Hmm...

Ok, I have all of those configured... except that I had "NTLMallowed" as
true... though I'm not sure that's the problem since the kerberos
transaction doesn't appear to be working at all.  I've confirmed that this
doesn't help...

I've gone over that documentation and I believe I have configured everything
properly on both the AD side and the CAS server.  I am able to do a
successful kinit with HTTP/fqdn.foo.bar ... even without the winbind stuff
in Samba.

I'm just generally at a loss at this point, since I've followed the
documentation as closely as possible.  Concerning the Win7 issues, that is
the OS that I'm trying to test this with... but I'm using Firefox to work
around the IE8 issues.  The CASUM document for SPNEGO shows that the only
modification to Firefox is the addition of the trusted URI... which is the
CAS server itself, yes?  Are there other modifications to Firefox necessary
to get it to play nicely with SPNEGO?

What other information can I tell you to further the troubleshooting?

Thanks,

-Andy

On Tue, Apr 13, 2010 at 11:19 AM, Dean Heisey <[email protected]> wrote:

>
> Hi Andy,
>
>  You might try looking here as well, although I will admit that the wiki is
> weighted to SPNEGO against Active Directory, but it's a good starting point:
>
> http://www.ja-sig.org/wiki/display/CASUM/SPNEGO
>
> You will need to configure CAS to use SPNEGO.  In your
> deployerConfigContext.xml file be sure to include the following:
>
> 1) In the credentialsToPrincipalResolvers section add the following bean to
> the list:
>
>    <bean class="org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver" />
>
> 2) In the authenticationHandlers section add the following bean:
>
>  <bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler">
>     <property name="authentication">
>         <bean class="jcifs.spnego.Authentication" />
>     </property>
>     <property name="principalWithDomainName" value="false" />
>     <property name="NTLMallowed" value="false" />
>  </bean>
>
>
> Then you need to do the following.  Again, I have to use Active Directory
> as my Kerberos KDC, so this explains what I had to do to get it working
> against AD:
>
> My configuration is:
>
>  Kerberos KDC: AD running on Windows 7 servers.
>  1 F5 BigIP -- HTTPS terminated at the load balancer
>  Two Cas servers(Clustered) behind the bigIP. -- CAS servers are currently
> using JBossCache as the ticket registry.
>  Tomcat5 is the container that CAS runs in.
>  Server boxes are running Red Hat Enterprise Linux 5
>
>  One big gotcha.  Spnego will not work with Windows7 clients and jdk 1.6
> and earlier.  You need jdk1.7.  See the following posting on the sun
> forums:
>     http://forums.sun.com/thread.jspa?threadID=5408472
>
>
>  Since I am not an Active Directory expert I will just share some of my
> observations.
>
>    1.  It seems that AD only recognises the username you create the account
> with, not any other SPNs you may map to your user name.  If you create the
> spnego user account as _CAS_SERVICE, you need to specify the user name as
> HTTP/<FQDN> of the machine running cas.  In the case of a load balancer,
> use the FQDN of the VIP.
>
>    2. I created my AD CAS USER account under Active Directory Users and
> Computers --> my realm -->Admin-->service.
>
>    3. After creating the user account, run the ktpass command on your AD
> server.  This enables a delegation tab in the AD administrative console
> where you enable kerberos delegation.  Sample syntax:
>
>       ktpass /princ HTTP/[email protected] /mapuser _CAS_USER /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /pass *
>
>       There are other supported crypto types and user principal types
> however, I only had success with RC4-HMAC-NT and KRB5_NT_PRINCIPAL
>
>       Wait a little bit to let the change propagate through the forest and
> then run the setspn command to be sure the account was created correctly:
>
>          setspn -L _CAS_USER
>
>       You should see a listing of the SPNs associated with your _CAS_USER
> account.
>
>
> On the CAS servers.
>
>      1.  On RHEL, you need to enable winbind and kerberos support.  The
> Winbind config info for RHEL is found in the samba config file  smb.conf
> which I found odd since you do not need to run samba to get this to work.
>
>       2. After enabling winbind and kerberos, you need to edit your
> krb5.conf file.  Since I only needed to support CAS, my krb5.conf file is
> bare bones and looks like this:
>
>  [libdefaults]
>     default_realm = YOUR REALM
>     dns_lookup_realm = true
>     dns_lookup_kdc = true
>     # sets Kerberos to always use TCP; I was having issues with UDP
>     udp_preference_limit = 1
>     default_tkt_enctypes = rc4-hmac
>     default_tgs_enctypes = rc4-hmac
>
>  [realms]
>     YOUR REALM = {
>         kdc = kdc1
>         kdc = kdc1
>         default_domain = YOUR DOMAIN
>     }
>
>  # mapping your domain to realm
>  [domain_realm]
>     YOUR DOMAIN = YOUR REALM
>     .YOUR DOMAIN = YOUR REALM
>
>
>
> After editing your krb5.conf file you can test the kerberos connection with
> the kinit command:
>
> kinit HTTP/<FQDN>
>
> You should be prompted for the password associated with the name provided
> to kinit.  If it is successful you will return to the command prompt,
> otherwise the error message will be displayed.
>
> Now all you should have to do is follow the SPNEGO configuration directions
> in the CASUM and you should be golden.
>
> Hope this helps
>
> Dean
> --
> View this message in context:
> http://n4.nabble.com/CAS-SPNEGO-Debugging-tp1838523p1838682.html
> Sent from the CAS Users mailing list archive at Nabble.com.
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
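
Whether the browser actually sent a Kerberos token, rather than NTLM, is visible in the "Authorization: Negotiate" header it returns to CAS after the 401. The following is an added example, not code from this thread or from the CAS project: it decodes that header's SPNEGO NegTokenInit and lists the mechanisms offered in preference order (first entry is the client's first choice); build_negotiate_header only constructs sample headers for testing, and the OID values are the standard ones for SPNEGO, Kerberos 5, MS Kerberos 5 and NTLMSSP.

```python
import base64

# OID content bytes as they appear in DER, for the mechanisms seen in Negotiate headers
SPNEGO = bytes.fromhex("2b0601050502")                            # 1.3.6.1.5.5.2
MECHS = {bytes.fromhex("2a864886f712010202"): "Kerberos 5",       # 1.2.840.113554.1.2.2
         bytes.fromhex("2a864882f712010202"): "MS Kerberos 5",    # 1.2.840.48018.1.2.2
         bytes.fromhex("2b06010401823702020a"): "NTLMSSP"}        # 1.3.6.1.4.1.311.2.2.10

def der(tag, content):  # minimal DER TLV encoder, short and long-form lengths
    n = len(content)
    if n >= 0x80:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + content
    return bytes([tag, n]) + content

def read_tlv(buf, pos):  # decode one TLV at pos -> (tag, value, position after it)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def build_negotiate_header(mech_oids, mech_token=b"\x00"):
    # Constructed client header: SPNEGO NegTokenInit listing mech_oids in preference order
    mech_types = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in mech_oids)))
    init = der(0x30, mech_types + der(0xA2, der(0x04, mech_token)))
    token = der(0x60, der(0x06, SPNEGO) + der(0xA0, init))
    return "Negotiate " + base64.b64encode(token).decode()

def offered_mechs(header):
    """Mechanism names a Negotiate header offers, most preferred first."""
    tok = base64.b64decode(header.split(" ", 1)[1])
    if tok.startswith(b"NTLMSSP\x00"):             # bare NTLM, no GSS-API wrapper at all
        return ["NTLMSSP"]
    tag, body, _ = read_tlv(tok, 0)
    if tag != 0x60:                                # not a GSS-API InitialContextToken
        return ["unknown"]
    _, oid, pos = read_tlv(body, 0)
    if oid != SPNEGO:                              # e.g. a raw Kerberos 5 AP-REQ token
        return [MECHS.get(oid, "unknown OID " + oid.hex())]
    _, seq, _ = read_tlv(read_tlv(body, pos)[1], 0)  # [0] NegTokenInit -> its SEQUENCE
    p = 0
    while p < len(seq):
        tag, val, p = read_tlv(seq, p)
        if tag == 0xA0:                            # [0] mechTypes: SEQUENCE OF OID
            _, oids, _ = read_tlv(val, 0)
            names, q = [], 0
            while q < len(oids):
                _, o, q = read_tlv(oids, q)
                names.append(MECHS.get(o, "unknown OID " + o.hex()))
            return names
    return []                                      # no mechTypes field present
```

With NTLMallowed set to false as in the bean above, a header whose first mechanism is NTLMSSP, or a bare NTLM token, is what to look for when the Kerberos exchange seems not to happen at all.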
