Brian,

Two things:

- I've had better luck getting SPNEGO working with a fully-qualified domain
name (i.e. "dublin.your.domain" instead of "dublin")
- are you sure you have the log4j setting turned to DEBUG for the
org.jasig.cas.support.spnego package?  I think if that handler is registered
and being called on login, you'd be getting more logging from the negotiate
action (and you might want to double-check your login-webflow.xml and
deployerConfigContext.xml against the user manual) -- the HTTP exchange you
posted before looks right, but I'm surprised you're not getting more info in
the log from those classes.

As for that "may override" message, J2EE servers are pretty varied in
their configuration steps for login config...  note how there are specific
instructions for getting JBoss to work -- GlassFish might have its own
unique steps here that no one has noted in the manual.  Your best bet is to
search their docs for Krb5LoginModule or Kerberos or the like.

- Bill

On Fri, May 28, 2010 at 7:44 PM, Brian Shacklett
<[email protected]> wrote:

>  I finally got a chance to collect the logging you requested.
>
> I think my problem might have something to do with this line:
>
> 2010-05-28 16:39:09,385 WARN
> [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] -
> found login config in system property, may overide :
> c:\glassfishv3\glassfish\domains\domain1\applications\cas-server-webapp-3.3.5\WEB-INF\login.conf
>
> I don't understand what it means by system property.
>
>
> Here is the rest of the output:
>
> org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler
> is only to be used in a testing environment.  NEVER enable this in a
> production environment.
> 2010-05-28 16:39:08,964 INFO
> [org.jasig.cas.util.AutowiringSchedulerFactoryBean] - Starting Quartz
> Scheduler now
> 2010-05-28 16:39:09,385 WARN
> [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] -
> found login config in system property, may overide :
> c:\glassfishv3\glassfish\domains\domain1\applications\cas-server-webapp-3.3.5\WEB-INF\login.conf
> 2010-05-28 16:39:11,023 INFO
> [org.jasig.cas.web.flow.AuthenticationViaFormAction] - FormObjectClass not
> set.  Using default class of
> org.jasig.cas.authentication.principal.UsernamePasswordCredentials with
> formObjectName credentials and validator
> org.jasig.cas.validation.UsernamePasswordCredentialsValidator.
> 2010-05-28 16:39:22,895 INFO
> [org.jasig.cas.web.flow.AuthenticationViaFormAction] - FormObjectClass not
> set.  Using default class of
> org.jasig.cas.authentication.principal.UsernamePasswordCredentials with
> formObjectName credentials and validator
> org.jasig.cas.validation.UsernamePasswordCredentialsValidator.
> 2010-05-28 16:39:23,254 DEBUG
> [org.jasig.cas.web.flow.InitialFlowSetupAction] - Action
> 'InitialFlowSetupAction' beginning execution
> 2010-05-28 16:39:23,254 INFO
> [org.jasig.cas.web.flow.InitialFlowSetupAction] - Setting path for cookies
> to: /cas
> 2010-05-28 16:39:23,269 DEBUG
> [org.jasig.cas.web.flow.InitialFlowSetupAction] - Action
> 'InitialFlowSetupAction' completed execution; result is 'success'
> 2010-05-28 16:39:23,301 DEBUG
> [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action
> 'AuthenticationViaFormAction' beginning execution
> 2010-05-28 16:39:23,301 DEBUG
> [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Executing setupForm
> 2010-05-28 16:39:23,301 DEBUG
> [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new form
> object with name 'credentials'
> 2010-05-28 16:39:23,301 DEBUG
> [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new instance
> of form object class [class
> org.jasig.cas.authentication.principal.UsernamePasswordCredentials]
> 2010-05-28 16:39:23,301 DEBUG
> [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form object
> of type [class
> org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope
> Flow with name 'credentials'
> 2010-05-28 16:39:23,301 DEBUG
> [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new form
> errors for object with name 'credentials'
> 2010-05-28 16:39:23,316 DEBUG
> [org.jasig.cas.web.flow.AuthenticationViaFormAction] - No property editor
> registrar set, no custom editors to register
> 2010-05-28 16:39:23,332 DEBUG
> [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form errors
> instance in scope Flash
> 2010-05-28 16:39:23,332 DEBUG
> [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action
> 'AuthenticationViaFormAction' completed execution; result is 'success'
> 2010-05-28 16:39:23,332 DEBUG
> [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action
> 'AuthenticationViaFormAction' beginning execution
> 2010-05-28 16:39:23,332 DEBUG
> [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action
> 'AuthenticationViaFormAction' completed execution; result is 'success'
> 2010-05-28 16:39:25,906 INFO
> [org.jasig.cas.web.flow.AuthenticationViaFormAction] - FormObjectClass not
> set.  Using default class of
> org.jasig.cas.authentication.principal.UsernamePasswordCredentials with
> formObjectName credentials and validator
> org.jasig.cas.validation.UsernamePasswordCredentialsValidator.
> 2010-05-28 16:39:25,921 DEBUG
> [org.jasig.cas.web.flow.InitialFlowSetupAction] - Action
> 'InitialFlowSetupAction' beginning execution
> 2010-05-28 16:39:25,921 INFO
> [org.jasig.cas.web.flow.InitialFlowSetupAction] - Setting path for cookies
> to: /cas
> 2010-05-28 16:39:25,921 DEBUG
> [org.jasig.cas.web.flow.InitialFlowSetupAction] - Action
> 'InitialFlowSetupAction' completed execution; result is 'success'
> 2010-05-28 16:39:26,046 DEBUG
> [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action
> 'AuthenticationViaFormAction' beginning execution
> 2010-05-28 16:39:26,046 DEBUG
> [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Executing setupForm
> 2010-05-28 16:39:26,046 DEBUG
> [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new form
> object with name 'credentials'
> 2010-05-28 16:39:26,046 DEBUG
> [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new instance
> of form object class [class
> org.jasig.cas.authentication.principal.UsernamePasswordCredentials]
> 2010-05-28 16:39:26,062 DEBUG
> [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form object
> of type [class
> org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope
> Flow with name 'credentials'
> 2010-05-28 16:39:26,062 DEBUG
> [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new form
> errors for object with name 'credentials'
> 2010-05-28 16:39:26,062 DEBUG
> [org.jasig.cas.web.flow.AuthenticationViaFormAction] - No property editor
> registrar set, no custom editors to register
> 2010-05-28 16:39:26,062 DEBUG
> [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form errors
> instance in scope Flash
> 2010-05-28 16:39:26,062 DEBUG
> [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action
> 'AuthenticationViaFormAction' completed execution; result is 'success'
> 2010-05-28 16:39:26,062 DEBUG
> [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action
> 'AuthenticationViaFormAction' beginning execution
> 2010-05-28 16:39:26,062 DEBUG
> [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action
> 'AuthenticationViaFormAction' completed execution; result is 'success'
> 2010-05-28 16:39:28,386 INFO
> [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
> Starting cleaning of expired tickets from ticket registry at [Fri May 28
> 16:39:28 PDT 2010]
> 2010-05-28 16:39:28,386 INFO
> [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - 0
> found to be removed.  Removing now.
> 2010-05-28 16:39:28,386 INFO
> [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
> Finished cleaning of expired tickets from ticket registry at [Fri May 28
> 16:39:28 PDT 2010]
> 2010-05-28 16:40:23,095 INFO
> [org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading registered
> services.
> 2010-05-28 16:40:23,095 INFO
> [org.jasig.cas.services.DefaultServicesManagerImpl] - Loaded 0 services.
> 2010-05-28 16:41:08,460 INFO
> [org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading registered
> services.
> 2010-05-28 16:41:08,460 INFO
> [org.jasig.cas.services.DefaultServicesManagerImpl] - Loaded 0 services.
>
>
>
>
> On 5/15/10 6:19 AM, William Markmann wrote:
>
> Brian,
>
>  It would be helpful to see what's actually happening on the CAS webapp
> side.  In particular, the logging from
> the org/jasig/cas/support/spnego/web/flow/* classes can be helpful to see
> what's going on.  Have you changed the CAS webapp's log4j.properties so
> you're getting DEBUG output from those classes?
>
>  - Bill
>
> On Sat, May 15, 2010 at 12:53 AM, Brian Shacklett <
> [email protected]> wrote:
>
>> I'm currently running CAS 3.3.5 and attempting to get SPNEGO
>> authentication working. I'm planning to use CAS as an intermediary between
>> JAMWiki and Active directory.
>>
>> I've gone through the guide at
>> http://www.ja-sig.org/wiki/display/CASUM/SPNEGO and it appears that CAS
>> is attempting to perform a kerberos login for me, but I eventually get
>> thrown back to the forms-based login screen.
>>
>> I've been following the cas.log file, but it doesn't seem to have anything
>> interesting in it. Glassfish's server.log and jvm.log files don't have
>> anything of interest either.
>>
>>
>> Here is my partially sanitised jcifsConfig. I'm a bit unsure about the
>> loginConf directive:
>>
>> <bean name="jcifsConfig"
>> class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
>> <property name="jcifsServicePrincipal"
>> value="HTTP/[email protected]" />
>> <property name="jcifsServicePassword" value="password" />
>> <property name="kerberosDebug" value="true" />
>> <property name="kerberosRealm" value="KERBEROS.REALM" />
>> <property name="kerberosKdc" value="192.168.1.25" />
>> <property name="loginConf"
>> value="c:\glassfishv3\glassfish\domains\domain1\applications\cas-server-webapp-3.3.5\WEB-INF\login.conf"
>> />
>> </bean>
>>
>>
>>
>> Here are the relevant headers captured from a login attempt:
>>
>> http://dublin:8080/cas/login
>>
>> GET /cas/login HTTP/1.1
>> Host: dublin:8080
>> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US;
>> rv:1.9.2.4) Gecko/20100503 Firefox/3.6.4 AutoPager/0.6.0.28 AutoPager/
>> 0.6.0.28
>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> Accept-Language: en-us,en;q=0.5
>> Accept-Encoding: gzip,deflate
>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>> Keep-Alive: 115
>> Connection: keep-alive
>> X-AutoPager: 0.6.0.28
>> Cookie: JSESSIONID=a39183b8d223cff15fd6e5b099fa;
>> treeForm:tree-hi=treeForm:tree:applications;
>> JSESSIONID=a07370534c602d94f15d3c49e883
>> Cache-Control: max-age=0
>>
>> HTTP/1.1 401 Unauthorized
>> X-Powered-By: JSP/2.1
>> Server: GlassFish v3
>> Pragma: no-cache
>> Expires: Thu, 01 Jan 1970 00:00:00 GMT
>> Cache-Control: no-cache, no-store
>> WWW-Authenticate: Negotiate
>> Set-Cookie: JSESSIONID=a451bfdb7fa1827c6c85fba528a4; Path=/cas
>> Content-Type: text/html;charset=UTF-8
>> Content-Language: en-US
>> Transfer-Encoding: chunked
>> Date: Sat, 15 May 2010 04:42:20 GMT
>> ----------------------------------------------------------
>> http://dublin:8080/cas/login
>>
>> GET /cas/login HTTP/1.1
>> Host: dublin:8080
>> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US;
>> rv:1.9.2.4) Gecko/20100503 Firefox/3.6.4 AutoPager/0.6.0.28 AutoPager/
>> 0.6.0.28 AutoPager/0.6.0.28
>> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>> Accept-Language: en-us,en;q=0.5
>> Accept-Encoding: gzip,deflate
>> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>> Keep-Alive: 115
>> Connection: keep-alive
>> X-AutoPager: 0.6.0.28
>> Cookie: JSESSIONID=a451bfdb7fa1827c6c85fba528a4;
>> treeForm:tree-hi=treeForm:tree:applications;
>> JSESSIONID=a07370534c602d94f15d3c49e883
>> Cache-Control: max-age=0, max-age=0
>> Authorization: Negotiate
>> [BIG LONG KEY HERE]
>>
>> HTTP/1.1 401 Unauthorized
>> X-Powered-By: JSP/2.1
>> Server: GlassFish v3
>> Pragma: no-cache
>> Expires: Thu, 01 Jan 1970 00:00:00 GMT
>> Cache-Control: no-cache, no-store
>> Content-Type: text/html;charset=UTF-8
>> Content-Language: en-US
>> Transfer-Encoding: chunked
>> Date: Sat, 15 May 2010 04:42:20 GMT
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>
>
>
>
> --
> Bill Markmann
>
> Counterpoint Consulting, Inc.
> (p) 571-338-2455
> (f) 202-403-3425
> (e) [email protected]
> (w) http://www.counterpointconsulting.com/
>
>
>


-- 
Bill Markmann

Counterpoint Consulting, Inc.
(p) 571-338-2455
(f) 202-403-3425
(e) [email protected]
(w) http://www.counterpointconsulting.com/
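
To see which mechanism a browser actually placed in an `Authorization: Negotiate` header like the one in the quoted exchange, the token can be decoded offline. This is an added example, not part of the original thread or of CAS; the function names and the constructed sample tokens are assumptions for illustration.

```python
import base64

# DER content bytes of the mechanism OIDs involved
OID_SPNEGO = bytes.fromhex("2b0601050502")               # 1.3.6.1.5.5.2
OID_KERBEROS = {bytes.fromhex("2a864886f712010202"),     # 1.2.840.113554.1.2.2
                bytes.fromhex("2a864882f712010202")}     # 1.2.840.48018.1.2.2 (Microsoft variant)
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")      # 1.3.6.1.4.1.311.2.2.10

def read_tlv(buf):
    """Return (tag, value, rest) for the DER element at the start of buf."""
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:                    # long form: low 7 bits count the length bytes
        pos += length & 0x7F
        length = int.from_bytes(buf[2:pos], "big")
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], buf[pos + length:]

def classify_negotiate(header_value):
    """Name the mechanism offered in an 'Authorization: Negotiate <base64>' value."""
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "negotiate":
        return "no-token"
    try:
        token = base64.b64decode("".join(parts[1].split()), validate=True)
        if token.startswith(b"NTLMSSP\x00"):
            return "raw-ntlm"            # NTLM message with no GSS-API wrapper
        tag, body, _ = read_tlv(token)   # [APPLICATION 0] InitialContextToken
        oid_tag, mech, value = read_tlv(body)
        if tag != 0x60 or oid_tag != 0x06:
            return "unknown"
        if mech != OID_SPNEGO:
            return "raw-kerberos" if mech in OID_KERBEROS else "unknown"
        for _ in range(5):  # [0] NegTokenInit > SEQUENCE > [0] mechTypes > SEQUENCE > first OID
            _, value, _ = read_tlv(value)
    except (IndexError, ValueError):
        return "malformed"
    if value in OID_KERBEROS:
        return "spnego-kerberos"
    return "spnego-ntlm" if value == OID_NTLMSSP else "spnego-other"

def der(tag, value):  # short-form DER encoder, used only for the constructed sample
    return bytes([tag, len(value)]) + value

def sample_spnego(first_mech):
    """Constructed NegTokenInit listing one mechanism plus a dummy mechToken."""
    mech_types = der(0xA0, der(0x30, der(0x06, first_mech)))
    init = der(0xA0, der(0x30, mech_types + der(0xA2, der(0x04, b"dummy"))))
    return "Negotiate " + base64.b64encode(der(0x60, der(0x06, OID_SPNEGO) + init)).decode()
```

A result of `raw-ntlm` or `spnego-ntlm` means the client offered NTLM rather than a Kerberos ticket for the service principal.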
