Kerberos (the basis for integrated Windows authentication) requires careful
configuration. If the steps in this guide are followed exactly, then a working
configuration will result. There may be some flexibility in some of the steps
below but further testing is required to explore this. From the testing to date
it is known that:
- The host name of the Tomcat server must match the host name in the SPN
exactly else authentication will fail. A checksum error may be reported in the
debug logs in this case.
- The client must be of the view that the server is part of the local trusted
The areas where further testing is required include:
- Does the domain name have to be in upper case?
- Does the SPN have to start with HTTP/...?
- Can a port number be appended to the end of the host in the SPN?
- Can the domain be left off the user in the ktpass command?
- What are the limitations on the account that Tomcat can run as? SPN
associated account works, domain admin works, local admin doesn't
There are four components to the configuration of the built-in Tomcat
support for Windows authentication. The domain controller, the server hosting
Tomcat, the web application wishing to use Windows authentication and the client
machine. The following sections describe the configuration required for each
The names of the three machines used in the configuration examples below are
win-dc01.dev.local (the domain controller), win-tc01.dev.local (the Tomcat
instance) and win-pc01.dev.local (client). All are members of the DEV.LOCAL
Note: In order to use the passwords in the steps below, the domain password
policy had to be relaxed. This is not recommended for production environments.
|Tomcat instance (Linux server)|
This was tested with:
- Java 1.7.0, update 45, 64-bit
- Ubuntu Server 12.04.3 LTS 64-bit
- Tomcat 8.0.x (r1546570)
It should work with any Tomcat 7 release from 7.0.12 onwards although it is
recommended that the latest stable release is used.
The configuration is the same as for Windows but with the following
- The Linux server does not have to be part of the Windows domain.
- The path to the keytab file in krb5.ini and jass.conf should be updated
to reflect the path to the keytab file on the Linux server using Linux
style file paths (e.g. /usr/local/tomcat/...).
The web application needs to be configured to the use Tomcat specific
authentication method of
SPNEGO (rather than BASIC etc.) in
web.xml. As with the other authenticators, behaviour can be customised by
explicitly configuring the
authentication valve and setting attributes on the Valve.
The client must be configured to use Kerberos authentication. For Internet
Explorer this means making sure that the Tomcat instance is in the "Local
intranet" security domain and that it is configured (Tools > Internet
Options > Advanced) with integrated Windows authentication enabled. Note that
this will not work if you use the same machine for the client
and the Tomcat instance as Internet Explorer will use the unsupported NTLM