webapps/docs/windows-auth-howto.html

<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Apache Tomcat 7 (7.0.42) - Windows Authentication How-To</title><style type="text/css" media="print">
            .noPrint {display: none;}
            td#mainBody {width: 100%;}
        </style><style type="text/css">
            code {background-color:rgb(224,255,255);padding:0 0.1em;}
            code.attributeName, code.propertyName {background-color:transparent;}
        </style><style type="text/css">
            .wrapped-source code { display: block; background-color: transparent; }
            .wrapped-source div { margin: 0 0 0 1.25em; }
            .wrapped-source p { margin: 0 0 0 1.25em; text-indent: -1.25em; }
        </style><style type="text/css">
            p.notice {
                border: 1px solid rgb(255, 0, 0);
                background-color: rgb(238, 238, 238);
                color: rgb(0, 51, 102);
                padding: 0.5em;
                margin: 1em 2em 1em 1em;
            }
        </style></head><body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"><table border="0" width="100%" cellspacing="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a href="http://tomcat.apache.org/"><img src="./images/tomcat.gif" align="right" alt="
      The Apache Tomcat Servlet/JSP Container
    " border="0"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 7</font></h1><font face="arial,helvetica,sanserif">Version 7.0.42, Jul 2 2013</font></td><td><!--APACHE LOGO--><a href="http://www.apache.org/"><img src="./images/asf-logo.gif" align="right" alt="Apache Logo" border="0"></a></td></tr></table><table border="0" width="100%" cellspacing="4"><!--HEADER SEPARATOR--><tr><td colspan="2"><hr noshade size="1"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td width="20%" valign="top" nowrap class="noPrint"><p><strong>Links</strong></p><ul><li><a href="index.html">Docs Home</a></li><li><a href="http://wiki.apache.org/tomcat/FAQ">FAQ</a></li><li><a href="#comments_section">User Comments</a></li></ul><p><strong>User Guide</strong></p><ul><li><a href="introduction.html">1) Introduction</a></li><li><a href="setup.html">2) Setup</a></li><li><a href="appdev/index.html">3) First webapp</a></li><li><a href="deployer-howto.html">4) Deployer</a></li><li><a href="manager-howto.html">5) Manager</a></li><li><a href="realm-howto.html">6) Realms and AAA</a></li><li><a href="security-manager-howto.html">7) Security Manager</a></li><li><a href="jndi-resources-howto.html">8) JNDI Resources</a></li><li><a href="jndi-datasource-examples-howto.html">9) JDBC DataSources</a></li><li><a href="class-loader-howto.html">10) Classloading</a></li><li><a href="jasper-howto.html">11) JSPs</a></li><li><a href="ssl-howto.html">12) SSL</a></li><li><a href="ssi-howto.html">13) SSI</a></li><li><a href="cgi-howto.html">14) CGI</a></li><li><a href="proxy-howto.html">15) Proxy Support</a></li><li><a href="mbeans-descriptor-howto.html">16) MBean Descriptor</a></li><li><a href="default-servlet.html">17) Default Servlet</a></li><li><a href="cluster-howto.html">18) Clustering</a></li><li><a href="balancer-howto.html">19) Load Balancer</a></li><li><a href="connectors.html">20) Connectors</a></li><li><a href="monitoring.html">21) Monitoring and Management</a></li><li><a href="logging.html">22) Logging</a></li><li><a href="apr.html">23) APR/Native</a></li><li><a href="virtual-hosting-howto.html">24) Virtual Hosting</a></li><li><a href="aio.html">25) Advanced IO</a></li><li><a href="extras.html">26) Additional Components</a></li><li><a href="maven-jars.html">27) Mavenized</a></li><li><a href="security-howto.html">28) Security Considerations</a></li><li><a href="windows-service-howto.html">29) Windows Service</a></li><li><a href="windows-auth-howto.html">30) Windows Authentication</a></li><li><a href="jdbc-pool.html">31) Tomcat's JDBC Pool</a></li><li><a href="web-socket-howto.html">32) WebSocket</a></li></ul><p><strong>Reference</strong></p><ul><li><a href="RELEASE-NOTES.txt">Release Notes</a></li><li><a href="config/index.html">Configuration</a></li><li><a href="api/index.html">Tomcat Javadocs</a></li><li><a href="servletapi/index.html">Servlet Javadocs</a></li><li><a href="jspapi/index.html">JSP 2.2 Javadocs</a></li><li><a href="elapi/index.html">EL 2.2 Javadocs</a></li><li><a href="http://tomcat.apache.org/connectors-doc/">JK 1.2 Documentation</a></li></ul><p><strong>Apache Tomcat Development</strong></p><ul><li><a href="building.html">Building</a></li><li><a href="changelog.html">Changelog</a></li><li><a href="http://wiki.apache.org/tomcat/TomcatVersions">Status</a></li><li><a href="developers.html">Developers</a></li><li><a href="architecture/index.html">Architecture</a></li><li><a href="funcspecs/index.html">Functional Specs.</a></li><li><a href="tribes/introduction.html">Tribes</a></li></ul></td><!--RIGHT SIDE MAIN BODY--><td width="80%" valign="top" align="left" id="mainBody"><h1>Windows Authentication How-To</h1><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Table of Contents"><!--()--></a><a name="Table_of_Contents"><strong>Table of Contents</strong></a></font></td></tr><tr><td><blockquote>
<ul><li><a href="#Overview">Overview</a></li><li><a href="#Built-in_Tomcat_support">Built-in Tomcat support</a><ol><li><a href="#Domain_Controller">Domain Controller</a></li><li><a href="#Tomcat_instance">Tomcat instance</a></li><li><a href="#Web_application">Web application</a></li><li><a href="#Client">Client</a></li><li><a href="#References">References</a></li></ol></li><li><a href="#Third_party_libraries">Third party libraries</a><ol><li><a href="#Waffle">Waffle</a></li><li><a href="#Spring_Security_-_Kerberos_Extension">Spring Security - Kerberos Extension</a></li><li><a href="#SPNEGO_project_at_SourceForge">SPNEGO project at SourceForge</a></li><li><a href="#Jespa">Jespa</a></li></ol></li><li><a href="#Reverse_proxies">Reverse proxies</a><ol><li><a href="#Microsoft_IIS">Microsoft IIS</a></li><li><a href="#Apache_httpd">Apache httpd</a></li></ol></li></ul>
</blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Overview"><strong>Overview</strong></a></font></td></tr><tr><td><blockquote>
<p>Integrated Windows authentication is most frequently used within intranet
environments since it requires that the server performing the authentication and
the user being authenticated are part of the same domain. For the user to be
authenticated automatically, the client machine used by the user must also be
part of the domain.</p>
<p>There are several options for implementing integrated Windows authentication
with Apache Tomcat. They are:
<ul>
<li>Built-in Tomcat support.</li>
<li>Use a third party library such as Waffle.</li>
<li>Use a reverse proxy that supports Windows authentication to perform the
authentication step such as IIS or httpd.</li>
</ul>
The configuration of each of these options is discussed in the following
sections.</p>
</blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Built-in Tomcat support"><!--()--></a><a name="Built-in_Tomcat_support"><strong>Built-in Tomcat support</strong></a></font></td></tr><tr><td><blockquote>
<p><strong>This documentation is a work in progress. There are a number of
outstanding questions around the edge cases that require further
testing.</strong> These include:
</p>
<ul>
<li>Does the domain name have to be in upper case?</li>
<li>Does the SPN have to start with HTTP/...?</li>
<li>Can a port number be appended to the end of the host in the SPN?</li>
<li>Can the domain be left off the user in the ktpass command?</li>
<li>What are the limitations on the account that Tomcat can run as? SPN
    associated account works, domain admin works, local admin doesn't
    work</li>
</ul>
<p>There are four components to the configuration of the built-in Tomcat
support for Windows authentication. The domain controller, the server hosting
Tomcat, the web application wishing to use Windows authentication and the client
machine. The following sections describe the configuration required for each
component.</p>
<p>The names of the three machines used in the configuration examples below are
win-dc01.dev.local (the domain controller), win-tc01.dev.local (the Tomcat
instance) and win-pc01.dev.local (client). All are members of the DEV.LOCAL
domain.</p>
<p>Note: In order to use the passwords in the steps below, the domain password
policy had to be relaxed. This is not recommended for production environments.
</p>

  <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Domain Controller"><!--()--></a><a name="Domain_Controller"><strong>Domain Controller</strong></a></font></td></tr><tr><td><blockquote>
  <p>These steps assume that the server has already been configured to act as a
  domain controller. Configuration of a Windows server as a domain controller is
  outside the scope of this how-to. The steps to configure the domain controller
  to enable Tomcat to support Windows authentication are as follows:
  </p>
  <ul>
  <li>Create a domain user that will be mapped to the service name used by the
  Tomcat server. In this how-to, this user is called <code>tc01</code> and has a
  password of <code>tc01pass</code>.</li>
  <li>Map the service principal name (SPN) to the user account. SPNs take the
  form <code>
  &lt;service class&gt;/&lt;host&gt;:&lt;port&gt;/&lt;service name&gt;</code>.
  The SPN used in this how-to is <code>HTTP/win-tc01.dev.local</code>. To
  map the user to the SPN, run the following:
  <div align="left"><table cellspacing="4" cellpadding="0" border="0"><tr><td bgcolor="#023264" width="1" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#ffffff" height="1"><pre>setspn -A HTTP/win-tc01.dev.local tc01</pre></td><td bgcolor="#023264" width="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr></table></div>
  </li>
  <li>Generate the keytab file that the Tomcat server will use to authenticate
  itself to the domain controller. This file contains the Tomcat private key for
  the service provider account and should be protected accordingly. To generate
  the file, run the following command (all on a single line):
  <div align="left"><table cellspacing="4" cellpadding="0" border="0"><tr><td bgcolor="#023264" width="1" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#ffffff" height="1"><pre>ktpass /out c:\tomcat.keytab /mapuser tc01@DEV.LOCAL
          /princ HTTP/win-tc01.dev.local@DEV.LOCAL
          /pass tc01pass /kvno 0</pre></td><td bgcolor="#023264" width="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr></table></div></li>
  <li>Create a domain user to be used on the client. In this how-to the domain
  user is <code>test</code> with a password of <code>testpass</code>.</li>
  </ul>
  <p>The above steps have been tested on a domain controller running Windows
  Server 2008 R2 64-bit Standard using the Windows Server 2003 functional level
  for both the forest and the domain.
  </p>
  </blockquote></td></tr></table>

  <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Tomcat instance"><!--()--></a><a name="Tomcat_instance"><strong>Tomcat instance</strong></a></font></td></tr><tr><td><blockquote>
  <p>These steps assume that Tomcat and a Java 6 JDK/JRE have already been
  installed and configured and that Tomcat is running as the tc01@DEV.LOCAL
  user. The steps to configure the Tomcat instance for Windows authentication
  are as follows:
  </p>
  <ul>
  <li>Copy the <code>tomcat.keytab</code> file created on the domain controller
  to <code>$CATALINA_BASE/conf/tomcat.keytab</code>.</li>
  <li>Create the kerberos configuration file
  <code>$CATALINA_BASE/conf/krb5.ini</code>. The file used in this how-to
  contained:<div align="left"><table cellspacing="4" cellpadding="0" border="0"><tr><td bgcolor="#023264" width="1" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#ffffff" height="1"><pre>[libdefaults]
default_realm = DEV.LOCAL
default_keytab_name = FILE:c:\apache-tomcat-7.0.x\conf\tomcat.keytab
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
DEV.LOCAL = {
        kdc = win-dc01.dev.local:88
}

[domain_realm]
dev.local= DEV.LOCAL
.dev.local= DEV.LOCAL</pre></td><td bgcolor="#023264" width="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr></table></div>
  The location of this file can be changed by setting the
  <code>java.security.krb5.conf</code> systm property.</li>
  <li>Create the JAAS login configuration file
  <code>$CATALINA_BASE/conf/jaas.conf</code>. The file used in this how-to
  contained:<div align="left"><table cellspacing="4" cellpadding="0" border="0"><tr><td bgcolor="#023264" width="1" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#ffffff" height="1"><pre>com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-tc01.dev.local@DEV.LOCAL"
    useKeyTab=true
    keyTab="c:/apache-tomcat-7.0.x/conf/tomcat.keytab"
    storeKey=true;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/win-tc01.dev.local@DEV.LOCAL"
    useKeyTab=true
    keyTab="c:/apache-tomcat-7.0.x/conf/tomcat.keytab"
    storeKey=true;
};</pre></td><td bgcolor="#023264" width="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr><tr><td bgcolor="#023264" width="1" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td><td bgcolor="#023264" width="1" height="1"><img src="./images/void.gif" alt="" width="1" height="1" vspace="0" hspace="0" border="0"></td></tr></table></div>
  The location of this file can be changed by setting the
  <code>java.security.auth.login.config</code> system property. The LoginModule
  used is a JVM specific one so ensure that the LoginModule specified matches
  the JVM being used. The name of the login configuration must match the
  value used by the <a href="config/valve.html#SPNEGO_Valve">authentication
  valve</a>.</li>
  <li>The system property <code>javax.security.auth.useSubjectCredsOnly</code>
  is automatically set to the required value of false if a web application is
  configured to use the SPNEGO authentication method.</li>
  </ul>
  <p>The SPNEGO authenticator will work with any <a href="config/realm.html">
  Realm</a> but if used with the JNDI Realm, by default the JNDI Realm will use
  the user's delegated credentials to connect to the Active Directory.
  </p>
  <p>The above steps have been tested on a Tomcat server running Windows Server
  2008 R2 64-bit Standard with an Oracle 1.6.0_24 64-bit JDK.</p>
  </blockquote></td></tr></table>

  <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Web application"><!--()--></a><a name="Web_application"><strong>Web application</strong></a></font></td></tr><tr><td><blockquote>
  <p>The web application needs to be configured to the use Tomcat specific
  authentication method of <code>SPNEGO</code> (rather than BASIC etc.) in
  web.xml. As with the other authenticators, behaviour can be customised by
  explicitly configuring the <a href="config/valve.html#SPNEGO_Valve">
  authentication valve</a> and setting attributes on the Valve.</p>
  </blockquote></td></tr></table>

  <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Client"><strong>Client</strong></a></font></td></tr><tr><td><blockquote>
  <p>The client must be configured to use Kerberos authentication. For Internet
  Explorer this means making sure that the Tomcat instance is in the "Local
  intranet" security domain and that it is configured (Tools &gt; Internet
  Options &gt; Advanced) with integrated Windows authentication enabled. Note that
  this <strong>will not</strong> work if you use the same machine for the client
  and the Tomcat instance as Internet Explorer will use the unsupported NTLM
  protocol.</p>
  </blockquote></td></tr></table>

  <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="References"><strong>References</strong></a></font></td></tr><tr><td><blockquote>
  <p>Correctly configuring Kerberos authentication can be tricky. The following
  references may prove helpful. Advice is also always available from the
  <a href="http://tomcat.apache.org/lists.html#tomcat-users">Tomcat users
  mailing list</a>.</p>
  <ol>
  <li><a href="http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/19/512.aspx">
      IIS and Kerberos</a></li>
  <li><a href="http://spnego.sourceforge.net/index.html">
      SPNEGO project at SourceForge</a></li>
  <li><a href="http://docs.oracle.com/javase/1.5.0/docs/guide/security/jgss/tutorials/index.html">
      Oracle JGSS tutorial</a></li>
  <li><a href="https://cwiki.apache.org/GMOxDOC21/using-spengo-in-geronimo.html#UsingSpengoingeronimo-SettinguptheActiveDirectoryDomainController">
      Geronimo configuration for Windows authentication</a></li>
  <li><a href="http://blogs.msdn.com/b/openspecification/archive/2010/11/17/encryption-type-selection-in-kerberos-exchanges.aspx">
      Encryption Selection in Kerberos Exchanges</a></li>
  <li><a href="http://support.microsoft.com/kb/977321">Supported Kerberos Cipher
      Suites</a></li>
  </ol>
  </blockquote></td></tr></table>

</blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Third party libraries"><!--()--></a><a name="Third_party_libraries"><strong>Third party libraries</strong></a></font></td></tr><tr><td><blockquote>

  <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Waffle"><strong>Waffle</strong></a></font></td></tr><tr><td><blockquote>
  <p>Full details of this solution can be found through the
  <a href="http://waffle.codeplex.com/">Waffle web site</a>. The
  key features are:</p>
  <ul>
  <li>Drop-in solution</li>
  <li>Simple configuration (no JAAS or Kerberos keytab configuration required)
  </li>
  <li>Uses a native library</li>
  </ul>
  </blockquote></td></tr></table>

  <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Spring Security - Kerberos Extension"><!--()--></a><a name="Spring_Security_-_Kerberos_Extension"><strong>Spring Security - Kerberos Extension</strong></a></font></td></tr><tr><td><blockquote>
  <p>Full details of this solution can be found through the
  <a href="http://static.springsource.org/spring-security/site/extensions/krb/index.html"> Kerberos extension web site</a>. The key features are:</p>
  <ul>
  <li>Extension to Spring Security</li>
  <li>Requires a Kerberos keytab file to be generated</li>
  <li>Pure Java solution</li>
  </ul>
  </blockquote></td></tr></table>

  <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="SPNEGO project at SourceForge"><!--()--></a><a name="SPNEGO_project_at_SourceForge"><strong>SPNEGO project at SourceForge</strong></a></font></td></tr><tr><td><blockquote>
  <p>Full details of this solution can be found through the
  <a href="http://spnego.sourceforge.net/index.html/">project
  site</a>. The key features are:</p>
  <ul>
  <li>Uses Kerberos</li>
  <li>Pure Java solution</li>
  </ul>
  </blockquote></td></tr></table>

  <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Jespa"><strong>Jespa</strong></a></font></td></tr><tr><td><blockquote>
  <p>Full details of this solution can be found through the
  <a href="http://www.ioplex.com/">project web site</a>The key
  features are:</p>
  <ul>
  <li>Pure Java solution</li>
  <li>Advanced Active Directory integration</li>
  </ul>
  </blockquote></td></tr></table>
</blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Reverse proxies"><!--()--></a><a name="Reverse_proxies"><strong>Reverse proxies</strong></a></font></td></tr><tr><td><blockquote>

  <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Microsoft IIS"><!--()--></a><a name="Microsoft_IIS"><strong>Microsoft IIS</strong></a></font></td></tr><tr><td><blockquote>
  <p>There are three steps to configuring IIS to provide Windows authentication.
  They are:</p>
  <ol>
  <li>Configure IIS as a reverse proxy for Tomcat (see the
  <a href="http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html">
  IIS Web Server How-To)</a>.</li>
  <li>Configure IIS to use Windows authentication</li>
  <li>Configure Tomcat to use the authentication user information from IIS by
  setting the tomcatAuthentication attribute on the <a href="config/ajp.html">
  AJP connector</a> to <code>false</code>.</li>
  </ol>
  </blockquote></td></tr></table>

  <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Apache httpd"><!--()--></a><a name="Apache_httpd"><strong>Apache httpd</strong></a></font></td></tr><tr><td><blockquote>
  <p>Apache httpd does not support Windows authentication out of the box but
  there are a number of third-party modules that can be used. These include:</p>
  <ol>
  <li><a href="http://sourceforge.net/projects/mod-auth-sspi/">mod_auth_sspi</a> for use on Windows platforms.</li>
  <li><a href="http://adldap.sourceforge.net/wiki/doku.php?id=mod_auth_ntlm_winbind">mod_auth_ntlm_winbind</a> for non-Windows platforms. Known to
  work with httpd 2.0.x on 32-bit platforms. Some users have reported stability
  issues with both httpd 2.2.x builds and 64-bit Linux builds.</li>
  </ol>
  <p>There are three steps to configuring httpd to provide Windows
  authentication. They are:</p>
  <ol>
  <li>Configure httpd as a reverse proxy for Tomcat (see the
  <a href="http://tomcat.apache.org/connectors-doc/webserver_howto/apache.html">
  Apache httpd Web Server How-To)</a>.</li>
  <li>Configure httpd to use Windows authentication</li>
  <li>Configure Tomcat to use the authentication user information from httpd by
  setting the tomcatAuthentication attribute on the <a href="config/ajp.html">
  AJP connector</a> to <code>false</code>.</li>
  </ol>
  </blockquote></td></tr></table>

</blockquote></td></tr></table></td></tr><tr class="noPrint"><td width="20%" valign="top" nowrap class="noPrint"></td><td width="80%" valign="top" align="left"><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="comments_section" id="comments_section"><strong>Comments</strong></a></font></td></tr><tr><td><blockquote><p class="notice"><strong>Notice: </strong>This comments section collects your suggestions
              on improving documentation for Apache Tomcat.<br><br>
              If you have trouble and need help, read
              <a href="http://tomcat.apache.org/findhelp.html">Find Help</a> page
              and ask your question on the tomcat-users
              <a href="http://tomcat.apache.org/lists.html">mailing list</a>.
              Do not ask such questions here. This is not a Q&amp;A section.<br><br>
              The Apache Comments System is explained <a href="/tomcat-7.0-doc/comments.html">here</a>.
              Comments may be removed by our moderators if they are either
              implemented or considered invalid/off-topic.</p><script type="text/javascript"><!--//--><![CDATA[//><!--
              var comments_shortname = 'tomcat';
              var comments_identifier = 'http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html';
              (function(w, d) {
                  if (w.location.hostname.toLowerCase() == "tomcat.apache.org") {
                      d.write('<div id="comments_thread"><\/div>');
                      var s = d.createElement('script');
                      s.type = 'text/javascript';
                      s.async = true;
                      s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
                      (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
                  }
                  else {
                      d.write('<div id="comments_thread"><strong>Comments are disabled for this page at the moment.<\/strong><\/div>');
                  }
              })(window, document);
              //--><!]]></script></blockquote></td></tr></table></td></tr><!--FOOTER SEPARATOR--><tr><td colspan="2"><hr noshade size="1"></td></tr><!--PAGE FOOTER--><tr><td colspan="2"><div align="center"><font color="#525D76" size="-1"><em>
        Copyright &copy; 1999-2013, Apache Software Foundation
        </em></font></div></td></tr></table></body></html>