Andrew, Won't the user still have to enter credentials to log in?
The use case I was attempting with SPNEGO and KERBEROS was:

User logs in to their workstation (within the corporate network)
User starts a CAS enabled webapp
User does not need to enter their credentials again.
If the SPNEGO fails, fall back to the LDAP authenticator (i.e. CAS with LDAP auth)

Is SPNEGO the correct choice? (I did get it working with NTLM however we have since moved to AD and Kerberos so no more NTLM)

Andrew Feller wrote:
>
> Dean,
>
> The main Active Directory page (
> http://www.ja-sig.org/wiki/display/CASUM/Active+Directory ) contains
> links:
>
> SPNEGO ( http://www.ja-sig.org/wiki/display/CASUM/SPNEGO )
> LDAP ( http://www.ja-sig.org/wiki/display/CASUM/LDAP )
> Kerberos ( http://www.ja-sig.org/wiki/display/CASUM/JAAS )
>
> The Kerberos documentation is pretty much what you need though I don't think
> the JAAS configuration needs to be as complicated as it is; depends on your
> AD setup.
>
> HTH,
> A-
>
>
> On 9/4/09 8:40 AM, "deanhe01" <[email protected]> wrote:
>
>> Andrew,
>>
>> Other than having no real experience using Kerberos in a project before
>> now, ...no. I was able to get a test program using JAAS and the
>> KrbLoginModule to work just fine. Can you point me to any
>> documentation/wiki that contains best practices for integration with CAS?
>>
>> Thanks
>>
>> Dean
>>
>>
>> Andrew Feller wrote:
>>>
>>> Dean,
>>>
>>> Is there any reason why you chose SPNEGO over JAAS using KrbLoginModule?
>>>
>>>
>>> On 9/3/09 5:13 PM, "deanhe01" <[email protected]> wrote:
>>>
>>>> After reading through the tutorial and several threads here on the forum I
>>>> have not been successful in getting CAS to auth with SPNEGO and Kerberos.
>>>>
>>>> Active Directory is our Kerberos Server.
>>>> The service account is created
>>>> ktpass has been run and the SPN mappings are correct.
>>>>
>>>> jcifsConfig Bean Definition:
>>>> <bean name="jcifsConfig"
>>>>     class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
>>>>   <property name="jcifsServicePrincipal"
>>>>       value="CASTESTSSO/[email protected]" />
>>>>   <property name="jcifsServicePassword" value="yummysushi" />
>>>>   <property name="kerberosDebug" value="true" />
>>>>   <property name="kerberosRealm" value="TEST.NINTENDO.COM" />
>>>>   <property name="kerberosKdc" value="10.2.40.31" />
>>>>   <property name="loginConf"
>>>>       value="c:/Program Files/Apache Software Foundation/Tomcat 6.0/webapps/cas-server-webapp-3.3.1/WEB-INF/login.conf" />
>>>> </bean>
>>>>
>>>> JCIFSSpnegoAuthentication handler Bean Definition:
>>>> <bean
>>>>     class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler">
>>>>   <property name="authentication">
>>>>     <bean class="jcifs.spnego.Authentication"/>
>>>>   </property>
>>>>   <property name="principalWithDomainName" value="false" />
>>>>   <property name="NTLMallowed" value="true"/>
>>>> </bean>
>>>>
>>>>
>>>> login.conf file
>>>> jcifs.spnego.initiate {
>>>>   com.sun.security.auth.module.Krb5LoginModule required debug=true
>>>>   storeKey=true};
>>>> jcifs.spnego.accept {
>>>>   com.sun.security.auth.module.Krb5LoginModule required debug=true
>>>>   storeKey=true};
>>>>
>>>>
>>>> Debug output:
>>>>
>>>>
>>>> 2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' beginning execution
>>>> 2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - SPNEGO Authorization header found with 2820 bytes
>>>> 2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Obtained token: `=♠♠+♠☺♣♣☻ 10- $0"♠ *+H,÷↕☺☻☻♠ *+H+÷↕☺☻ ☻♠ +♠☺♦☺,7☻☻ ......
>>>> ......
>>>> ......
>>>>
>>>> 2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - Attempting to create TicketGrantingTicket for Principal is null
>>>> 2009-09-03 14:56:27,286 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Unable to obtain the output token required.
>>>> 2009-09-03 14:56:27,286 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Setting HTTP Status to 401
>>>> 2009-09-03 14:56:27,286 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' completed execution; result is 'error'
>>>>
>>>>
>>>> The app then falls back to ldap authorization. I see the token but, for
>>>> whatever reason, Kerberos is not happening.
>>>>
>>>> Any help is much appreciated
>>>>
>>>> Dean
>>>
>>> --
>>> Andrew Feller, Business System Programmer
>>> LSU University Information Services
>>> 200 Frey Computing Services Center
>>> Baton Rouge, LA 70803
>>> Office: 225.578.3737
>>> Fax: 225.578.6400
>
> --
> Andrew Feller, Business System Programmer
> LSU University Information Services
> 200 Frey Computing Services Center
> Baton Rouge, LA 70803
> Office: 225.578.3737
> Fax: 225.578.6400

--
View this message in context: http://www.nabble.com/SPNEGO-and-Kerberos-question....-tp25285010p25303506.html
Sent from the CAS Users mailing list archive at Nabble.com.
-- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
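
Added example, not part of the original thread and not CAS or jCIFS code: with `NTLMallowed` enabled, as in the handler definition quoted above, a first diagnostic step is to check what the browser actually sent in `Authorization: Negotiate`, a SPNEGO token offering Kerberos or a bare NTLMSSP message. The function names and the sample token are this example's own; the sample is constructed and carries only a mechanism list in the same OID order as the bytes visible in the debug log.

```python
import base64

# Mechanism OIDs from RFC 4178 (SPNEGO), RFC 4121 (Kerberos 5) and MS-SPNG.
MECHS = {"1.2.840.113554.1.2.2": "Kerberos 5", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
         "1.2.840.48018.1.2.2": "Kerberos 5 (legacy Microsoft OID)"}

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):  # DER OID content bytes -> dotted string
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def offered_mechs(header_value):  # value of the Authorization request header
    scheme, _, b64 = header_value.partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):  # bare NTLM message, no SPNEGO wrapper
        return ["NTLMSSP (raw, not SPNEGO)"]
    tag, pos, _ = read_tlv(token, 0)  # 0x60 = GSS-API initial context token
    oid_tag, start, pos = read_tlv(token, pos)  # thisMech, must be the SPNEGO OID
    if (tag, oid_tag) != (0x60, 0x06) or decode_oid(token[start:pos]) != "1.3.6.1.5.5.2":
        raise ValueError("not a SPNEGO initial token")
    for expected in (0xA0, 0x30, 0xA0, 0x30):  # [0] -> NegTokenInit -> [0] mechTypes -> SEQUENCE
        tag, pos, stop = read_tlv(token, pos)
        if tag != expected:
            raise ValueError("unexpected NegTokenInit layout")
    mechs = []
    while pos < stop:  # each element of mechTypes is one mechanism OID
        _, start, pos = read_tlv(token, pos)
        oid = decode_oid(token[start:pos])
        mechs.append(MECHS.get(oid, oid))
    return mechs

SAMPLE = "Negotiate " + base64.b64encode(bytes.fromhex(  # constructed: mechTypes only
    "603206062b0601050502a0283026a0243022" "06092a864882f712010202"
    "06092a864886f712010202" "060a2b06010401823702020a")).decode()
```

A raw NTLMSSP result, or a list that contains only NTLMSSP, means the client did not offer Kerberos for that request.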
