Hi Oleg! I have indeed discovered that we have to be on a different machine than the AD domain server.
In my tests 3 machines have been used:
- Active Directory Domain server: 172.16.150.1
- CAS server: 172.16.150.6
- Firefox client machine: 172.16.150.5

Hope to have a lot of conversations like this in order to make things happen! If I succeed in my configuration I will post a tutorial with machine name examples, because I think it's easier to understand how to configure all this! See ya.

-------- Original message --------
From: o v [mailto:[email protected]]
Date: Mon. 01/06/2009 08:12
To: RAUTUREAU Jérôme
Subject: Re: [cas-user] [SPNEGO] Kerberos / NTLM issues or misunderstandings?

Hi Jerome,

I can't seem to log on to the cas-user forum, so I'll reply directly.

Are you accessing CAS from the same machine on which the CAS server is installed? I cannot tell from the logs, but the browser which you use to access CAS or a CASified webapp needs to be on a different machine from the CAS server. You should then get a Kerberos negotiation happening.

Since you are using Kerberos on AD I'd be interested to know if you can get a successful Kerberos authentication going without making changes to the AD, and if you could get it to use keytab files. ;)

Cheers, hope it helps,
Oleg.

2009/5/29 RAUTUREAU Jérôme <[email protected]>
> Hi,
>
> It's been two days that I have been trying to make the SPNEGO CAS support work
> (http://www.ja-sig.org/wiki/display/~sharumpe)
>
> My email is a bit long, but I wanted to show you that I have tried a lot of
> combinations.
>
> Here's my config:
>
> Active Directory and domain controller server: adtest.agglo-larochelle.org / 172.16.150.1
> Domain: agglo-larochelle.org / CDA-TEST
> Ja-sig CAS server 3.2 (on Debian Etch): cas.agglo-larochelle.org / 172.16.150.6 / URL: https://cas.agglo-larochelle.org:8443/cas/
> SPN account (member of domain administrators): cas / XXXXX (password never expires)
> I have added https://cas.agglo-larochelle.org:8443/ in the about:config of Firefox 3 and in the intranet zone of IE 6.
> Kerberos domain realm: AGGLO-LAROCHELLE.ORG
>
> I'm having some issues finding the correct values to put in the Spring bean config. Here's what I have:
>
> <property name="principalWithDomainName" value="false" />
> <property name="NTLMallowed" value="true" />
>
> and
>
> <bean name="jcifsConfig"
>       class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
>   <property name="jcifsServicePrincipal" value="HTTP/[email protected]" />
>   <property name="jcifsServicePassword" value="Im4Z3v" />
>   <property name="kerberosDebug" value="true" />
>   <property name="kerberosRealm" value="AGGLO-LAROCHELLE.ORG" />
>   <property name="kerberosKdc" value="172.16.150.1" />
>   <property name="loginConf" value="/home/cas/webapps/cas/WEB-INF/login.conf" />
> </bean>
>
> Here's the ktpass command I'm running:
>
> >ktpass.exe /out cas.keytab /princ HTTP/[email protected] /pass XXXXX /mapuser cas /ptype krb5_nt_principal /crypto rc4-hmac-nt
> Targeting domain controller: adtest.agglo-larochelle.org
> Successfully mapped HTTP/cas to cas.
> Key created.
> Output keytab to cas.keytab:
> Keytab version: 0x502
> keysize 64 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x17 (RC4-HMAC) keylength 16 (0x5d025157f73f8c7e90c608fe47848c92)
>
> I'm uploading the key file to the CAS server (/home/cas/cas.keytab).
>
> My krb5.conf:
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  ticket_lifetime = 24000
>  default_realm = AGGLO-LAROCHELLE.ORG
>  default_keytab_name = /home/cas/cas.keytab
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  default_tkt_enctypes = rc4-hmac
>  default_tgs_enctypes = rc4-hmac
>
> [realms]
>  AGGLO-LAROCHELLE.ORG = {
>   kdc = adtest.AGGLO-LAROCHELLE.ORG:88
>  }
>
> [domain_realm]
>  .agglo-larochelle.org = AGGLO-LAROCHELLE.ORG
>  agglo-larochelle.org = AGGLO-LAROCHELLE.ORG
>
> $ klist -k
> Keytab name: FILE:/home/cas/cas.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 HTTP/[email protected]
>
> $ kinit [email protected]
> Password for [email protected]:
> $
> (OK? I think so, because when I put a wrong password I get "kinit(v5): Preauthentication failed while getting initial credentials")
>
> Deploying the webapp:
>
> INFO: Deploying web application archive cas.war
> 2009-05-29 13:57:28,076 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - <jcifsServicePrincipal is set to HTTP/[email protected]>
> 2009-05-29 13:57:28,076 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - <jcifsServicePassword is set to *****>
> 2009-05-29 13:57:28,076 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - <kerberosDebug is set to : true>
> 2009-05-29 13:57:28,076 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - <kerberosRealm is set to :AGGLO-LAROCHELLE.ORG>
> 2009-05-29 13:57:28,077 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - <kerberosKdc is set to : 172.16.150.1>
> 2009-05-29 13:57:28,077 WARN [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - <found login config in system property, may overide : /home/cas/webapps/cas/WEB-INF/login.conf>
> 2009-05-29 13:57:28,077 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - <configured login configuration path : /home/cas/webapps/cas/WEB-INF/login.conf>
>
> Launch: https://cas.agglo-larochelle.org:8443/cas/login/ (on IE 6 and/or FF 3)
>
> LOG:
>
> 2009-05-29 13:57:47,843 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Starting cleaning of expired tickets from ticket registry at [Fri May 29 13:57:47 GMT+01:00 2009]>
> 2009-05-29 13:57:47,843 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <0 found to be removed. Removing now.>
> 2009-05-29 13:57:47,843 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Finished cleaning of expired tickets from ticket registry at [Fri May 29 13:57:47 GMT+01:00 2009]>
> 2009-05-29 13:59:05,236 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Setting ContextPath for cookies to: /cas>
> 2009-05-29 13:59:05,261 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - <Action 'SpnegoNegociateCredentialsAction' beginning execution>
> 2009-05-29 13:59:05,262 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - <Authorization header not found. Sending WWW-Authenticate header>
> 2009-05-29 13:59:05,262 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - <Action 'SpnegoNegociateCredentialsAction' completed execution; result is 'success'>
> 2009-05-29 13:59:05,262 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Action 'SpnegoCredentialsAction' beginning execution>
> 2009-05-29 13:59:05,262 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Action 'SpnegoCredentialsAction' completed execution; result is 'error'>
> 2009-05-29 13:59:06,167 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - <Action 'SpnegoNegociateCredentialsAction' beginning execution>
> 2009-05-29 13:59:06,167 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - <Action 'SpnegoNegociateCredentialsAction' completed execution; result is 'success'>
> 2009-05-29 13:59:06,167 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Action 'SpnegoCredentialsAction' beginning execution>
> 2009-05-29 13:59:06,168 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <SPNEGO Authorization header found with 56 bytes>
> 2009-05-29 13:59:06,169 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Obtained token: NTLMSSP[unprintable bytes]>
> 2009-05-29 13:59:06,231 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler] - <Setting nextToken in credentials>
> 2009-05-29 13:59:06,231 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler] - <Principal is null, the processing of the SPNEGO Token failed>
> 2009-05-29 13:59:06,231 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler failed to authenticate the user which provided the following credentials: Principal is null>
> 2009-05-29 13:59:06,233 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Obtained output token: NTLMSSP[unprintable bytes]>
> 2009-05-29 13:59:06,233 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Setting HTTP Status to 401>
> 2009-05-29 13:59:06,233 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Action 'SpnegoCredentialsAction' completed execution; result is 'error'>
> 2009-05-29 13:59:06,240 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - <Action 'SpnegoNegociateCredentialsAction' beginning execution>
> 2009-05-29 13:59:06,240 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - <Action 'SpnegoNegociateCredentialsAction' completed execution; result is 'success'>
> 2009-05-29 13:59:06,240 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Action 'SpnegoCredentialsAction' beginning execution>
> 2009-05-29 13:59:06,240 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <SPNEGO Authorization header found with 228 bytes>
> 2009-05-29 13:59:06,240 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Obtained token: NTLMSSP[unprintable bytes]CDA-TESTj.rautureauADTEST[unprintable bytes]>
> 2009-05-29 13:59:06,254 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Unable to obtain the output token required.>
> 2009-05-29 13:59:06,254 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Setting HTTP Status to 401>
> 2009-05-29 13:59:06,254 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Action 'SpnegoCredentialsAction' completed execution; result is 'error'>
>
> It seems that Kerberos is failing AND NTLM is failing too.
> But why don't my browsers get a Kerberos ticket, and always an NTLM ticket?
>
> Please help me!
>
> ________________________________________
> RAUTUREAU Jérôme
> Communauté d'Agglomération de La Rochelle
> Database administrator, Developer
> rue de Vaucanson, 17180 Périgny
> Phone: 05.46.30.34.25 / Fax: 05.46.30.34.29
> Mobile:
> Email: [email protected]
> To help protect the environment, please print this e-mail only if necessary
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
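The CAS log in the quoted message shows the browser presenting a raw NTLMSSP token where a Kerberos (SPNEGO) token was expected, and the 56-byte header it reports is exactly what a 40-byte NTLM NEGOTIATE message looks like after base64 encoding. The script below is an added example written for this page; it is not part of the thread, of CAS or of JCIFS. It classifies what an `Authorization: Negotiate <base64>` header actually carries (raw NTLM, SPNEGO preferring Kerberos, or SPNEGO preferring NTLM) by reading the GSS-API framing and the first SPNEGO mechType. All sample tokens are constructed inside the script; the Kerberos mechToken is a placeholder string, not a real AP-REQ, and the NTLM flag and version values are illustrative.

```python
import base64
import struct

# Mechanism OIDs seen at the start of a GSS-API InitialContextToken (RFC 2743 3.1)
# or as mechTypes inside a SPNEGO NegTokenInit (RFC 4178).
SPNEGO_OID = "1.3.6.1.5.5.2"
GSS_OIDS = {
    SPNEGO_OID: "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (Microsoft legacy OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP (GSS-wrapped)",
}
NTLM_MSG_TYPES = {1: "NEGOTIATE (Type 1)", 2: "CHALLENGE (Type 2)", 3: "AUTHENTICATE (Type 3)"}


def _der(tag, content):
    """Encode one DER TLV; short-form length is enough for the tokens built here."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content


def _oid(dotted):
    """DER-encode a dotted OID string (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body += bytes(chunk)
    return _der(0x06, bytes(body))


def _der_length(buf, pos):
    """Return (length, position after the length field) for the DER length at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def decode_oid(raw):
    """Decode the content octets of a DER OID into dotted form."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            if not arcs:
                arcs.extend([value // 40, value % 40])  # first octet packs two arcs
            else:
                arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _spnego_preferred_mech(raw, pos):
    """Walk NegTokenInit ([0] SEQUENCE { [0] mechTypes SEQUENCE OF OID ... }) to its first OID."""
    for expected in (0xA0, 0x30, 0xA0, 0x30):
        if raw[pos] != expected:
            return None
        _, pos = _der_length(raw, pos + 1)
    if raw[pos] != 0x06:
        return None
    oid_len, pos = _der_length(raw, pos + 1)
    return decode_oid(raw[pos:pos + oid_len])


def classify_token(header_value):
    """Say what an 'Authorization: Negotiate <base64>' header actually carries."""
    _scheme, _, b64 = header_value.strip().partition(" ")
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):
        # Bare NTLM with no GSS framing at all: the client never attempted Kerberos.
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        return "raw NTLM " + NTLM_MSG_TYPES.get(msg_type, "type %d" % msg_type)
    if raw and raw[0] == 0x60:  # [APPLICATION 0] InitialContextToken
        _, pos = _der_length(raw, 1)
        if raw[pos] != 0x06:
            return "GSS token without mechanism OID"
        oid_len, pos = _der_length(raw, pos + 1)
        oid = decode_oid(raw[pos:pos + oid_len])
        pos += oid_len
        if oid != SPNEGO_OID:
            return GSS_OIDS.get(oid, "unknown mechanism " + oid)
        if raw[pos] == 0xA1:
            return "SPNEGO NegTokenResp (continuation of an earlier exchange)"
        preferred = _spnego_preferred_mech(raw, pos)
        return "SPNEGO, preferred mechanism " + GSS_OIDS.get(preferred, str(preferred))
    return "unrecognised token (%d bytes)" % len(raw)


def negotiated_kerberos(header_values):
    """True if any token in the exchange carried Kerberos, directly or as the SPNEGO choice."""
    return any("Kerberos" in classify_token(h) for h in header_values)


def make_header(raw_token):
    return "Negotiate " + base64.b64encode(raw_token).decode("ascii")


def make_spnego_init(preferred_mech, mech_token):
    """Build a minimal SPNEGO NegTokenInit offering one mechanism plus its first token."""
    mech_types = _der(0xA0, _der(0x30, _oid(preferred_mech)))
    mech_token_field = _der(0xA2, _der(0x04, mech_token))
    neg_token_init = _der(0xA0, _der(0x30, mech_types + mech_token_field))
    return _der(0x60, _oid(SPNEGO_OID) + neg_token_init)


# Constructed NTLM NEGOTIATE_MESSAGE (MS-NLMP 2.2.1.1): 40 bytes, which base64-encodes
# to 56 characters, the size the CAS log above reports for the first token.
NTLM_NEGOTIATE = (
    b"NTLMSSP\x00"
    + struct.pack("<I", 1)            # MessageType = NEGOTIATE
    + struct.pack("<I", 0xE2088297)   # NegotiateFlags (illustrative browser flag set)
    + bytes(8)                        # DomainNameFields (empty)
    + bytes(8)                        # WorkstationFields (empty)
    + bytes(8)                        # Version (zeroed for this example)
)

# Constructed sample headers; the Kerberos mechToken is a placeholder, not a real AP-REQ.
SAMPLE_HEADERS = {
    "raw_ntlm": make_header(NTLM_NEGOTIATE),
    "kerberos": make_header(make_spnego_init("1.2.840.113554.1.2.2", b"<AP-REQ placeholder>")),
    "spnego_ntlm": make_header(make_spnego_init("1.3.6.1.4.1.311.2.2.10", NTLM_NEGOTIATE)),
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print("%-12s %s" % (name, classify_token(header)))
```

Capture the `Authorization` header the browser sends (a header-logging browser extension, or a debug line added locally in `SpnegoCredentialsAction` before the token is handed to the handler) and pass its value to `classify_token`. A verdict of raw NTLM, or SPNEGO with NTLMSSP as the preferred mechanism, means the browser never obtained a Kerberos service ticket for the `HTTP/` SPN, so the problem is on the client and AD side (SPN registration, the browser running on the domain controller itself, the site not being in the trusted zone) and not in the CAS handler configuration.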
