Dean,

Thanks for the guidance. I talked to the AD admins and they did generate the keytab from the domain controller (the same machine that is listed as the KDC in my Kerberos config). So, still no luck there.

Also, if delegation weren't working properly, I wouldn't even be able to authenticate using 'kinit', right? In my (possibly flawed) mental model of how this all works, once I have 'kinit' working, everything is good from the Kerberos / AD side of the equation, and we just need to focus on getting the app server -> browser communication working properly. Am I thinking about this wrong?

What factors actually affect whether the SPNEGO login action gets NTLM vs Kerberos data? I've read through the source of SpnegoCredentialsAction, and it looks like it gets one or the other -- what's actually determining which is sent?

Thanks,
- Bill

On Fri, Mar 19, 2010 at 7:53 PM, Dean Heisey <[email protected]> wrote:

> I ran into something like this where the Kerberos was not working with my
> AD. When you regenerated your keytab for the new AD user/SPN, did you run
> the ktpass on your Active Directory Domain server? That gives you access to
> the Delegation tab on the AD user and computer administrator tab. Go check
> the CAS User manual SPNEGO section. I updated it recently to include my
> experiences.
>
> Dean
> --
> View this message in context:
> http://n4.nabble.com/Problem-with-SPNEGO-Getting-NTLM-token-instead-of-Kerberos-tp1598650p1629470.html
> Sent from the CAS Users mailing list archive at Nabble.com.
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user

--
Bill Markmann
Counterpoint Consulting, Inc.
(p) 571-338-2455
(f) 202-403-3425
(e) [email protected]
(w) http://www.counterpointconsulting.com/
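
Which of the two the login action receives can be read off the token itself: the base64 value of the `Authorization: Negotiate` header decodes to either a bare NTLMSSP message or a GSS-API/SPNEGO token whose mechTypes list names the mechanisms the client offered. The following is an added example, not part of the original thread and not CAS code; the function names and the sample tokens are constructed for illustration.

```python
import base64

# OID content bytes (DER, without tag and length)
OID_SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECHS = {OID_KRB5: "Kerberos V5", OID_MS_KRB5: "Kerberos V5 (MS OID)", OID_NTLMSSP: "NTLMSSP"}
SAMPLE_NTLM = "Negotiate TlRMTVNTUAABAAAA"   # constructed: "NTLMSSP\0" + message type 1

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    (tag, length), pos = buf[pos:pos + 2], pos + 2   # ValueError if < 2 bytes remain
    if length & 0x80:                                # long form: low 7 bits count length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def classify_negotiate(header_value):
    """Classify the client's first Negotiate token: (wrapper, [mechanism names])."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64.strip())
    if token.startswith(b"NTLMSSP\x00"):     # bare NTLM message, no GSS-API framing
        return "raw NTLM", ["NTLMSSP"]
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:                          # not a GSS-API initial context token
        return "unknown", []
    _, this_mech, pos = read_tlv(body, 0)
    if this_mech != OID_SPNEGO:              # e.g. a Kerberos token without SPNEGO wrapping
        return "raw GSS-API", [MECHS.get(this_mech, this_mech.hex())]
    inner = body[pos:]
    for _depth in range(4):  # [0] NegTokenInit > SEQUENCE > [0] mechTypes > SEQUENCE OF OID
        _, inner, _ = read_tlv(inner, 0)
    names, pos = [], 0
    while pos < len(inner):                  # OIDs appear in the client's preference order
        _, oid, pos = read_tlv(inner, pos)
        names.append(MECHS.get(oid, oid.hex()))
    return "SPNEGO", names

def der(tag, value):                         # short-form lengths only (samples are small)
    return bytes([tag, len(value)]) + value

def sample_spnego(oids):                     # constructed NegTokenInit, mechTypes only
    mech_list = b"".join(der(0x06, o) for o in oids)
    init = der(0xA0, der(0x30, der(0xA0, der(0x30, mech_list))))
    return "Negotiate " + base64.b64encode(der(0x60, der(0x06, OID_SPNEGO) + init)).decode()
```

Run against a header captured on the server side, a result of `raw NTLM` or an SPNEGO list without a Kerberos entry shows that the client never offered a Kerberos ticket for that request.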
