Dean,

Just following up on this -- wanted to thank you for your help and guidance. I've finally gotten it working with some help from our AD admins; the problem, as you suspected, was with the AD account, not the CAS configuration. In case it helps anyone else, we had previously associated the SPN we were using (HTTP/[email protected]) with a different AD service account. That account was subsequently deleted, but the SPN mapping was apparently still around in some form or another. The solution in the end was to create a new SPN and new DNS hostname for the server (not sure why we couldn't clean up the old AD entries -- perhaps someone else can offer more insight there). Using a new, clean name solved the problem.
As soon as the new SPN was registered for the new service account, and the new DNS name propagated, we started getting Kerberos tokens from users' browsers.

Thanks again!

- Bill

On Thu, Apr 29, 2010 at 3:05 PM, Dean Heisey <[email protected]> wrote:
>
> Bill,
>
> A couple of things. First, I am not using a keytab file. I have Kerberos
> set up on my Linux boxes to use DNS to find my KDCs, so when I test using
> kinit I am just entering the following:
>
> kinit HTTP/my.server.com -- this results in the prompt "Password for
> HTTP/[email protected]"
>
> The OS is using my krb5.conf file to find the REALM and resolve it using
> DNS.
>
> kinit HTTP/my.server.com or kinit HTTP/[email protected] result in
> the password prompt.
>
> If you enter a bogus password you will get the following error:
>
> kinit(v5): Preauthentication failed while getting initial credentials
>
> If your principal cannot be found in the KDC you will get the following
> error:
>
> kinit(v5): Client not found in Kerberos database while getting initial
> credentials
>
> Since you are getting the last error when attempting to get credentials for
> your SPN (HTTP/my.server.com), you should be checking out your AD user that
> the SPN name is mapped to. Once you can do a kinit HTTP/my.server.com you
> know that the Sun Kerberos/AD integration is working and you can then move
> on to the SPNEGO part.
>
> --
> View this message in context:
> http://jasig.275507.n4.nabble.com/Problem-with-SPNEGO-Getting-NTLM-token-instead-of-Kerberos-tp1598650p2076053.html
> Sent from the CAS Users mailing list archive at Nabble.com.
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user

--
Bill Markmann
Counterpoint Consulting, Inc.
(p) 571-338-2455 (f) 202-403-3425
(e) [email protected]
(w) http://www.counterpointconsulting.com/
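The stale SPN mapping Bill describes above can be checked directly on the AD side before touching the CAS configuration. The script below is an added example, not code from the thread, from CAS or from either poster. It assumes the RSAT ActiveDirectory module and setspn.exe are installed on the machine running it, that the caller can read the directory (and its deleted objects, if the AD Recycle Bin is enabled), and it uses the thread's placeholder name HTTP/my.server.com; the service account name svc-cas and the OLD-ACCOUNT placeholder in the remediation comments are hypothetical.

```powershell
# Added example (not from the thread): find every AD object that holds a given SPN
# and flag stale, duplicate or disabled holders. Assumes RSAT ActiveDirectory module
# and setspn.exe; 'HTTP/my.server.com' is the thread's placeholder, 'svc-cas' is a
# hypothetical service account name.
param(
    [string]$Spn = 'HTTP/my.server.com',
    [string]$ExpectedAccount = 'svc-cas'
)
Import-Module ActiveDirectory

# 1. Live objects carrying the SPN. Kerberos needs exactly one. Zero is what gives
#    "Client not found in Kerberos database"; more than one makes the KDC refuse
#    ticket requests for that name, and browsers then fall back to NTLM.
$live = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
        -Properties servicePrincipalName, sAMAccountName, userAccountControl, whenChanged)

# 2. Tombstoned or recycled objects that still carry the SPN. Only meaningful when the
#    AD Recycle Bin is enabled; plain tombstones keep very few attributes.
$deleted = @(Get-ADObject -IncludeDeletedObjects `
           -LDAPFilter "(&(isDeleted=TRUE)(servicePrincipalName=$Spn))" `
           -Properties servicePrincipalName, sAMAccountName, whenChanged)

"SPN $Spn : $($live.Count) live holder(s), $($deleted.Count) deleted holder(s)"
foreach ($o in $live)    { "  live     {0,-20} {1}" -f $o.sAMAccountName, $o.DistinguishedName }
foreach ($o in $deleted) { "  deleted  {0,-20} {1}" -f $o.sAMAccountName, $o.DistinguishedName }

# 3. A disabled account (userAccountControl bit 0x2) still owns the mapping but
#    cannot be used to issue service tickets.
foreach ($o in $live) {
    if ($o.userAccountControl -band 0x2) { "  WARNING: $($o.sAMAccountName) is disabled" }
}

# 4. Is the SPN on the account we expect?
if ($live.Count -eq 1 -and $live[0].sAMAccountName -ne $ExpectedAccount) {
    "  WARNING: SPN is held by $($live[0].sAMAccountName), expected $ExpectedAccount"
}

# 5. Domain-wide duplicate-SPN sweep, independent of the LDAP query above.
setspn -X

# Remediation, left as commands to copy rather than run automatically:
#   setspn -D HTTP/my.server.com OLD-ACCOUNT   # remove the mapping from the stale holder
#   setspn -S HTTP/my.server.com svc-cas       # -S refuses to create a duplicate
# Then retest from the Linux side as Dean suggests: kinit HTTP/my.server.com should
# prompt for a password instead of reporting "Client not found in Kerberos database".
```

The LDAP lookup matches the SPN as stored in AD, without the @REALM suffix, and servicePrincipalName matching is case-insensitive, so HTTP/my.server.com and http/my.server.com collide. Run it once for the short hostname and once for the FQDN if both are registered.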
