balancer</a></li><li><a href="connectors.html">21) Connectors</a></li><li><a href="monitoring.html">22) Monitoring and Management</a></li><li><a href="logging.html">23) Logging</a></li><li><a href="apr.html">24) APR/Native</a></li><li><a href="virtual-hosting-howto.html">25) Virtual Hosting</a></li><li><a href="aio.html">26) Advanced IO</a></li><li><a href="extras.html">27) Additional Components</a></li><li><a href="maven-jars.html">28) Mavenized</a></li><li><a href="security-howto.html">29) Security Considerations</a></li><li><a href="windows-service-howto.html">30) Windows Service</a></li><li><a href="windows-auth-howto.html">31) Windows Authentication</a></li><li><a href="jdbc-pool.html">32) Tomcat's JDBC Pool</a></li><li><a href="web-socket-howto.html">33) WebSocket</a></li><li><a href="rewrite.html">34) Rewrite</a></li></ul></div><div><h2>Reference</h2><ul><li><a href="RELEASE-NOTES.txt">Release Notes</a></li><li><a href="config/index.html">Configuration</a></li><li><a href="api/index.html">Tomcat Javadocs</a></li><li><a href="servletapi/index.html">Servlet Javadocs</a></li><li><a href="jspapi/index.html">JSP 2.3 Javadocs</a></li><li><a href="elapi/index.html">EL 3.0 Javadocs</a></li><li><a href="websocketapi/index.html">WebSocket 1.1 Javadocs</a></li><li><a href="http://tomcat.apache.org/connectors-doc/">JK 1.2 Documentation</a></li></ul></div><div><h2>Apache Tomcat Development</h2><ul><li><a href="building.html">Building</a></li><li><a href="changelog.html">Changelog</a></li><li><a href="http://wiki.apache.org/tomcat/TomcatVersions">Status</a></li><li><a href="developers.html">Developers</a></li><li><a href="architecture/index.html">Architecture</a></li><li><a href="funcspecs/index.html">Functional Specs.</a></li><li><a href="tribes/introduction.html">Tribes</a></li></ul></div></nav></div></div><div id="mainRight"><div id="content"><h2>Windows Authentication How-To</h2><h3 id="Table_of_Contents">Table of Contents</h3><div class="text">
<ul><li><a href="#Overview">Overview</a></li><li><a href="#Built-in_Tomcat_support">Built-in Tomcat support</a><ol><li><a href="#Domain_Controller">Domain Controller</a></li><li><a href="#Tomcat_instance_(Windows_server)">Tomcat instance (Windows server)</a></li><li><a href="#Tomcat_instance_(Linux_server)">Tomcat instance (Linux server)</a></li><li><a href="#Web_application">Web application</a></li><li><a href="#Client">Client</a></li><li><a href="#References">References</a></li></ol></li><li><a href="#Third_party_libraries">Third party libraries</a><ol><li><a href="#Waffle">Waffle</a></li><li><a href="#Spring_Security_-_Kerberos_Extension">Spring Security - Kerberos Extension</a></li><li><a href="#SPNEGO_project_at_SourceForge">SPNEGO project at SourceForge</a></li><li><a href="#Jespa">Jespa</a></li></ol></li><li><a href="#Reverse_proxies">Reverse proxies</a><ol><li><a href="#Microsoft_IIS">Microsoft IIS</a></li><li><a href="#Apache_httpd">Apache httpd</a></li></ol></li></ul>
</div><h3 id="Overview">Overview</h3><div class="text">
<p>Integrated Windows authentication is most frequently used within intranet
environments since it requires that the server performing the authentication and
the user being authenticated are part of the same domain. For the user to be
authenticated automatically, the client machine used by the user must also be
part of the domain.</p>
<p>There are several options for implementing integrated Windows authentication
with Apache Tomcat. They are:</p>
<ul>
<li>Built-in Tomcat support.</li>
<li>Use a third party library such as Waffle.</li>
<li>Use a reverse proxy that supports Windows authentication to perform the
authentication step such as IIS or httpd.</li>
</ul>
<p>The configuration of each of these options is discussed in the following
sections.</p>
</div><h3 id="Built-in_Tomcat_support">Built-in Tomcat support</h3><div class="text">
<p>Kerberos (the basis for integrated Windows authentication) requires careful
configuration. If the steps in this guide are followed exactly, then a working
configuration will result. It is important that the steps below are followed
exactly. There is very little scope for flexibility in the configuration. From
the testing to date it is known that:</p>
<ul>
<li>The host name used to access the Tomcat server must match the host name in
the SPN exactly else authentication will fail. A checksum error may be reported
in the debug logs in this case.</li>
<li>The client must be of the view that the server is part of the local trusted
intranet.</li>
<li>The SPN must be HTTP/<hostname> and it must be exactly the same in all
the places it is used.</li>
<li>The port number must not be included in the SPN.</li>
<li>No more than one SPN may be mapped to a domain user.</li>
<li>Tomcat must run as the domain account with which the SPN has been associated
or as domain admin. It is <strong>NOT</strong> recommended to run Tomcat under a
domain admin user.</li>
<li>The domain name (<code>DEV.LOCAL</code>) is not case sensitive when used in
the ktpass command, nor when used in jaas.conf</li>
<li>The domain must be specified when using the ktpass command</li>
</ul>
<p>There are four components to the configuration of the built-in Tomcat
support for Windows authentication. The domain controller, the server hosting
Tomcat, the web application wishing to use Windows authentication and the client
machine. The following sections describe the configuration required for each
component.</p>
<p>The names of the three machines used in the configuration examples below are
win-dc01.dev.local (the domain controller), win-tc01.dev.local (the Tomcat
instance) and win-pc01.dev.local (client). All are members of the DEV.LOCAL
domain.</p>
<p>Note: In order to use the passwords in the steps below, the domain password
policy had to be relaxed. This is not recommended for production environments.
</p>
<div class="subsection"><h4 id="Domain_Controller">Domain Controller</h4><div class="text">
<p>These steps assume that the server has already been configured to act as a
domain controller. Configuration of a Windows server as a domain controller is
outside the scope of this how-to. The steps to configure the domain controller
to enable Tomcat to support Windows authentication are as follows:
</p>
<ul>
<li>Create a domain user that will be mapped to the service name used by the
Tomcat server. In this how-to, this user is called <code>tc01</code> and has a
password of <code>tc01pass</code>.</li>
<li>Map the service principal name (SPN) to the user account. SPNs take the
form <code>
<service class>/<host>:<port>/<service name></code>.
The SPN used in this how-to is <code>HTTP/win-tc01.dev.local</code>. To
map the user to the SPN, run the following:
<div class="codeBox"><pre><code>setspn -A HTTP/win-tc01.dev.local tc01</code></pre></div>
</li>
<li>Generate the keytab file that the Tomcat server will use to authenticate
itself to the domain controller. This file contains the Tomcat private key for
the service provider account and should be protected accordingly. To generate
the file, run the following command (all on a single line):
<div class="codeBox"><pre><code>ktpass /out c:\tomcat.keytab /mapuser tc01@DEV.LOCAL
/princ HTTP/win-tc01.dev.local@DEV.LOCAL
/pass tc01pass /kvno 0</code></pre></div></li>
<li>Create a domain user to be used on the client. In this how-to the domain
user is <code>test</code> with a password of <code>testpass</code>.</li>
</ul>
<p>The above steps have been tested on a domain controller running Windows
Server 2008 R2 64-bit Standard using the Windows Server 2003 functional level
for both the forest and the domain.
</p>
</div></div>
<div class="subsection"><h4 id="Tomcat_instance_(Windows_server)">Tomcat instance (Windows server)</h4><div class="text">
<p>These steps assume that Tomcat and a Java 6 JDK/JRE have already been
installed and configured and that Tomcat is running as the tc01@DEV.LOCAL
user. The steps to configure the Tomcat instance for Windows authentication
are as follows:
</p>
<ul>
<li>Copy the <code>tomcat.keytab</code> file created on the domain controller
to <code>$CATALINA_BASE/conf/tomcat.keytab</code>.</li>
<li>Create the kerberos configuration file
<code>$CATALINA_BASE/conf/krb5.ini</code>. The file used in this how-to
contained:<div class="codeBox"><pre><code>[libdefaults]
default_realm = DEV.LOCAL
default_keytab_name = FILE:c:\apache-tomcat-8.5.x\conf\tomcat.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true
[realms]
DEV.LOCAL = {
kdc = win-dc01.dev.local:88
}
[domain_realm]
dev.local= DEV.LOCAL
.dev.local= DEV.LOCAL</code></pre></div>
The location of this file can be changed by setting the
<code>java.security.krb5.conf</code> system property.</li>
<li>Create the JAAS login configuration file
<code>$CATALINA_BASE/conf/jaas.conf</code>. The file used in this how-to
contained:<div class="codeBox"><pre><code>com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/win-tc01.dev.local@DEV.LOCAL"
useKeyTab=true
keyTab="c:/apache-tomcat-8.5.x/conf/tomcat.keytab"
storeKey=true;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/win-tc01.dev.local@DEV.LOCAL"
useKeyTab=true
keyTab="c:/apache-tomcat-8.5.x/conf/tomcat.keytab"
storeKey=true;
};</code></pre></div>
The location of this file can be changed by setting the
<code>java.security.auth.login.config</code> system property. The LoginModule
used is a JVM specific one so ensure that the LoginModule specified matches
the JVM being used. The name of the login configuration must match the
value used by the <a href="config/valve.html#SPNEGO_Valve">authentication
valve</a>.</li>
</ul>
<p>The SPNEGO authenticator will work with any <a href="config/realm.html">
Realm</a> but if used with the JNDI Realm, by default the JNDI Realm will use
the user's delegated credentials to connect to the Active Directory.
</p>
<p>The above steps have been tested on a Tomcat server running Windows Server
2008 R2 64-bit Standard with an Oracle 1.6.0_24 64-bit JDK.</p>
</div></div>
<div class="subsection"><h4 id="Tomcat_instance_(Linux_server)">Tomcat instance (Linux server)</h4><div class="text">
<p>This was tested with:</p>
<ul>
<li>Java 1.7.0, update 45, 64-bit</li>
<li>Ubuntu Server 12.04.3 LTS 64-bit</li>
<li>Tomcat 8.0.x (r1546570)</li>
</ul>
<p>It should work with any Tomcat 8 release although it is recommended that
the latest stable release is used.</p>
<p>The configuration is the same as for Windows but with the following
changes:</p>
<ul>
<li>The Linux server does not have to be part of the Windows domain.</li>
<li>The path to the keytab file in krb5.ini and jaas.conf should be updated
to reflect the path to the keytab file on the Linux server using Linux
style file paths (e.g. /usr/local/tomcat/...).</li>
</ul>
</div></div>
<div class="subsection"><h4 id="Web_application">Web application</h4><div class="text">
<p>The web application needs to be configured to the use Tomcat specific
authentication method of <code>SPNEGO</code> (rather than BASIC etc.) in
web.xml. As with the other authenticators, behaviour can be customised by
explicitly configuring the <a href="config/valve.html#SPNEGO_Valve">
authentication valve</a> and setting attributes on the Valve.</p>
</div></div>
<div class="subsection"><h4 id="Client">Client</h4><div class="text">
<p>The client must be configured to use Kerberos authentication. For Internet
Explorer this means making sure that the Tomcat instance is in the "Local
intranet" security domain and that it is configured (Tools > Internet
Options > Advanced) with integrated Windows authentication enabled. Note that
this <strong>will not</strong> work if you use the same machine for the client
and the Tomcat instance as Internet Explorer will use the unsupported NTLM
protocol.</p>
</div></div>
<div class="subsection"><h4 id="References">References</h4><div class="text">
<p>Correctly configuring Kerberos authentication can be tricky. The following
references may prove helpful. Advice is also always available from the
<a href="http://tomcat.apache.org/lists.html#tomcat-users">Tomcat users
mailing list</a>.</p>
<ol>
<li><a href="http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/19/512.aspx">
IIS and Kerberos</a></li>
<li><a href="http://spnego.sourceforge.net/index.html">
SPNEGO project at SourceForge</a></li>
<li><a href="http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/index.html">
Oracle Java GSS-API tutorial (Java 7)</a></li>
<li><a href="http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/Troubleshooting.html">
Oracle Java GSS-API tutorial - Troubleshooting (Java 7)</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/GMOxDOC21/Using+SPNEGO+in+Geronimo#UsingSPNEGOinGeronimo-SettinguptheDomainControllerMachine">
Geronimo configuration for Windows authentication</a></li>
<li><a href="http://blogs.msdn.com/b/openspecification/archive/2010/11/17/encryption-type-selection-in-kerberos-exchanges.aspx">
Encryption Selection in Kerberos Exchanges</a></li>
<li><a href="http://support.microsoft.com/kb/977321">Supported Kerberos Cipher
Suites</a></li>
</ol>
</div></div>
</div><h3 id="Third_party_libraries">Third party libraries</h3><div class="text">
<div class="subsection"><h4 id="Waffle">Waffle</h4><div class="text">
<p>Full details of this solution can be found through the
<a href="http://waffle.codeplex.com/" rel="nofollow">Waffle web site</a>. The
key features are:</p>
<ul>
<li>Drop-in solution</li>
<li>Simple configuration (no JAAS or Kerberos keytab configuration required)
</li>
<li>Uses a native library</li>
</ul>
</div></div>
<div class="subsection"><h4 id="Spring_Security_-_Kerberos_Extension">Spring Security - Kerberos Extension</h4><div class="text">
<p>Full details of this solution can be found through the
<a href="http://static.springsource.org/spring-security/site/extensions/krb/index.html" rel="nofollow"> Kerberos extension web site</a>. The key features are:</p>
<ul>
<li>Extension to Spring Security</li>
<li>Requires a Kerberos keytab file to be generated</li>
<li>Pure Java solution</li>
</ul>
</div></div>
<div class="subsection"><h4 id="SPNEGO_project_at_SourceForge">SPNEGO project at SourceForge</h4><div class="text">
<p>Full details of this solution can be found through the
<a href="http://spnego.sourceforge.net/index.html/" rel="nofollow">project
site</a>. The key features are:</p>
<ul>
<li>Uses Kerberos</li>
<li>Pure Java solution</li>
</ul>
</div></div>
<div class="subsection"><h4 id="Jespa">Jespa</h4><div class="text">
<p>Full details of this solution can be found through the
<a href="http://www.ioplex.com/" rel="nofollow">project web site</a>The key
features are:</p>
<ul>
<li>Pure Java solution</li>
<li>Advanced Active Directory integration</li>
</ul>
</div></div>
</div><h3 id="Reverse_proxies">Reverse proxies</h3><div class="text">
<div class="subsection"><h4 id="Microsoft_IIS">Microsoft IIS</h4><div class="text">
<p>There are three steps to configuring IIS to provide Windows authentication.
They are:</p>
<ol>
<li>Configure IIS as a reverse proxy for Tomcat (see the
<a href="http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html">
IIS Web Server How-To)</a>.</li>
<li>Configure IIS to use Windows authentication</li>
<li>Configure Tomcat to use the authentication user information from IIS by
setting the tomcatAuthentication attribute on the <a href="config/ajp.html">
AJP connector</a> to <code>false</code>. Alternatively, set the
tomcatAuthorization attribute to <code>true</code> to allow IIS to
authenticate, while Tomcat performs the authorization.</li>
</ol>
</div></div>
<div class="subsection"><h4 id="Apache_httpd">Apache httpd</h4><div class="text">
<p>Apache httpd does not support Windows authentication out of the box but
there are a number of third-party modules that can be used. These include:</p>
<ol>
<li><a href="http://sourceforge.net/projects/mod-auth-sspi/" rel="nofollow">mod_auth_sspi</a> for use on Windows platforms.</li>
<li><a href="http://adldap.sourceforge.net/wiki/doku.php?id=mod_auth_ntlm_winbind" rel="nofollow">mod_auth_ntlm_winbind</a> for non-Windows platforms. Known to
work with httpd 2.0.x on 32-bit platforms. Some users have reported stability
issues with both httpd 2.2.x builds and 64-bit Linux builds.</li>
</ol>
<p>There are three steps to configuring httpd to provide Windows
authentication. They are:</p>
<ol>
<li>Configure httpd as a reverse proxy for Tomcat (see the
<a href="http://tomcat.apache.org/connectors-doc/webserver_howto/apache.html">
Apache httpd Web Server How-To)</a>.</li>
<li>Configure httpd to use Windows authentication</li>
<li>Configure Tomcat to use the authentication user information from httpd by
setting the tomcatAuthentication attribute on the <a href="config/ajp.html">
AJP connector</a> to <code>false</code>.</li>
</ol>
</div></div>
</div><div class="noprint"><h3 id="comments_section">
Comments
</h3><div class="text"><p class="notice"><strong>Notice: </strong>This comments section collects your suggestions
on improving documentation for Apache Tomcat.<br><br>
If you have trouble and need help, read
<a href="http://tomcat.apache.org/findhelp.html">Find Help</a> page
and ask your question on the tomcat-users
<a href="http://tomcat.apache.org/lists.html">mailing list</a>.
Do not ask such questions here. This is not a Q&A section.<br><br>
The Apache Comments System is explained <a href="./comments.html">here</a>.
Comments may be removed by our moderators if they are either
implemented or considered invalid/off-topic.
</p><div id="comments_thread"></div></div></div></div></div></div></div><footer><div id="footer">
Copyright © 1999-2018, The Apache Software Foundation
</div></footer></div></body></html>
|