IIS, Tomcat & Kerberos

Danny Mayer mayer at gis.net
Thu Apr 21 23:15:57 EDT 2011

On 4/20/2011 7:03 AM, dirweis wrote:
> Hi,
> I'm trying to use the Kerberos authentication on IIS for reading out the
> user's name.
> To make it even more complicated: I let a Tomcat run via IIS 6.0 on which a
> minimalistic servlet is running that does nothing but printing the user's
> name:
> out.print("Logged in as: " + request.getRemoteUser());
> Tomcat's already running fine via the IIS (port 8080 is no longer needed in
> the URL  :-)

This makes no sense. Tomcat has nothing to do with IIS. It needs to do
it's own Kerberos authentication.

I've used Waffle to successfully authenticate a user. The above code is
not written in Java which is what it would need to be if you were doing
it from a Servlet. You need to use getUserPrincipal() from the
authentication object. The code looks something like this:

java.security.Principal principal = httpreq.getUserPrincipal();
if (principal != null)
    userID = principal.getName();

where httpreq is an object of the class

> For a simple testing my Windows 2003 server is all in one: Active Directory
> Domain Controller / DNS, IIS server, Tomcat server and client.
> For using Kerberos the following steps have been done: 
> - Kerberos Network Identity Manager is running
> - I followed the howto on http://support.microsoft.com/kb/215383, section
> IIS 6.0
> - IIS Default Web Site security runs with disabled anonymous access and with
> checked option 'Integrated Windows authentication'
> Can you tell me what else is needed?
> Many thanks in advance for helpful answers!
> Cheers, Dirk

If the question is about IIS, ask Microsoft. If it's about Tomcat, see
above. They are not related. Each server needs to do it's own


More information about the Kerberos mailing list