Dean, if any of this should be in our wiki, would you mind updating/adding it? We don't do SPNEGO authentication here, so we rely on the kindness of others to keep that up to date :-)
Thanks!
Scott

On Wed, Jan 27, 2010 at 6:47 PM, Dean Heisey <[email protected]> wrote:
>
> Hi All,
>
> After picking this up and then getting pulled off and picking it up again,
> I finally got SPNEGO working behind a load balancer and thought I would
> share some of the things I learned to help anyone attempting to implement
> something similar avoid the same mistakes I made.
>
> My configuration is:
>
> Kerberos KDC: AD running on Windows 7 servers.
> 1 F5 BigIP -- HTTPS terminated at the load balancer
> Two CAS servers (clustered) behind the BigIP. -- CAS servers are currently
> using memcache as the ticket registry.
> Tomcat5 is the container that CAS runs in.
> Server boxes are running Red Hat Enterprise Linux 5
>
> One big gotcha. SPNEGO will not work with Windows 7 clients and JDK 1.6
> and earlier. You need JDK 1.7. See the following posting on the Sun
> forums:
> http://forums.sun.com/thread.jspa?threadID=5408472
>
> Since I am not an Active Directory expert I will just share some of my
> observations.
>
> 1. It seems that AD only recognises the username you create the account
> with, not any other SPNs you may map to your user name. If you create the
> spnego user account as _CAS_SERVICE, you need to specify the user name as
> HTTP/<FQDN> of the machine running CAS. In the case of a load balancer, use
> the FQDN of the VIP.
>
> 2. I created my AD CAS USER account under Active Directory Users and
> Computers --> my realm --> Admin --> service.
>
> 3. After creating the user account, run the ktpass command on your AD
> server. This enables a delegation tab in the AD administrative console where
> you enable Kerberos delegation.
>
> Sample syntax:
>
> ktpass /princ HTTP/[email protected]
> /mapuser _CAS_USER /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /pass *
>
> There are other supported crypto types and user principal types;
> however, I only had success with RC4-HMAC-NT and KRB5_NT_PRINCIPAL.
>
> Wait a little bit to let the change propagate through the forest and
> then run the setspn command to be sure the account was created correctly:
> setspn -L _CAS_USER
>
> You should see a listing of the SPNs associated with your _CAS_USER
> account.
>
> On the CAS servers.
>
> 1. On RHEL, you need to enable winbind and Kerberos support. The
> winbind config info for RHEL is found in the Samba config file smb.conf,
> which I found odd since you do not need to run Samba to get this to work.
>
> 2. After enabling winbind and Kerberos, you need to edit your
> krb5.conf file. Since I only needed to support CAS my krb5.conf file is
> bare bones and looks like this:
>
> [libdefaults]
> default_realm = YOUR REALM
> dns_lookup_realm = true
> dns_lookup_kdc = true
> udp_preference_limit = 1 -- sets Kerberos to always use TCP; I was
> having issues with UDP
> default_tkt_enctypes = rc4-hmac
> default_tgs_enctypes = rc4-hmac
>
> [realms]
>
> YOUR REALM = {
> kdc = kdc1
> kdc = kdc1
> default_domain = YOUR DOMAIN
> }
>
> [domain_realm] --- mapping your domain to realm
> YOUR DOMAIN = YOUR REALM
> .YOUR DOMAIN = YOUR REALM
>
> After editing your krb5.conf file you can test the Kerberos connection with
> the kinit command:
>
> kinit HTTP/<FQDN>
>
> You should be prompted for the password associated with the name provided to
> kinit. If it is successful you will return to the command prompt;
> otherwise the error message will be displayed.
>
> Now all you should have to do is follow the SPNEGO configuration directions
> in the CASUM and you should be golden.
>
> Hope this helps
>
> Dean
>
> --
> View this message in context:
> http://n4.nabble.com/CAS-SPNEGO-Kerberos-LoadBalancer-ActiveDirectory-tp1312316p1312316.html
> Sent from the CAS Users mailing list archive at Nabble.com.
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
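The SPN, krb5.conf and setspn steps in Dean's message can be checked mechanically before anyone opens a browser. The script below is an added example and is not code from this thread, from CAS or from Jasig. It parses a constructed krb5.conf laid out like the one quoted above and a constructed `setspn -L` listing (the realm EXAMPLE.COM, the hosts cas.example.com / kdc1.example.com / kdc2.example.com and the account _CAS_USER are all hypothetical), then verifies the points that bite behind a load balancer: the SPN HTTP/<VIP FQDN> must be registered on the service account, the [domain_realm] section must map both the bare domain and its dotted form, the realm must list distinct KDCs (a kdc line pasted twice usually means a second KDC was intended), and rc4-hmac is flagged because RC4 is a deprecated Kerberos enctype; AES (aes256-cts-hmac-sha1-96) is the current default in both Active Directory and MIT Kerberos. `preflight()` returns the findings as a list, empty when everything checks out.

```python
"""SPNEGO-behind-a-load-balancer preflight checks (added example, not from the thread)."""
import re

# Constructed sample krb5.conf in the layout quoted in the thread; all values hypothetical.
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  udp_preference_limit = 1
  default_tkt_enctypes = rc4-hmac
  default_tgs_enctypes = rc4-hmac

[realms]
  EXAMPLE.COM = {
    kdc = kdc1.example.com
    kdc = kdc2.example.com
    default_domain = example.com
  }

[domain_realm]
  example.com = EXAMPLE.COM
  .example.com = EXAMPLE.COM
"""

# Constructed sample output of `setspn -L _CAS_USER`; account and hosts hypothetical.
SAMPLE_SETSPN_OUTPUT = """
Registered ServicePrincipalNames for CN=_CAS_USER,OU=service,OU=Admin,DC=example,DC=com:
        HTTP/cas.example.com
        HTTP/cas1.example.com
"""

# Enctypes that should no longer be pinned for a web SSO service.
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "des-cbc-crc", "des-cbc-md5"}


def parse_krb5_conf(text):
    """Parse the krb5.conf subset used in the thread into {section: {key: [values]}}.
    Keys inside a realm block are stored as 'REALM.key'; repeated keys (kdc) keep every value."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, realm = header.group(1), None
            conf.setdefault(section, {})
            continue
        if section is None:
            continue  # ignore anything before the first [section]
        if line.endswith("{"):
            realm = line[:-1].strip().rstrip("=").strip()  # "EXAMPLE.COM = {"
            continue
        if line == "}":
            realm = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if realm:
            key = f"{realm}.{key}"
        conf[section].setdefault(key, []).append(value)
    return conf


def parse_setspn(text):
    """Return the set of SPNs from `setspn -L` output (the indented lines after the header)."""
    return {ln.strip() for ln in text.splitlines() if ln.startswith((" ", "\t")) and "/" in ln}


def preflight(krb5_text, setspn_text, vip_fqdn):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_krb5_conf(krb5_text)
    spns = parse_setspn(setspn_text)
    findings = []

    libdefaults = conf.get("libdefaults", {})
    realm = libdefaults.get("default_realm", [None])[0]
    if not realm:
        findings.append("[libdefaults] has no default_realm")
    elif f"{realm}.kdc" not in conf.get("realms", {}):
        findings.append(f"[realms] defines no kdc for {realm}")
    else:
        kdcs = conf["realms"][f"{realm}.kdc"]
        if len(kdcs) != len(set(kdcs)):
            findings.append(f"duplicate kdc entries for {realm}: {kdcs}")

    # The browser derives the SPN from the URL host, i.e. the VIP FQDN, so exactly that SPN
    # (not the backend node names) must be registered on the service account.
    if f"HTTP/{vip_fqdn}" not in spns:
        findings.append(f"HTTP/{vip_fqdn} not registered on the service account; found {sorted(spns)}")

    # [domain_realm] must map both the bare domain and the dotted wildcard form to the realm.
    domain = vip_fqdn.partition(".")[2]
    if not domain:
        findings.append(f"{vip_fqdn} is not a fully qualified name")
    else:
        mapping = conf.get("domain_realm", {})
        for name in (domain, "." + domain):
            if mapping.get(name, [None])[0] != realm:
                findings.append(f"[domain_realm] does not map {name} to {realm}")

    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        for enc in libdefaults.get(key, []):
            if enc.lower() in WEAK_ENCTYPES:
                findings.append(f"{key} pins weak enctype {enc}; prefer aes256-cts-hmac-sha1-96")
    return findings


if __name__ == "__main__":
    for finding in preflight(SAMPLE_KRB5_CONF, SAMPLE_SETSPN_OUTPUT, "cas.example.com"):
        print("FINDING:", finding)
```

Run against the samples as written it reports only the two rc4-hmac findings; pointing it at a VIP name that is not in the setspn listing, or at a krb5.conf with the same kdc pasted twice, produces the corresponding finding, which is the same mismatch kinit and the browser would otherwise surface as an opaque failure.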
