waffle Wiki Rss Feed

Updated Wiki: Home

dblock — Wed, 02 May 2012 01:58:28 GMT

WAFFLE HAS MOVED TO GITHUB

Source: https://github.com/dblock/waffle

WAFFLE

WAFFLE - Windows Authentication Functional Framework (Light Edition) is a native C# and Java library that does everything Windows authentication (Negotiate, NTLM and Kerberos).

Short Story

Most people will be interested in one of the following.

Simple native interfaces in C# and Java to do all things Windows authentication.
A generic Servlet Negotiate (NTLM and Kerberos) Security Filter - Tutorial.
A Tomcat Negotiate (NTLM and Kerberos) Authenticator Valve - Tutorial.
A Tomcat Single Sign-On + Form Authentication Mixed Valve - Tutorial.
A Spring-Security Negotiate (NTLM and Kerberos) Filter - Totorial.
A Spring-Security Windows Authentication Manager
A JAAS Login Module - Tutorial.
If you're using Tomcat, Jetty or Websphere with an IIS front-end to do authentication only, Waffle will allow you to get rid of IIS.

Unlike many other implementations WAFFLE on Windows does not usually require any server-side Kerberos keytab setup, it's a drop-in solution. You can see it in action in this slightly blurry video produced for TeamShatter.com.

Waffle was created and is sponsored by Application Security Inc.. For a long story, read the Project History. Also, feel free to use this PowerPoint presentation for your teams.

Features

Account lookup locally and in Active Directory via Win32 API with zero configuration.
Enumerating Active Directory domains and domain information.
Returns computer domain / workgroup join information.
Supports logon for local and domain users returning consistent fully qualified names, identity (SIDs), local and domain groups, including nested.
Supports all functions required for implementing server-side single-signon with Negotiate and NTLM and various implementations for Java web servers.
Supports Windows Identity impersonation.
Includes a Windows Installer Merge Module for distribution of C# binaries.

Using WAFFLE?

This is a free project. The least you can do is reply to Are you using WAFFLE in your product?. We also love good ratings! Your time is much appreciated.

Issues

Read Troubleshooting Negotiate and Frequently Asked Questions. Don't hesitate to post questions into Discussions.

Forks

There're three 1.4 forks, 1.4-tomcat-5 (Beta), 1.4-tomcat-7 and 1.4-spring-security-2 (Beta).

Updated Wiki: Home

dblock — Mon, 16 Apr 2012 11:14:29 GMT

NEXT RELEASE WILL HAPPEN OFF GITHUB, GO HERE

WAFFLE

WAFFLE - Windows Authentication Functional Framework (Light Edition) is a native C# and Java library that does everything Windows authentication (Negotiate, NTLM and Kerberos).

Short Story

Most people will be interested in one of the following.

Simple native interfaces in C# and Java to do all things Windows authentication.
A generic Servlet Negotiate (NTLM and Kerberos) Security Filter - Tutorial.
A Tomcat Negotiate (NTLM and Kerberos) Authenticator Valve - Tutorial.
A Tomcat Single Sign-On + Form Authentication Mixed Valve - Tutorial.
A Spring-Security Negotiate (NTLM and Kerberos) Filter - Totorial.
A Spring-Security Windows Authentication Manager
A JAAS Login Module - Tutorial.
If you're using Tomcat, Jetty or Websphere with an IIS front-end to do authentication only, Waffle will allow you to get rid of IIS.

Account lookup locally and in Active Directory via Win32 API with zero configuration.
Enumerating Active Directory domains and domain information.
Returns computer domain / workgroup join information.
Supports logon for local and domain users returning consistent fully qualified names, identity (SIDs), local and domain groups, including nested.
Supports all functions required for implementing server-side single-signon with Negotiate and NTLM and various implementations for Java web servers.
Supports Windows Identity impersonation.
Includes a Windows Installer Merge Module for distribution of C# binaries.

Updated Wiki: Frequently Asked Questions

dblock — Mon, 27 Feb 2012 19:30:37 GMT

Troubleshooting Stories

UnsatisfiedLinkerError jnadispatch: solved by placing JNA jars in the common classloader.
Browser shows BASIC authentication popup: solved by re-ordering authenticators.
ClassNotFoundException on Tomcat: solved by putting waffle-jna.jar in tomcat/lib.
ClassNotFoundException on JBoss: solved by putt JARs in application.ear/APP-INF/lib.
Popup asking for username/password: solved by forcing NTLM, Kerberos not working.
Negotiate authentication returns 404 File Not Found: solved by creating a missing 401.html.
Negotiate tries, but keeps failing with 401: solved by creating a proper SPN with setspn.
Issues specifying AD groups with Spring-security: solved by using the fully qualified user/group name.
Tomcat Manager not working under SSO: solved by editing 401.jsp, external solution.
Password prompt instead of SSO: solved by running Tomcat as LocalSystem.
Struts application not accepting multipart/form-data: solved by removing a legacy security constraint.
Server returns 401 Access Denied with the AP_ERR_MODIFIED error code: solved by running server as a service with a domain account.
Failed to create temporary file for jnidispatch library: java.io.IOException: solved by recreating Tomcat temp dir.
com.sun.jna.platform.win32.Win32Exception: the logon attempt failed: solved by enabling Kerberos logging and KB957097.
Cannot find where to enable WAFFLE logging in JBoss: solved by locating application's log4j.xml.
NTLM fails with an Apache / AJP front-end: solved by properly forwarding port number and re-enabling keep-alive in Apache mod_ssl.
IE6 NTLM fails with an Apache front-end with SSL: solved by enabling keep-alive in Apache mod_ssl.
java.lang.NoClassDefFoundError: org/apache/juli/logging/LogFactory with Jetty and JAAS: solved by specifying JAAS realms in Jetty configuration.
HTTP/1.1 400 Bad Request: Kerberos ticket was longer than 4K, solved by increasing maxHttpHeaderSize.
Negotiate fails with a load-balancer: needs some DNS work and a proper SPN.
java.lang.IllegalStateException: Cannot create a session after the response has been committed error with Spring Security: resolved by disabling SessionFixationProtectionFilter.
Waffle returns service user as remote user: fixed by unsaving a user name and password on a local computer.

General FAQ

Can Waffle be used on the client side?

Troubleshooting Kerberos

Troubleshooting NTLM

Enabling NTLM Logging

Updated Wiki: Frequently Asked Questions

dblock — Fri, 10 Feb 2012 12:08:08 GMT

Troubleshooting Stories

UnsatisfiedLinkerError jnadispatch: solved by placing JNA jars in the common classloader.
Browser shows BASIC authentication popup: solved by re-ordering authenticators.
ClassNotFoundException on Tomcat: solved by putting waffle-jna.jar in tomcat/lib.
ClassNotFoundException on JBoss: solved by putt JARs in application.ear/APP-INF/lib.
Popup asking for username/password: solved by forcing NTLM, Kerberos not working.
Negotiate authentication returns 404 File Not Found: solved by creating a missing 401.html.
Negotiate tries, but keeps failing with 401: solved by creating a proper SPN with setspn.
Issues specifying AD groups with Spring-security: solved by using the fully qualified user/group name.
Tomcat Manager not working under SSO: solved by editing 401.jsp, external solution.
Password prompt instead of SSO: solved by running Tomcat as LocalSystem.
Struts application not accepting multipart/form-data: solved by removing a legacy security constraint.
Server returns 401 Access Denied with the AP_ERR_MODIFIED error code: solved by running server as a service with a domain account.
Failed to create temporary file for jnidispatch library: java.io.IOException: solved by recreating Tomcat temp dir.
com.sun.jna.platform.win32.Win32Exception: the logon attempt failed: solved by enabling Kerberos logging and KB957097.
Cannot find where to enable WAFFLE logging in JBoss: solved by locating application's log4j.xml.
NTLM fails with an Apache / AJP front-end: solved by properly forwarding port number and re-enabling keep-alive in Apache mod_ssl.
IE6 NTLM fails with an Apache front-end with SSL: solved by enabling keep-alive in Apache mod_ssl.
java.lang.NoClassDefFoundError: org/apache/juli/logging/LogFactory with Jetty and JAAS: solved by specifying JAAS realms in Jetty configuration.
HTTP/1.1 400 Bad Request: Kerberos ticket was longer than 4K, solved by increasing maxHttpHeaderSize.
Negotiate fails with a load-balancer: needs some DNS work and a proper SPN.
java.lang.IllegalStateException: Cannot create a session after the response has been committed error with Spring Security: resolved by disabling SessionFixationProtectionFilter.

General FAQ

Can Waffle be used on the client side?

Troubleshooting Kerberos

Troubleshooting NTLM

Enabling NTLM Logging

Updated Wiki: Frequently Asked Questions

dblock — Fri, 09 Sep 2011 12:13:25 GMT

Troubleshooting Stories

UnsatisfiedLinkerError jnadispatch: solved by placing JNA jars in the common classloader.
Browser shows BASIC authentication popup: solved by re-ordering authenticators.
ClassNotFoundException on Tomcat: solved by putting waffle-jna.jar in tomcat/lib.
ClassNotFoundException on JBoss: solved by putt JARs in application.ear/APP-INF/lib.
Popup asking for username/password: solved by forcing NTLM, Kerberos not working.
Negotiate authentication returns 404 File Not Found: solved by creating a missing 401.html.
Negotiate tries, but keeps failing with 401: solved by creating a proper SPN with setspn.
Issues specifying AD groups with Spring-security: solved by using the fully qualified user/group name.
Tomcat Manager not working under SSO: solved by editing 401.jsp, external solution.
Password prompt instead of SSO: solved by running Tomcat as LocalSystem.
Struts application not accepting multipart/form-data: solved by removing a legacy security constraint.
Server returns 401 Access Denied with the AP_ERR_MODIFIED error code: solved by running server as a service with a domain account.
Failed to create temporary file for jnidispatch library: java.io.IOException: solved by recreating Tomcat temp dir.
com.sun.jna.platform.win32.Win32Exception: the logon attempt failed: solved by enabling Kerberos logging and KB957097.
Cannot find where to enable WAFFLE logging in JBoss: solved by locating application's log4j.xml.
NTLM fails with an Apache / AJP front-end: solved by properly forwarding port number and re-enabling keep-alive in Apache mod_ssl.
IE6 NTLM fails with an Apache front-end with SSL: solved by enabling keep-alive in Apache mod_ssl.
java.lang.NoClassDefFoundError: org/apache/juli/logging/LogFactory with Jetty and JAAS: solved by specifying JAAS realms in Jetty configuration.
HTTP/1.1 400 Bad Request: Kerberos ticket was longer than 4K, solved by increasing maxHttpHeaderSize.
Negotiate fails with a load-balancer: needs some DNS work and a proper SPN.

General FAQ

Can Waffle be used on the client side?

Troubleshooting Kerberos

Troubleshooting NTLM

Enabling NTLM Logging

Updated Wiki: Frequently Asked Questions

dblock — Tue, 16 Aug 2011 14:52:11 GMT

Troubleshooting Stories

UnsatisfiedLinkerError jnadispatch: solved by placing JNA jars in the common classloader.
Browser shows BASIC authentication popup: solved by re-ordering authenticators.
ClassNotFoundException on Tomcat: solved by putting waffle-jna.jar in tomcat/lib.
ClassNotFoundException on JBoss: solved by putt JARs in application.ear/APP-INF/lib.
Popup asking for username/password: solved by forcing NTLM, Kerberos not working.
Negotiate authentication returns 404 File Not Found: solved by creating a missing 401.html.
Negotiate tries, but keeps failing with 401: solved by creating a proper SPN with setspn.
Issues specifying AD groups with Spring-security: solved by using the fully qualified user/group name.
Tomcat Manager not working under SSO: solved by editing 401.jsp, external solution.
Password prompt instead of SSO: solved by running Tomcat as LocalSystem.
Struts application not accepting multipart/form-data: solved by removing a legacy security constraint.
Server returns 401 Access Denied with the AP_ERR_MODIFIED error code: solved by running server as a service with a domain account.
Failed to create temporary file for jnidispatch library: java.io.IOException: solved by recreating Tomcat temp dir.
com.sun.jna.platform.win32.Win32Exception: the logon attempt failed: solved by enabling Kerberos logging and KB957097.
Cannot find where to enable WAFFLE logging in JBoss: solved by locating application's log4j.xml.
NTLM fails with an Apache / AJP front-end: solved by properly forwarding port number and re-enabling keep-alive in Apache mod_ssl.
IE6 NTLM fails with an Apache front-end with SSL: solved by enabling keep-alive in Apache mod_ssl.
java.lang.NoClassDefFoundError: org/apache/juli/logging/LogFactory with Jetty and JAAS: solved by specifying JAAS realms in Jetty configuration.
HTTP/1.1 400 Bad Request: Kerberos ticket was longer than 4K, solved by increasing maxHttpHeaderSize.

General FAQ

Can Waffle be used on the client side?

Troubleshooting Kerberos

Troubleshooting NTLM

Enabling NTLM Logging

Updated Wiki: Frequently Asked Questions

dblock — Mon, 25 Jul 2011 11:14:46 GMT

Troubleshooting Stories

UnsatisfiedLinkerError jnadispatch: solved by placing JNA jars in the common classloader.
Browser shows BASIC authentication popup: solved by re-ordering authenticators.
ClassNotFoundException on Tomcat: solved by putting waffle-jna.jar in tomcat/lib.
ClassNotFoundException on JBoss: solved by putt JARs in application.ear/APP-INF/lib.
Popup asking for username/password: solved by forcing NTLM, Kerberos not working.
Negotiate authentication returns 404 File Not Found: solved by creating a missing 401.html.
Negotiate tries, but keeps failing with 401: solved by creating a proper SPN with setspn.
Issues specifying AD groups with Spring-security: solved by using the fully qualified user/group name.
Tomcat Manager not working under SSO: solved by editing 401.jsp, external solution.
Password prompt instead of SSO: solved by running Tomcat as LocalSystem.
Struts application not accepting multipart/form-data: solved by removing a legacy security constraint.
Server returns 401 Access Denied with the AP_ERR_MODIFIED error code: solved by running server as a service with a domain account.
Failed to create temporary file for jnidispatch library: java.io.IOException: solved by recreating Tomcat temp dir.
com.sun.jna.platform.win32.Win32Exception: the logon attempt failed: solved by enabling Kerberos logging and KB957097.
Cannot find where to enable WAFFLE logging in JBoss: solved by locating application's log4j.xml.
NTLM fails with an Apache / AJP front-end: solved by properly forwarding port number and re-enabling keep-alive in Apache mod_ssl.
java.lang.NoClassDefFoundError: org/apache/juli/logging/LogFactory with Jetty and JAAS: solved by specifying JAAS realms in Jetty configuration.
HTTP/1.1 400 Bad Request: Kerberos ticket was longer than 4K, solved by increasing maxHttpHeaderSize.

General FAQ

Can Waffle be used on the client side?

Troubleshooting Kerberos

Troubleshooting NTLM

Enabling NTLM Logging

Updated Wiki: Home

dblock — Sun, 26 Jun 2011 22:07:15 GMT

Simple native interfaces in C# and Java to do all things Windows authentication.
A generic Servlet Negotiate (NTLM and Kerberos) Security Filter - Tutorial.
A Tomcat Negotiate (NTLM and Kerberos) Authenticator Valve - Tutorial.
A Tomcat Single Sign-On + Form Authentication Mixed Valve - Tutorial.
A Spring-Security Negotiate (NTLM and Kerberos) Filter - Totorial.
A Spring-Security Windows Authentication Manager
A JAAS Login Module - Tutorial.
If you're using Tomcat, Jetty or Websphere with an IIS front-end to do authentication only, Waffle will allow you to get rid of IIS.

Account lookup locally and in Active Directory via Win32 API with zero configuration.
Enumerating Active Directory domains and domain information.
Returns computer domain / workgroup join information.
Supports logon for local and domain users returning consistent fully qualified names, identity (SIDs), local and domain groups, including nested.
Supports all functions required for implementing server-side single-signon with Negotiate and NTLM and various implementations for Java web servers.
Supports Windows Identity impersonation.
Includes a Windows Installer Merge Module for distribution of C# binaries.

Updated Wiki: Frequently Asked Questions

dblock — Thu, 19 May 2011 21:10:43 GMT

Troubleshooting Stories

UnsatisfiedLinkerError jnadispatch: solved by placing JNA jars in the common classloader.
Browser shows BASIC authentication popup: solved by re-ordering authenticators.
ClassNotFoundException on Tomcat: solved by putting waffle-jna.jar in tomcat/lib.
ClassNotFoundException on JBoss: solved by putt JARs in application.ear/APP-INF/lib.
Popup asking for username/password: solved by forcing NTLM, Kerberos not working.
Negotiate authentication returns 404 File Not Found: solved by creating a missing 401.html.
Negotiate tries, but keeps failing with 401: solved by creating a proper SPN with setspn.
Issues specifying AD groups with Spring-security: solved by using the fully qualified user/group name.
Tomcat Manager not working under SSO: solved by editing 401.jsp, external solution.
Password prompt instead of SSO: solved by running Tomcat as LocalSystem.
Struts application not accepting multipart/form-data: solved by removing a legacy security constraint.
Server returns 401 Access Denied with the AP_ERR_MODIFIED error code: solved by running server as a service with a domain account.
Failed to create temporary file for jnidispatch library: java.io.IOException: solved by recreating Tomcat temp dir.
com.sun.jna.platform.win32.Win32Exception: the logon attempt failed: solved by enabling Kerberos logging and KB957097.
Cannot find where to enable WAFFLE logging in JBoss: solved by locating application's log4j.xml.
NTLM fails with an Apache / AJP front-end: solved by properly forwarding port number and re-enabling keep-alive in Apache mod_ssl.
java.lang.NoClassDefFoundError: org/apache/juli/logging/LogFactory with Jetty and JAAS: solved by specifying JAAS realms in Jetty configuration.
HTTP/1.1 400 Bad Request: Kerberos ticket was longer than 4K, solved by increasing maxHttpHeaderSize.

Troubleshooting Kerberos

Troubleshooting NTLM

Enabling NTLM Logging

Updated Wiki: Frequently Asked Questions

dblock — Thu, 17 Mar 2011 11:45:23 GMT

Troubleshooting Stories

UnsatisfiedLinkerError jnadispatch: solved by placing JNA jars in the common classloader.
Browser shows BASIC authentication popup: solved by re-ordering authenticators.
ClassNotFoundException on Tomcat: solved by putting waffle-jna.jar in tomcat/lib.
ClassNotFoundException on JBoss: solved by putt JARs in application.ear/APP-INF/lib.
Popup asking for username/password: solved by forcing NTLM, Kerberos not working.
Negotiate authentication returns 404 File Not Found: solved by creating a missing 401.html.
Issues specifying AD groups with Spring-security: solved by using the fully qualified user/group name.
Tomcat Manager not working under SSO: solved by editing 401.jsp, external solution.
Password prompt instead of SSO: solved by running Tomcat as LocalSystem.
Struts application not accepting multipart/form-data: solved by removing a legacy security constraint.
Server returns 401 Access Denied with the AP_ERR_MODIFIED error code: solved by running server as a service with a domain account.
Failed to create temporary file for jnidispatch library: java.io.IOException: solved by recreating Tomcat temp dir.
com.sun.jna.platform.win32.Win32Exception: the logon attempt failed: solved by enabling Kerberos logging and KB957097.
Cannot find where to enable WAFFLE logging in JBoss: solved by locating application's log4j.xml.
NTLM fails with an Apache / AJP front-end: solved by properly forwarding port number and re-enabling keep-alive in Apache mod_ssl.
java.lang.NoClassDefFoundError: org/apache/juli/logging/LogFactory with Jetty and JAAS: solved by specifying JAAS realms in Jetty configuration.
HTTP/1.1 400 Bad Request: Kerberos ticket was longer than 4K, solved by increasing maxHttpHeaderSize.

Troubleshooting Kerberos

Troubleshooting NTLM

Enabling NTLM Logging

Updated Wiki: Frequently Asked Questions

dblock — Thu, 03 Mar 2011 13:31:15 GMT

Troubleshooting Stories

UnsatisfiedLinkerError jnadispatch: solved by placing JNA jars in the common classloader.
Browser shows BASIC authentication popup: solved by re-ordering authenticators.
ClassNotFoundException on Tomcat: solved by putting waffle-jna.jar in tomcat/lib.
ClassNotFoundException on JBoss: solved by putt JARs in application.ear/APP-INF/lib.
Popup asking for username/password: solved by forcing NTLM, Kerberos not working.
Negotiate authentication returns 404 File Not Found: solved by creating a missing 401.html.
Issues specifying AD groups with Spring-security: solved by using the fully qualified user/group name.
Tomcat Manager not working under SSO: solved by editing 401.jsp, external solution.
Password prompt instead of SSO: solved by running Tomcat as LocalSystem.
Struts application not accepting multipart/form-data: solved by removing a legacy security constraint.
Server returns 401 Access Denied with the AP_ERR_MODIFIED error code: solved by running server as a service with a domain account.
Failed to create temporary file for jnidispatch library: java.io.IOException: solved by recreating Tomcat temp dir.
com.sun.jna.platform.win32.Win32Exception: the logon attempt failed: solved by enabling Kerberos logging and KB957097.
Cannot find where to enable WAFFLE logging in JBoss: solved by locating application's log4j.xml.
NTLM fails with an Apache / AJP front-end: solved by properly forwarding port number and re-enabling keep-alive in Apache mod_ssl.
java.lang.NoClassDefFoundError: org/apache/juli/logging/LogFactory with Jetty and JAAS: solved by specifying JAAS realms in Jetty configuration.
HTTP/1.1 400 Bad Request: Kerberos ticket was longer than 4K, solved by increasing maxHttpHeaderSize.

Troubleshooting Kerberos

Troubleshooting NTLM

Enabling NTLM Logging

Updated Wiki: Frequently Asked Questions

dblock — Tue, 08 Feb 2011 23:39:55 GMT

Troubleshooting Stories

UnsatisfiedLinkerError jnadispatch: solved by placing JNA jars in the common classloader.
Browser shows BASIC authentication popup: solved by re-ordering authenticators.
ClassNotFoundException on Tomcat: solved by putting waffle-jna.jar in tomcat/lib.
ClassNotFoundException on JBoss: solved by putt JARs in application.ear/APP-INF/lib.
Popup asking for username/password: solved by forcing NTLM, Kerberos not working.
Negotiate authentication returns 404 File Not Found: solved by creating a missing 401.html.
Issues specifying AD groups with Spring-security: solved by using the fully qualified user/group name.
Tomcat Manager not working under SSO: solved by editing 401.jsp, external solution.
Password prompt instead of SSO: solved by running Tomcat as LocalSystem.
Struts application not accepting multipart/form-data: solved by removing a legacy security constraint.
Server returns 401 Access Denied with the AP_ERR_MODIFIED error code: solved by running server as a service with a domain account.
Failed to create temporary file for jnidispatch library: java.io.IOException: solved by recreating Tomcat temp dir.
com.sun.jna.platform.win32.Win32Exception: the logon attempt failed: solved by enabling Kerberos logging and KB957097.
Cannot find where to enable WAFFLE logging in JBoss: solved by locating application's log4j.xml.
NTLM fails with an Apache / AJP front-end: solved by properly forwarding port number and re-enabling keep-alive in Apache mod_ssl.
java.lang.NoClassDefFoundError: org/apache/juli/logging/LogFactory with Jetty and JAAS: solved by specifying JAAS realms in Jetty configuration.

Troubleshooting Kerberos

Troubleshooting NTLM

Enabling NTLM Logging

Updated Wiki: Frequently Asked Questions

dblock — Fri, 04 Feb 2011 17:30:43 GMT

Troubleshooting Stories

UnsatisfiedLinkerError jnadispatch: solved by placing JNA jars in the common classloader.
Browser shows BASIC authentication popup: solved by re-ordering authenticators.
ClassNotFoundException on Tomcat: solved by putting waffle-jna.jar in tomcat/lib.
ClassNotFoundException on JBoss: solved by putt JARs in application.ear/APP-INF/lib.
Popup asking for username/password: solved by forcing NTLM, Kerberos not working.
Negotiate authentication returns 404 File Not Found: solved by creating a missing 401.html.
Issues specifying AD groups with Spring-security: solved by using the fully qualified user/group name.
Tomcat Manager not working under SSO: solved by editing 401.jsp, external solution.
Password prompt instead of SSO: solved by running Tomcat as LocalSystem.
Struts application not accepting multipart/form-data: solved by removing a legacy security constraint.
Server returns 401 Access Denied with the AP_ERR_MODIFIED error code: solved by running server as a service with a domain account.
Failed to create temporary file for jnidispatch library: java.io.IOException: solved by recreating Tomcat temp dir.
com.sun.jna.platform.win32.Win32Exception: the logon attempt failed: solved by enabling Kerberos logging and KB957097.
Cannot find where to enable WAFFLE logging in JBoss: solved by locating application's log4j.xml.
NTLM fails with an Apache / AJP front-end: solved by properly forwarding port number and re-enabling keep-alive in Apache mod_ssl.

Troubleshooting Kerberos

Troubleshooting NTLM

Enabling NTLM Logging

Updated Wiki: Frequently Asked Questions

dblock — Fri, 04 Feb 2011 17:30:01 GMT

Troubleshooting Stories

UnsatisfiedLinkerError jnadispatch: solved by placing JNA jars in the common classloader.
Browser shows BASIC authentication popup: solved by re-ordering authenticators.
ClassNotFoundException on Tomcat: solved by putting waffle-jna.jar in tomcat/lib.
ClassNotFoundException on JBoss: solved by putt JARs in application.ear/APP-INF/lib.
Popup asking for username/password: solved by forcing NTLM, Kerberos not working.
Negotiate authentication returns 404 File Not Found: solved by creating a missing 401.html.
Issues specifying AD groups with Spring-security: solved by using the fully qualified user/group name.
Tomcat Manager not working under SSO: solved by editing 401.jsp, external solution.
Password prompt instead of SSO: solved by running Tomcat as LocalSystem.
Struts application not accepting multipart/form-data: solved by removing a legacy security constraint.
Server returns 401 Access Denied with the AP_ERR_MODIFIED error code: solved by running server as a service with a domain account.
Failed to create temporary file for jnidispatch library: java.io.IOException: solved by recreating Tomcat temp dir.
com.sun.jna.platform.win32.Win32Exception: the logon attempt failed: solved by enabling Kerberos logging and KB957097.
Cannot find where to enable WAFFLE logging in JBoss: solved by locating application's log4j.xml.
NTLM fails with an Apache / AJP front-end: solved by re-enabling keep-alive in Apache mod_ssl.

Troubleshooting Kerberos

Troubleshooting NTLM

Enabling NTLM Logging

Updated Wiki: Home

dblock — Fri, 04 Feb 2011 16:18:01 GMT

Simple native interfaces in C# and Java to do all things Windows authentication.
A generic Servlet Negotiate (NTLM and Kerberos) Security Filter - Tutorial.
A Tomcat Negotiate (NTLM and Kerberos) Authenticator Valve - Tutorial.
A Tomcat Single Sign-On + Form Authentication Mixed Valve - Tutorial.
A Spring-Security Negotiate (NTLM and Kerberos) Filter - Totorial.
A Spring-Security Windows Authentication Manager
A JAAS Login Module - Tutorial.
If you're using Tomcat, Jetty or Websphere with an IIS front-end to do authentication only, Waffle will allow you to get rid of IIS.

Account lookup locally and in Active Directory via Win32 API with zero configuration.
Enumerating Active Directory domains and domain information.
Returns computer domain / workgroup join information.
Supports logon for local and domain users returning consistent fully qualified names, identity (SIDs), local and domain groups, including nested.
Supports all functions required for implementing server-side single-signon with Negotiate and NTLM and various implementations for Java web servers.
Supports Windows Identity impersonation.
Includes a Windows Installer Merge Module for distribution of C# binaries.

Using WAFFLE?

This is a free project. The least you can do is reply to Are you using WAFFLE in your product?. We also love good ratings! Your time is much appreciated.

Issues

Read Troubleshooting Negotiate and Frequently Asked Questions. Don't hesitate to post questions into Discussions.

Next Release

Next release is 1.4 (Beta). There're also three forks, 1.4-tomcat-5 (Beta), 1.4-tomcat-7 (Beta) and 1.4-spring-security-2 (Beta).
Please read the changes before submitting bugs or feature requests.

Updated Wiki: Troubleshooting Negotiate

dblock — Fri, 04 Feb 2011 16:17:05 GMT

This is a step-by-step guide an Q&A on troubleshooting Negotiate authentication.

Browser Configuration

Most easy problems are caused by browser configurations. The browser must believe that the target URL is in the Intranet zone.

Internet Explorer

Ensure that Integrated Windows Authentication is enabled.

Choose the Tools, Internet Options menu.
Click the Advanced tab.
Scroll down to Security
Check Enable Integrated Windows Authentication.
Restart the browser.

The target website must be in the Intranet Zone.

Navigate to the website.
Choose the Tools, Internet Options menu.
Click the Local Intranet icon.
Click the Sites button.
Check Automatically detect intranet network.
If the above didn't solve the problem, click Advanced.
Add the website to the list.

Firefox

Type about:config in the address bar and hit enter.
Type network.negotiate-auth.trusted-uris in the Filter box.
Put your server name as the value. If you have more than one server, you can enter them all as a comma separated list.
Close the tab.

Troubleshooting WAFFLE

See Frequently Asked Questions.

Still Need Help?

Trace the HTTP request/response.

Download and install IEHttpHeaders.
Choose Tools, Display IEHttpHeaders.
Make one request that ends up in a popup or failure.
Copy the entire HTTP conversation.

Post the http conversation with your question into discussions.

Updated Wiki: Frequently Asked Questions

dblock — Fri, 04 Feb 2011 16:16:48 GMT

Troubleshooting Stories

UnsatisfiedLinkerError jnadispatch: solved by placing JNA jars in the common classloader.
Browser shows BASIC authentication popup: solved by re-ordering authenticators.
ClassNotFoundException on Tomcat: solved by putting waffle-jna.jar in tomcat/lib.
ClassNotFoundException on JBoss: solved by putt JARs in application.ear/APP-INF/lib.
Popup asking for username/password: solved by forcing NTLM, Kerberos not working.
Negotiate authentication returns 404 File Not Found: solved by creating a missing 401.html.
Issues specifying AD groups with Spring-security: solved by using the fully qualified user/group name.
Tomcat Manager not working under SSO: solved by editing 401.jsp, external solution.
Password prompt instead of SSO: solved by running Tomcat as LocalSystem.
Struts application not accepting multipart/form-data: solved by removing a legacy security constraint.
Server returns 401 Access Denied with the AP_ERR_MODIFIED error code: solved by running server as a service with a domain account.
Failed to create temporary file for jnidispatch library: java.io.IOException: solved by recreating Tomcat temp dir.
com.sun.jna.platform.win32.Win32Exception: the logon attempt failed: solved by enabling Kerberos logging and KB957097.
Cannot find where to enable WAFFLE logging in JBoss: solved by locating application's log4j.xml.

Troubleshooting Kerberos

Troubleshooting NTLM

Enabling NTLM Logging

Updated Wiki: Documentation

dblock — Fri, 04 Feb 2011 16:16:25 GMT

Documentation

WAFFLE comes with a CHM file that contains a getting started guide and all the up-to-date tutorials.
Download a release, extract it and review the CHM.

Troubleshooting

Presentations

When WAFFLE was started, I did an internal presentation on Windows Authentication. It might be helpful: Waffle 1.0.ppt. A more Tomcat/Java-centric presentation is also available here.

Related or Similar Products

Quest Vintella Single-Sign-On (Commercial)
IOPlex Jespa (Commercial)
Josso
Tomcat SPNEGO

Updated Wiki: Troubleshooting Negotiate

dblock — Fri, 04 Feb 2011 16:15:47 GMT

This is a step-by-step guide an Q&A on troubleshooting Negotiate authentication.

Browser Configuration

Most easy problems are caused by browser configurations. The browser must believe that the target URL is in the Intranet zone.

Internet Explorer

Ensure that Integrated Windows Authentication is enabled.

Choose the Tools, Internet Options menu.
Click the Advanced tab.
Scroll down to Security
Check Enable Integrated Windows Authentication.
Restart the browser.

The target website must be in the Intranet Zone.

Navigate to the website.
Choose the Tools, Internet Options menu.
Click the Local Intranet icon.
Click the Sites button.
Check Automatically detect intranet network.
If the above didn't solve the problem, click Advanced.
Add the website to the list.

Firefox

Type about:config in the address bar and hit enter.
Type network.negotiate-auth.trusted-uris in the Filter box.
Put your server name as the value. If you have more than one server, you can enter them all as a comma separated list.
Close the tab.

Troubleshooting WAFFLE

See [[FAQ]].

Still Need Help?

Trace the HTTP request/response.

Download and install IEHttpHeaders.
Choose Tools, Display IEHttpHeaders.
Make one request that ends up in a popup or failure.
Copy the entire HTTP conversation.

Post the http conversation with your question into discussions.

Updated Wiki: Troubleshooting Negotiate

dblock — Fri, 04 Feb 2011 16:15:29 GMT

This is a step-by-step guide an Q&A on troubleshooting Negotiate authentication.

Browser Configuration

Most easy problems are caused by browser configurations. The browser must believe that the target URL is in the Intranet zone.

Internet Explorer

Ensure that Integrated Windows Authentication is enabled.

Choose the Tools, Internet Options menu.
Click the Advanced tab.
Scroll down to Security
Check Enable Integrated Windows Authentication.
Restart the browser.

The target website must be in the Intranet Zone.

Navigate to the website.
Choose the Tools, Internet Options menu.
Click the Local Intranet icon.
Click the Sites button.
Check Automatically detect intranet network.
If the above didn't solve the problem, click Advanced.
Add the website to the list.

Firefox

Type about:config in the address bar and hit enter.
Type network.negotiate-auth.trusted-uris in the Filter box.
Put your server name as the value. If you have more than one server, you can enter them all as a comma separated list.
Close the tab.

Troubleshooting

See [FAQ].

Still Need Help?

Trace the HTTP request/response.

Download and install IEHttpHeaders.
Choose Tools, Display IEHttpHeaders.
Make one request that ends up in a popup or failure.
Copy the entire HTTP conversation.

Post the http conversation with your question into discussions.