Hi,

I've been trying for two days to make the CAS SPNEGO support work (http://www.ja-sig.org/wiki/display/~sharumpe). My email is a bit long, but I wanted to show you that I have tried a lot of combinations...

Here's my config:

  Active Directory and domain controller server: adtest.agglo-larochelle.org / 172.16.150.1
  Domain: agglo-larochelle.org / CDA-TEST
  Ja-sig CAS server 3.2 (on Debian Etch): cas.agglo-larochelle.org / 172.16.150.6 / URL: https://cas.agglo-larochelle.org:8443/cas/
  SPN account (member of domain administrators): cas / XXXXX (password never expires)

I have added https://cas.agglo-larochelle.org:8443/ in the about:config of Firefox 3 and in the intranet zone of IE 6.

Kerberos domain realm: AGGLO-LAROCHELLE.ORG

I'm having some trouble finding the correct values to put in the Spring bean config. Here's what I have:

  <property name="principalWithDomainName" value="false" />
  <property name="NTLMallowed" value="true" />

and

  <bean name="jcifsConfig" class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
    <property name="jcifsServicePrincipal" value="HTTP/[email protected]" />
    <property name="jcifsServicePassword" value="Im4Z3v" />
    <property name="kerberosDebug" value="true" />
    <property name="kerberosRealm" value="AGGLO-LAROCHELLE.ORG" />
    <property name="kerberosKdc" value="172.16.150.1" />
    <property name="loginConf" value="/home/cas/webapps/cas/WEB-INF/login.conf" />
  </bean>

Here's the ktpass command I'm running:

  >ktpass.exe /out cas.keytab /princ HTTP/[email protected] /pass XXXXX /mapuser cas /ptype krb5_nt_principal /crypto rc4-hmac-nt
  Targeting domain controller: adtest.agglo-larochelle.org
  Successfully mapped HTTP/cas to cas.
  Key created.
  Output keytab to cas.keytab:
  Keytab version: 0x502
  keysize 64 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x17 (RC4-HMAC) keylength 16 (0x5d025157f73f8c7e90c608fe47848c92)

I'm uploading the keytab file to the CAS server (/home/cas/cas.keytab).

My krb5.conf:

  [logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log

  [libdefaults]
   ticket_lifetime = 24000
   default_realm = AGGLO-LAROCHELLE.ORG
   default_keytab_name = /home/cas/cas.keytab
   dns_lookup_realm = false
   dns_lookup_kdc = false
   default_tkt_enctypes = rc4-hmac
   default_tgs_enctypes = rc4-hmac

  [realms]
   AGGLO-LAROCHELLE.ORG = {
    kdc = adtest.AGGLO-LAROCHELLE.ORG:88
   }

  [domain_realm]
   .agglo-larochelle.org = AGGLO-LAROCHELLE.ORG
   agglo-larochelle.org = AGGLO-LAROCHELLE.ORG

klist -k:

  Keytab name: FILE:/home/cas/cas.keytab
  KVNO Principal
  ---- --------------------------------------------------------------------------
     2 HTTP/[email protected]

  $ kinit [email protected]
  Password for [email protected]:
  $

(OK? I think so, because when I put in a wrong password I get "kinit(v5): Preauthentication failed while getting initial credentials".)

Deploying the webapp:

  INFO: Déploiement de l'archive cas.war de l'application web
  2009-05-29 13:57:28,076 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - <jcifsServicePrincipal is set to HTTP/[email protected]>
  2009-05-29 13:57:28,076 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - <jcifsServicePassword is set to *****>
  2009-05-29 13:57:28,076 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - <kerberosDebug is set to : true>
  2009-05-29 13:57:28,076 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - <kerberosRealm is set to :AGGLO-LAROCHELLE.ORG>
  2009-05-29 13:57:28,077 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - <kerberosKdc is set to : 172.16.150.1>
  2009-05-29 13:57:28,077 WARN [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - <found login config in system property, may overide : /home/cas/webapps/cas/WEB-INF/login.conf>
  2009-05-29 13:57:28,077 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - <configured login configuration path : /home/cas/webapps/cas/WEB-INF/login.conf>

Launching https://cas.agglo-larochelle.org:8443/cas/login/ (on IE 6 and/or FF 3).

Log:

  2009-05-29 13:57:47,843 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Starting cleaning of expired tickets from ticket registry at [Fri May 29 13:57:47 GMT+01:00 2009]>
  2009-05-29 13:57:47,843 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <0 found to be removed. Removing now.>
  2009-05-29 13:57:47,843 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Finished cleaning of expired tickets from ticket registry at [Fri May 29 13:57:47 GMT+01:00 2009]>
  2009-05-29 13:59:05,236 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Setting ContextPath for cookies to: /cas>
  2009-05-29 13:59:05,261 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - <Action 'SpnegoNegociateCredentialsAction' beginning execution>
  2009-05-29 13:59:05,262 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - <Authorization header not found. Sending WWW-Authenticate header>
  2009-05-29 13:59:05,262 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - <Action 'SpnegoNegociateCredentialsAction' completed execution; result is 'success'>
  2009-05-29 13:59:05,262 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Action 'SpnegoCredentialsAction' beginning execution>
  2009-05-29 13:59:05,262 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Action 'SpnegoCredentialsAction' completed execution; result is 'error'>
  2009-05-29 13:59:06,167 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - <Action 'SpnegoNegociateCredentialsAction' beginning execution>
  2009-05-29 13:59:06,167 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - <Action 'SpnegoNegociateCredentialsAction' completed execution; result is 'success'>
  2009-05-29 13:59:06,167 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Action 'SpnegoCredentialsAction' beginning execution>
  2009-05-29 13:59:06,168 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <SPNEGO Authorization header found with 56 bytes>
  2009-05-29 13:59:06,169 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Obtained token: NTLMSSPï¿ï¿½ï¿½>
  2009-05-29 13:59:06,231 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler] - <Setting nextToken in credentials>
  2009-05-29 13:59:06,231 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler] - <Principal is null, the processing of the SPNEGO Token failed>
  2009-05-29 13:59:06,231 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler failed to authenticate the user which provided the following credentials: Principal is null>
  2009-05-29 13:59:06,233 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Obtained output token: NTLMSSP8����P�>
  2009-05-29 13:59:06,233 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Setting HTTP Status to 401>
  2009-05-29 13:59:06,233 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Action 'SpnegoCredentialsAction' completed execution; result is 'error'>
  2009-05-29 13:59:06,240 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - <Action 'SpnegoNegociateCredentialsAction' beginning execution>
  2009-05-29 13:59:06,240 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - <Action 'SpnegoNegociateCredentialsAction' completed execution; result is 'success'>
  2009-05-29 13:59:06,240 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Action 'SpnegoCredentialsAction' beginning execution>
  2009-05-29 13:59:06,240 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <SPNEGO Authorization header found with 228 bytes>
  2009-05-29 13:59:06,240 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Obtained token: NTLMSSPz�HX n��CDA-TESTj.rautureauADTEST�8h�q��<���...@��ֶ��pv�8h�q��<���...@��ֶ��pv�>
  2009-05-29 13:59:06,254 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Unable to obtain the output token required.>
  2009-05-29 13:59:06,254 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Setting HTTP Status to 401>
  2009-05-29 13:59:06,254 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Action 'SpnegoCredentialsAction' completed execution; result is 'error'>

It seems that Kerberos is failing AND NTLM is failing too... But why don't my browsers get a Kerberos ticket, and always an NTLM ticket instead? Please help me!

________________________________________
RAUTUREAU Jérôme
Communauté d'Agglomération de La Rochelle
Database administrator, Developer
rue de Vaucanson, 17180 Périgny
Telephone: 05.46.30.34.25 / Fax: 05.46.30.34.29
Mobile:
Email: [email protected]
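The log above shows the browser answering the WWW-Authenticate: Negotiate challenge with a token that starts with NTLMSSP and a header of 56 bytes, which is consistent with a raw 40-byte NTLM NEGOTIATE message rather than a SPNEGO-wrapped Kerberos token. The Python below is an added example, not code from the original message or from the CAS project: it classifies an Authorization header by the mechanism the client actually offered, using constructed sample tokens; the function names, the sample byte values and the shallow OID-search approach are my own.

```python
import base64

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"   # raw NTLM messages start with this; byte 8 is the type
MECH_OIDS = {                         # DER-encoded OIDs as listed in a SPNEGO mechTypes
    "SPNEGO":  bytes.fromhex("06062b0601050502"),          # 1.3.6.1.5.5.2
    "KRB5":    bytes.fromhex("06092a864886f712010202"),    # 1.2.840.113554.1.2.2
    "MS-KRB5": bytes.fromhex("06092a864882f712010202"),    # 1.2.840.48018.1.2.2
    "NTLMSSP": bytes.fromhex("060a2b06010401823702020a"),  # 1.3.6.1.4.1.311.2.2.10
}

def classify_negotiate_token(header_value):
    """Label the mechanism a browser actually offered in an Authorization header.

    Deliberately shallow (signature and OID search, no full ASN.1 parse): enough to
    tell raw NTLM, SPNEGO-wrapped NTLM and SPNEGO Kerberos apart from a log dump."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme != "Negotiate" or not b64:
        return "not-negotiate"
    token = base64.b64decode(b64)
    if token.startswith(NTLMSSP_SIGNATURE):
        return "raw-ntlm-type%d" % token[8]   # 1 NEGOTIATE, 2 CHALLENGE, 3 AUTHENTICATE
    if token[:1] == b"\x60" and MECH_OIDS["SPNEGO"] in token[:12]:
        # The preferred mechanism is the first OID in mechTypes, i.e. the lowest offset.
        found = {m: token.find(o) for m, o in MECH_OIDS.items() if m != "SPNEGO"}
        found = {m: i for m, i in found.items() if i >= 0}
        if not found:
            return "spnego-unknown-mech"
        return "spnego-ntlm" if min(found, key=found.get) == "NTLMSSP" else "spnego-kerberos"
    return "unrecognised"

def _der(tag, body):
    """Minimal DER TLV; all bodies here are shorter than 128 bytes (short-form length)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def sample_ntlm_type1():
    """Constructed 40-byte NTLM NEGOTIATE message: signature, type, flags, empty
    domain/workstation fields, version. 40 raw bytes base64-encode to 56 characters."""
    return (NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2"
            + b"\x00" * 16 + b"\x06\x01\xb1\x1d\x00\x00\x00\x0f")

def sample_spnego_init(mech):
    """Constructed InitialContextToken wrapping a NegTokenInit whose mechTypes lists only `mech`."""
    mech_types = _der(0x30, MECH_OIDS[mech])
    neg_token_init = _der(0x30, _der(0xA0, mech_types))
    return _der(0x60, MECH_OIDS["SPNEGO"] + _der(0xA0, neg_token_init))

def negotiate_header(token):
    """Build the Authorization header value a browser would send for a raw token."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")
```

A raw NTLM token means the client never presented a Kerberos service ticket for the SPN, so the server-side keytab is not even consulted at that point; the classifier separates that client-side outcome from a genuine keytab or principal mismatch, which would only show up once a spnego-kerberos token arrives.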
