Andrew,

   Other than having no real experience using Kerberos in a project before
now, ...no.  I was able to get a test program using JAAS and the
KrbLoginModule to work just fine.  Can you point me to any
documentation/wiki that contains best practices for integration with CAS?

Thanks

Dean


Andrew Feller wrote:
> 
> Dean,
> 
> Is there any reason why you chose SPNEGO over JAAS using KrbLoginModule?
> 
> 
> On 9/3/09 5:13 PM, "deanhe01" <[email protected]> wrote:
> 
>> 
>> After reading through the tutorial and several threads here on the forum I
>> have not been successful in getting CAS to auth with SPNEGO and Kerberos.
>> 
>> Active Directory is our Kerberos Server.
>> The service account is created
>> ktpass has been run and the SPN mappings are correct.
>> 
>> jcifsConfig Bean Definition:
>> <bean name="jcifsConfig"
>>       class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
>>     <property name="jcifsServicePrincipal"
>>               value="CASTESTSSO/[email protected]" />
>>     <property name="jcifsServicePassword" value="yummysushi" />
>>     <property name="kerberosDebug" value="true" />
>>     <property name="kerberosRealm" value="TEST.NINTENDO.COM" />
>>     <property name="kerberosKdc" value="10.2.40.31" />
>>     <property name="loginConf"
>>               value="c:/Program Files/Apache Software Foundation/Tomcat 6.0/webapps/cas-server-webapp-3.3.1/WEB-INF/login.conf" />
>> </bean>
>> 
>> JCIFSSpnegoAuthentication handler Bean Definition:
>> <bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler">
>>     <property name="authentication">
>>         <bean class="jcifs.spnego.Authentication"/>
>>     </property>
>>     <property name="principalWithDomainName" value="false" />
>>     <property name="NTLMallowed" value="true"/>
>> </bean>
>> 
>> 
>> login.conf   file
>> jcifs.spnego.initiate {
>>    com.sun.security.auth.module.Krb5LoginModule required  debug=true storeKey=true};
>> jcifs.spnego.accept {
>>    com.sun.security.auth.module.Krb5LoginModule required  debug=true storeKey=true};
>> 
>> 
>> Debug output:
>> 
>> 
>> 2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' beginning execution
>> 2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - SPNEGO Authorization header found with 2820 bytes
>> 2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Obtained token: `=♠♠+♠☺♣♣☻ 10- $0"♠     *+H,÷↕☺☻☻♠
>> *+H+÷↕☺☻
>> ☻♠
>> +♠☺♦☺,7☻☻ ......
>> ......
>> ......
>> 
>> 2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - Attempting to create TicketGrantingTicket for Principal is null
>> 2009-09-03 14:56:27,286 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Unable to obtain the output token required.
>> 2009-09-03 14:56:27,286 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Setting HTTP Status to 401
>> 2009-09-03 14:56:27,286 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' completed execution; result is 'error'
>> 
>> 
>> The app then falls back to LDAP authorization.  I see the token but, for
>> whatever reason, Kerberos is not happening.
>> 
>> Any help is much appreciated
>> 
>> Dean
> 
> -- 
> Andrew Feller, Business System Programmer
> LSU University Information Services
> 200 Frey Computing Services Center
> Baton Rouge, LA 70803
> Office: 225.578.3737
> Fax: 225.578.6400
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/SPNEGO-and-Kerberos-question....-tp25285010p25294547.html
Sent from the CAS Users mailing list archive at Nabble.com.
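
A quick way to see what a browser put in the Authorization: Negotiate header that SpnegoCredentialsAction logs in the thread above, added here as an example that is not part of the original messages or of CAS itself: it tells a bare NTLM message apart from a SPNEGO NegTokenInit and lists the mechanisms the client offered. The function names and both sample headers are constructed for illustration.

```python
import base64

MECHS = {  # mechanism OIDs commonly offered in browser Negotiate tokens
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (legacy Microsoft OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

def read_tlv(buf, pos):
    """Parse one DER element; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:  # base-128 digits, high bit set means "more follows"
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def classify_negotiate(header_value):
    """Classify the base64 token of an 'Authorization: Negotiate ...' value."""
    token = base64.b64decode(header_value.split()[-1])
    if token.startswith(b"NTLMSSP\x00"):  # bare NTLM, no GSS-API framing
        return {"kind": "raw NTLM", "mechs": []}
    tag, pos, _ = read_tlv(token, 0)  # 0x60 = GSS-API InitialContextToken
    oid_tag, start, pos = read_tlv(token, pos)  # thisMech, SPNEGO = 1.3.6.1.5.5.2
    if (tag, oid_tag) != (0x60, 0x06) or decode_oid(token[start:pos]) != "1.3.6.1.5.5.2":
        return {"kind": "not SPNEGO", "mechs": []}
    for expected in (0xA0, 0x30, 0xA0, 0x30):  # [0] NegTokenInit, SEQUENCE, [0] mechTypes, SEQUENCE OF OID
        tag, pos, end = read_tlv(token, pos)
        if tag != expected:
            return {"kind": "SPNEGO, not a NegTokenInit", "mechs": []}
    oids = []
    while pos < end:
        _, start, pos = read_tlv(token, pos)
        oids.append(decode_oid(token[start:pos]))
    return {"kind": "SPNEGO", "mechs": [MECHS.get(o, o) for o in oids]}

# Constructed samples: a NegTokenInit offering three mechanisms, and an NTLM message.
SPNEGO_HEADER = "Negotiate " + base64.b64encode(bytes.fromhex(
    "603206062b0601050502a0283026a024302206092a864886f712010202"
    "06092a864882f712010202060a2b06010401823702020a")).decode()
NTLM_HEADER = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

The mechanism list only shows what the client offered; whether the server side can accept the Kerberos ticket is decided separately by the service principal, keytab and login.conf settings.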

