How to configure Tomcat to use Windows NTLM authentication?

Question

I would like to use NTLM authentication with Tomcat so that Iexplorer send automatically both the user id+pwd to webapp. Is this possible?

With \"BASIC\" authent

Answer 1

Yes, it's now possible with Waffle Tomcat Authenticator that supports Negotiate (NTLM v1, v2, etc., and Kerberos).

• Tutorial: http://code.dblock.org/ShowPost.aspx?id=103
• Waffle: http://dblock.github.io/waffle/

Waffle works on windows server only

Answer 2

Yes it is. The Tomcat Wiki references a documentation about Samba code that enables Tomcat to do NTLM authentication.

The Samba community implemented a Servlet filter that allows to athenticate users agains a domain controller.

Answer 3

I have used JCIFS, Waffle and IIS side by side.

• JCIFS does not support NTLM v2, sometimes prompts users
• Waffle support NTLM v2, but sometimes prompts user
• IIS is the only solutio where promptless NTLM authentication works 100% of the time

Answer 4

Alternatively, if you're on a Windows server, you can have IIS do the authentication and redirect requests to Tomcat. Here's the documentation: http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html

Answer 5

• JCIF is now (2011) deprecated (does not support NTLM v2).
• JESPA is not free but may work out for you
• Waffle is windows server only

You may want to check out UnboundID's LDAP solution www.unboundid.com/products/ldapsdk/ Haven't tried it yet but seems like a compromise.

Here is a quick comparison between UnboundID SDK, JNDI and Netscape SDK: www.unboundid.com/products/ldap-sdk/docs/advantages/comparison.php . It may be biased since it's on unbound's website but hey, gives you a good idea why you might consider it.

Answer 6

people from the JCIFS project (the one reerenced in mkoller's answer) says that the solution they provide is not compatible with NTLMv2...

http://jcifs.samba.org/src/docs/ntlmhttpauth.html

you should check http://www.ioplex.com/jespa.html, which is not free...