Dean,

Thanks for those notes -- I'm also in the middle of debugging an SPNEGO
problem, and your note about jdk7 is interesting to me...  does that only
apply to Windows clients?  I'm also using AD as my kdc; everything had been
working for SPNEGO authentication (on Solaris, with JBoss and JDK5) until
recently, but isn't working anymore...  I'm wondering if I need to apply the
fix from the Sun forum you posted to InitialToken?  Thoughts?

Thanks! - Bill

On Tue, Apr 13, 2010 at 12:19 PM, Dean Heisey <[email protected]>wrote:

>
> Hi Andy,
>
>  You might try looking here as well although I will admit that the wiki is
> weighted to SPNEGO against Active Directory but its a good starting point:
>
> http://www.ja-sig.org/wiki/display/CASUM/SPNEGO
>
> You will need to configure CAS to use SPNEGO.  In your
> deployerConfigContext.xml file be sure to include the following:
>
> 1) In the credentialsToPrincipalResolvers section add the following bean to
> the list:
>
>    <bean class="org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver" />
>
> 2) In the authenticationHandlers section add the following bean:
>
>  <bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler">
>      <property name="authentication">
>          <bean class="jcifs.spnego.Authentication" />
>      </property>
>      <property name="principalWithDomainName" value="false" />
>      <property name="NTLMallowed" value="false" />
>  </bean>
>
>
> Then you need to do the following. Again, I have to use Active Directory
> as my Kerberos KDC, so this explains what I had to do to get it working
> against AD:
>
> My configuration is:
>
>  Kerberos KDC: AD running on Windows 7 servers.
>  1 F5 BigIP -- HTTPS terminated at the load balancer
>  Two Cas servers(Clustered) behind the bigIP. -- CAS servers are currently
> using JBossCache as the ticket registry.
>  Tomcat5 is the container that CAS runs in.
>  Server boxes are running Red Hat Enterprise Linux 5
>
>  One big gotcha: SPNEGO will not work with Windows 7 clients and JDK 1.6
> or earlier.  You need JDK 1.7.  See the following posting on the Sun
> forums:
>     http://forums.sun.com/thread.jspa?threadID=5408472
>
>
>  Since I am not an Active Directory expert I will just share some of my
> observations.
>
>    1.  It seems that AD only recognises the user name you create the account
> with, not any other SPNs you may map to your user name.  If you create the
> SPNEGO user account as _CAS_SERVICE, you need to specify the user name as
> HTTP/<FQDN> of the machine running CAS.  In the case of a load balancer,
> use the FQDN of the VIP.
>
>    2. I created my AD CAS USER account under Active Directory Users and
> Computers --> my realm -->Admin-->service.
>
>    3. After creating the user account, run the ktpass command on your AD
> server.  This enables a Delegation tab in the AD administrative console
> where you enable Kerberos delegation.  Sample syntax:
>
>       ktpass /princ HTTP/[email protected] /mapuser _CAS_USER /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /pass *
>
>       There are other supported crypto types and user principal types
> however, I only had success with RC4-HMAC-NT and KRB5_NT_PRINCIPAL
>
>       Wait a little bit to let the change propagate through the forest and
> then run the setspn command to be sure the account was created correctly:
>          setspn -L _CAS_USER
>
>       You should see a listing of the SPNs associated with your _CAS_USER
> account.
>
>
> On the CAS servers.
>
>      1.  On RHEL, you need to enable winbind and Kerberos support.  The
> winbind config info for RHEL is found in the Samba config file, smb.conf,
> which I found odd since you do not need to run Samba to get this to work.
>
>       2. After enabling winbind and Kerberos, you need to edit your
> krb5.conf file.  Since I only needed to support CAS, my krb5.conf file is
> bare bones and looks like this:
>
>  [libdefaults]
>      default_realm = YOUR.REALM
>      dns_lookup_realm = true
>      dns_lookup_kdc = true
>      # udp_preference_limit = 1 sets Kerberos to always use TCP; I was
>      # having issues with UDP
>      udp_preference_limit = 1
>      default_tkt_enctypes = rc4-hmac
>      default_tgs_enctypes = rc4-hmac
>
>  [realms]
>      YOUR.REALM = {
>          # one "kdc =" line per KDC
>          kdc = kdc1
>          default_domain = your.domain
>      }
>
>  [domain_realm]
>      # mapping your domain to your realm
>      your.domain = YOUR.REALM
>      .your.domain = YOUR.REALM
>
>
>
> After editing your krb5.conf file you can test the kerberos connection with
> the kinit command:
>
> kinit HTTP/<FQDN>
>
> You should be prompted for the password associated with the name provided
> to kinit.  If it is successful you will return to the command prompt;
> otherwise the error message will be displayed.
>
> Now all you should have to do is follow the SPNEGO configuration directions
> in the CASUM and you should be golden.
>
> Hope this helps
>
> Dean
> --
> View this message in context:
> http://n4.nabble.com/CAS-SPNEGO-Debugging-tp1838523p1838682.html
> Sent from the CAS Users mailing list archive at Nabble.com.
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>



-- 
Bill Markmann

Counterpoint Consulting, Inc.
(p) 571-338-2455
(f) 202-403-3425
(e) [email protected]
(w) http://www.counterpointconsulting.com/
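Two pre-flight helpers for the AD-backed SPNEGO setup Dean walks through above, added here as an example; this is not code from the thread or from the CAS project. gen_krb5_conf prints a krb5.conf in the same shape as Dean's, with the notes as '#' comments (krb5.conf has no "--" comment syntax and will choke on trailing notes) and one "kdc =" line per KDC; it refuses a realm that is not upper-case or contains spaces. check_spn reads setspn -L output on stdin and confirms that the SPN a browser will request, HTTP/<FQDN of the VIP> rather than of an individual CAS node, is actually registered on the account, which is the check Dean's setspn step is for. The realm, hostnames and the setspn listing are constructed placeholders. One caveat the 2010 post could not give: RC4-HMAC has since been deprecated by both Microsoft and MIT Kerberos, so KRB_ENCTYPE is a variable here; set it to aes256-cts-hmac-sha1-96 once the account has been re-run through ktpass with /crypto AES256-SHA1.

```shell
#!/bin/sh
# Added example, not code from the CAS project or from this thread.
#   gen_krb5_conf REALM DOMAIN KDC [KDC...]   print a krb5.conf like the one in
#       the thread, notes as '#' comments, one "kdc =" line per KDC.
#   check_spn SPN  (setspn -L output on stdin)  confirm the SPN the browser will
#       ask for, HTTP/<FQDN of the VIP>, is registered on the service account.
# Realm, hostnames and the setspn listing below are constructed placeholders.
set -u

# Enctype the thread settled on. RC4-HMAC is deprecated; override with
# KRB_ENCTYPE=aes256-cts-hmac-sha1-96 after "ktpass ... /crypto AES256-SHA1".
KRB_ENCTYPE=${KRB_ENCTYPE:-rc4-hmac}

# Realm names are case-sensitive and upper-case by convention; a lower-case or
# space-containing realm fails with "Cannot find KDC for realm".
valid_realm() {
    case "$1" in
        ''|*[!ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

gen_krb5_conf() {
    realm=$1; domain=$2; shift 2
    valid_realm "$realm" || { echo "realm '$realm' must be upper-case with no spaces" >&2; return 1; }
    [ $# -ge 1 ] || { echo "at least one KDC is required" >&2; return 1; }
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_realm = true
    dns_lookup_kdc = true
    # Always use TCP; large AD replies over UDP were being dropped.
    udp_preference_limit = 1
    default_tkt_enctypes = $KRB_ENCTYPE
    default_tgs_enctypes = $KRB_ENCTYPE

[realms]
    $realm = {
EOF
    for kdc in "$@"; do
        printf '        kdc = %s\n' "$kdc"
    done
    cat <<EOF
        default_domain = $domain
    }

[domain_realm]
    # Map the DNS domain, and every host beneath it, to the realm.
    $domain = $realm
    .$domain = $realm
EOF
}

# AD compares SPNs case-insensitively, so normalise both sides before matching.
check_spn() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | tr '[:upper:]' '[:lower:]')
        [ "$line" = "$want" ] && return 0
    done
    return 1
}

# Constructed stand-in for "setspn -L _CAS_USER" run on a domain controller.
# The SPN names the load balancer's VIP (cas.example.com), not a CAS node.
SAMPLE_SETSPN='Registered ServicePrincipalNames for CN=_CAS_USER,OU=service,OU=Admin,DC=example,DC=com:
        HTTP/cas.example.com'

# Demo run
gen_krb5_conf EXAMPLE.COM example.com kdc1.example.com kdc2.example.com
if printf '%s\n' "$SAMPLE_SETSPN" | check_spn HTTP/cas.example.com; then
    echo "SPN HTTP/cas.example.com is registered"
fi
if ! printf '%s\n' "$SAMPLE_SETSPN" | check_spn HTTP/casnode1.example.com; then
    echo "SPN HTTP/casnode1.example.com is NOT registered: a browser hitting the node directly gets no ticket for it"
fi
```

Run the generated config through kinit HTTP/<FQDN> exactly as Dean describes; if check_spn fails for the VIP name, the browser will never send a Kerberos token to CAS and JCIFS will only ever see NTLM, which the handler above rejects with NTLMallowed=false.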
