In order not to interrupt the Kerberos/SSO authentication process, use the following:
ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=/login.htm\"></html>"
This will cause a redirect to occur only when the user clicks cancel on the browser dialog box.
I think you need to import the trusted root certificate (possibly any intermediary certs as well) into the Java keystore that JBoss is using. (When running on Linux, the only place I have run JBoss, it uses Tomcat, running inside JBoss.)
I am not sure where the default Java keystore would be for Tomcat. You can use keytool from any Java JDK install and import the trusted root that way. The keystore password should be 'default', since there is nothing secret about trusted root public keys.
Sample keytool syntax might be:
keytool -importcert -keystore Path/to/store -storepass Password -alias Something -file FileWithPublicKey
(The store password is usually 'default' or 'changeit'.)
An easy way to get the trusted root is if the same cert is used for an HTTP interface. But I think IE will let you try ldaps://serverIP/, and then in the lock icon you can see the certificate details.
There is a tab for the certification chain. The top item is the CA who signed this cert (aka the Root that we need to Trust, to make it a Trusted Root).
If all this is too much, then here is a funny trick! Get the 600K Java-based LDAP browser called LBE and delete the local file lbecacert; then run the LDAP Browser, make a config for your LDAP server with SSL enabled, and when you first connect it will get the Trusted Root and prompt you to trust it once, always, or never. Select Always and exit.
The newly created lbecacert file now has just the one trusted root in it. Cute, eh? I use this when I am lazy and it works fine.
Now where should the Tomcat cacerts be? Well, it might be sufficient to either add the trusted root to the cacerts file in your JVM install's lib/security, or else replace that file with this one (which is not the best option, since you might want some of those default trusted roots).
Best Answer
Several possible solutions; if you're using mod_proxy_ajp or mod_jk for the connector, then make sure that this is set on your server.xml connector:
tomcatAuthentication="false"
That will most likely fix the problem. If not, it's a bit more difficult depending on which module you're using for the AJP13 connection; we'll need to know which one before helping further.
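As an added example (not from the original answer), here is what an AJP connector with that setting looks like in Tomcat's server.xml. The port, bind address and secret value are assumptions for illustration:

```xml
<!-- Added example, not from the original answer: AJP connector for a Tomcat
     sitting behind Apache httpd (mod_proxy_ajp or mod_jk).
     Port, bind address and the secret value are illustrative assumptions. -->
<Connector port="8009"
           protocol="AJP/1.3"
           address="127.0.0.1"
           tomcatAuthentication="false"
           secretRequired="true"
           secret="REPLACE-WITH-A-LONG-RANDOM-VALUE"
           redirectPort="8443" />
```

With tomcatAuthentication="false", Tomcat takes the user identity that httpd forwards over AJP (the REMOTE_USER set by the Kerberos/SSO module) as-is, without authenticating it again; that is what makes the SSO work, but it also means anything that can open a connection to the AJP port could hand Tomcat an arbitrary user name. So keep the connector bound to loopback (or a host-only interface) and firewalled from everything except the front-end httpd, and on Tomcat 9.0.31 and later require the shared secret shown above, with the matching secret= parameter on the httpd side (mod_proxy_ajp supports it from httpd 2.4.42). After restarting, confirm that request.getRemoteUser() in the application reflects the Kerberos principal and that direct connections to port 8009 from other hosts are refused.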