We are trying to configure single sign-on using JBoss Negotiation.
We are able to log in successfully if the user is present in Active Directory.
But if the user is not present in Active Directory, it throws a 401 error page.
Instead of 401 we want the user to access the login form and authenticate the user using a different login module.
In our case we have a login page on which we authenticate the user.
If we receive user credentials we log the user in without asking for a password.
Now if the user credentials are not received then we want the user to open the login form present
on the login page, but before that it throws a 401 error.
We have configured login-config.xml, web.xml and jboss-web.xml as per the documentation.
Our application is accessed through a Request servlet.
Steps to Reproduce:
edit web.xml as
<module-option name="keyTab">%keytab path%</module-option>
Hit the login page with a user authenticated using Active Directory; you will be able to log in.
Now hit the login page with a user that is not present in Active Directory:
a 401 error is thrown.
Instead of 401 the user should be able to view the login form.
Note: We are using JBoss 6.1 and JBoss Negotiation version 2.1.0.GA, which is shipped by default with JBoss 6.1; we have not made any changes to the jar.
I would like some guidance here as well, although my use case is a little different.
I would like to fall back to an alternative authentication method (in my particular case straight to the AD for a non-SSO login, but it could be to an LDAP, or whatever) when SSO doesn't work, e.g. no longer within the domain. I would also like to be able to switch the login mechanism for support reasons, i.e. log in as someone else, on demand.
I can see how I could do this with the SPNEGO (sourceforge) filter and my own tweaking, but I am less clear how I would go about this with JBoss Negotiation and security realms.
As an aside (sorry), I also have the problem that the LDAP roles lookup doesn't seem to work with any of the other LDAP module tweaks, e.g. parse username, or %u. This means that my roles lookup isn't working, as our AD doesn't store username@adDomain in the user information. As the documentation reads as if one thing extends another, this seems a little illogical (and not useful).
Any luck fixing this?
This seems to be a "bug" still present...
Also: if you use a browser that doesn't support NTLM like the default Firefox it works OK: the login form is shown. The problem is just when the browser tries to authenticate with NTLM.
Someone seems to have sent a patch for a similar issue, but it is still marked as unsolved: https://issues.jboss.org/browse/SECURITY-640
Hi Felipe/Paulo,
I could not find the fallback mechanism configuration.
But I found a workaround.
I have a login page JSP (login.jsp).
I configured SSO for the URL /Secured through
Now the SSO configuration will work only for the /Secured pattern.
Now when the user is not authenticated using Negotiation, JBoss throws a 401 error, so I configured a login page for the 401 error code in web.xml as
I also wrote a servlet at /Secured which checks whether a user principal was received from the request; if not, it redirects the user to the login page JSP.
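The /Secured servlet described in the workaround above, as an added example and not the poster's own code: the /Secured path, login.jsp and the web.xml 401 error-page mapping come from the post; the class name, the /Request target and the session attribute name are assumptions.

```java
import java.io.IOException;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example, not from the thread. Assumes web.xml contains:
 *   - a security-constraint whose url-pattern is /Secured only, so the
 *     Negotiation challenge is issued for that path and nothing else;
 *   - an error-page entry mapping error-code 401 to /login.jsp, so a
 *     browser that cannot complete SSO lands on the form, not a bare 401.
 * The servlet itself is assumed to be mapped at /Secured.
 */
public class SecuredEntryServlet extends HttpServlet {

    // Form-based fallback page (name taken from the post).
    private static final String LOGIN_FORM = "/login.jsp";
    // Where an SSO-authenticated user continues to (assumed name).
    private static final String HOME = "/Request";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container sets the principal only when Negotiation succeeded.
        Principal user = req.getUserPrincipal();
        if (user == null) {
            // No SSO identity: hand the user to the form-based login module.
            resp.sendRedirect(req.getContextPath() + LOGIN_FORM);
            return;
        }
        // SSO identity present: continue without asking for a password.
        req.getSession(true).setAttribute("ssoUser", user.getName());
        resp.sendRedirect(req.getContextPath() + HOME);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doGet(req, resp);
    }
}
```

Keep login.jsp and the form's action outside the /Secured constraint; otherwise the Negotiate challenge fires again before the form can be shown.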