Dean,

The main Active Directory page ( http://www.ja-sig.org/wiki/display/CASUM/Active+Directory ) contains links:

SPNEGO ( http://www.ja-sig.org/wiki/display/CASUM/SPNEGO )
LDAP ( http://www.ja-sig.org/wiki/display/CASUM/LDAP )
Kerberos ( http://www.ja-sig.org/wiki/display/CASUM/JAAS )

The Kerberos documentation is pretty much what you need though I don't think the JAAS configuration needs to be as complicated as it is; depends on your AD setup.

HTH,
A-

On 9/4/09 8:40 AM, "deanhe01" <[email protected]> wrote:

>
> Andrew,
>
> Other than having no real experience using Kerberos in a project before
> now, ...no. I was able to get a test program using JAAS and the
> KrbLoginModule to work just fine. Can you point me to any
> documentation/wiki that contains best practices for integration with CAS?
>
> Thanks
>
> Dean
>
>
> Andrew Feller wrote:
>>
>> Dean,
>>
>> Is there any reason why you chose SPNEGO over JAAS using KrbLoginModule?
>>
>>
>> On 9/3/09 5:13 PM, "deanhe01" <[email protected]> wrote:
>>
>>>
>>> After reading through the tutorial and several threads here on the forum
>>> I have not been successful in getting CAS to auth with SPNEGO and Kerberos.
>>>
>>> Active Directory is our Kerberos Server.
>>> The service account is created
>>> ktpass has been run and the SPN mappings are correct.
>>>
>>> jcifsConfig Bean Definition:
>>> <bean name="jcifsConfig"
>>>       class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
>>>   <property name="jcifsServicePrincipal"
>>>             value="CASTESTSSO/[email protected]" />
>>>   <property name="jcifsServicePassword" value="yummysushi" />
>>>   <property name="kerberosDebug" value="true" />
>>>   <property name="kerberosRealm" value="TEST.NINTENDO.COM" />
>>>   <property name="kerberosKdc" value="10.2.40.31" />
>>>   <property name="loginConf"
>>>             value="c:/Program Files/Apache Software Foundation/Tomcat 6.0/webapps/cas-server-webapp-3.3.1/WEB-INF/login.conf" />
>>> </bean>
>>>
>>> JCIFSSpnegoAuthentication handler Bean Definition:
>>> <bean
>>>       class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler">
>>>   <property name="authentication">
>>>     <bean class="jcifs.spnego.Authentication"/>
>>>   </property>
>>>   <property name="principalWithDomainName" value="false" />
>>>   <property name="NTLMallowed" value="true"/>
>>> </bean>
>>>
>>>
>>> login.conf file
>>> jcifs.spnego.initiate {
>>>   com.sun.security.auth.module.Krb5LoginModule required debug=true
>>>   storeKey=true};
>>> jcifs.spnego.accept {
>>>   com.sun.security.auth.module.Krb5LoginModule required debug=true
>>>   storeKey=true};
>>>
>>>
>>> Debug output:
>>>
>>>
>>> 2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' beginning execution
>>> 2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - SPNEGO Authorization header found with 2820 bytes
>>> 2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Obtained token: `=♠♠+♠☺♣♣☻ 10- $0"♠ *+H,÷↕☺☻☻♠
>>> *+H+÷↕☺☻
>>> ☻♠
>>> +♠☺♦☺,7☻☻ ......
>>> ......
>>> ......
>>>
>>> 2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - Attempting to create TicketGrantingTicket for Principal is null
>>> 2009-09-03 14:56:27,286 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Unable to obtain the output token required.
>>> 2009-09-03 14:56:27,286 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Setting HTTP Status to 401
>>> 2009-09-03 14:56:27,286 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' completed execution; result is 'error'
>>>
>>>
>>> The app then falls back to ldap authorization. I see the token but, for
>>> whatever reason, Kerberos is not happening.
>>>
>>> Any help is much appreciated
>>>
>>> Dean
>>
>> --
>> Andrew Feller, Business System Programmer
>> LSU University Information Services
>> 200 Frey Computing Services Center
>> Baton Rouge, LA 70803
>> Office: 225.578.3737
>> Fax: 225.578.6400
>>
>>
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>>
>>

--
Andrew Feller, Business System Programmer
LSU University Information Services
200 Frey Computing Services Center
Baton Rouge, LA 70803
Office: 225.578.3737
Fax: 225.578.6400
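
Added example, not part of the original thread and not CAS or jCIFS code: the debug log above shows a Negotiate token arriving (it starts with a backtick, byte 0x60, the GSS-API initial-token tag) but no output token being produced. This Python parser lists the mechanisms a client offered in such a header, to tell a Kerberos offer from an NTLM-only one; the function names and the sample token are constructed for illustration.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
MECHS = {  # well-known GSS-API mechanism OIDs
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (Microsoft legacy OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

def read_tlv(buf, pos, want):  # returns (value, next_pos) after checking the tag
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError(f"expected tag 0x{want:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the size of the length field
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def offered_mechanisms(header_value):
    """List the mechanisms offered in an 'Authorization: Negotiate <b64>' value."""
    token = base64.b64decode(header_value.split()[-1])
    if token.startswith(b"NTLMSSP\x00"):  # bare NTLM, no SPNEGO wrapper
        return ["NTLMSSP (raw)"]
    body, _ = read_tlv(token, 0, 0x60)  # GSS-API initial token
    oid, pos = read_tlv(body, 0, 0x06)
    if decode_oid(oid) != SPNEGO_OID:
        raise ValueError("GSS token is not SPNEGO: " + decode_oid(oid))
    rest = body[pos:]
    for tag in (0xA0, 0x30, 0xA0, 0x30):  # NegTokenInit -> SEQUENCE -> mechTypes -> list
        rest, _ = read_tlv(rest, 0, tag)
    out, pos = [], 0
    while pos < len(rest):
        oid, pos = read_tlv(rest, pos, 0x06)
        out.append(MECHS.get(decode_oid(oid), decode_oid(oid)))
    return out

SAMPLE_HEX = ("603206062b0601050502a0283026a0243022" "06092a864882f712010202"
              "06092a864886f712010202" "060a2b06010401823702020a")  # constructed sample
SAMPLE = "Negotiate " + base64.b64encode(bytes.fromhex(SAMPLE_HEX)).decode()
```

If only NTLMSSP is listed for a real header, the client never offered Kerberos, so the failure lies before the server-side JAAS configuration is consulted.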
