Hello all,

I've run into this problem before and eventually worked it out, but this time the problem seems to not respond to the same fix.

First, some background: I had a working SSO solution using CAS / custom JBoss app / SPNEGO / Active Directory. JBoss (with custom app and CAS) are running on a Solaris box; I'm authenticating against an Active Directory domain. This worked for a year or so (after some initial setup help from the good folks on this list). We changed the password of the SPN account in AD, regenerated the keytab (same options as last time), replaced the keytab on the Solaris box... and everything stopped working.

So, we started over, following the notes we made last time this was successfully configured and hints found on various webpages (from the CAS SPNEGO page, mailing list posts, etc); we keep running into the same issue, however... When a user hits the CAS authentication service, SpnegoCredentialsAction gets an NTLM token instead of Kerberos data. This was happening last time I set this up because I hadn't generated the keytab for the fully-qualified domain name of the app server, but this time I did that. What else could cause this? I'm able to verify that I can do Kerberos exchanges from the app server from the command line (using 'kinit')...

Here's what I did:

Step 1 - Generate the keytab:

    C:\Documents and Settings\ad.admin.user>ktpass.exe /out MYSPNAcct.keytab /princ HTTP/[email protected] /pass * /mapuser [email protected] /ptype krb5_nt_principal /crypto DES-CBC-CRC
    Targeting domain controller: kdcserver.my.realm
    Successfully mapped HTTP/appserver.my.realm to MYSPNAcct.
    Type the password for HTTP/appserver.my.realm:
    Type the password again to confirm:
    Key created.
    Output keytab to MYSPNAcct.keytab:
    Keytab version: 0x502
    keysize 57 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x1 (DES-CBC-CRC) keylength 8 (0x6e9e40340b86f831)
    Account MYSPNAcct has been set for DES-only encryption.

Step 2 - take that keytab file, and put it in my Solaris user's home directory (same user that runs JBoss)

Step 3 - modify ~/krb5.conf to contain the following (and set KRB5_CONFIG to point to it):

    ...
    [libdefaults]
            ticket_lifetime = 24000
            default_realm = MY.REALM
            default_keytab_name = /opt/myapp/MYSPNAcct.keytab
            dns_lookup_realm = false
            dns_lookup_kdc = false
            default_tkt_enctypes = des-cbc-crc des-cbc-md5
            default_tgs_enctypes = des-cbc-crc des-cbc-md5

    [realms]
            MY.REALM = {
                    kdc = kdcserver.my.realm
            }

    [domain_realm]
            .my.realm = MY.REALM
            my.realm = MY.REALM
    ...

Step 4 - make sure kerberos is working at OS level:

    svcu...@appserver(~)> klist -k
    Keytab name: FILE:/opt/myapp/MYSPNAcct.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
      14 HTTP/[email protected]

    svcu...@appserver(~)> kinit [email protected]
    Password for [email protected]:
    localhost: RPC: Rpcbind failure - RPC: Success
    kinit: no ktkt_warnd warning possible

    svcu...@appserver(~/)> klist
    Ticket cache: FILE:/tmp/krb5cc_3003
    Default principal: [email protected]

    Valid starting      Expires             Service principal
    18/03/2010 13:02    18/03/2010 23:02    krbtgt/[email protected]
            renew until 25/03/2010 13:02

Step 5 - Configure app server: didn't really have to do anything here, since it had all been working previously (nothing changed on the CAS side or app server side... I should note that I'm using JBoss, and it has its own security manager config, which is set up appropriately).

Step 6 - hit CAS-protected site.... this is what I get in the logs (you can see it gets an NTLM token at (2010-03-18 16:39:15,138), and then the SPNEGO authenticator fails and we fall back to form authentication):

    2010-03-18 16:39:15,068 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.web.flow.InitialFlowSetupAction - Action 'InitialFlowSetupAction' beginning execution
    2010-03-18 16:39:15,069 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.web.support.CasArgumentExtractor - Extractor generated service for: http://appserver.my.realm/suite/portal/ssodetect.do
    2010-03-18 16:39:15,069 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.web.flow.InitialFlowSetupAction - Placing service in FlowScope: http://appserver.my.realm/suite/portal/ssodetect.do
    2010-03-18 16:39:15,070 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.web.flow.InitialFlowSetupAction - Action 'InitialFlowSetupAction' completed execution; result is 'success'
    2010-03-18 16:39:15,071 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction - Action 'SpnegoNegociateCredentialsAction' beginning execution
    2010-03-18 16:39:15,071 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction - Authorization header not found. Sending WWW-Authenticate header
    2010-03-18 16:39:15,072 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction - Action 'SpnegoNegociateCredentialsAction' completed execution; result is 'success'
    2010-03-18 16:39:15,072 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction - Action 'SpnegoCredentialsAction' beginning execution
    2010-03-18 16:39:15,072 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction - Action 'SpnegoCredentialsAction' completed execution; result is 'error'
    2010-03-18 16:39:15,073 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - Action 'AuthenticationViaFormAction' beginning execution
    2010-03-18 16:39:15,073 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - Executing setupForm
    2010-03-18 16:39:15,074 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - Creating new form object with name 'credentials'
    2010-03-18 16:39:15,074 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - Creating new instance of form object class [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials]
    2010-03-18 16:39:15,074 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - Putting form object of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow with name 'credentials'
    2010-03-18 16:39:15,075 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - Creating new form errors for object with name 'credentials'
    2010-03-18 16:39:15,075 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - No property editor registrar set, no custom editors to register
    2010-03-18 16:39:15,075 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - Putting form errors instance in scope Flash
    2010-03-18 16:39:15,076 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
    2010-03-18 16:39:15,076 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - Action 'AuthenticationViaFormAction' beginning execution
    2010-03-18 16:39:15,077 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
    2010-03-18 16:39:15,133 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.web.flow.InitialFlowSetupAction - Action 'InitialFlowSetupAction' beginning execution
    2010-03-18 16:39:15,134 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.web.support.CasArgumentExtractor - Extractor generated service for: http://appserver.my.realm/suite/portal/ssodetect.do
    2010-03-18 16:39:15,134 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.web.flow.InitialFlowSetupAction - Placing service in FlowScope: http://appserver.my.realm/suite/portal/ssodetect.do
    2010-03-18 16:39:15,135 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.web.flow.InitialFlowSetupAction - Action 'InitialFlowSetupAction' completed execution; result is 'success'
    2010-03-18 16:39:15,136 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction - Action 'SpnegoNegociateCredentialsAction' beginning execution
    2010-03-18 16:39:15,136 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction - Action 'SpnegoNegociateCredentialsAction' completed execution; result is 'success'
    2010-03-18 16:39:15,137 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction - Action 'SpnegoCredentialsAction' beginning execution
    2010-03-18 16:39:15,137 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction - SPNEGO Authorization header found with 56 bytes
    2010-03-18 16:39:15,138 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction - Obtained token: NTLMSSP...
    2010-03-18 16:39:15,138 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.CentralAuthenticationServiceImpl - Attempting to create TicketGrantingTicket for Principal is null
    2010-03-18 16:39:15,144 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction - Unable to obtain the output token required.
    2010-03-18 16:39:15,144 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction - Setting HTTP Status to 401
    2010-03-18 16:39:15,144 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction - Action 'SpnegoCredentialsAction' completed execution; result is 'error'
    2010-03-18 16:39:15,145 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - Action 'AuthenticationViaFormAction' beginning execution
    2010-03-18 16:39:15,145 [http-0.0.0.0-8443-1] DEBUG org.jasig.cas.web.flow.AuthenticationViaFormAction - Executing setupForm

Has anyone else encountered a similar problem? Why would we not be getting a Kerberos exchange happening? Any thoughts / hints / input would be appreciated.

Thanks in advance!

--
Bill Markmann
Counterpoint Consulting, Inc.
(p) 571-338-2455
(f) 202-403-3425
(e) [email protected]
(w) http://www.counterpointconsulting.com/
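The log above only shows the first eight characters of the token ("NTLMSSP..."), which is enough to say the browser never attempted Kerberos, but not why. As an added diagnostic, not code from the CAS project or from the original post, the script below takes the value of a Negotiate Authorization header, base64-decodes it, and reports whether it is a raw NTLM message, a SPNEGO NegTokenInit, or a bare GSS-API token, and for SPNEGO which mechanisms the client offered and in what order. The three sample headers are constructed inline (a minimal NTLM Type 1 message and two hand-built NegTokenInit structures), not captures from the poster's system; the OIDs are the standard SPNEGO, Kerberos V5, MS-Kerberos and NTLMSSP mechanism OIDs.

```python
"""Classify a 'Negotiate' Authorization header: raw NTLM vs SPNEGO vs bare GSS.

Added diagnostic example; not part of CAS or the original post. Useful when a
SPNEGO endpoint logs 'Obtained token: NTLMSSP...' and you need to know whether
the client offered Kerberos at all.
"""
import base64
import struct

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {KRB5_OID: "Kerberos V5", MS_KRB5_OID: "MS Kerberos V5", NTLMSSP_OID: "NTLMSSP"}


def _encode_oid(dotted):
    """DER-encode a dotted OID (used only to build the constructed samples)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but the last byte
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(chunk)
    return out


def _decode_oid(raw):
    """Decode DER OID content bytes to a dotted string."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def _der(tag, body):
    """Wrap body in a DER TLV with the given tag byte (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _read_tlv(buf, i):
    """Parse the DER TLV at buf[i]; return (tag, value, index after the TLV)."""
    tag, first = buf[i], buf[i + 1]
    if first < 0x80:
        length, j = first, i + 2
    else:
        n = first & 0x7F
        length, j = int.from_bytes(buf[i + 2:i + 2 + n], "big"), i + 2 + n
    return tag, buf[j:j + length], j + length


def classify_token(header_value):
    """Return {'scheme', 'kind', 'mechs', ...} for one Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    token = base64.b64decode(b64)
    result = {"scheme": scheme, "kind": "unknown", "mechs": []}
    if token.startswith(b"NTLMSSP\x00"):            # raw NTLM, no SPNEGO wrapper at all
        result["kind"] = "ntlm-raw"
        result["ntlm_message_type"] = struct.unpack("<I", token[8:12])[0]
        return result
    if not token or token[0] != 0x60:               # GSS-API InitialContextToken tag
        return result
    _, inner, _ = _read_tlv(token, 0)
    tag, oid_raw, i = _read_tlv(inner, 0)
    if tag != 0x06:
        return result
    mech = _decode_oid(oid_raw)
    if mech != SPNEGO_OID:                          # e.g. a bare Kerberos AP-REQ
        result["kind"] = "gss-" + MECH_NAMES.get(mech, mech)
        return result
    tag, neg, _ = _read_tlv(inner, i)
    if tag != 0xA0:                                 # [1] NegTokenResp is a reply, not an initial token
        result["kind"] = "spnego-resp"
        return result
    _, seq, _ = _read_tlv(neg, 0)                   # NegTokenInit ::= SEQUENCE
    tag, mech_ctx, _ = _read_tlv(seq, 0)            # [0] mechTypes
    result["kind"] = "spnego"
    if tag != 0xA0:
        return result
    _, mech_seq, _ = _read_tlv(mech_ctx, 0)         # SEQUENCE OF MechType
    j = 0
    while j < len(mech_seq):
        _, oid_raw, j = _read_tlv(mech_seq, j)
        result["mechs"].append(_decode_oid(oid_raw))
    return result


def diagnose(header_value):
    """One-line operator hint: did the client try Kerberos, and what to check next."""
    r = classify_token(header_value)
    if r["kind"] == "ntlm-raw":
        return "raw NTLM: the client never tried Kerberos (check SPN vs. host name, browser zone)"
    if r["kind"] == "spnego" and r["mechs"][:1] == [NTLMSSP_OID]:
        return "SPNEGO with NTLM preferred: the client could not obtain a Kerberos service ticket"
    if r["kind"] == "spnego" and r["mechs"][:1] and r["mechs"][0] in (KRB5_OID, MS_KRB5_OID):
        return "SPNEGO offering Kerberos first: if acceptSecContext still fails, check keytab kvno/enctype"
    return "unrecognised token: " + r["kind"]


def build_spnego_init(mechs):
    """Constructed sample NegTokenInit carrying only a mechTypes list (no mechToken)."""
    mech_seq = _der(0x30, b"".join(_der(0x06, _encode_oid(m)) for m in mechs))
    neg = _der(0x30, _der(0xA0, mech_seq))
    return _der(0x60, _der(0x06, _encode_oid(SPNEGO_OID)) + _der(0xA0, neg))


# Constructed samples (assumed shapes, not captured from the poster's system).
NTLM_TYPE1 = b"NTLMSSP\x00" + struct.pack("<I", 1) + struct.pack("<I", 0xE2088297) + b"\x00" * 16
SAMPLE_NTLM_HEADER = "Negotiate " + base64.b64encode(NTLM_TYPE1).decode()
SAMPLE_KRB_HEADER = "Negotiate " + base64.b64encode(
    build_spnego_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID])).decode()
SAMPLE_SPNEGO_NTLM_HEADER = "Negotiate " + base64.b64encode(build_spnego_init([NTLMSSP_OID])).decode()

if __name__ == "__main__":
    for h in (SAMPLE_NTLM_HEADER, SAMPLE_KRB_HEADER, SAMPLE_SPNEGO_NTLM_HEADER):
        r = classify_token(h)
        print(r["kind"], [MECH_NAMES.get(m, m) for m in r["mechs"]], "->", diagnose(h))
```

Paste the full header value from a browser capture or a debug log into `classify_token`; a raw `NTLMSSP` token or a NegTokenInit whose first mechType is NTLMSSP means the client side gave up on Kerberos before the server was involved, so the keytab and krb5.conf on the app server are not yet in play for that request.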
