After reading through the tutorial and several threads here on the forum I
have not been successful in getting CAS to auth with SPNEGO and Kerberos.

Active Directory is our Kerberos Server.
The service account is created.
ktpass has been run and the SPN mappings are correct.

jcifsConfig Bean Definition:
<bean name="jcifsConfig"
      class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
    <property name="jcifsServicePrincipal" value="CASTESTSSO/[email protected]" />
    <property name="jcifsServicePassword" value="yummysushi" />
    <property name="kerberosDebug" value="true" />
    <property name="kerberosRealm" value="TEST.NINTENDO.COM" />
    <property name="kerberosKdc" value="10.2.40.31" />
    <property name="loginConf"
              value="c:/Program Files/Apache Software Foundation/Tomcat 6.0/webapps/cas-server-webapp-3.3.1/WEB-INF/login.conf" />
</bean>

JCIFSSpnegoAuthentication handler Bean Definition:
<bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler">
    <property name="authentication">
        <bean class="jcifs.spnego.Authentication"/>
    </property>
    <property name="principalWithDomainName" value="false" />
    <property name="NTLMallowed" value="true"/>
</bean>


login.conf   file
jcifs.spnego.initiate {
   com.sun.security.auth.module.Krb5LoginModule required debug=true storeKey=true};
jcifs.spnego.accept {
   com.sun.security.auth.module.Krb5LoginModule required debug=true storeKey=true};


Debug output:


2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' beginning execution
2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - SPNEGO Authorization header found with 2820 bytes
2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Obtained token: `=♠♠+♠☺♣♣☻ 10- $0"♠     *+H,÷↕☺☻☻♠     
*+H+÷↕☺☻
☻♠
+♠☺♦☺,7☻☻ ......
......
......

2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - Attempting to create TicketGrantingTicket for Principal is null
2009-09-03 14:56:27,286 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Unable to obtain the output token required.
2009-09-03 14:56:27,286 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Setting HTTP Status to 401
2009-09-03 14:56:27,286 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' completed execution; result is 'error'


The app then falls back to LDAP authorization.  I see the token but, for
whatever reason, Kerberos is not happening.

Any help is much appreciated.

Dean

-- 
View this message in context: 
http://www.nabble.com/SPNEGO-and-Kerberos-question....-tp25285010p25285010.html
Sent from the CAS Users mailing list archive at Nabble.com.
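
Added example (not part of the message above and not CAS code): a first triage step for a trace like this one is to decode the token from the Authorization: Negotiate header and list the mechanisms the browser offered. The Python below does that for a SPNEGO NegTokenInit; the names classify_negotiate, read_tlv and oid_name and the SAMPLE token are constructed for illustration.

```python
import base64

MECHS = {  # OIDs seen in SPNEGO tokens (RFC 4178 and Microsoft mechanisms)
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.2.840.48018.1.2.2": "Kerberos 5 (legacy Microsoft OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def oid_name(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:  # base-128 arcs, high bit marks continuation
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, value = arcs + [value], 0
    dotted = ".".join(map(str, arcs))
    return MECHS.get(dotted, dotted)

def classify_negotiate(header_value):
    """Return (kind, offered mechanisms) for a 'Negotiate <base64>' value."""
    token = base64.b64decode(header_value.split(None, 1)[1])
    tag, pos, _ = read_tlv(token, 0)
    if tag != 0x60:  # not a GSS-API InitialContextToken
        kind = "raw NTLM" if token.startswith(b"NTLMSSP\x00") else "unknown"
        return kind, []
    _, start, pos = read_tlv(token, pos)  # thisMech OID
    if oid_name(token[start:pos]) != "SPNEGO":
        return oid_name(token[start:pos]), []
    # NegTokenInit: [0] -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF OID
    for expected in (0xA0, 0x30, 0xA0, 0x30):
        tag, pos, end = read_tlv(token, pos)
        if tag != expected:
            raise ValueError("not a NegTokenInit with a mechTypes list")
    offered = []
    while pos < end:
        _, start, pos = read_tlv(token, pos)
        offered.append(oid_name(token[start:pos]))
    return "SPNEGO", offered

SAMPLE = "Negotiate " + base64.b64encode(bytes.fromhex(  # constructed token
    "603206062b0601050502a0283026a024302206092a864882f712010202"
    "06092a864886f712010202060a2b06010401823702020a")).decode()
```

A raw NTLM token, or a list containing only NTLMSSP, usually means the browser never obtained a Kerberos service ticket for the CAS host; a list that includes Kerberos usually moves the investigation to the server side (keytab, SPN, JAAS configuration).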

