Hi All,
After picking this up and then getting pulled off and picking it up again,
I finally got SPNEGO working behind a load balancer and thought I would
share some of the things I learned to help anyone attempting to implement
something similar avoid the same mistakes I made.
My configuration is:
Kerberos KDC: AD running on Windows 7 servers.
1 F5 BigIP -- HTTPS terminated at the load balancer
Two CAS servers (clustered) behind the BigIP. -- CAS servers are currently
using memcache as the ticket registry.
Tomcat5 is the container that CAS runs in.
Server boxes are running Red Hat Enterprise Linux 5
One big gotcha: SPNEGO will not work with Windows 7 clients and JDK 1.6
and earlier. You need JDK 1.7. See the following posting on the Sun forums:
http://forums.sun.com/thread.jspa?threadID=5408472
Since I am not an Active Directory expert I will just share some of my
observations.
1. It seems that AD only recognises the username you create the account
with, not any other SPNs you may map to your user name. If you create the
SPNEGO user account as _CAS_SERVICE, you need to specify the user name as
HTTP/<FQDN> of the machine running CAS. In the case of a load balancer, use
the FQDN of the VIP.
2. I created my AD CAS USER account under Active Directory Users and
Computers --> my realm -->Admin-->service.
3. After creating the user account, run the ktpass command on your AD
server. This enables a delegation tab in the AD administrative console where
you enable Kerberos delegation. Sample syntax:
ktpass /princ HTTP/[email protected]
/mapuser _CAS_USER /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /pass *
There are other supported crypto types and user principal types
however, I only had success with RC4-HMAC-NT and KRB5_NT_PRINCIPAL
Wait a little bit to let the change propagate through the forest and
then run the setspn command to be sure the account was created correctly:
setspn -L _CAS_USER
You should see a listing of the SPNs associated with your _CAS_USER
account.
On the CAS servers.
1. On RHEL, you need to enable winbind and Kerberos support. The
winbind config info for RHEL is found in the Samba config file smb.conf,
which I found odd since you do not need to run Samba to get this to work.
2. After enabling winbind and kerberos, you need to edit your
krb5.conf file. Since I only needed to support CAS my krb5.conf file is
bare bones and looks like this:
[libdefaults]
    default_realm = YOUR REALM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    # sets Kerberos to always use TCP; I was having issues with UDP
    udp_preference_limit = 1
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
[realms]
    YOUR REALM = {
        kdc = kdc1
        kdc = kdc1
        default_domain = YOUR DOMAIN
    }
# mapping your domain to realm
[domain_realm]
    YOUR DOMAIN = YOUR REALM
    .YOUR DOMAIN = YOUR REALM
After editing your krb5.conf file you can test the kerberos connection with
the kinit command:
kinit HTTP/<FQDN>
You should be prompted for the password associated with the name provided to
kinit. If it is successful you will return to the command prompt;
otherwise the error message will be displayed.
Now all you should have to do is follow the SPNEGO configuration directions
in the CASUM and you should be golden.
Hope this helps
Dean
--
View this message in context:
http://n4.nabble.com/CAS-SPNEGO-Kerberos-LoadBalancer-ActiveDirectory-tp1312316p1312316.html
Sent from the CAS Users mailing list archive at Nabble.com.
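The checks this post walks through (the SPN must be HTTP/<VIP FQDN>@REALM, it must show up in `setspn -L`, and krb5.conf must carry the TCP-only and enctype settings plus both domain_realm mappings), as an added example that is not part of Dean's post: a POSIX sh script run over constructed sample inputs. The realm, hostnames and setspn output are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Offline sanity checks for a
# SPNEGO-behind-a-load-balancer setup; all inputs below are constructed.

# Expected SPN for CAS behind a load balancer: HTTP/<VIP FQDN>@REALM,
# where the realm is the AD domain in upper case.
expected_spn() {
  vip_fqdn=$1; domain=$2
  printf 'HTTP/%s@%s\n' "$vip_fqdn" "$(printf '%s' "$domain" | tr 'a-z' 'A-Z')"
}

# Return 0 if `setspn -L` output lists HTTP/<VIP FQDN>, 1 otherwise.
# Strips CRs (output pasted from Windows) and leading indentation.
spn_registered() {
  setspn_output=$1; vip_fqdn=$2
  printf '%s\n' "$setspn_output" | tr -d '\r' | sed 's/^[[:space:]]*//' \
    | grep -qixF -- "HTTP/$vip_fqdn"
}

# Check krb5.conf for the settings the post found necessary. Prints each
# missing item and returns the number missing (0 = all present).
# rc4-hmac mirrors the post; AES enctypes are preferable where the KDC
# supports them.
check_krb5_conf() {
  conf=$1; domain=$2; realm=$3; missing=0
  for want in "default_realm = $realm" "udp_preference_limit = 1" \
              "default_tkt_enctypes = rc4-hmac" "default_tgs_enctypes = rc4-hmac" \
              "$domain = $realm" ".$domain = $realm"
  do
    # normalise indentation and spacing around '=' before comparing
    if ! printf '%s\n' "$conf" \
         | sed 's/^[[:space:]]*//; s/[[:space:]]*=[[:space:]]*/ = /' \
         | grep -qxF -- "$want"; then
      echo "missing: $want"; missing=$((missing + 1))
    fi
  done
  return $missing
}

# Constructed samples (placeholder realm/hosts). The krb5.conf deliberately
# lacks the ".example.com" domain_realm mapping so the check reports it.
SAMPLE_KRB5_CONF='[libdefaults]
  default_realm = EXAMPLE.COM
  udp_preference_limit = 1
  default_tkt_enctypes = rc4-hmac
  default_tgs_enctypes = rc4-hmac
[realms]
  EXAMPLE.COM = { kdc = kdc1.example.com }
[domain_realm]
  example.com = EXAMPLE.COM'
SAMPLE_SETSPN='Registered ServicePrincipalNames for CN=_CAS_USER,OU=service,DC=example,DC=com:
	HTTP/cas.example.com'

expected_spn cas.example.com example.com
spn_registered "$SAMPLE_SETSPN" cas.example.com && echo "SPN for VIP present"
check_krb5_conf "$SAMPLE_KRB5_CONF" example.com EXAMPLE.COM || echo "krb5.conf problems: $?"
```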