I'm sorry, my English is not very good, but I'll try to be more efficient:
Imagine a company with 2 Windows domains, I mean 2 Active Directories (without a trust relationship or any other link). These are domains A and B.
The JBoss application is hosted on a Linux server and uses domain A's Active Directory as its user database.
When a computer from the B domain accesses the application, it has a Kerberos token and so silent authentication works perfectly.
When a computer which has not joined any domain tries to access the application, the fallback gives it the login form. That's OK according to my needs, and it shows that both web.xml and standalone.xml seem to have the correct configuration.
I have 2 issues:
- When I try to access the application using the IP address, from a computer in the A domain, the token is rejected (a Kerberos limitation, I understand) and I get an HTTP 401 error, with an "Unsupported mechanism NTLM" message in the logs. I know that's a bad practice, and I said so to the man in charge of it. While waiting for him to update every shortcut to the application to use the name instead of the IP address, I wrote a filter to redirect. That gives him time to update the shortcuts.
- When I try to access the application from a computer in the B domain, the token is rejected (because it has been delivered by the B domain controller). I get the same 401 error, with an "Unsupported mechanism NTLM" message in the logs. The browser configurations have been done. So why do I get such an error? I think that because the token is wrong, the second login module (login form) should be used.
Darran said that fallback to the login form after an NTLM attempt is not yet supported, so I'm looking for a way to catch the 401 error and redirect the user directly to the login form. But why does the browser attempt to use NTLM only in case of a SPNEGO issue (bad token), while the browser configuration is good (the same for A domain and B domain computers)?
I just want to add that if there were a browser configuration issue (for the B domain computers), I would have had the fallback to the login form, the fallback that I get when I access the application without configuring the browser.
What happens if you define error handling for 401 in web.xml?
I would speak to your AD administrator about whether he can configure a trust between AD domain A and B... so tickets are not rejected.
YES, that does the trick!!!
Thank you for your patience
Is there a way to allow a user (authenticated by SPNEGO) to choose to use LDAP authentication instead, even if SPNEGO works? Let me explain:
The user has a limited account. He knows an admin login/password and wants to use them, but without switching Windows session.
For this purpose, on the welcome page, I'll display an authentication form with 2 choices: keep the current authentication (acquired by SPNEGO), or manually enter a login/password. I have done that, with a call to j_security_check as the submit action. But it can't be done because it's impossible to give a redirect after a successful login page, and because even if the form authentication succeeds, as soon as I access another secured page, the SPNEGO login is automatically retrieved.
Do you understand my need? Any idea?
When the manual login/password action is triggered you have to invalidate the existing HTTP session, so you create a new HTTP session for the manual login.
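One way to act on that advice, as an added example that is not code from the thread: a small servlet that the "manually enter a login/pass" choice posts to. It drops the SPNEGO-established session and principal, records the switch for audit, and only then sends the browser to the form login page. The path /switch-user, the login page /login.jsp and the Servlet 3.0 API (javax.servlet) are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical path; the welcome page's "manual login" form POSTs here
// instead of directly to j_security_check.
@WebServlet("/switch-user")
public class SwitchUserServlet extends HttpServlet {

    // Hypothetical form-login page that itself posts to j_security_check.
    private static final String LOGIN_PAGE = "/login.jsp";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // Who is being dropped, for the audit trail (SPNEGO principal, if any).
        String previous = req.getRemoteUser();

        // 1. Discard the session the SPNEGO login module bound the principal to,
        //    so a later request to a secured page cannot reuse it.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }

        // 2. Clear the request-level principal as well (Servlet 3.0 logout).
        req.logout();

        // 3. Start a fresh session that the form login will be bound to.
        req.getSession(true);

        // Record the switch: the same person now authenticates as a different
        // identity without a Windows logoff, which is worth seeing in the logs.
        getServletContext().log("manual login requested, dropped principal="
                + previous + " from " + req.getRemoteAddr());

        // 4. Hand over to the form login; only a POST of j_username/j_password
        //    to j_security_check from this new session will authenticate.
        resp.sendRedirect(req.getContextPath() + LOGIN_PAGE);
    }
}
```

Only the POST is handled on purpose, so a plain link or a bookmarked GET cannot silently terminate the SPNEGO session.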
That's OK, but when the login form is submitted (to j_security_check), I get a blank page. If I refresh the page I get a 404 error, but that's not a problem because I can redirect the 404 and get the welcome page with the correct login. But I don't know how to catch the blank page ("Internet Explorer cannot display the webpage" with IE). When I write a Servlet Filter, it is not called.
The right way to handle that would have been to give the URL to redirect to j_security_check, but it is not possible. So this blank page is the last obstacle I have to overcome to succeed.