Tomcat, SPNEGO, Kerberos against two Active Directory services

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Tomcat, SPNEGO, Kerberos against two Active Directory services

Andreas Røsdal
Hello!

I would like some help with setting up Tomcat, SPNEGO and Kerberos against two Active Directory services.

At the monent I have a Java webapp running on Tomcat, which uses SPNEGO and Kerberos to authenticate users (clients in Internet Explorer) against one (1) Active Directory user database. Currently, there is only one krb5.conf which is configured against one Active Directory. There is some custom Java code (Servlet filters) which extend the integrated Tomcat SPNEGO classes, and authenticate users against the Active Directory.

However, I now need to authenticate users against two different Active Directory databases. Some users are found only in
one of the Active Directories, while others are found only in the other Active Directory, so I now need to authenticate against
both Active Directories. However, the Java configuration only seems to be able to connect to one Active Directory at a time.
I can't use forest trust between the two Actice Directories.

I would appreciate any information about best-practices of authenticating users in two Active Directory databases.


Regards,
Andreas R.
Reply | Threaded
Open this post in threaded view
|

Re: Tomcat, SPNEGO, Kerberos against two Active Directory services

Weijun Wang
You can add info about multiple realms in a single krb5.conf. There is only one default_realm but if the principal name contains the realm part it will be recognized.

BTW, this mail list is about developing the JDK instead of how to use it.

--Max

> On Nov 1, 2017, at 4:25 AM, Andreas Røsdal <[hidden email]> wrote:
>
> Hello!
>
> I would like some help with setting up Tomcat, SPNEGO and Kerberos against two Active Directory services.
>
> At the monent I have a Java webapp running on Tomcat, which uses SPNEGO and Kerberos to authenticate users (clients in Internet Explorer) against one (1) Active Directory user database. Currently, there is only one krb5.conf which is configured against one Active Directory. There is some custom Java code (Servlet filters) which extend the integrated Tomcat SPNEGO classes, and authenticate users against the Active Directory.
>
> However, I now need to authenticate users against two different Active Directory databases. Some users are found only in
> one of the Active Directories, while others are found only in the other Active Directory, so I now need to authenticate against
> both Active Directories. However, the Java configuration only seems to be able to connect to one Active Directory at a time.
> I can't use forest trust between the two Actice Directories.
>
> I would appreciate any information about best-practices of authenticating users in two Active Directory databases.
>
>
> Regards,
> Andreas R.