Question

How to connect Tomcat 9/10 to Active Directory and log in through SSO to an app

We have set up an AD server infrastructure, an application server, and a client server connected to the domain.

We have followed several manuals such as:

  • Tomcat 10 windows-auth-howto
  • Libraries such as SPNEGO and WAFFLE

We have tried:

  • Tomcat 10
  • Tomcat 9
  • Java 21
  • Java 17
  • Java 11

We have not been successful in getting the test environment and test apps to work properly to validate communication and correct login.

Has anyone managed to do this?

Note: The Tomcat documentation states that testing is with Java 8, but we have already migrated our applications to higher versions because it was necessary to take advantage of the new technologies offered by higher versions.

Note: We also do not know if we made any mistakes when configuring the AD.



Bobby Iliev
Site Moderator
March 14, 2025

Hey there 👋

A few quick suggestions that might help:

  1. As far as I know, SPNEGO/WAFFLE is still your best bet for SSO with Tomcat + Active Directory, but it’s very sensitive to Java version compatibility and proper Kerberos/SPNEGO setup.

  2. Java 11+ sometimes causes issues with WAFFLE, so if possible, test with Java 8 just to validate your setup works end-to-end first — even if it’s not your final goal. Once it’s working, try upgrading gradually.

  3. Make sure your AD DNS and time sync are correct — Kerberos will silently fail if there’s even slight clock drift or DNS resolution issues.

  4. Double-check your SPN and krb5.conf (or Windows registry if you’re using native config) — this is often where things go wrong. Also verify the waffle.tomcat filter is applied correctly in web.xml.

  5. Here’s a good example guide worth revisiting: 👉 https://github.com/Waffle/waffle/blob/master/Docs/tomcat/TomcatSingleSignOnValve.md

  6. If you’re stuck, consider testing with a basic WAFFLE demo app first, outside of your main application, just to confirm the AD integration is actually working before adding complexity.

- Bobby
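One concrete way to check points 3 and 4 of the answer above (SPN, krb5.conf, clock drift) without reading Tomcat logs is to look at the token the browser actually sends in its `Authorization: Negotiate ...` header. A Windows client that could not obtain a Kerberos service ticket (no SPN registered for the host name the browser used, skewed clocks, DNS mismatch) does not error out; it silently sends an NTLM token instead, either raw or wrapped in SPNEGO with NTLMSSP as the only mechanism, and WAFFLE then authenticates via NTLM rather than Kerberos. The script below is an added example, not code from the original question, from Bobby's answer, or from the WAFFLE project. It decodes the Negotiate header and reports which mechanism the client offered first. All tokens it is run against here are constructed inline with a small DER builder (the inner mechToken is a dummy, not a real AP-REQ or NTLM message); `build_negotiate_header` and `classify_negotiate_header` are names chosen for this example.

```python
"""Classify the token in an HTTP 'Authorization: Negotiate <base64>' header.

Added example (not WAFFLE's code). Sample tokens are constructed below;
the inner mechToken is a dummy, not a real Kerberos AP-REQ or NTLM message.
"""
import base64

# OIDs as they appear in a GSS-API / SPNEGO (RFC 4178) initial token
OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"   # raw NTLM messages start with this


def _encode_oid(dotted):
    """DER-encode a dotted OID (first two arcs packed, base-128 for the rest)."""
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = bytearray([p & 0x7F])
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body += chunk
    return bytes(body)


def _decode_oid(b):
    out = [b[0] // 40, b[0] % 40]
    val = 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            out.append(val)
            val = 0
    return ".".join(map(str, out))


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def build_negotiate_header(mech_types, mech_token=b"\x00" * 8):
    """Constructed sample: GSS-API InitialContextToken wrapping a SPNEGO NegTokenInit."""
    mech_list = _tlv(0x30, b"".join(_tlv(0x06, _encode_oid(o)) for o in mech_types))
    neg_init = _tlv(0x30, _tlv(0xA0, mech_list) + _tlv(0xA2, _tlv(0x04, mech_token)))
    inner = _tlv(0x06, _encode_oid(OID_SPNEGO)) + _tlv(0xA0, neg_init)
    return "Negotiate " + base64.b64encode(_tlv(0x60, inner)).decode()


def classify_negotiate_header(header):
    """Return (kind, mechs) describing what the client offered.

    'spnego-kerberos'      : Kerberos listed first, the SPN/ticket path worked
    'spnego-ntlm-fallback' : NTLM listed first, no Kerberos ticket was obtained
    'raw-ntlm' / 'raw-kerberos' / 'spnego-other' / 'unknown' / 'not-negotiate'
    """
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate", []
    token = base64.b64decode(b64)
    if token.startswith(NTLMSSP_SIGNATURE):
        return "raw-ntlm", [OID_NTLMSSP]
    if not token or token[0] != 0x60:     # APPLICATION 0: InitialContextToken
        return "unknown", []
    _, inner, _ = _read_tlv(token, 0)
    tag, oid_bytes, pos = _read_tlv(inner, 0)
    if tag != 0x06:
        return "unknown", []
    mech = _decode_oid(oid_bytes)
    if mech in (OID_KRB5, OID_MS_KRB5):
        return "raw-kerberos", [mech]
    if mech != OID_SPNEGO:
        return "unknown", [mech]
    tag, neg_token, _ = _read_tlv(inner, pos)
    if tag != 0xA0:                       # only negTokenInit [0] carries mechTypes
        return "spnego-other", []
    _, seq, _ = _read_tlv(neg_token, 0)   # NegTokenInit SEQUENCE
    mechs, p = [], 0
    while p < len(seq):
        tag, val, p = _read_tlv(seq, p)
        if tag == 0xA0:                   # [0] mechTypes: SEQUENCE OF OID
            _, mech_seq, _ = _read_tlv(val, 0)
            q = 0
            while q < len(mech_seq):
                t, ob, q = _read_tlv(mech_seq, q)
                if t == 0x06:
                    mechs.append(_decode_oid(ob))
    if mechs and mechs[0] in (OID_KRB5, OID_MS_KRB5):
        return "spnego-kerberos", mechs
    if mechs and mechs[0] == OID_NTLMSSP:
        return "spnego-ntlm-fallback", mechs
    return "spnego-other", mechs


if __name__ == "__main__":
    for hdr in (build_negotiate_header([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP]),
                build_negotiate_header([OID_NTLMSSP])):
        print(classify_negotiate_header(hdr))
```

To use it against the real environment, capture the `Authorization` header of the first authenticated request (browser devtools, a Tomcat AccessLogValve pattern with `%{Authorization}i`, or a proxy) and pass it to `classify_negotiate_header`. A result of `spnego-ntlm-fallback` or `raw-ntlm` from a domain-joined client means the client never got a ticket for `HTTP/<host>`, so the fix is on the AD/SPN/DNS/clock side, not in Tomcat or the Java version; `spnego-kerberos` means the ticket was issued and any remaining failure is in the server-side keytab, service account or WAFFLE configuration.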
