IMHO that's correct. We are using the same scenario, involving about ten casified apps. The user does not need to log in anywhere but his workstation.

Dean, check whether your AD server's fully qualified name can be resolved; DNS must work, direct and inverse. Check for aliases in the hosts file, if any, and remove them (it's better not to use the hosts file if possible).


Regards.


Juan Manuel Rodríguez.


deanhe01 wrote:
Andrew,

  Won't the user still have to enter credentials to log in?

  The use case I was attempting with SPNEGO and KERBEROS was:

   User logs in to their workstation(within the corporate network)
   User starts a CAS enabled webapp
   User does not need to enter their credentials again.
   If the SPNEGO fails, fall back to the LDAP authenticator (i.e. CAS with LDAP auth)

Is SPNEGO the correct choice? (I did get it working with NTLM; however, we
have since moved to AD and Kerberos, so no more NTLM.)

Andrew Feller wrote:
Dean,

The main Active Directory page (
http://www.ja-sig.org/wiki/display/CASUM/Active+Directory ) contains
links:

SPNEGO   ( http://www.ja-sig.org/wiki/display/CASUM/SPNEGO )
LDAP     ( http://www.ja-sig.org/wiki/display/CASUM/LDAP )
Kerberos ( http://www.ja-sig.org/wiki/display/CASUM/JAAS )

The Kerberos documentation is pretty much what you need, though I don't
think the JAAS configuration needs to be as complicated as it is; depends
on your AD setup.

HTH,
A-


On 9/4/09 8:40 AM, "deanhe01" <[email protected]> wrote:

Andrew,

   Other than having no real experience using Kerberos in a project before
now, ...no.  I was able to get a test program using JAAS and the
KrbLoginModule to work just fine.  Can you point me to any
documentation/wiki that contains best practices for integration with CAS?

Thanks

Dean


Andrew Feller wrote:
Dean,

Is there any reason why you chose SPNEGO over JAAS using KrbLoginModule?


On 9/3/09 5:13 PM, "deanhe01" <[email protected]> wrote:

After reading through the tutorial and several threads here on the forum, I
have not been successful in getting CAS to auth with SPNEGO and Kerberos.

Active Directory is our Kerberos Server.
The service account is created
ktpass has been run and the SPN mappings are correct.

jcifsConfig Bean Definition:
<bean name="jcifsConfig"
      class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
    <property name="jcifsServicePrincipal" value="CASTESTSSO/[email protected]" />
    <property name="jcifsServicePassword" value="yummysushi" />
    <property name="kerberosDebug" value="true" />
    <property name="kerberosRealm" value="TEST.NINTENDO.COM" />
    <property name="kerberosKdc" value="10.2.40.31" />
    <property name="loginConf"
              value="c:/Program Files/Apache Software Foundation/Tomcat 6.0/webapps/cas-server-webapp-3.3.1/WEB-INF/login.conf" />
</bean>

JCIFSSpnegoAuthentication handler Bean Definition:
<bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler">
    <property name="authentication">
        <bean class="jcifs.spnego.Authentication"/>
    </property>
    <property name="principalWithDomainName" value="false" />
    <property name="NTLMallowed" value="true"/>
</bean>


login.conf   file
jcifs.spnego.initiate {
   com.sun.security.auth.module.Krb5LoginModule required  debug=true storeKey=true};
jcifs.spnego.accept {
   com.sun.security.auth.module.Krb5LoginModule required  debug=true storeKey=true};


Debug output:


2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' beginning execution
2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - SPNEGO Authorization header found with 2820 bytes
2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Obtained token: `=♠♠+♠☺♣♣☻ 10- $0"♠     *+H,÷↕☺☻☻♠
*+H+÷↕☺☻
☻♠
+♠☺♦☺,7☻☻ ......
......
......

2009-09-03 14:56:27,270 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - Attempting to create TicketGrantingTicket for Principal is null
2009-09-03 14:56:27,286 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Unable to obtain the output token required.
2009-09-03 14:56:27,286 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Setting HTTP Status to 401
2009-09-03 14:56:27,286 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' completed execution; result is 'error'


The app then falls back to ldap authorization.  I see the token but, for
whatever reason, Kerberos is not happening.

Any help is much appreciated

Dean
--
Andrew Feller, Business System Programmer
LSU University Information Services
200 Frey Computing Services Center
Baton Rouge, LA 70803
Office: 225.578.3737
Fax: 225.578.6400



--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
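
A diagnostic for the situation in the thread, where CAS logs a Negotiate token but no Kerberos login follows. This is an added example, not code from the thread or from the CAS project: it decodes an `Authorization: Negotiate` value and reports whether the client sent a raw NTLM message or a SPNEGO token, and which mechanisms it offered. The sample headers and all function names are constructed for illustration.

```python
import base64
SPNEGO_OID = "1.3.6.1.5.5.2"
MECHS = {  # mechanism OIDs commonly offered inside SPNEGO
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (legacy Microsoft OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
# Constructed samples: a NegTokenInit carrying only mechTypes, and a bare NTLM message.
SAMPLE_SPNEGO_HEADER = "Negotiate " + base64.b64encode(bytes.fromhex(
    "603206062b0601050502a0283026a0243022" "06092a864882f712010202"
    "06092a864886f712010202" "060a2b06010401823702020a")).decode()
SAMPLE_NTLM_HEADER = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00").decode()

def read_tlv(buf, pos):
    # Return (tag, value, next_pos) for the DER element starting at pos.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def classify_negotiate(header):
    # Return (kind, offered_mechanisms) for an Authorization header value.
    scheme, _, b64 = header.partition(" ")
    raw = base64.b64decode(b64) if scheme.lower() == "negotiate" else b""
    if raw.startswith(b"NTLMSSP\x00"):  # client skipped SPNEGO, sent raw NTLM
        return ("raw-ntlm", ["NTLMSSP"])
    if raw[:1] != b"\x60":  # GSS-API initial tokens start with tag 0x60
        return ("unknown", [])
    _, body, _ = read_tlv(raw, 0)
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        return ("gssapi-non-spnego", [])
    mech_seq = body[pos:]
    for _ in range(4):  # [0] NegTokenInit, SEQUENCE, [0] mechTypes, SEQUENCE OF
        _, mech_seq, _ = read_tlv(mech_seq, 0)
    names, p = [], 0
    while p < len(mech_seq):
        _, oid, p = read_tlv(mech_seq, p)
        names.append(MECHS.get(decode_oid(oid), decode_oid(oid)))
    return ("spnego", names)
```

Pass it the header value captured from the browser request. A `raw-ntlm` result typically means the client did not obtain a Kerberos service ticket for the CAS host name, which points back at the SPN and DNS checks discussed above.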


