waffle-filter demo working on localhost, but not from another machine


Kieran Shaw

Mar 21, 2016, 12:30:44 PM
to waffle
Hi all,

I've started up the waffle-filter demo (with Negotiate only, no NTLM) and can automatically log in without username/password prompts on the same machine the server is running on, either using my hostname (http://ks-pc:9080/waffle-filter/) or localhost (http://localhost:9080/waffle-filter/).

If I go to another machine that is on the domain, I get prompted for a username/password. I use http://ks-pc:9080/waffle-filter/ on that machine, and that is in the local intranet zone and is set up correctly in IE as far as I can tell. Interestingly, when the username/password box pops up, it says "Connecting to ks-pc.domain.local".

If I try http://ks-pc.domain.local:9080/waffle-filter/ on that machine, or even on my local machine, DNS correctly resolves it, as that is my real underlying fully qualified name, but on my local machine I get prompted for a username/password this time, unlike when I go to just ks-pc.

setspn output on the server machine is as below (altered slightly):

>setspn -L KS-PC
Registered ServicePrincipalNames for CN=KS-PC,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC=Domain,DC=local:
        TERMSRV/KS-PC
        TERMSRV/KS-PC.Domain.local
        RestrictedKrbHost/KS-PC
        HOST/KS-PC
        RestrictedKrbHost/KS-PC.Domain.local
        HOST/KS-PC.Domain.local


>setspn -L KS    (KS being the username I'm logged in as on the server)
Registered ServicePrincipalNames for CN=Kieran Shaw,OU=No Lockdown,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=Domain,DC=local:


Having a look at https://github.com/dblock/waffle/blob/master/Docs/Troubleshooting.md, I can't make much sense of what I would expect to get from the setspn command for both my user and my machine.


Any help much appreciated.

Thanks,
Kieran

Kieran Shaw

Mar 22, 2016, 5:26:12 AM
to waffle
I've made some progress, but I'm not sure why this works.

I'm now running the waffle-filter demo in a Tomcat 8 service running as the Local System user. This now works perfectly from my local machine and from remote machines. I'd love to know why though?

Daniel Doubrovkine

Mar 22, 2016, 8:03:44 AM
to waffle...@googlegroups.com
It has to do with the privileges held by the account running the service. When you run as Local System you're being "the computer" and you can provide services on behalf of Active Directory since the computer is a member of the domain.

mou...@comcast.net

Apr 24, 2017, 12:29:24 PM
to waffle
Is there a way to boost the privileges of a user account so that it can "provide services on behalf of Active Directory"?


On Tuesday, March 22, 2016 at 7:03:44 AM UTC-5, Daniel D. wrote:
It has to do with the privileges held by the account running the service. When you run as Local System you're being "the computer" and you can provide services on behalf of Active Directory since the computer is a member of the domain.

mou...@comcast.net

Apr 24, 2017, 12:37:58 PM
to waffle
Background: I have implemented Windows Authentication w/SSO in our server product. It works great when Tomcat runs with local system credentials. But our customers need for Tomcat to run with an account that can read their data on the local network. When Tomcat is running with domain user credentials, attempted connections from other machines on the network fail but connections from localhost work.

How can one enable a specific user account to be used as the logon account for Tomcat and still support SSO from another machine on the LAN?
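Added example (editor's note, not code from the thread or from the Waffle project), covering both the "why does Local System work" question and the "how do I use a specific user account" question above. The piece that changes when Tomcat moves off Local System is the service principal name (SPN), not a privilege: Local System presents the computer account, which already holds HOST/KS-PC and HOST/KS-PC.Domain.local (the first post's `setspn -L KS-PC` listing), and the HOST class covers HTTP, so the KDC can issue a ticket for HTTP/ks-pc. A plain domain user holds no SPNs (the empty `setspn -L KS` listing), so a browser on another machine gets no Kerberos ticket and falls back to a password prompt. The script below checks and, with `-Register`, adds the HTTP SPNs to the account Tomcat will run as. `ks-pc` and `Domain.local` come from the posts; `DOMAIN\svc-tomcat` is an assumed service account name. It needs `setspn.exe` (RSAT/domain-joined machine) and an account allowed to write `servicePrincipalName` on the target.

```powershell
<#
  Added example, not from the thread or the Waffle project.
  Registers the HTTP SPNs a browser requests for http://ks-pc:9080/... so that
  Kerberos (Negotiate) SSO works when Tomcat runs as a domain user account.
  Placeholders: ks-pc / Domain.local are from the posts; DOMAIN\svc-tomcat is assumed.
#>
param(
    [string]$HostName       = 'ks-pc',
    [string]$DnsDomain      = 'Domain.local',
    [string]$ServiceAccount = 'DOMAIN\svc-tomcat',   # assumed service account
    [switch]$Register                                 # dry run unless set
)

$fqdn = "$HostName.$DnsDomain"

# The browser derives the SPN from the host part of the URL, so both the short name
# and the FQDN must exist (the thread tries each). The TCP port is not part of an
# HTTP SPN, so 9080 does not appear anywhere here.
$wanted = @("HTTP/$HostName", "HTTP/$fqdn")

foreach ($spn in $wanted) {
    # setspn -Q searches the forest; on a hit it prints the owning object's DN,
    # the SPN list, and "Existing SPN found!"; otherwise "No such SPN found."
    $out = & setspn.exe -Q $spn
    if ($out -match 'Existing SPN found') {
        $owner = ($out | Where-Object { $_ -match '^CN=' } | Select-Object -First 1)
        Write-Host "$spn is already registered on: $owner"
        # Kerberos needs exactly one owner per SPN. If $owner is not the service
        # account, remove it there (setspn -D) instead of creating a duplicate,
        # which would make the KDC reject the request for both accounts.
        continue
    }

    Write-Host "$spn is not registered on any account"
    if ($Register) {
        # -S refuses to add a duplicate; -A would add one blindly.
        & setspn.exe -S $spn $ServiceAccount
        if ($LASTEXITCODE -ne 0) {
            throw "setspn -S $spn $ServiceAccount failed (exit code $LASTEXITCODE)"
        }
    }
}

# Final state of the service account, for comparison with the computer account's
# HOST/ entries shown by: setspn -L KS-PC
& setspn.exe -L $ServiceAccount
```

After registering, restart the Tomcat service under the service account and run `klist purge` on the client before retrying, otherwise the browser keeps using the ticket or NTLM fallback it negotiated earlier; `klist get HTTP/ks-pc` on the client is a quick way to confirm the KDC now issues a ticket for that name. Note that once HTTP/ks-pc is on the user account it takes precedence over the computer's HOST/KS-PC, so the demo will stop working under Local System unless the SPN is moved back; keep one owner per SPN.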