Pre-authentication in a non-Windows environment

  • Pre-authentication in a non-Windows environment


    Is it possible to pre-authenticate a user using Internet Explorer on Windows, with Spring Security, in a non-Windows server environment?

    Here's an example of what I am attempting to do:

    - a user running IE (or Firefox) on Windows connects to a Spring application running on Linux
    - the application retrieves his browser's Windows user profile and authenticates him/her against Active Directory using the LDAP protocol
    - the user uses the application...

    Many thanks.

    Last edited by Philroc; Jul 10th, 2012, 04:10 AM. Reason: Wrong forum

  • #2
    I can move this post to the Spring Security forum. If I were you I'd explain a bit more what you want to do ("pre-authenticate" is a bit vague).


    • #3
      Yes, please move it.

      I will explain a bit more.


      • #4
        It sounds as though you are wanting to use Kerberos. This is possible to do from a Windows or a Linux client using the Spring Security Kerberos extension. Note that this has not been released as a full release yet, so it is possible you will want to use Pre Authentication and Spring Security for authorization. The tricky part will be ensuring you get the setup correct. The difficulty comes in due to the fact that LDAP configurations are often quite different (and thus the Kerberos setup). If you are not familiar with Kerberos, you will likely want to seek some additional materials on Kerberos.


        • #5
          Thanks for the information, Rob.

          In his article, Mike Wiesner ( says

          that you are supposed to generate a service principal using a fully-qualified name, such as

          "HTTP/[email protected]"/

          My problem is that my test environment runs on CentOS in a VirtualBox VM hosted on Windows 7 and does not have a fully-qualified name. Furthermore, its IP address is DHCP-generated.

          Any idea how I can create a service principal with this "handicap"?

          Many thanks.



          • #6
            One way to deal with this is to update your hosts file or set up your own DNS server. If you are just wanting to play around with Kerberos I have used ApacheDS to do so. With whatever approach you take, setting up a Kerberos environment is not a simple task (you will likely need external resources if you have not done it before).
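
A check for the hosts-file approach suggested in the last reply, added here as an illustration and not code from the thread or from Spring Security: it parses hosts-file text and reports whether the name typed into the browser yields a fully-qualified `HTTP/host@REALM` service principal. The host names, addresses and realm are constructed, and it assumes the client canonicalises the URL host to the first name on the matching hosts line.

```python
# Added example: all host names, addresses and the realm are constructed.
import ipaddress

SAMPLE_HOSTS = """\
# constructed hosts file for a test VM
127.0.0.1      localhost localhost.localdomain
192.168.56.10  springapp                    # short name only
192.168.56.11  app.example.test app         # FQDN first, alias second
"""

def parse_hosts(text):
    """Return {name: (ip, canonical_name)} for every name in hosts-file text."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                          # an address with no name
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed address: ignore the line
        canonical = fields[1].lower()         # first name on the line
        for name in fields[1:]:
            # The first matching line wins, as in ordinary hosts-file lookup.
            table.setdefault(name.lower(), (ip, canonical))
    return table

def expected_spn(hosts_text, url_host, realm):
    """Return (spn, problems) for the host name used in the browser URL."""
    entry = parse_hosts(hosts_text).get(url_host.lower())
    if entry is None:
        return None, [f"{url_host} has no hosts entry"]
    ip, canonical = entry
    problems = []
    if "." not in canonical:
        problems.append(f"canonical name {canonical!r} is not fully qualified")
    if ip.is_loopback:
        # A loopback mapping is only reachable from the machine itself.
        problems.append(f"{canonical} maps to loopback {ip}")
    # Assumption: the client canonicalises to the first name on the line.
    return f"HTTP/{canonical}@{realm.upper()}", problems

if __name__ == "__main__":
    for host in ("app", "springapp", "localhost", "missing"):
        print(host, expected_spn(SAMPLE_HOSTS, host, "example.test"))
```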