Author: markt
Date: Fri Nov 29 22:43:29 2013
New Revision: 1546657

URL: http://svn.apache.org/r1546657
Log:
Got Windows auth working with Tomcat running on a Linux server.
Add the details to the docs.

Modified: tomcat/tc7.0.x/trunk/ (props changed) tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml tomcat/tc7.0.x/trunk/webapps/docs/windows-auth-howto.xml Propchange: tomcat/tc7.0.x/trunk/ ------------------------------------------------------------------------------ Merged /tomcat/trunk:r1546656 Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1546657&r1=1546656&r2=1546657&view=diff ============================================================================== --- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Fri Nov 29 22:43:29 2013 @@ -320,6 +320,10 @@ <add> Correct the documentation for Cluster manager. (kfujino) </add> + <add> + Add information on how to configure integrated Windows authentication + when Tomcat is running on a non-Windows host. (markt) + </add> </changelog> </subsection> <subsection name="Extras"> Modified: tomcat/tc7.0.x/trunk/webapps/docs/windows-auth-howto.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/windows-auth-howto.xml?rev=1546657&r1=1546656&r2=1546657&view=diff ============================================================================== --- tomcat/tc7.0.x/trunk/webapps/docs/windows-auth-howto.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/windows-auth-howto.xml Fri Nov 29 22:43:29 2013 
@@ -51,10 +51,19 @@ sections.</p> </section> <section name="Built-in Tomcat support"> -<p><strong>This documentation is a work in progress. There are a number of -outstanding questions around the edge cases that require further -testing.</strong> These include: -</p> +<p>Kerberos (the basis for integrated Windows authentication) requires careful +configuration. If the steps in this guide are followed exactly, then a working +configuration will result. There may be some flexibility in some of the steps +below but further testing is required to explore this. From the testing to date +it is known that:</p> +<ul> +<li>The host name of the Tomcat server must match the host name in the SPN +exactly else authentication will fail. A checksum error may be reported in the +debug logs in this case.</li> +<li>The client must be of the view that the server is part of the local trusted +intranet.</li> +</ul> +<p>The areas where further testing is required include:</p> <ul> <li>Does the domain name have to be in upper case?</li> <li>Does the SPN have to start with HTTP/...?</li> @@ -110,7 +119,7 @@ policy had to be relaxed. This is not re </p> </subsection> - <subsection name="Tomcat instance"> + <subsection name="Tomcat instance (Windows server)"> <p>These steps assume that Tomcat and a Java 6 JDK/JRE have already been installed and configured and that Tomcat is running as the tc01@DEV.LOCAL user. The steps to configure the Tomcat instance for Windows authentication 
@@ -175,6 +184,25 @@ com.sun.security.jgss.krb5.accept { 2008 R2 64-bit Standard with an Oracle 1.6.0_24 64-bit JDK.</p> </subsection> + <subsection name="Tomcat instance (Linux server)"> + <p>This was tested with:</p> + <ul> + <li>Java 1.7.0, update 45, 64-bit</li> + <li>Ubuntu Server 12.04.3 LTS 64-bit</li> + <li>Tomcat 8.0.x (r1546570)</li> + </ul> + <p>It should work with any Tomcat 7 release from 7.0.12 onwards although it is + recommended that the latest stable release is used.</p> + <p>The configuration is the same as for Windows but with the following + changes:</p> + <ul> + <li>The Linux server does not have to be part of the Windows domain.</li> + <li>The path to the keytab file in krb5.ini and jass.conf should be updated + to reflect the path to the keytab file on the Linux server using Linux + style file paths (e.g. /usr/local/tomcat/...).</li> + </ul> + </subsection> + <subsection name="Web application"> <p>The web application needs to be configured to the use Tomcat specific authentication method of <code>SPNEGO</code> (rather than BASIC etc.) in
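
Review bot: the second new bullet in the @@ -51,10 +51,19 @@ hunk of windows-auth-howto.xml ("The client must be of the view that the server is part of the local trusted intranet") states a requirement without telling the reader what to configure or check on the client. Suggest naming the client-side setting that makes this true, or linking to the part of the how-to that covers client setup if there is one, so that a failed negotiation can be diagnosed from this list. The first bullet has a smaller version of the same gap: "the debug logs" could say which logging has to be enabled before the checksum error becomes visible.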
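
Review bot: "jass.conf" in the last list item of the @@ -175,6 +184,25 @@ hunk (the new "Tomcat instance (Linux server)" subsection) looks like a typo for jaas.conf, the JAAS login configuration that the com.sun.security.jgss.krb5.accept entry in the hunk context belongs to; please check it against the file name used in the Windows server steps. The same subsection says the Linux server does not have to be part of the Windows domain and that the keytab path must point at a file on that server, but it says nothing about protecting the file: a keytab holds the service principal's long-term key, so the text should tell the reader to make it readable only by the account Tomcat runs as. Finally, "It should work with any Tomcat 7 release from 7.0.12 onwards" sits in the tc7.0.x docs while the listed test used Tomcat 8.0.x (r1546570); state whether any 7.0.x build was actually tested.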