Andrew,

Other than having no real experience using Kerberos in a project before now, ...no. I was able to get a test program using JAAS and the KrbLoginModule to work just fine. Can you point me to any documentation/wiki that contains best practices for integration with CAS?

Thanks
Dean

Andrew Feller wrote:
>
> Dean,
>
> Is there any reason why you chose SPNEGO over JAAS using KrbLoginModule?
>
>
> On 9/3/09 5:13 PM, "deanhe01" <[email protected]> wrote:
>
>> After reading through the tutorial and several threads here on the forum I
>> have not been successful in getting CAS to auth with SPNEGO and Kerberos.
>>
>> Active Directory is our Kerberos Server.
>> The service account is created
>> ktpass has been run and the SPN mappings are correct.
>>
>> jcifsConfig Bean Definition:
>> <bean name="jcifsConfig"
>>       class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
>>   <property name="jcifsServicePrincipal"
>>             value="CASTESTSSO/[email protected]" />
>>   <property name="jcifsServicePassword" value="yummysushi" />
>>   <property name="kerberosDebug" value="true" />
>>   <property name="kerberosRealm" value="TEST.NINTENDO.COM" />
>>   <property name="kerberosKdc" value="10.2.40.31" />
>>   <property name="loginConf"
>>             value="c:/Program Files/Apache Software Foundation/Tomcat 6.0/webapps/cas-server-webapp-3.3.1/WEB-INF/login.conf" />
>> </bean>
>>
>> JCIFSSpnegoAuthentication handler Bean Definition:
>> <bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler">
>>   <property name="authentication">
>>     <bean class="jcifs.spnego.Authentication"/>
>>   </property>
>>   <property name="principalWithDomainName" value="false" />
>>   <property name="NTLMallowed" value="true"/>
>> </bean>
>>
>>
>> login.conf file
>> jcifs.spnego.initiate {
>>   com.sun.security.auth.module.Krb5LoginModule required debug=true storeKey=true};
>> jcifs.spnego.accept {
>>   com.sun.security.auth.module.Krb5LoginModule required debug=true storeKey=true};
>>
>>
>> Debug output:
>>
>>
>> 2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' beginning execution
>> 2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - SPNEGO Authorization header found with 2820 bytes
>> 2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Obtained token: `=♠♠+♠☺♣♣☻ 10- $0"♠ *+H,÷↕☺☻☻♠
>> *+H+÷↕☺☻
>> ☻♠
>> +♠☺♦☺,7☻☻ ......
>> ......
>> ......
>>
>> 2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - Attempting to create TicketGrantingTicket for Principal is null
>> 2009-09-03 14:56:27,286 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Unable to obtain the output token required.
>> 2009-09-03 14:56:27,286 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Setting HTTP Status to 401
>> 2009-09-03 14:56:27,286 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' completed execution; result is 'error'
>>
>>
>> The app then falls back to ldap authorization. I see the token but, for
>> whatever reason, Kerberos is not happening.
>>
>> Any help is much appreciated
>>
>> Dean
>
> --
> Andrew Feller, Business System Programmer
> LSU University Information Services
> 200 Frey Computing Services Center
> Baton Rouge, LA 70803
> Office: 225.578.3737
> Fax: 225.578.6400
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
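Added example, not part of the original thread or of CAS/jCIFS: when triaging a log like the one quoted above (an Authorization header is found, the handler has NTLMallowed enabled, and no output token is produced), it helps to check what the browser actually put in the Negotiate header. This Python sketch classifies a header value as raw NTLM or SPNEGO and lists the mechanisms offered; the function names and the sample header are constructed for illustration.

```python
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")  # 1.3.6.1.5.5.2
MECH_OIDS = {  # DER-encoded OID bodies seen in SPNEGO mechTypes lists
    bytes.fromhex("2a864886f712010202"): "Kerberos 5",
    bytes.fromhex("2a864882f712010202"): "Kerberos 5 (legacy Microsoft OID)",
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def classify_negotiate(header_value):
    """Classify the token of an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme.lower() != "negotiate":
        return ("not-negotiate", [])
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):
        return ("raw-ntlm", ["NTLMSSP"])
    try:
        if token[0] != 0x60:                    # GSS-API InitialContextToken tag
            return ("unknown", [])
        _, pos, _ = read_tlv(token, 0)          # [APPLICATION 0] wrapper
        tag, start, end = read_tlv(token, pos)  # thisMech OID
        if tag != 0x06 or token[start:end] != SPNEGO_OID:
            return ("gss-not-spnego", [])
        pos = end
        for _ in range(4):  # [0] NegTokenInit, SEQUENCE, [0] mechTypes, SEQUENCE OF
            _, pos, stop = read_tlv(token, pos)
        mechs = []
        while pos < stop:
            _, start, pos = read_tlv(token, pos)
            mechs.append(MECH_OIDS.get(token[start:pos], token[start:pos].hex()))
        return ("spnego", mechs)
    except IndexError:
        return ("malformed", [])

# Constructed sample: a minimal NegTokenInit offering three mechanisms, no mechToken.
SAMPLE_HEADER = "Negotiate " + base64.b64encode(bytes.fromhex(
    "603206062b0601050502a0283026a0243022"
    "06092a864882f712010202" "06092a864886f712010202"
    "060a2b06010401823702020a")).decode()
```

A result of `raw-ntlm` means the client never attempted Kerberos, while `spnego` with a Kerberos mechanism listed means a ticket was offered and the failure is on the accepting side.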
