How to primarily use Kerberos and NTLM as fallback?

Jan 25, 2011 at 2:34 PM
Edited Jan 25, 2011 at 3:28 PM

Hi,

We've successfully implemented Waffle on JBOSS 4x and Windows.

We're using the SingleSignOn Security-Filter.

We want to use primarily Kerberos for authentication and NTLM as fallback only.

If we activate both in web.xml (see below) we observe that mainly NTLM is used.

<init-param>
<param-name>waffle.servlet.spi.NegotiateSecurityFilterProvider/protocols</param-name>
<param-value>
    Negotiate
    NTLM
</param-value>
</init-param>

How do we have to configure the filter (or anything else) to prefer Kerberos over NTLM?

 

Best regards

david

 

 

Complete filter config (without mappings):

<filter>
  <filter-name>SecurityFilter</filter-name>
  <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
  <init-param>
    <param-name>principalFormat</param-name>
    <param-value>fqn</param-value>
  </init-param>
  <init-param>
    <param-name>roleFormat</param-name>
    <param-value>both</param-value>
  </init-param>
  <init-param>
    <param-name>allowGuestLogin</param-name>
    <param-value>false</param-value>
  </init-param>
  <init-param>
    <param-name>securityFilterProviders</param-name>
    <param-value>waffle.servlet.spi.NegotiateSecurityFilterProvider</param-value>
  </init-param>
  <init-param>
    <param-name>waffle.servlet.spi.NegotiateSecurityFilterProvider/protocols</param-name>
    <param-value>
      Negotiate
      NTLM
    </param-value>
  </init-param>
</filter>

Coordinator
Jan 25, 2011 at 4:23 PM

The client plays the majority role in selecting NTLM vs. Kerberos. You need a valid server SPN (search for service principal name on Google) in order for it to select Kerberos.

This is a pretty common question, I'd appreciate it if you did a nice writeup as a response to this thread once you figure it all out.
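
To see which mechanism a client actually chose, as discussed above, the token in the `Authorization` header can be inspected on the server. The following is an added example, not part of the original thread and not Waffle code: the class and method names are hypothetical, the sample tokens in `main` are constructed, and the OID search is a heuristic that relies on SPNEGO listing mechanisms in the client's order of preference.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added diagnostic sketch: class and method names are hypothetical, not Waffle API.
public class AuthMechanismSniffer {
    // Every raw NTLM message starts with this signature.
    private static final byte[] NTLMSSP = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
    // DER-encoded mechanism OIDs as they appear in a SPNEGO mechTypes list.
    private static final byte[] KRB5 = hex("06092a864886f712010202");       // 1.2.840.113554.1.2.2
    private static final byte[] MS_KRB5 = hex("06092a864882f712010202");    // 1.2.840.48018.1.2.2
    private static final byte[] NTLM_OID = hex("060a2b06010401823702020a"); // 1.3.6.1.4.1.311.2.2.10

    /** Returns "KERBEROS", "NTLM" or "UNKNOWN" for an Authorization header value. */
    public static String classify(String header) {
        String[] parts = header == null ? new String[0] : header.trim().split("\\s+", 2);
        if (parts.length != 2) return "UNKNOWN";
        byte[] t;
        try { t = Base64.getDecoder().decode(parts[1].trim()); }
        catch (IllegalArgumentException e) { return "UNKNOWN"; }
        if (indexOf(t, NTLMSSP) == 0) return "NTLM";             // raw NTLM, no SPNEGO wrapper
        // In SPNEGO the first mechType listed is the client's preferred mechanism.
        int krb = first(indexOf(t, KRB5), indexOf(t, MS_KRB5));
        int ntlm = indexOf(t, NTLM_OID);
        if (krb >= 0 && (ntlm < 0 || krb < ntlm)) return "KERBEROS";
        if (ntlm >= 0 || indexOf(t, NTLMSSP) > 0) return "NTLM"; // NTLM offered first, or wrapped
        return "UNKNOWN";
    }

    private static int first(int a, int b) { return a < 0 ? b : (b < 0 ? a : Math.min(a, b)); }

    private static int indexOf(byte[] hay, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= hay.length; i++) {
            for (int j = 0; j < needle.length; j++) if (hay[i + j] != needle[j]) continue outer;
            return i;
        }
        return -1;
    }

    private static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    public static void main(String[] args) {
        // Constructed samples: an NTLM type 1 prefix, and a NegTokenInit listing Kerberos first.
        String ntlm = Base64.getEncoder().encodeToString(hex("4e544c4d5353500001000000"));
        String spnego = Base64.getEncoder().encodeToString(hex("603206062b0601050502a0283026a0243022"
                + "06092a864882f712010202" + "06092a864886f712010202" + "060a2b06010401823702020a"));
        System.out.println(classify("Negotiate " + ntlm));
        System.out.println(classify("Negotiate " + spnego));
    }
}
```

In a servlet filter placed ahead of the security filter, `classify(request.getHeader("Authorization"))` could be logged per request to confirm whether an SPN change moved clients from NTLM to Kerberos.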