Hi Mark,

one last nitpick.

On 22.09.2014 at 23:03, ma...@apache.org wrote:
Author: markt
Date: Mon Sep 22 21:03:37 2014
New Revision: 1626893

URL: http://svn.apache.org/r1626893
Log:
Update the Windows authentication documentation after some additional testing 
to answer the remaining questions.

Modified:
     tomcat/trunk/webapps/docs/changelog.xml
     tomcat/trunk/webapps/docs/windows-auth-howto.xml

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1626893&r1=1626892&r2=1626893&view=diff
Modified: tomcat/trunk/webapps/docs/windows-auth-howto.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/windows-auth-howto.xml?rev=1626893&r1=1626892&r2=1626893&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/windows-auth-howto.xml (original)
+++ tomcat/trunk/webapps/docs/windows-auth-howto.xml Mon Sep 22 21:03:37 2014
@@ -53,27 +53,25 @@ sections.</p>
  <section name="Built-in Tomcat support">
  <p>Kerberos (the basis for integrated Windows authentication) requires careful
  configuration. If the steps in this guide are followed exactly, then a working
-configuration will result. There may be some flexibility in some of the steps
-below but further testing is required to explore this. From the testing to date
-it is known that:</p>
+configuration will result. It is important that the steps below are followed
+exactly. There is very little scope for flexibility in the configuration. From
+the testing to date it is known that:</p>
  <ul>
-<li>The host name of the Tomcat server must match the host name in the SPN
-exactly else authentication will fail. A checksum error may be reported in the
-debug logs in this case.</li>
+<li>The host name used to access the Tomcat server must match the host name in
+the SPN exactly else authentication will fail. A checksum error may be reported
+in the debug logs in this case.</li>
  <li>The client must be of the view that the server is part of the local 
trusted
  intranet.</li>
-<li>The SPN does not have to start with HTTP but the SPN must be the same in 
all
-the files it is used.</li>
+<li>The SPN must be HTTP/&lt;hostname&gt; and it must be exactly the same in 
all
+the places it is used.</li>
+<li>The port number must not be included in the SPN.</li>
Chrome has a flag to disable the port stripping for non-standard ports :) If a user has enabled that, the SPN has to match that setting, of course.

But I think users with such a setup will probably know what they are doing and ignore that sentence.

Regards
 Felix
  <li>No more than one SPN may be mapped to a domain user.</li>
-</ul>
-<p>The areas where further testing is required include:</p>
-<ul>
-<li>Does the domain name have to be in upper case?</li>
-<li>Can a port number be appended to the end of the host in the SPN?</li>
-<li>Can the domain be left off the user in the ktpass command?</li>
-<li>What are the limitations on the account that Tomcat can run as? SPN
-    associated account works, domain admin works, local admin doesn't
-    work</li>
+<li>Tomcat must run as the domain account with which the SPN has been 
associated
+or as domain admin. It is <strong>NOT</strong> recommended to run Tomcat under 
a
+domain admin user.</li>
+<li>The domain name (<code>DEV.LOCAL</code>) is not case sensitive when used in
+the ktpass command, nor when used in jaas.conf</li>
+<li>The domain must be specified when using the ktpass command</li>
  </ul>
  <p>There are four components to the configuration of the built-in Tomcat
  support for Windows authentication. The domain controller, the server hosting
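Review bot: the opening paragraph of this hunk now states the same requirement twice: "If the steps in this guide are followed exactly, then a working configuration will result." is immediately followed by "It is important that the steps below are followed exactly." One of the two sentences should go. Further down, the last two list items ("...nor when used in jaas.conf" and "The domain must be specified when using the ktpass command") are missing the trailing period that every other item in the list has. The item on running Tomcat as domain admin would be more useful if it said why that is not recommended: a Tomcat process running under a domain admin account holds domain-wide administrative rights, so a flaw in any deployed web application becomes a domain-level exposure rather than a single-account one; naming the SPN-associated account as the least-privilege choice makes the recommendation actionable.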

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org