How to configure Tomcat to use Windows NTLM authentication? - authentication

I would like to use NTLM authentication with Tomcat so that Internet Explorer automatically sends both the user id and password to the webapp. Is this possible?
With "BASIC" authentication IE pops up the usual password dialog, but I want to skip this dialog. (Note: I use JNDIRealm/LDAP.)

Yes, it's now possible with the Waffle Tomcat Authenticator, which supports Negotiate (NTLM v1, v2, etc., and Kerberos).
Tutorial:
http://code.dblock.org/ShowPost.aspx?id=103
Waffle:
http://dblock.github.io/waffle/
Waffle works on Windows Server only.

Yes it is. The Tomcat Wiki references documentation about Samba code that enables Tomcat to do NTLM authentication.
The Samba community implemented a Servlet filter that allows authenticating users against a domain controller.

Alternatively, if you're on a Windows server, you can have IIS do the authentication and redirect requests to Tomcat. Here's the documentation: http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html

JCIFS is now (2011) deprecated (it does not support NTLM v2).
JESPA is not free but may work out for you.
Waffle is Windows Server only.
You may want to check out UnboundID's LDAP solution: www.unboundid.com/products/ldapsdk/
I haven't tried it yet, but it seems like a compromise.
Here is a quick comparison between the UnboundID SDK, JNDI and the Netscape SDK: www.unboundid.com/products/ldap-sdk/docs/advantages/comparison.php . It may be biased since it's on UnboundID's website, but hey, it gives you a good idea why you might consider it.

People from the JCIFS project (the one referenced in mkoller's answer) say that the solution they provide is not compatible with NTLMv2...
http://jcifs.samba.org/src/docs/ntlmhttpauth.html
You should check http://www.ioplex.com/jespa.html, which is not free...

I have used JCIFS, Waffle and IIS side by side.
JCIFS does not support NTLM v2 and sometimes prompts users.
Waffle supports NTLM v2, but sometimes prompts users.
IIS is the only solution where promptless NTLM authentication works 100% of the time.

Related

Paw - Support for https mutual (client-side cert) authentication?

Trying out PAW and liking it very much.
The only thing I don't manage to get working is using HTTPS mutual auth. Some of the APIs I need to interact with require mutually authenticated https.
How do I tell PAW to use a cert to authenticate? The cert is already in OSX Keychain and Safari can do GETs to that API without problems, so I (hope) it should be doable...
Not being able to do this might be the make/or break for PAW for me.
Thanks!
While you are waiting for the next version of Paw, you can use SoapUI to test a REST interface with SSL client authentication: http://geekswithblogs.net/gvdmaaden/archive/2011/02/24/how-to-configure-soapui-with-client-certificate-authentication.aspx

Avoid NTLM authentication method

I have a web application which is developed using vb.net.
My web application uses Windows authentication mode.
Security team scanned the application and reported one issue.
Steps followed to produce the issue:
1. Type the url in browser (url - https://sample/applicationname) and press Enter
2. Analyze the response using the proxy tool 'Fiddler', which shows that the authentication method is NTLM, which is insecure.
Recommendations given by the security team:
Change authentication method to a more secure one such as Digest, client certificates or similar. Otherwise use an encrypted channel to protect information by implementing HTTPS.
Note: HTTPS is already implemented.
Kindly let me know how to solve the issue.
Thanks in advance.
Digest is less secure than NTLM, so you may want to mock your security team. Digest uses MD5 (in a weak manner) and requires reversible passwords. If you really want to go more secure than NTLM, you may want to configure Kerberos. The options vary depending on your version of IIS. Google will have your answer.
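An added example, not part of the question or the answer above, that shows concretely what the answer means by Digest's weak use of MD5: it implements the RFC 2617 Digest computation (MD5, qop=auth) using the RFC's own worked sample values, and shows that the server-side verifier HA1 alone, with no knowledge of the password, is enough to produce a response the server accepts. The function names are my own.

```python
"""RFC 2617 HTTP Digest authentication (algorithm MD5, qop=auth)."""
import hashlib
import hmac


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 is what a Digest server must store, or derive from a plaintext password.
    It is a plain unsalted MD5 of user:realm:password, so it is cheap to guess
    offline and, as shown below, is itself a password-equivalent credential."""
    return md5hex(f"{user}:{realm}:{password}")


def digest_response_from_ha1(ha1: str, method: str, uri: str, nonce: str,
                             nc: str, cnonce: str, qop: str = "auth") -> str:
    """Client response. Only HA1 enters the computation, never the password."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_response(user: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """What a genuine client computes from the user's password."""
    ha1 = digest_ha1(user, realm, password)
    return digest_response_from_ha1(ha1, method, uri, nonce, nc, cnonce)


def server_verify(stored_ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, presented: str) -> bool:
    """Server check: recompute from the stored HA1 and compare in constant time."""
    expected = digest_response_from_ha1(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, presented)


# Sample values taken from the worked example in RFC 2617, section 3.5.
RFC_USER, RFC_REALM, RFC_PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
RFC_NONCE, RFC_CNONCE, RFC_NC = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "00000001"
RFC_METHOD, RFC_URI = "GET", "/dir/index.html"


def password_equivalence_demo() -> bool:
    """True if a party holding only the server's stored HA1 (e.g. from a leaked
    credential table) is accepted exactly like the real user. No password used."""
    stored_ha1 = digest_ha1(RFC_USER, RFC_REALM, RFC_PASSWORD)  # server-side table entry
    from_ha1_only = digest_response_from_ha1(stored_ha1, RFC_METHOD, RFC_URI,
                                             RFC_NONCE, RFC_NC, RFC_CNONCE)
    return server_verify(stored_ha1, RFC_METHOD, RFC_URI, RFC_NONCE, RFC_NC,
                         RFC_CNONCE, from_ha1_only)
```

The mitigation the answer points to (Kerberos) does not have this property: the KDC's verifier is never sent to or recomputed by the application server, and the credential database is not a sufficient substitute for the password in the Negotiate exchange.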

How to make Kerberos module

Is it possible to make a Kerberos module for an Apache server that is on Windows? I understand that I need to make a DLL file from some source, but how?
Thank you.
Try http://modauthkerb.sourceforge.net/
Mod_auth_kerb is an Apache module designed to provide Kerberos authentication to the Apache web server. Using the Basic Auth mechanism, it retrieves a username/password pair from the browser and checks them against a Kerberos server as set up by your particular organization. The module also supports the Negotiate authentication method, which performs full Kerberos authentication based on ticket exchanges, and does not require users to insert their passwords to the browser. In order to use the Negotiate method you need a browser supporting it (currently standard IE6.0 or Mozilla with the negotiateauth extension).

mobile application: how do I provide client authentication

I had an idea for a fitness mobile app and I have been developing applications based on this idea for iPhone (Obj-C based), Android (java based), WebOS (html5 based) and Nokia Qt.
I now need to provide authentication to the users of my application. The server is a typical LAMP system. I would like the users of my mobile application to log in to the server seamlessly and securely.
I am not really a web programmer and hence would appreciate ideas on how I can go about providing authentication. I've heard about OpenID... but I am not sure if it can be used for authenticating mobile clients. Someone mentioned OAuth, but I am not sure if a) it would work in this use case and b) what if my client does not have a Facebook/Twitter account?
Any ideas will be appreciated!
I have done something similar and used GnuTLS and an X.509 certificate to authenticate from the client side. It's seamless and easy to integrate.
https://idlebox.net/2009/apidocs/gnutls-2.6.6.zip/gnutls_7.html#SEC65
The important thing about using this method for me was that the HTTPS connection was just simple method calls and the handshaking process itself would be handled by the GnuTLS library.
My app was an iOS app and I used Xcode to do it, which was easy. I think it will be easier on the Java side, but I am not sure about the Nokia part. The coding is in C and is thus cross-platform.
However, if you are looking for an iOS-based solution I recommend http://developer.apple.com/library/ios/#samplecode/AdvancedURLConnections/Introduction/Intro.html
But for a cross-platform solution that would require the same certificate across all applications and no input or work for the user, I still suggest GnuTLS and using the X.509 certificate.
If you already have a LAMP server somewhere, it should be fairly easy to implement your own API for password authentication -- the important thing is that you do it via HTTPS! (so the user ids / passwords cannot be sniffed). You will need a digital certificate (CERT) for your web server.
On your LAMP system you can keep the user data in its database. Your LAMP server should also allow creating a local user account (of course).
You can use this solution either separately or together with OpenID or OAuth!
That means, if your client doesn't have Facebook or Twitter, they can still create an account on your LAMP server.
http://en.wikipedia.org/wiki/OAuth

Jabber client that supports client-certificate based authentication

This is a little odd.
I'm working on improving Pidgin, trying to add client-certificate based authentication for jabber. I set up an openfire server (which supports client-certificate based authentication), but I want to make sure I set it up correctly - test it with a client that I know works. And for that, I need a client that already supports client-certificate based authentication.
I suppose this is how testing meets dependency hell.
Anyone know of a jabber client I can use to test my openfire setup, so I can get back to testing my code against the openfire server?
Both Swift and Gajim 0.14 support certificate authentication. The first on the login screen (yellow shiny button), the second in the account settings window under "Client Certificate".