When SPNEGO is going through its Kerberos 5 phase, this is what happens:

The Browser takes the server name from the URL ("sso" or "singlesignon.behringer.com") and generates a Service Principal Name (SPN) of HTTP/sso or HTTP/singlesignon.behringer.com, and then it contacts the KDC in its Realm (typically the Domain Controller in its AD) to get a Service Ticket for that SPN. At this point what happens depends on what type of KDC you are using: If you use a Unix KDC, then it looks up the SPN string in the KDC, finds the key of the server, and generates the Service Ticket from that key. If you have an AD, then it looks up the SPN, which will be an alias for a Computer object or User object in AD. It then gets the key of the object and uses it to generate the ST.

The ST is returned to the Browser, GSSAPI embeds it in the initialization dialog bytes, the Browser does a base64 encoding of the bytes as characters and stuffs them in the HTTP header, and sends them in the next GET to CAS. CAS then validates the ST using its own logon to what is hopefully the same KDC that the Browser used.

However, in all the SPNEGO examples I have seen, CAS (or any other SPNEGO server) typically has only one logon to the KDC. If you are using a Unix KDC, I am not quite sure if this is going to work. Typically CAS is not logged into the KDC as both "HTTP/sso" and also "HTTP/singlesignon.behringer.com". However, if you are using AD (which is probably the only likely candidate these days for K5) then you are in luck. All you have to do is make both SPN values SPN aliases of the same Computer or User object. Then no matter which name CAS uses to login to AD, you get the same object with the same key and therefore the ST validates. Since it is not working, I assume that you did not use the AD SPN creation utility to create both aliases when you set up AD. If you are using a Unix KDC, then you can configure the server to use one SPN or the other, but probably not both at the same time.
I am not a JCIFS user so I cannot speak to the specific JCIFS configuration parameters, just to the underlying protocol and algorithms.

From: Barbosa, Bernard [mailto:bernard.barb...@music-group.com]
Sent: Thursday, October 28, 2010 6:15 AM
To: cas-dev@lists.jasig.org
Subject: [cas-dev] CAS with SPNEGO Issue

Dear All,

We have a CAS 3.4.2 with SPNEGO which works when accessed through a "dummy" local name (e.g.: https://sso/cas/login). "sso" has been specified on the client machine's hosts file as follows:

sso 10.123.8.111

Now in the real scenario the CAS server needs to be reachable through the Internet (https://singlesignon.behringer.com/cas/login) with no hosts definition. With this real scenario SPNEGO automatic authentication does NOT work, but the CAS "normal" login with an Active Directory backend works fine.

This is part of our SPNEGO config:

<bean name="jcifsConfig" class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
  <property name="jcifsServicePrincipal" value="HTTP/singlesignon.behringer....@behringer.corp.intra" />
  <property name="jcifsServicePassword" value="secret" />
  <property name="kerberosDebug" value="true" />
  <property name="kerberosRealm" value="BEHRINGER.CORP.INTRA" />
  <property name="kerberosKdc" value="sgdc05.behringer.corp.intra" />
  <property name="loginConf" value="/opt/work/local-cas/src/main/webapp/WEB-INF/login.conf" />
</bean>

Does this mean that SPNEGO cannot be used over the Internet? Or is there something wrong with our setup?

Thank you so much.
Kind Regards,
BARBOSA, Bernard
Senior Administrator, System/Network
MUSIC Group Macao Commercial Offshore Limited (Philippines) ROHQ
Email: infoservsys...@music-group.com
Web: www.music-group.com | www.behringer.com | www.bugera-amps.com

--
You are currently subscribed to cas-dev@lists.jasig.org as: howard.gilb...@yale.edu
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev