Hi Dean,

Aye, the ticket seems to be valid.

Ok, perhaps I've gotten this wrong. Here's essentially the ktpass command that was used.

ktpass.exe /out spnego.keytab /princ HTTP/[email protected] /pass * /mapuser [email protected] /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT

Once that was done, the delegation for Kerberos was handled on the Delegation tab.

Does that look correct? Also, ktpass was run a few times, as the AD admin I was working with got it wrong a few times. Should I wipe the accounts and begin again?

Thanks,

-Andy

On Tue, Apr 13, 2010 at 12:22 PM, Dean Heisey <[email protected]> wrote:

> Andy,
>
> If you have access to your Domain Servers, i.e. Active Directory machines,
> you could check your user that you mapped the SPN to. Meaning there is some
> user account in AD whose login name is HTTP/fqdn.foo.bar. If you use setspn
> to add the SPN to the user account after it's created, SPNEGO does not
> work (at least not for me). The actual login name needs to be HTTP/fqdn.
>
> Also, did you run the ktpass command on the user you created in AD? This
> sets up the crypto and also will turn on delegation. When you go back to
> the admin console for AD and look at the user, you should see a delegation
> tab. Be sure that you allow this user to delegate Kerberos.
>
> Getting the user set correctly in AD seemed to be the most frustrating part
> of the whole process. Once that took, the rest was simple.
>
> It sounds like you have the Kerberos part set up correctly on the Linux box
> if you can use kinit. And when you use klist, you see the Kerberos ticket
> for the user HTTP/fqdn, right?
> --
> View this message in context:
> http://n4.nabble.com/CAS-SPNEGO-Debugging-tp1838523p1838783.html
> Sent from the CAS Users mailing list archive at Nabble.com.
