Dean,

So, I've verified that the Kerberos transaction isn't even taking place. I just did this with a simple "tcpdump": did a kinit ... could see the transactions ... but when I try to login via CAS, not a blip for Kerberos in the tcpdump output.

RHEL5 + Winbind was mentioned before. Can you elaborate on the setup with regards to that, please? I'm wondering if having that not in place is the problem.

Thanks,
-Andy

On Tue, Apr 13, 2010 at 11:19 AM, Dean Heisey <[email protected]> wrote:
>
> Hi Andy,
>
> You might try looking here as well, although I will admit that the wiki is
> weighted to SPNEGO against Active Directory, but it's a good starting point:
>
> http://www.ja-sig.org/wiki/display/CASUM/SPNEGO
>
> You will need to configure CAS to use SPNEGO. In your
> deployerConfigContext.xml file be sure to include the following:
>
> 1) In the credentialsToPrincipalResolvers section add the following bean to
> the list:
>
>   <bean class="org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver" />
>
> 2) In the authenticationHandlers section add the following bean:
>
>   <bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler">
>     <property name="authentication">
>       <bean class="jcifs.spnego.Authentication" />
>     </property>
>     <property name="principalWithDomainName" value="false" />
>     <property name="NTLMallowed" value="false" />
>   </bean>
>
> Then ... you need to do the following. Again, I have to use Active Directory
> as my Kerberos KDC, so this explains what I had to do to get it working
> against AD:
>
> My configuration is:
>
> Kerberos KDC: AD running on Windows 7 servers.
> 1 F5 BigIP -- HTTPS terminated at the load balancer
> Two CAS servers (clustered) behind the BigIP. -- CAS servers are currently
> using JBossCache as the ticket registry.
> Tomcat5 is the container that CAS runs in.
> Server boxes are running Red Hat Enterprise Linux 5.
>
> One big gotcha: SPNEGO will not work with Windows 7 clients and JDK 1.6
> and earlier. You need JDK 1.7. See the following posting on the Sun
> forums:
> http://forums.sun.com/thread.jspa?threadID=5408472
>
> Since I am not an Active Directory expert I will just share some of my
> observations.
>
> 1. It seems that AD only recognises the username you create the account
> with, not any other SPNs you may map to your user name. If you create the
> SPNEGO user account as _CAS_SERVICE, you need to specify the user name as
> HTTP/<FQDN> of the machine running CAS. In the case of a load balancer, use
> the FQDN of the VIP.
>
> 2. I created my AD CAS USER account under Active Directory Users and
> Computers --> my realm --> Admin --> service.
>
> 3. After creating the user account, run the ktpass command on your AD
> server. This enables a delegation tab in the AD administrative console where
> you enable Kerberos delegation. Sample syntax:
>
>   ktpass /princ HTTP/[email protected] /mapuser _CAS_USER /crypto RC4-HMAC-NT /ptype KRB5_NT_PRINCIPAL /pass *
>
> There are other supported crypto types and user principal types;
> however, I only had success with RC4-HMAC-NT and KRB5_NT_PRINCIPAL.
>
> Wait a little bit to let the change propagate through the forest and
> then run the setspn command to be sure the account was created correctly:
>
>   setspn -L _CAS_USER
>
> You should see a listing of the SPNs associated with your _CAS_USER
> account.
>
>
> On the CAS servers:
>
> 1. On RHEL, you need to enable winbind and Kerberos support. The
> Winbind config info for RHEL is found in the samba config file smb.conf,
> which I found odd since you do not need to run samba to get this to work.
>
> 2. After enabling winbind and Kerberos, you need to edit your
> krb5.conf file. Since I only needed to support CAS my krb5.conf file is
> bare bones and looks like this:
>
>   [libdefaults]
>     default_realm = YOUR REALM
>     dns_lookup_realm = true
>     dns_lookup_kdc = true
>     # sets Kerberos to always use TCP; I was having issues with UDP
>     udp_preference_limit = 1
>     default_tkt_enctypes = rc4-hmac
>     default_tgs_enctypes = rc4-hmac
>
>   [realms]
>     YOUR REALM = {
>       kdc = kdc1
>       kdc = kdc1
>       default_domain = YOUR DOMAIN
>     }
>
>   # mapping your domain to realm
>   [domain_realm]
>     YOUR DOMAIN = YOUR REALM
>     .YOUR DOMAIN = YOUR REALM
>
>
> After editing your krb5.conf file you can test the Kerberos connection with
> the kinit command:
>
>   kinit HTTP/<FQDN>
>
> You should be prompted for the password associated with the name provided to
> kinit. If it is successful you will return to the command prompt;
> otherwise the error message will be displayed.
>
> Now all you should have to do is follow the SPNEGO configuration directions
> in the CASUM and you should be golden.
>
> Hope this helps
>
> Dean
> --
> View this message in context:
> http://n4.nabble.com/CAS-SPNEGO-Debugging-tp1838523p1838682.html
> Sent from the CAS Users mailing list archive at Nabble.com.
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
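A diagnostic aid for the symptom in this thread (no Kerberos traffic when the browser hits CAS), added here and not part of the thread or of CAS: it classifies the token a browser sends in its "Authorization: Negotiate ..." header, so you can tell whether the client actually presented a Kerberos ticket or fell back to NTLM (which the NTLMallowed=false handler above will reject). The sample tokens are constructed for the example; the OID byte strings are the standard DER encodings.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, contents) that appear in Negotiate tokens.
OID_SPNEGO  = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5    = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2 (MS variant)
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIG = b"NTLMSSP\x00"                              # raw NTLM Type 1 message marker


def classify_negotiate_token(header_value):
    """Classify the value of an HTTP 'Authorization' header.

    'spnego-kerberos'   : SPNEGO NegTokenInit offering a Kerberos mechanism; the client
                          obtained a ticket for the HTTP/<FQDN> SPN, so the KDC was contacted.
    'spnego-ntlm-only'  : SPNEGO offering only NTLM; no ticket was obtained (SPN missing,
                          site not trusted for integrated auth, etc.). CAS rejects with NTLMallowed=false.
    'ntlm-raw'          : raw NTLMSSP blob sent under the Negotiate scheme (classic IE fallback).
    'not-gssapi'        : Negotiate scheme but not a GSS-API/SPNEGO token.
    'not-negotiate'     : some other scheme (Basic, Bearer, ...).
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    token = base64.b64decode(b64)
    if token.startswith(NTLMSSP_SIG):
        return "ntlm-raw"
    # GSS-API InitialContextToken: APPLICATION 0 tag (0x60), length, then the SPNEGO OID.
    if token[:1] != b"\x60" or OID_SPNEGO not in token[:16]:
        return "not-gssapi"
    # The mechTypes list sits inside NegTokenInit; a scan for the DER OIDs is enough here.
    if OID_KRB5 in token or OID_MS_KRB5 in token:
        return "spnego-kerberos"
    if OID_NTLMSSP in token:
        return "spnego-ntlm-only"
    return "spnego-unknown"


def _der(tag, body):
    """Minimal DER TLV builder (short-form length only) for the constructed samples."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def _spnego_init(*mechs):
    """Constructed NegTokenInit carrying only a mechTypes list (no mechToken)."""
    mech_list = _der(0x30, b"".join(mechs))
    return _der(0x60, OID_SPNEGO + _der(0xA0, _der(0x30, _der(0xA0, mech_list))))


# Constructed sample header values, as a browser might send them.
SAMPLE_KRB  = "Negotiate " + base64.b64encode(_spnego_init(OID_KRB5, OID_MS_KRB5, OID_NTLMSSP)).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(_spnego_init(OID_NTLMSSP)).decode()
SAMPLE_RAW  = "Negotiate " + base64.b64encode(NTLMSSP_SIG + b"\x01\x00\x00\x00" + b"\x00" * 28).decode()
```

In practice, feed it the header value pulled from a Tomcat access log with request headers enabled, or from the tcpdump capture of a plain-HTTP test instance; a "spnego-ntlm-only" or "ntlm-raw" verdict explains why the capture shows no traffic to port 88.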
