In <tt>waffle.windows.auth.impl.logonDomainUserEx()</tt> the LOGON32_LOGON_NETWORK logon type is used. This method is the one implicitly called when using a Basic authentication scheme with the Servlet Filter.
This logon type has a limitation when using the impersonation feature: it does not allow a process impersonating a user to pass along the credentials to a third remote server, for example a file share. That means that when using Basic authentication any access from the Java app server to a remote file share on behalf of the impersonated user will fail. This is the famous "double hop" problem.
It seems that it can be fixed by using the LOGON32_LOGON_NETWORK_CLEARTEXT logon type instead. The "cleartext" is a bit scary but I didn't find any useful resource about its security implications, and I think that's what IIS is doing because if you try to access a remote file share in a CGI run by IIS under impersonation, using Basic auth., access is granted.
What do you think of switching to this logon type in order to truly mimic IIS behaviour?
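Added example, not part of the original report and not Waffle's own code: a small check that logs a user on with each of the two logon types through `logonDomainUserEx()`, impersonates, and tries to list a remote share, so the double-hop difference can be observed on a test host. The class name `DoubleHopCheck`, the helper `countEntries`, and the command-line arguments are assumptions made for illustration; the constants come from JNA's `WinBase`.

```java
import com.sun.jna.platform.win32.WinBase;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.stream.Stream;
import waffle.windows.auth.IWindowsIdentity;
import waffle.windows.auth.IWindowsImpersonationContext;
import waffle.windows.auth.impl.WindowsAuthProviderImpl;

// Hypothetical test harness: run on a domain-joined Windows host as
//   java DoubleHopCheck <user> <domain> <\\server\share>
public class DoubleHopCheck {

    // Log on with the given logon type, impersonate on this thread, and
    // count the entries of the remote share while impersonating.
    static long countEntries(String user, String domain, String password,
                             int logonType, String uncPath) throws IOException {
        IWindowsIdentity identity = new WindowsAuthProviderImpl().logonDomainUserEx(
                user, domain, password, logonType, WinBase.LOGON32_PROVIDER_DEFAULT);
        try {
            IWindowsImpersonationContext ctx = identity.impersonate();
            try (Stream<Path> entries = Files.list(Paths.get(uncPath))) {
                return entries.count();
            } finally {
                ctx.revertToSelf(); // always drop the impersonation token
            }
        } finally {
            identity.dispose(); // close the logon handle
        }
    }

    public static void main(String[] args) {
        if (args.length != 3 || System.console() == null) {
            System.err.println("usage: DoubleHopCheck <user> <domain> <unc-path> (interactive console required)");
            return;
        }
        String password = new String(System.console().readPassword("Password: "));
        int[] types = { WinBase.LOGON32_LOGON_NETWORK, WinBase.LOGON32_LOGON_NETWORK_CLEARTEXT };
        String[] names = { "LOGON32_LOGON_NETWORK", "LOGON32_LOGON_NETWORK_CLEARTEXT" };
        for (int i = 0; i < types.length; i++) {
            try {
                long n = countEntries(args[0], args[1], password, types[i], args[2]);
                System.out.println(names[i] + ": listed " + n + " entries");
            } catch (IOException | RuntimeException e) {
                // A plain network logon is expected to fail here (no credentials for the second hop).
                System.out.println(names[i] + ": failed: " + e);
            }
        }
    }
}
```

Microsoft documents `LOGON32_LOGON_NETWORK_CLEARTEXT` as preserving the name and password in the authentication package so the server can connect to other network servers while impersonating, which is the trade-off to weigh when reviewing this change.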