Tomcat, SPNEGO, Kerberos against two Active Directory services
Andreas Røsdal
andreas.rosdal at gmail.com
Tue Oct 31 20:25:01 UTC 2017
Hello!
I would like some help with setting up Tomcat, SPNEGO and Kerberos against
two Active Directory services.
At the moment I have a Java webapp running on Tomcat, which uses SPNEGO and
Kerberos to authenticate users (clients in Internet Explorer) against one
(1) Active Directory user database. Currently, there is only one krb5.conf
which is configured against one Active Directory. There is some custom Java
code (Servlet filters) which extend the integrated Tomcat SPNEGO classes,
and authenticate users against the Active Directory.
However, I now need to authenticate users against two different Active
Directory databases. Some users are found only in
one of the Active Directories, while others are found only in the other
Active Directory, so I now need to authenticate against
both Active Directories. However, the Java configuration only seems to be
able to connect to one Active Directory at a time.
I can't use forest trust between the two Active Directories.
I would appreciate any information about best practices for authenticating
users in two Active Directory databases.
Regards,
Andreas R.