I've got a webapp running in a Tomcat. I'm using the Waffle filter, and I can connect to this Tomcat and be logged in using my Windows username. However, I also have a simple reverse proxy between the two (also running in Tomcat). Note that all the boxes are Windows.
So, I want to be able to go to http://proxy/ and for my request and credentials to be forwarded on to the backend server. I'd rather not have to configure authentication on the proxy, I'd prefer to let the backend server handle this, but I'm open to any suggestions that work.
I'm running the proxy Tomcat as a service, under a service user. I believe I have the relevant SPNs set up, and have told Active Directory that the server 'proxy' is trusted for delegation.
However, when I try to browse to http://proxy/test.html, the request gets proxied on to the backend server, and Waffle on the backend authenticates, but the request is authenticated using the user that the proxy is running as, not the user making the original request in the web browser. I have tried putting the Waffle filter on the proxy, and turning on 'impersonate', but that seems to result in the backend server thinking the user is "NT AUTHORITY\ANONYMOUS LOGON".
Am I going about this in completely the wrong way? Have I totally misunderstood something? Or have I just missed a step somewhere?
Note that the Waffle logs seem to show it trying to authenticate using NTLM in some situations and 'negotiate' in others. I'm currently using IE6. I have followed all the steps I can find to make it use Kerberos (I believe that NTLM will not work with a proxy in the middle), but I'm not totally convinced that it is.
Any suggestions greatly appreciated.
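
Not part of the original post: an added Python example for checking which mechanism a browser actually sent, since an `Authorization: Negotiate` token can carry either a raw NTLMSSP message or a SPNEGO token whose mechanism is Kerberos or NTLM. The function names and the sample tokens are constructed for this example, and the check is a byte-pattern heuristic on the decoded token rather than a full ASN.1 parse.

```python
import base64

# DER-encoded mechanism OIDs (well-known constants).
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
NTLM_SIG = b"NTLMSSP\x00"  # every NTLM message starts with this signature


def classify_authorization(header_value):
    """Heuristically name the mechanism carried in an Authorization header value."""
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2:
        return "malformed"
    scheme, b64 = parts[0].lower(), parts[1].strip()
    if scheme not in ("negotiate", "ntlm"):
        return "other scheme"
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    if token.startswith(NTLM_SIG):
        return "NTLM"  # raw NTLMSSP, possible under either scheme name
    if token[:1] == b"\x60":  # GSS-API initial context token
        if NTLM_SIG in token:
            return "NTLM (wrapped in SPNEGO)"
        if OID_KRB5 in token or OID_MS_KRB5 in token:
            return "Kerberos"
    return "unknown"


def _tlv(tag, body):
    """Minimal DER tag-length-value for short bodies (< 128 bytes)."""
    return bytes([tag, len(body)]) + body


def sample_headers():
    """Constructed, truncated tokens: enough structure to classify, not valid tickets."""
    ntlm_type1 = NTLM_SIG + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2"
    krb_init = _tlv(0x60, OID_SPNEGO + _tlv(0xA0, _tlv(0x30, _tlv(0xA0, _tlv(0x30, OID_KRB5)))))
    wrapped = _tlv(0x60, OID_SPNEGO + _tlv(0xA0, _tlv(0x30, _tlv(0xA2, _tlv(0x04, ntlm_type1)))))
    enc = lambda raw: base64.b64encode(raw).decode("ascii")
    return {
        "ntlm": "NTLM " + enc(ntlm_type1),
        "negotiate_raw_ntlm": "Negotiate " + enc(ntlm_type1),
        "negotiate_kerberos": "Negotiate " + enc(krb_init),
        "negotiate_wrapped_ntlm": "Negotiate " + enc(wrapped),
    }
```

Feeding it the header value seen at the proxy and the one seen at the backend shows whether each hop negotiated Kerberos or fell back to NTLM.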