Assuming that the Windows 2003 machine is a domain controller (so the Kerberos is AD K5), Windows provides a command, setspn.exe, that creates SPN aliases of Computer or User objects in the domain. When you install certain types of services (IIS and SQL Server instances in particular), SPN aliases are added to the Computer object on which the service was installed. However, a Java program like CAS doesn't have to have any physical association with the User or Computer object that holds the SPN aliases. I think it is easier to use a dummy User just to keep things clean; then CAS just needs to supply the password assigned to that user account in order to log on to Kerberos.
In AD any User or Computer object can have any number of SPN aliases because it can be running any number of services. IP addresses aren't part of the picture, just SPN names, which come from the URL and are indexed in the AD. SPNs are a specially indexed LDAP array attribute of the object.

From: BARBOSA Bernard [mailto:bernard.barb...@music-group.com]
Sent: Friday, October 29, 2010 12:14 AM
To: cas-dev@lists.jasig.org
Subject: RE: [cas-dev] CAS with SPNEGO Issue

Dear All,

Our Kerberos server is running Windows 2003 and our CAS server is running Debian Lenny. This Debian is not joined to the domain BEHRINGER.CORP.INTRA. "sso" is the machine (server) name with IP address 10.123.8.111, while singlesignon.behringer.com is a public DNS name which points to the same server 10.123.8.111 (via NAT).

For the SPN account we created the following accounts:

sso.runner -> HTTP/singlesignon.behringer....@behringer.corp.intra
spn2.runner -> HTTP/s...@behringer.corp.intra

You mentioned the solution "All you have to do is make both SPN values SPN aliases of the same Computer or User object." How can we make both SPN values SPN aliases of the same Computer or User object?
Kind Regards,
BARBOSA, Bernard
Senior Administrator, System/Network
MUSIC Group Macao Commercial Offshore Limited (Philippines) ROHQ
IP Phone: 60651 ext 1245
Tel: +63 2 7505401 ext 1245
Email: infoservsys...@music-group.com
Web: www.music-group.com | www.behringer.com | www.bugera-amps.com
youtube.com/behringer | twitter.com/behringer | facebook.com/behringer | myspace.com/behringer | flickr.com/behringerrocks
Build Teamwork. Take Ownership. Don't Waste Resources. Clean Workplace = Clean Mind. Respect Guidelines and Policies. Improve Yourself and Help Others. Don't Forget to Smile and Say Thank You.
This email is intended exclusively for the addressee(s) named above and may contain privileged and confidential information. If you are not (among) the intended recipient(s), you may not copy, utilize or distribute any of the information contained herein. If you have received this email in error, please notify us immediately via return email and delete the original from your mailbox. Thank you.
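The procedure Howard describes above, registering both HTTP SPNs as aliases of one AD user object with setspn.exe and first checking which object currently owns each SPN, written out as an added example. This is not code from the thread or from the CAS project. It assumes the names that appear in the thread (domain BEHRINGER.CORP.INTRA, service account sso.runner, the host names sso and singlesignon.behringer.com) and a domain-joined Windows machine with setspn.exe, which on Windows Server 2003 comes from the Support Tools rather than the base OS; Get-SpnOwner is a helper written for this example.

```powershell
# Added example (not from the thread or the CAS project): put both HTTP SPNs
# on ONE AD user object, as Howard describes, so that the browser's request
# for HTTP/sso or HTTP/singlesignon.behringer.com is answered with a ticket
# under the same key that CAS logs on with.
# Assumed names (taken from the thread): domain BEHRINGER, service account
# sso.runner. Get-SpnOwner is a helper written for this example.

$Domain  = 'BEHRINGER'
$Account = 'sso.runner'
$Spns    = @('HTTP/sso', 'HTTP/singlesignon.behringer.com')

# Return the sAMAccountName of every object whose servicePrincipalName
# attribute contains $Spn. The KDC encrypts the service ticket with the key
# of that object, so this is the object whose password CAS must know.
function Get-SpnOwner {
    param([string]$Spn)
    $searcher = [ADSISearcher]"(servicePrincipalName=$Spn)"
    $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName'))
    foreach ($result in $searcher.FindAll()) {
        [string]$result.Properties['samaccountname'][0]
    }
}

foreach ($spn in $Spns) {
    $owners = @(Get-SpnOwner $spn)

    # More than one owner is the one state that can never work: the KDC's
    # lookup of the SPN is ambiguous, so the ticket validates, at best, by luck.
    if ($owners.Count -gt 1) {
        Write-Warning "$spn is registered on $($owners -join ', '); fix this first"
    }

    # Strip the SPN from any other account (e.g. a spare such as spn2.runner),
    # then make sure it is an alias of the account CAS uses.
    foreach ($owner in $owners) {
        if ($owner -ne $Account) { setspn -D $spn "$Domain\$owner" }
    }
    if ($owners -notcontains $Account) { setspn -A $spn "$Domain\$Account" }
}

# Final check: both aliases must now be listed on the single object.
# (-A adds without a duplicate check and is what the Windows 2003 tool offers;
#  the Windows 2008+ setspn adds -S, which refuses to create a duplicate, and
#  -X, which reports duplicates that already exist.)
setspn -L "$Domain\$Account"
```

Run it on the Windows side with an account allowed to write servicePrincipalName; the Debian CAS box stays unjoined and only needs the password of sso.runner as its jcifsServicePassword. The ownership check is the part that matters for the symptom in this thread: a ticket for an SPN left on spn2.runner is encrypted with spn2.runner's key, and no password configured for sso.runner will ever validate it.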
From: Howard Gilbert [mailto:howard.gilb...@yale.edu]
Sent: Thursday, October 28, 2010 11:12 PM
To: cas-dev@lists.jasig.org
Subject: RE: [cas-dev] CAS with SPNEGO Issue

When SPNEGO is going through its Kerberos 5 phase, this is what happens:

The Browser takes the server name from the URL ("sso" or "singlesignon.behringer.com") and generates a Service Principal Name (SPN) of HTTP/sso or HTTP/singlesignon.behringer.com, and then it contacts the KDC in its Realm (typically the Domain Controller in its AD) to get a Service Ticket for that SPN. At this point what happens depends on what type of KDC you are using:

If you use a Unix KDC, then it looks up the SPN string in the KDC, finds the key of the server, and generates the Service Ticket from that key.

If you have an AD, then it looks up the SPN, which will be an alias for a Computer object or User object in AD. It then gets the key of the object and uses it to generate the ST.

The ST is returned to the Browser, GSSAPI embeds it in the initialization dialog bytes, the Browser does a base64 encoding of the bytes as characters, stuffs them in the HTTP header and sends them in the next GET to CAS. CAS then validates the ST using its own logon to what is hopefully the same KDC that the Browser used.

However, in all the SPNEGO examples I have seen, CAS (or any other SPNEGO server) typically has only one logon to the KDC. If you are using a Unix KDC, I am not quite sure if this is going to work. Typically CAS is not logged into the KDC as both "HTTP/sso" and also "HTTP/singlesignon.behringer.com". However, if you are using AD (which is probably the only likely candidate these days for K5) then you are in luck. All you have to do is make both SPN values SPN aliases of the same Computer or User object. Then no matter which name CAS uses to log in to AD, you get the same object with the same key and therefore the ST validates.
Since it is not working, I assume that you did not use the AD SPN creation utility to create both aliases when you set up AD. If you are using a Unix KDC, then you can configure the server to use one SPN or the other, but probably not both at the same time. I am not a JCIFS user, so I cannot speak to the specific JCIFS configuration parameters, just to the underlying protocol and algorithms.

From: Barbosa, Bernard [mailto:bernard.barb...@music-group.com]
Sent: Thursday, October 28, 2010 6:15 AM
To: cas-dev@lists.jasig.org
Subject: [cas-dev] CAS with SPNEGO Issue

Dear All,

We have a CAS 3.4.2 with SPNEGO which works when accessed through a "dummy" local name (e.g. https://sso/cas/login). "sso" has been specified in the client machine's hosts file as follows:

    sso 10.123.8.111

Now in the real scenario the CAS server needs to be reachable through the Internet (https://singlesignon.behringer.com/cas/login) with no hosts definition. In this real scenario SPNEGO automatic authentication does NOT work, but the CAS "normal" login with an Active Directory backend works fine.

This is part of our SPNEGO config:

    <bean name="jcifsConfig" class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
      <property name="jcifsServicePrincipal" value="HTTP/singlesignon.behringer....@behringer.corp.intra" />
      <property name="jcifsServicePassword" value="secret" />
      <property name="kerberosDebug" value="true" />
      <property name="kerberosRealm" value="BEHRINGER.CORP.INTRA" />
      <property name="kerberosKdc" value="sgdc05.behringer.corp.intra" />
      <property name="loginConf" value="/opt/work/local-cas/src/main/webapp/WEB-INF/login.conf" />
    </bean>

Does this mean that SPNEGO cannot be used over the Internet? Or is there something wrong with our setup? Thank you so much.
Kind Regards,
BARBOSA, Bernard
-- You are currently subscribed to cas-dev@lists.jasig.org. To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev