Andy,

If you have access to your domain servers, i.e. the Active Directory machines, you could check the user that you mapped the SPN to. Meaning there is some user account in AD whose login name is HTTP/fqdn.foo.bar. If you use setspn to add the SPN to the user account after it's created, SPNEGO does not work (at least not for me). The actual login name needs to be HTTP/fqdn.

Also, did you run the ktpass command on the user you created in AD? This sets up the crypto and also will turn on delegation. When you go back to the admin console for AD and look at the user, you should see a delegation tab. Be sure that you allow this user to delegate Kerberos. Getting the user set correctly in AD seemed to be the most frustrating part of the whole process. Once that took, the rest was simple.

It sounds like you have the Kerberos part set up correctly on the Linux box if you can use kinit. And when you use klist, you see the Kerberos ticket for the user HTTP/fqdn, right?

--
View this message in context: http://n4.nabble.com/CAS-SPNEGO-Debugging-tp1838523p1838783.html
Sent from the CAS Users mailing list archive at Nabble.com.
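
The klist check asked about at the end of the message can be scripted. The following is an added example, not part of the original post: the function name `check_spn_cache`, the hostname `cas.example.org` and the realm `EXAMPLE.ORG` are placeholders, and the sample text assumes the MIT Kerberos `klist` layout.

```shell
#!/bin/sh
# check_spn_cache FQDN   (hypothetical helper; reads `klist` text on stdin)
# Return codes:
#   0  default principal is HTTP/FQDN@REALM and a krbtgt for REALM is cached
#   1  no "Default principal:" line (no cache, kinit never succeeded)
#   2  principal differs only by case (Kerberos names are case-sensitive)
#   3  cache belongs to a different principal
#   4  principal matches but there is no TGT for its realm
check_spn_cache() {
    want="HTTP/$1"
    out=$(cat)
    princ=$(printf '%s\n' "$out" | sed -n 's/^Default principal: *//p' | head -n 1)
    [ -n "$princ" ] || { echo "no default principal in cache" >&2; return 1; }
    name=${princ%@*}      # part before the realm
    realm=${princ##*@}    # part after the last '@'
    if [ "$name" != "$want" ]; then
        lc_name=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        lc_want=$(printf '%s' "$want" | tr '[:upper:]' '[:lower:]')
        if [ "$lc_name" = "$lc_want" ]; then
            echo "case mismatch: cache has $name, expected $want" >&2
            return 2
        fi
        echo "cache is for $name, expected $want" >&2
        return 3
    fi
    if ! printf '%s\n' "$out" | grep -qF "krbtgt/$realm@$realm"; then
        echo "no krbtgt for $realm in cache" >&2
        return 4
    fi
    echo "ok: $princ"
}

# Constructed sample in MIT klist layout (hostname and realm are placeholders).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/cas.example.org@EXAMPLE.ORG

Valid starting       Expires              Service principal
03/01/2010 09:00:00  03/01/2010 19:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG'

printf '%s\n' "$SAMPLE_KLIST" | check_spn_cache cas.example.org
```

On the CAS host, after kinit, the same function can be fed live output with `klist | check_spn_cache "$(hostname -f)"`.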
