Kerberos authentication

Prerequisites

  • Java 1.6 must be installed on the server machine.
  • A domain account is available to set up the SPN (Service Principal Name) for pre-authentication.

Preparations

Download and install Java 1.6 on the Tomcat server if it is not installed yet, and configure Tomcat to use the new Java Virtual Machine. Then start Tomcat and check that the Toolbox still works with the new configuration. In the Toolbox you can verify under “Settings” > “System Status” whether the new JVM is used.

Download SPNEGO

Download the .jar and .conf files from this topic. Copy the downloaded files (spnego.jar, krb5.conf and login.conf) to the ..\Application\WEB-INF\lib\ directory of the Principal Toolbox.

Change the web.xml file

Add the XML section below to the web.xml file of the Principal Toolbox, which can be found in ..\Application\WEB-INF\. It replaces the row containing <!--SpnegoHttpFilterPlaceHolder -->. Change the username and password to those of the account created for pre-authentication. Also check that the paths to krb5.conf and login.conf are correct.

<filter>
  <filter-name>SpnegoHttpFilter</filter-name>
  <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>
  <!-- Allow HTTP Basic as a fallback when the client cannot use Kerberos -->
  <init-param>
    <param-name>spnego.allow.basic</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.allow.localhost</param-name>
    <param-value>true</param-value>
  </init-param>
  <!-- Also allow the Basic fallback on connections without SSL/TLS -->
  <init-param>
    <param-name>spnego.allow.unsecure.basic</param-name>
    <param-value>true</param-value>
  </init-param>
  <!-- Name of the client entry in login.conf -->
  <init-param>
    <param-name>spnego.login.client.module</param-name>
    <param-value>spnego-client</param-value>
  </init-param>
  <!-- Adjust both paths to the location of the downloaded files -->
  <init-param>
    <param-name>spnego.krb5.conf</param-name>
    <param-value>C:\Applications\Fortes\Application\krb5.conf</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.login.conf</param-name>
    <param-value>C:\Applications\Fortes\Application\login.conf</param-value>
  </init-param>
  <!-- Credentials of the domain account created for pre-authentication -->
  <init-param>
    <param-name>spnego.preauth.username</param-name>
    <param-value>username</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.preauth.password</param-name>
    <param-value>password</param-value>
  </init-param>
  <!-- Name of the server entry in login.conf -->
  <init-param>
    <param-name>spnego.login.server.module</param-name>
    <param-value>spnego-server</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.prompt.ntlm</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>spnego.logger.level</param-name>
    <param-value>10</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>SpnegoHttpFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
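
The checks this step asks for (correct paths, real account values) can be scripted before Tomcat is restarted. The following is an added example, not part of the original article or of the SPNEGO library; the function names, the account name svc_toolbox and the embedded sample are assumptions. It also flags the combination of spnego.allow.basic and spnego.allow.unsecure.basic, which lets the Basic fallback run over plain HTTP.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: a trimmed copy of the filter above. The account name
# svc_toolbox is hypothetical; the password is the article's placeholder.
SAMPLE_WEB_XML = r"""<web-app><filter>
  <filter-name>SpnegoHttpFilter</filter-name>
  <init-param><param-name>spnego.allow.basic</param-name><param-value>true</param-value></init-param>
  <init-param><param-name>spnego.allow.unsecure.basic</param-name><param-value>true</param-value></init-param>
  <init-param><param-name>spnego.krb5.conf</param-name><param-value>C:\Applications\Fortes\Application\krb5.conf</param-value></init-param>
  <init-param><param-name>spnego.login.conf</param-name><param-value>C:\Applications\Fortes\Application\login.conf</param-value></init-param>
  <init-param><param-name>spnego.preauth.username</param-name><param-value>svc_toolbox</param-value></init-param>
  <init-param><param-name>spnego.preauth.password</param-name><param-value>password</param-value></init-param>
</filter></web-app>"""

def load_params(web_xml_text):
    """Return {param-name: param-value} for the SpnegoHttpFilter entry."""
    root = ET.fromstring(web_xml_text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace, if any
    for flt in root.iter("filter"):
        if flt.findtext("filter-name", "").strip() == "SpnegoHttpFilter":
            return {p.findtext("param-name", "").strip(): p.findtext("param-value", "").strip()
                    for p in flt.iter("init-param")}
    return {}

def audit(params, path_exists=lambda p: Path(p).is_file()):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for key in ("spnego.krb5.conf", "spnego.login.conf"):
        if not path_exists(params.get(key, "")):
            findings.append(f"{key}: no file at {params.get(key)!r}")
    for key, placeholder in (("spnego.preauth.username", "username"),
                             ("spnego.preauth.password", "password")):
        if params.get(key, "") in ("", placeholder):
            findings.append(f"{key}: empty or still the placeholder value")
    if params.get("spnego.allow.basic") == "true" and \
       params.get("spnego.allow.unsecure.basic") == "true":
        findings.append("spnego.allow.unsecure.basic: Basic fallback is accepted "
                        "without TLS, so credentials can cross the network in Base64")
    return findings

if __name__ == "__main__":
    for finding in audit(load_params(SAMPLE_WEB_XML)):
        print("CHECK:", finding)
```

To check a real installation, pass the contents of ..\Application\WEB-INF\web.xml to load_params on the Tomcat server itself, so that the path checks run against the server's file system.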

Register the SPN (Service Principal Names)

You need to install the Support Tools from the Windows server installation disc. After installation, open the command prompt to execute the setspn.exe command. Run the following commands with the pre-authentication user, as used in the web.xml. Also replace the server name and the domain name in these commands.

setspn.exe -A HTTP/servername username
setspn.exe -A HTTP/servername.domain.local username

Finishing

After all the steps have been followed, start the Tomcat server and check that the application starts. If it does not, check the Tomcat logging for errors. If everything works, you will be logged in automatically. Now change the “Login type” under Settings > System Settings > User Login Settings to “Windows authentication (Automatic Login)”.
