Hi Andy,

You might try looking here as well, although I will admit that the wiki is weighted to SPNEGO against Active Directory, but it's a good starting point:
http://www.ja-sig.org/wiki/display/CASUM/SPNEGO

You will need to configure CAS to use SPNEGO. In your deployerConfigContext.xml file be sure to include the following:

1) In the credentialsToPrincipalResolvers section add the following bean to the list:

    <bean class="org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver" />

2) In the authenticationHandlers section add the following bean:

    <bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler">
        <property name="authentication">
            <bean class="jcifs.spnego.Authentication" />
        </property>
        <property name="principalWithDomainName" value="false" />
        <property name="NTLMallowed" value="false" />
    </bean>

Then you need to do the following. Again, I have to use Active Directory as my Kerberos KDC, so this explains what I had to do to get it working against AD.

My configuration is:
- Kerberos KDC: AD running on Windows 7 servers.
- 1 F5 BigIP -- HTTPS terminated at the load balancer.
- Two CAS servers (clustered) behind the BigIP -- CAS servers are currently using JBossCache as the ticket registry.
- Tomcat5 is the container that CAS runs in.
- Server boxes are running Red Hat Enterprise Linux 5.

One big gotcha: SPNEGO will not work with Windows 7 clients and JDK 1.6 and earlier. You need JDK 1.7. See the following posting on the Sun forums:
http://forums.sun.com/thread.jspa?threadID=5408472

Since I am not an Active Directory expert I will just share some of my observations.

1. It seems that AD only recognises the username you create the account with, not any other SPNs you may map to your user name. If you create the SPNEGO user account as _CAS_SERVICE, you need to specify the user name as HTTP/<FQDN> of the machine running CAS. In the case of a load balancer, use the FQDN of the VIP.

2. I created my AD CAS user account under Active Directory Users and Computers --> my realm --> Admin --> service.

3. After creating the user account, run the ktpass command on your AD server. This enables a delegation tab in the AD administrative console where you enable Kerberos delegation. Sample syntax:

    ktpass /princ HTTP/[email protected] /mapuser _CAS_USER /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /pass *

   There are other supported crypto types and user principal types; however, I only had success with RC4-HMAC-NT and KRB5_NT_PRINCIPAL.

   Wait a little bit to let the change propagate through the forest and then run the setspn command to be sure the account was created correctly:

    setspn -L _CAS_USER

   You should see a listing of the SPNs associated with your _CAS_USER account.

On the CAS servers:

1. On RHEL, you need to enable winbind and Kerberos support. The winbind config info for RHEL is found in the Samba config file smb.conf, which I found odd since you do not need to run Samba to get this to work.

2. After enabling winbind and Kerberos, you need to edit your krb5.conf file. Since I only needed to support CAS, my krb5.conf file is bare bones and looks like this:

    [libdefaults]
    default_realm = YOUR REALM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    # sets Kerberos to always use TCP; I was having issues with UDP
    udp_preference_limit = 1
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac

    [realms]
    YOUR REALM = {
        kdc = kdc1
        kdc = kdc1
        default_domain = YOUR DOMAIN
    }

    [domain_realm]
    # mapping your domain to realm
    YOUR DOMAIN = YOUR REALM
    .YOUR DOMAIN = YOUR REALM

After editing your krb5.conf file you can test the Kerberos connection with the kinit command:

    kinit HTTP/<FQDN>

You should be prompted for the password associated with the name provided to kinit. If it is successful you will return to the command prompt; otherwise the error message will be displayed.

Now all you should have to do is follow the SPNEGO configuration directions in the CASUM and you should be golden.

Hope this helps,
Dean
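As an added example (not part of Dean's post, and not code from the CAS or JCIFS projects), here is a small Python checker that parses a krb5.conf of the shape described in the post and reports where a file departs from that layout: a default_realm, udp_preference_limit forcing TCP, rc4-hmac present in both enctype lists to match the ktpass /crypto choice, a [realms] block for the default realm with at least one kdc, and both domain_realm mappings (bare and dot-prefixed). The sample file embedded in it is constructed; EXAMPLE.ORG, example.org and the kdc host names are placeholders, and the parser covers only the subset of krb5.conf syntax the post uses.

```python
# Added example, not from the post: parse a krb5.conf and check it against
# the layout described above. The sample input below is constructed.
import re
from typing import Dict, List

# Constructed sample; realm, domain and KDC names are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.ORG
  dns_lookup_realm = true
  dns_lookup_kdc = true
  # force TCP, as the post recommends
  udp_preference_limit = 1
  default_tkt_enctypes = rc4-hmac
  default_tgs_enctypes = rc4-hmac

[realms]
  EXAMPLE.ORG = {
    kdc = kdc1.example.org
    kdc = kdc2.example.org
    default_domain = example.org
  }

[domain_realm]
  example.org = EXAMPLE.ORG
  .example.org = EXAMPLE.ORG
"""


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Parse the subset of krb5.conf syntax used above.

    Returns {section: {key: [values]}}; a 'name = { ... }' block becomes a
    nested dict under its name. Values are lists because keys such as
    'kdc' legitimately repeat. Only whole-line comments (# or ;) are
    recognised, matching how krb5.conf itself is parsed.
    """
    sections: Dict[str, dict] = {}
    section = None
    block = None  # name of the open '{ ... }' block, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[([^\]]+)\]$", line)
        if m:
            section = m.group(1)
            sections.setdefault(section, {})
            block = None
            continue
        if section is None:
            raise ValueError("entry before any [section]: %r" % raw)
        if line == "}":
            if block is None:
                raise ValueError("stray '}' in [%s]" % section)
            block = None
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if not m:
            raise ValueError("unparseable line: %r" % raw)
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            block = key
            sections[section].setdefault(block, {})
            continue
        target = sections[section][block] if block else sections[section]
        target.setdefault(key, []).append(value)
    if block is not None:
        raise ValueError("unterminated '{' block %s" % block)
    return sections


def check_for_spnego(conf: Dict[str, dict]) -> List[str]:
    """Return findings where conf departs from the post's layout; [] means it matches."""
    findings: List[str] = []
    lib = conf.get("libdefaults", {})
    realm = (lib.get("default_realm") or [None])[0]
    if not realm:
        return ["libdefaults: default_realm is not set"]
    if lib.get("udp_preference_limit") != ["1"]:
        findings.append("libdefaults: udp_preference_limit should be 1 to force TCP")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        # enctype lists may be space separated, so flatten before looking
        if "rc4-hmac" not in " ".join(lib.get(key, [])).split():
            findings.append("libdefaults: %s lacks rc4-hmac, the type ktpass was run with" % key)
    realm_block = conf.get("realms", {}).get(realm)
    domains: List[str] = []
    if not isinstance(realm_block, dict):
        findings.append("realms: no block for default realm %s" % realm)
    else:
        if not realm_block.get("kdc"):
            findings.append("realms: no kdc listed for %s" % realm)
        domains = realm_block.get("default_domain", [])
        if not domains:
            findings.append("realms: default_domain not set for %s" % realm)
    mapping = conf.get("domain_realm", {})
    for domain in domains:
        for form in (domain, "." + domain):  # bare and dotted forms are both needed
            if mapping.get(form) != [realm]:
                findings.append("domain_realm: missing mapping %s = %s" % (form, realm))
    return findings


if __name__ == "__main__":
    parsed = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for finding in check_for_spnego(parsed) or ["krb5.conf matches the expected layout"]:
        print(finding)
```

Run it against a real file by replacing SAMPLE_KRB5_CONF with the contents of /etc/krb5.conf; an empty findings list means the file has the pieces the post relies on, and the kinit test in the post remains the real end-to-end check.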
