Problems with authentication on Jazz Team Server

Milan Krivic (9809171139) | asked Aug 27 '09, 6:13 a.m.
We have a problem with authentication of users in IBM Jazz Team Server. We are using IBM Jazz Team Server v2.0 on the MS Windows 2003 EE Server platform, and Microsoft Active Directory as the repository of users. We configured it according to the documentation. The problem occurs with Active Directory users that have "logon to" restrictions set in their user account properties.

For those users we receive a message that the username or password is invalid. If we give "Logon to" rights for a user on the Jazz server and both Domain Controllers, then we can log on to the Jazz system. This is not acceptable for us, since we need to have logon restrictions on particular workstations for some Jazz users. For standard users without "logon to" restrictions everything works as expected.

We have contacted Microsoft support about this problem and sent them a set of network traces from the client and the Tomcat server in the success and the failure login scenarios. Their answer was that the user enters a user name and password on the client machine and then the Tomcat server performs a simple bind to Active Directory. So in essence, the logon is happening at the domain controller, and the "logon to" list needs to contain the Domain Controller. They tried to use an SSPI bind, and then the "logon to" restriction list needs to include only the application server.
Their recommendation is to use negotiated bind (GSS-API) from the Tomcat application instead of simple bind.

We configured "GSS-API" authentication in the Tomcat server. After that, users can access the Jazz server, but their password is never checked against Active Directory. Users can enter an arbitrary password and log on to the system. It seems that the authentication process runs under the credentials of the server's computer account. This solution is clearly unacceptable.

Our configuration is:
Jazz server: IBM Jazz Team Server v2.0 (Tomcat 5.5.23)
Server OS: MS Windows Server 2003 EE SP2
Workstation: MS Windows XP SP2
Domain Controllers: MS Windows Server 2003 EE SP2

We need your help and suggestions on how to set up the Jazz connection to MS Active Directory for users with "logon to" restrictions set on their account properties.

Best regards,
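
The failure mode described in the question, a realm that lets users in without their password ever reaching the directory, is easy to catch with a negative test. The following is an added example, not code from the thread or from Jazz/Tomcat: it models a password-checking simple bind and a bind that (as the post describes) authenticates with the server's own credentials, against a constructed fake directory, and runs the three checks a defender would apply to any realm before trusting it. The `bind` hook is hypothetical; in real use you would wrap your own LDAP client's bind call.

```python
"""Probe whether an authentication back end actually enforces the user's
password. Added example, not from the original thread."""
from typing import Callable

# Constructed sample directory standing in for Active Directory (not real data).
FAKE_DIRECTORY = {"CN=jdoe,OU=Users,DC=example,DC=test": "S3cret!"}


def simple_bind(dn: str, password: str) -> bool:
    """Models an LDAP simple bind: the directory checks the supplied password.
    An empty password is rejected deliberately: DN plus empty password is an
    LDAP *unauthenticated* bind, which many servers accept, so a realm must
    never forward it as a real login."""
    if not password:
        return False
    return FAKE_DIRECTORY.get(dn) == password


def gssapi_bind_as_server(dn: str, password: str) -> bool:
    """Models the misconfiguration the thread describes: the realm negotiates
    a GSS-API bind with the server's own credentials, so the user's password
    is never presented to the directory and any value is accepted."""
    return dn in FAKE_DIRECTORY  # user exists; password ignored


def probe_password_enforcement(bind: Callable[[str, str], bool],
                               dn: str, good_password: str) -> dict:
    """Run the three checks: correct password accepted, wrong password
    rejected, empty password rejected. All three must hold."""
    results = {
        "accepts_correct_password": bind(dn, good_password),
        "rejects_wrong_password": not bind(dn, good_password + "x"),
        "rejects_empty_password": not bind(dn, ""),
    }
    results["enforces_password"] = all(results.values())
    return results


if __name__ == "__main__":
    user_dn = "CN=jdoe,OU=Users,DC=example,DC=test"
    for name, bind in (("simple bind", simple_bind),
                       ("GSS-API bind as server", gssapi_bind_as_server)):
        print(name, probe_password_enforcement(bind, user_dn, "S3cret!"))
```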

One answer

Stephanie Bagot (2.1k1513) | answered May 16 '13, 2:00 p.m.
Because Tomcat is open source, we are limited to the functionality within Tomcat. I would suggest moving to WebSphere since it is more robust and may be able to handle the AD restrictions better.
