Dean,

Is there any reason why you chose SPNEGO over JAAS using KrbLoginModule?

On 9/3/09 5:13 PM, "deanhe01" <[email protected]> wrote:

> After reading through the tutorial and several threads here on the forum I
> have not been successful in getting CAS to auth with SPNEGO and Kerberos.
>
> Active Directory is our Kerberos Server.
> The service account is created
> ktpass has been run and the SPN mappings are correct.
>
> jcifsConfig Bean Definition:
> <bean name="jcifsConfig"
>       class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
>   <property name="jcifsServicePrincipal"
>             value="CASTESTSSO/[email protected]" />
>   <property name="jcifsServicePassword" value="yummysushi" />
>   <property name="kerberosDebug" value="true" />
>   <property name="kerberosRealm" value="TEST.NINTENDO.COM" />
>   <property name="kerberosKdc" value="10.2.40.31" />
>   <property name="loginConf"
>             value="c:/Program Files/Apache Software Foundation/Tomcat 6.0/webapps/cas-server-webapp-3.3.1/WEB-INF/login.conf" />
> </bean>
>
> JCIFSSpnegoAuthentication handler Bean Definition:
> <bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler">
>   <property name="authentication">
>     <bean class="jcifs.spnego.Authentication"/>
>   </property>
>   <property name="principalWithDomainName" value="false" />
>   <property name="NTLMallowed" value="true"/>
> </bean>
>
>
> login.conf file
> jcifs.spnego.initiate {
> com.sun.security.auth.module.Krb5LoginModule required debug=true
> storeKey=true};
> jcifs.spnego.accept {
> com.sun.security.auth.module.Krb5LoginModule required debug=true
> storeKey=true};
>
>
> Debug output:
>
>
> 2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' beginning execution
> 2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - SPNEGO Authorization header found with 2820 bytes
> 2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Obtained token: `=♠♠+♠☺♣♣☻ 10- $0"♠ *+H,÷↕☺☻☻♠
> *+H+÷↕☺☻
> ☻♠
> +♠☺♦☺,7☻☻ ......
> ......
> ......
>
> 2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - Attempting to create TicketGrantingTicket for Principal is null
> 2009-09-03 14:56:27,286 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Unable to obtain the output token required.
> 2009-09-03 14:56:27,286 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Setting HTTP Status to 401
> 2009-09-03 14:56:27,286 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' completed execution; result is 'error'
>
>
> The app then falls back to ldap authorization. I see the token but, for
> whatever reason, Kerberos is not happening.
>
> Any help is much appreciated
>
> Dean

--
Andrew Feller, Business System Programmer
LSU University Information Services
200 Frey Computing Services Center
Baton Rouge, LA 70803
Office: 225.578.3737
Fax: 225.578.6400
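
Added example, not part of the original thread or of CAS: a small Python check that decodes an `Authorization: Negotiate` value like the one logged above and reports whether it is a raw NTLM message or an SPNEGO NegTokenInit, and which mechanisms the client offered. The sample token is constructed, and `classify`, `read_tlv` and `oid_str` are names chosen for this example.

```python
import base64

SPNEGO = "1.3.6.1.5.5.2"
MECHS = {"1.2.840.113554.1.2.2": "Kerberos V5",
         "1.2.840.48018.1.2.2": "Kerberos V5 (legacy Microsoft OID)",
         "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

# Constructed sample: a NegTokenInit carrying only a mechTypes list (no mechToken).
SAMPLE = "Negotiate " + base64.b64encode(bytes.fromhex(
    "603206062b0601050502a0283026a0243022" "06092a864882f712010202"
    "06092a864886f712010202" "060a2b06010401823702020a")).decode()

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def oid_str(body):
    """Decode DER OID content bytes into dotted notation."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                 # high bit clear ends this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def classify(header_value):
    """Return (token kind, mechanisms offered) for a Negotiate header value."""
    tok = base64.b64decode(header_value.partition(" ")[2])
    if tok.startswith(b"NTLMSSP\x00"):
        return "raw NTLM", []            # no SPNEGO wrapper at all
    if tok[:1] != b"\x60":               # 0xa1 would be a NegTokenResp; not decoded here
        return "unrecognized", []
    _, pos, _ = read_tlv(tok, 0)         # [APPLICATION 0] GSS-API wrapper
    _, s, pos = read_tlv(tok, pos)       # thisMech OID
    mech = oid_str(tok[s:pos])
    if mech != SPNEGO:
        return "GSS-API " + MECHS.get(mech, mech), []
    for _ in range(4):                   # descend a0 -> 30 -> a0 -> 30 (MechTypeList)
        _, pos, end = read_tlv(tok, pos)
    offered = []
    while pos < end:                     # one OID per offered mechanism
        _, s, pos = read_tlv(tok, pos)
        offered.append(oid_str(tok[s:pos]))
    return "SPNEGO NegTokenInit", [MECHS.get(o, o) for o in offered]
```

Calling `classify(SAMPLE)` returns the token kind and the offered mechanisms in the client's preference order.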
