users@glassfish.java.net

Re: Glassfish and NT login Name

From: <glassfish_at_javadesktop.org>
Date: Mon, 17 Mar 2008 22:53:48 PST

Jimmy,

By the way, Firefox also works with the NTLM authentication mechanism as long as you configure it properly.

For Firefox, you'll need to do something like the following:

1) Type in "about:config"
2) Type in "network.a"
3) Modify the network.automatic-ntlm-auth-trusted-uris then add something like "http://your.site.fqdn.here" and it'll log you in automatically just like IE (you can add multiples by comma delimiting the string).

I prefer the SPNEGO route (instead of NTLM via JCIFS), as it gives you single sign-on even with Linux and other Unix clients as long as said clients are using the AD server via Kerberos authentication.

It's fairly easy to write a servlet filter that uses SPNEGO, as long as your admins can generate a keytab file for your server via the ktpass command, using an SPN like HTTP/your.fqdn.site@YOUR.AD.DOMAIN

I've got some Servlet Filter authentication code, which is modeled closely after the GlassFish SPNEGO authentication module. The only difference is that when it's passed a non-SPNEGO token (i.e. a Basic Authentication Base64 username:password token), I make it perform an Active Directory user dn search (&(objectClass=user)(sAMAccountName=?)), then perform a bind using the resulting dn and the password (from the basic auth token) to authenticate the user. At least this way - there's no dependency on the Lan Manager protocols and JCIFS.
[Message sent by forum member 'gdaswani' (gdaswani)]

http://forums.java.net/jive/thread.jspa?messageID=264530
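
The Basic-token fallback described in the message (search for the user's DN by sAMAccountName, then bind as that DN) can be sketched as follows. This is an added example, not gdaswani's filter or the GlassFish module; the class name, LDAP URL, base DN and the service account used for the search are assumed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class AdBasicAuth {
    // Assumed placeholders: an LDAPS endpoint and a container below the domain root.
    static final String URL = "ldaps://ad.example.test:636";
    static final String BASE_DN = "CN=Users,DC=example,DC=test";

    static DirContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    /** Returns the user's DN if the Basic credentials bind successfully, else null. */
    static String authenticate(String header, String svcDn, String svcPw) throws NamingException {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        String[] up;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            up = new String(raw, StandardCharsets.UTF_8).split(":", 2);
        } catch (IllegalArgumentException e) { return null; } // not valid Base64
        // An empty password turns a simple bind into an unauthenticated bind that can succeed.
        if (up.length != 2 || up[0].isEmpty() || up[1].isEmpty()) return null;
        DirContext svc = bind(svcDn, svcPw); // service account performs the DN search
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]);
            // JNDI escapes the {0} argument, so the user name cannot alter the filter.
            NamingEnumeration<SearchResult> r = svc.search(BASE_DN,
                "(&(objectClass=user)(sAMAccountName={0}))", new Object[] { up[0] }, sc);
            if (!r.hasMore()) return null;          // unknown user
            String dn = r.next().getNameInNamespace();
            if (r.hasMore()) return null;           // ambiguous match: refuse
            try { bind(dn, up[1]).close(); return dn; }
            catch (AuthenticationException e) { return null; } // wrong password
        } finally { svc.close(); }
    }
}
```

Because Basic credentials and simple binds carry the password in recoverable form, both the HTTP side and the LDAP side need TLS for this fallback.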