Tomcat Kerberos

  1. Tomcat Kerberos Logo
  2. Tomcat Basic Auth
  3. Tomcat Kerberos Authentication Linux
  4. Tomcat Kerberos Ldap

I'm trying to setup kerberos authentication in a Java web-app running in a Tomcat on Linux. I'm using the spring security kerberos extension. I'm using: jdk 1.7u75; spring-security-kerberos 1.0.0.RELEASE; MS Active Directory; On my local development machine (windows) everything runs fine. Built-in Tomcat support: Kerberos (the basis for integrated Windows authentication) requires careful configuration. If the steps in this guide are followed exactly, then a working configuration will result. It is important that the steps below are followed exactly. There is very little scope for flexibility in the configuration. Kerberos authentication provides a highly secure method to authenticate client and server entities (security principals) on a network. To use Kerberos authentication with SQL Server, a Service Principal Name (SPN) must be registered with Active Directory, which plays the role of the Key Distribution Center in a Windows domain. Ticket Granting Service (TGS) is a principal that can grant tickets to others. When the user wants to talk to a kerberized service, s/he uses the Ticket Granting Ticket to talk to the TGS (e.g.

I’ve added a Tomcat Negotiate (Kerberos + NTLM) authenticator to Waffle 1.3 for Tomcat 6. Here’s how to use it.


Download Waffle 1.3. The zip contains Waffle.chm that has the latest version of this tutorial.

Configure Tomcat

Copy Files

I started with a default installation of Tomcat 6. Checked that I could start the server and navigate to http://localhost:8080. Copy the following files into tomcat’s lib directory.

  • jna.jar: Java Native Access
  • platform.jar: JNA platform-specific API
  • waffle-jna.jar: Tomcat Negotiate Authenticator

Authenticator Valve

Add a valve and a realm to the application context in your context.xml (for an application) or in server.xml (for the entire Tomcat installation).

Security Roles

Configure security roles in your application’s web.xml. The Waffle authenticator adds all user’s security groups (including nested and domain groups) as roles during authentication.

Restrict Access

Tomcat basic auth

Tomcat Basic Auth

Restrict access to website resources. For example, to restrict the entire website to locally authenticated users add the following in web.xml.

Tomcat Kerberos Authentication Linux


Restart Tomcat and navigate to http://localhost:8080.

You should be prompted for a logon with a popup. This is because by default localhost is not in the _Intranet Zone _and the server returned a 401 Unauthorized. Internet servers with a fully qualified named are detected automatically.

Internet Explorer

Tomcat Kerberos Ldap

Ensure that Integrated Windows Authentication is enabled.

  1. Choose the_ Tools, Internet Options_ menu.
  2. Click the Advanced tab.
  3. Scroll down to Security
  4. Check Enable Integrated Windows Authentication.
  5. Restart the browser.

The target website must be in the Intranet Zone.

  1. Navigate to the website.
  2. Choose the Tools, Internet Options menu.
  3. Click the Local Intranet icon.
  4. Click the Sites button.
  5. Check Autmatically detect intranet network.
  6. For localhost, click Advanced.
  7. Add http://localhost to the list.


  1. Type about:config in the address bar and hit enter.
  2. Type network.negotiate-auth.trusted-uris in the Filter box.
  3. Put your server name as the value. If you have more than one server, you can enter them all as a comma separated list.
  4. Close the tab.
Tomcat Kerberos

Navigate to http://localhost:8080 after adding it to the Intranet Zone.

You should no longer be prompted and automatically authenticated.


In the logs you will see the following output for a successful logon.

My laptop is not a member of an Active Directory domain, but you would see domain groups, including nested ones here. There’s nothing special to do for Active Directory. The authenticator also automatically handles all aspects of the Negotiate protocol, chooses Kerberos vs. NTLM and supports NTLM POST. It basically has the same effect in Tomcat as choosing Integrated Windows authentication options in IIS.


Related Projects

  • Tomcat SPNEGO by Dominique Guerrin: this is a very good prototype of a filter. It uses JNI and not JNA, doesn’t support NTLM POST and the code is pretty thick.
  • SPNEGO Sourceforge: it’s a nightmare to configure, doesn’t work without an Active Directory domain and requires an SPN
  • JCIFS NTLM: no longer supported and they recommend using Jespa
  • Jespa: a commercial implementation that claims to do the same thing as Waffle, but uses the Netlogon service instead of the native Windows API
Please enable JavaScript to view the comments powered by Disqus.comments powered by Disqus