Getting CAS, SPNEGO and Kerberos working together requires patience and a willingness to tinker with configuration. I am outlining the steps I had to take to get this working in my configuration; your mileage may vary.
For a basic description of what happens between the browser and CAS during a SPNEGO request, see the CASUM page for SPNEGO: http://www.ja-sig.org/wiki/display/CASUM/SPNEGO

For SPNEGO to work, each application must have a service principal registered at the Kerberos server; in our case the application is CAS, and we need a service user (principal). The SPN must be in the following format:

    HTTP/<fully qualified domain name>

In response to the WWW-Authenticate: Negotiate challenge, the browser obtains a ticket for HTTP/<FQDN> and returns it inside the SPNEGO token. If you turn on debug in the CAS server for cas jcifs, you can see the SPNEGO token in the log.

Steps to create a CAS_USER in Active Directory on Windows:

 1. Open the Active Directory Users and Computers admin console.
 2. Create a user, setting the user logon name to HTTP/<fully qualified domain name of the server hosting CAS>.
 3. Enter a password, and be sure to select the "User cannot change password" and "Password never expires" options.
 4. After creating the user, open the user properties editor by double-clicking on the user you just created.
 5. On the Account tab, set the user logon name (pre-Windows 2000) to your user name, i.e. if you just created a user named CAS_SERVICE, set the pre-Win2k name to CAS_SERVICE.
 6. Apply the property change.
 7. Run the ktpass command from the command line to create the SPN mapping of HTTP/<FQDN> to your CAS user:

        ktpass /princ HTTP/my.host....@my DOMAIN /mapuser <my cas user>@MY DOMAIN /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT /pass *

 8. After running this command, double-click on the user in the Active Directory Users and Computers admin console.
 9. Click on the Delegation tab (this shows up after running ktpass) and select "Trust this user for delegation to any service (Kerberos only)".
10. Apply the changes.

Configure your CAS host OS for Kerberos

Since my CAS servers run in Tomcat on Red Hat Enterprise Linux servers, these steps are specific to that environment.
Red Hat requires that you enable Kerberos support and winbind support. Use the System --> Administration --> Authentication --> Authentication tab available from the system menu, or just edit the /etc/krb5.conf file by hand. The krb5.conf file should look something like this (I use DNS to look up the realm and KDC and do not use a keytab file):

    [libdefaults]
      default_realm = KERBEROS REALM
      dns_lookup_realm = true
      dns_lookup_kdc = true
      udp_preference_limit = 1
      default_tkt_enctypes = rc4-hmac
      default_tgs_enctypes = rc4-hmac

    [realms]
      NOA.NINTENDO.COM = {
        kdc = FQDN of kdc
        kdc = FQDN of kdc            (one line for each KDC you have in your realm)
        default_domain = MY DOMAIN   (in my case this is my Windows domain since I am using AD; I have three that I use, one for dev, one for test, and our prod domain)
      }

    [domain_realm]                   (this is the Windows domain to Kerberos realm mapping)
      my.domain = MY KERBEROS REALM

The default tkt and tgs enctypes need to be set to rc4-hmac. Windows Server 2008 supports encryption up to AES-256; however, not all Kerberos clients do, including the CAS server's Kerberos client. The encryption is forced down to rc4-hmac for compatibility with CAS.

The udp_preference_limit = 1 setting forces TCP to be used instead of UDP. With Windows Server 2003 the packet size was small enough for UDP; the upgrade to Server 2008 increased the packet size, so the first request was too big and a second request to the KDC for credentials was needed. Forcing TCP from the start avoids that extra round trip and reduces network traffic.

For Red Hat, the /etc/samba/smb.conf file should have the following auth config options set:

    workgroup = <Your Windows Domain>
    security = ads                   (specifies to use Active Directory)

After all this you can test Kerberos connectivity with the kinit command:

    kinit <the name you mapped in step 7 above>

You will be prompted for the password; enter it, and if everything works correctly the kinit command returns without an error. Use klist to list the cached Kerberos tickets; you should see the principal set to your user.
Configure your CAS server

Now you are ready to configure your CAS server. You will need to create a file called login.conf. It should look like this:

    jcifs.spnego.initiate {
        com.sun.security.auth.module.Krb5LoginModule required debug=false storeKey=true;
    };
    jcifs.spnego.accept {
        com.sun.security.auth.module.Krb5LoginModule required debug=false storeKey=true;
    };

In your CAS deployerConfigContext.xml do the following.

Add the SpnegoCredentialsToPrincipalResolver bean to your list of credentialToPrincipalResolvers:

    <bean class="org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver" />

Add the JCIFSSpnegoAuthenticationHandler bean to your list of authenticationHandlers:

    <bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler">
        <property name="authentication">
            <bean class="jcifs.spnego.Authentication" />
        </property>
        <property name="principalWithDomainName" value="false" />
        <property name="NTLMallowed" value="false" />
    </bean>

Finally, add the JCIFSConfig bean to your deployerConfigContext:

    <bean name="jcifsConfig" class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
        <property name="jcifsServicePrincipal" value="${cas.jcifs.service.principal}" />
        <property name="jcifsServicePassword" value="${cas.jcifs.service.password}" />
        <property name="kerberosDebug" value="${cas.jcifs.kerberos.debug}" />
        <property name="kerberosConf" value="${cas.kerberos.conf.path}" />
        <property name="loginConf" value="${cas.jcifs.login.conf.path}" />
    </bean>

jcifsServicePrincipal and jcifsServicePassword are the user name you created in Active Directory and its password. kerberosConf is the absolute path to the location of your krb5.conf file. loginConf is the absolute path to the location of your login.conf file.

Good luck and I hope this helps.
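Added example, not code from the original post or from the CAS project: with debug on, the client's SPNEGO token shows up in the CAS log, and with NTLMallowed set to false CAS rejects NTLM, so it is useful to be able to tell from a Negotiate header whether the browser actually offered Kerberos or fell back to NTLM (which usually means it could not find the HTTP/<FQDN> SPN). The Python below decodes the mechTypes list of a SPNEGO NegTokenInit and recognises a bare NTLM token; the two sample headers are constructed, and the mechToken inside the constructed SPNEGO token is a dummy rather than a real AP-REQ.

```python
import base64

KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
MSKRB5 = bytes.fromhex("2a864882f712010202")      # 1.2.840.48018.1.2.2
NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
MECH_NAMES = {KRB5: "Kerberos V5", MSKRB5: "MS Kerberos V5", NTLMSSP: "NTLMSSP"}

def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def negotiate_mechs(header):
    """List the mechanisms a 'Negotiate <base64>' header offers, in order."""
    raw = base64.b64decode(header.split(None, 1)[1])
    if raw.startswith(b"NTLMSSP\x00"):              # bare NTLM, no SPNEGO wrapper
        return ["NTLMSSP (raw)"]
    tag, body, _ = der_read(raw, 0)                 # APPLICATION 0 InitialContextToken
    tag2, oid, pos = der_read(body, 0)              # thisMech OID must be SPNEGO
    if tag != 0x60 or tag2 != 0x06 or oid != SPNEGO_OID:
        raise ValueError("not a SPNEGO InitialContextToken")
    node = body[pos:]
    for _ in range(4):  # [0] NegTokenInit > SEQUENCE > [0] mechTypes > SEQUENCE OF
        _, node, _ = der_read(node, 0)
    mechs, pos = [], 0
    while pos < len(node):                          # one OID per offered mechanism
        _, oid, pos = der_read(node, pos)
        mechs.append(MECH_NAMES.get(oid, "unknown OID " + oid.hex()))
    return mechs

def is_kerberos(header):
    """True only if the client's preferred (first-listed) mechanism is Kerberos."""
    return negotiate_mechs(header)[0] in ("Kerberos V5", "MS Kerberos V5")

def der(tag, payload):                             # short-form encoder for the sample
    return bytes([tag, len(payload)]) + payload

# Constructed sample headers (not captured traffic): a SPNEGO token offering
# Kerberos then NTLM with a dummy mechToken, and a bare NTLM Type 1 message.
_mechs = der(0xA0, der(0x30, der(0x06, KRB5) + der(0x06, NTLMSSP)))
_init = der(0xA0, der(0x30, _mechs + der(0xA2, der(0x04, b"\x60\x00"))))
SAMPLE_KRB = "Negotiate " + base64.b64encode(der(0x60, der(0x06, SPNEGO_OID) + _init)).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```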
--
View this message in context: http://n4.nabble.com/CAS-SPNEGO-authentication-always-right-with-IE-tp1568991p1584847.html
Sent from the CAS Users mailing list archive at Nabble.com.
