Waffle Single Sign on

Nov 18, 2010 at 3:52 PM

I have a Tomcat Web application running under Tomcat 6, Using Java 1.6.

Integrated Authentication works well as long as the role-name specified in the web.xml file is an LDAP group that was created prior to Windows Server 2003. For all the groups that were created in Windows Server 2003 going forward, integrated Authentication fails.

Anyone encountering the same issue or knows what could be the problem?


Thanks in advance,


Nov 18, 2010 at 6:30 PM

Define "fails". Is the user not getting that group in the list of his groups (roles)? You can see with Waffle in logging the list of groups, maybe something is in that list that is spelled differently or something like that...

Double-check that those groups are created as security groups and not as DLs (read this) and that there're no DLs in the path in case you have nested groups.

Nov 18, 2010 at 6:57 PM

Authentication only works when I use the windows server 2k alias. It fails when I use the Group Name.

Nov 18, 2010 at 7:03 PM

I didn't have enough coffee today, I don't understand what this means :) Can you please elaborate?

Nov 18, 2010 at 10:18 PM

Ok let me see if this makes more sense:

Where i add active directory user roles to the web.xml, i am supposed to add the active directory group. IE <role-name>DOMAIN\group_name</role-name>

When I set up Single Sign-on, using the group name, authentication fails.

But if instead of the group-name I use the  group alias, which under Active Directory Administration is lised as "Group Name(pre windows 2000)", authentication is successful


Ill try to make this Clearer

I have a Domain: "MYDOMAIN"

I have a Group Name:"My_Group"

The Group Name(pre windows 2000) taken from Active Directory Administration: "MyGroup"


When I add "My_Group" as role, Authentication fails

When i add "MyGroup" as role, Authenticatio succeeds.

I checked, and the underscore has nothing to do with it. It happens with groups that don't have an underscore too

Nov 18, 2010 at 10:47 PM

You're missing one piece of information: what is the list of groups that the user is a member of? Try with a waffle sample, demo pages list that. Most likely the group name (format) is not the correct one, which is configurable in waffle. Which waffle filter are you using?

Nov 19, 2010 at 4:04 PM

I believe I am using waffle-negotiate. I'm  set up similar to the waffle-negotiate sample.

This is on my context.xml:

  <Valve className="waffle.apache.NegotiateAuthenticator" />
  <Realm className="waffle.apache.WindowsRealm" />


Yes, I got all Groups from the user, and the getName method for a group doesn’t return the actual group name. but rather the group alias. Any idea how I can configure it to get the group name instead of the alias?

And thanks for the quick replies!

Nov 21, 2010 at 3:32 PM

NegotiateAuthenticator takes a principal and role format, like this:

  <Valve className="waffle.apache.NegotiateAuthenticator" principalFormat="fqn" roleFormat="both" /> 
  <Realm className="waffle.apache.WindowsRealm" /> 

The values are documented, FQN is the fully qualified name (domain\group), which is what you want. But I think in your case the value returned is the pre-Windows 2000 one. So this needs a deep dive.

Are you in for some more serious debugging? This isn't going to be quick.

Get waffle source code from SVN and make sure you can build it (or at least the Java part). The docs have a contributing section with required software. Your goal is to be able to run the waffle.windows.auth.WindowsAuthProviderTests. In testAcceptSecurityToken you'll see it dumping FQNs for the groups. You'll probably find that those are the pre-windows 2000 groups. This creates WindowsIdentityImpl which in turn calls Advapi32Util.getTokenGroups, a JNA function. Examine the contents of the Account type objects returned and see if they contain the non-pre-Windows 2000 names. If they do, then all the changes are in Waffle, if they don't, we need to look at JNA source code next.

Parallel to this, tell me about your setup. I can probably get a DC that has some pre-windows-2000 names.


Nov 22, 2010 at 3:19 PM

Thanks again for your help!

I decided I am just going to go with the pre-windows 2000 groups.

This application has only a few roles defined in it so I can just check AD for the aliases.


Now., I have another problem and i was wondering if you would know anything about it. Using the same  NegotiateAuthenticator for Single Sign-on, I want to retrieve the current user's OU.

I was going through the fields in the WindowsPrincipal and couldnt find anything that seems of any use. Would this be a JNA question? or will I need to code something like this myself?



Nov 22, 2010 at 11:04 PM

All these Active Directory attributes aren't available via SSPI. You have to lookup the user in AD using the user's SID after authentication. You should write a separate piece of code (a filter or something else) that does the lookup using, for example, ADSI. I have no idea how to do this in Java ;)