A couple things to check first: - which application server are you using? - are you using a fully qualified domain name for the SPN (HTTP/ [email protected]), and accessing the server using that same fully-qualified domain? - when you test Kerberos authentication config using kinit, try it with "-t /path/to/my.keytab" option; you shouldn't have to enter a password to authenticate
...basically, you're getting an NTLM token from the browser instead of a Kerberos token; I've seen several different things which cause this (it usually takes a bit of tweaking, and then it just magically works). Cheers, - Bill On Fri, Jun 4, 2010 at 3:31 PM, German <[email protected]> wrote: > Hi: > > We are trying to setup CAS 3.4.2 with spnego, we did all the configurations > as in the example, and changed the actions in the login-webflow.xml to > reflect webflow 2.0, we can't get browsers to authenticate, this is the > relevant log section > : > > 2010-06-04 14:12:01,976 DEBUG > [org.jasig.cas.web.support.SamlArgumentExtractor] - Extractor did not > generate service. > 2010-06-04 14:12:02,000 DEBUG > [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - > Authorization header not found. Sending WWW-Authenticate header > 2010-06-04 14:12:02,277 DEBUG > [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor did not > generate service. > 2010-06-04 14:12:02,277 DEBUG > [org.jasig.cas.web.support.SamlArgumentExtractor] - Extractor did not > generate service. > 2010-06-04 14:12:09,805 DEBUG > [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor did not > generate service. > 2010-06-04 14:12:09,806 DEBUG > [org.jasig.cas.web.support.SamlArgumentExtractor] - Extractor did not > generate service. > 2010-06-04 14:12:09,808 DEBUG > [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - SPNEGO > Authorization header found with 56 bytes > 2010-06-04 14:12:09,809 DEBUG > [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Obtained > token: NTLMSSP�( > > 2010-06-04 14:12:09,896 DEBUG > [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Unable to > obtain the output token required. > 2010-06-04 14:12:09,897 DEBUG > [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Setting > HTTP Status to 401 > 2010-06-04 14:12:09,905 DEBUG > [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor did not > generate service. > 2010-06-04 14:12:09,905 DEBUG > [org.jasig.cas.web.support.SamlArgumentExtractor] - Extractor did not > generate service. > 2010-06-04 14:13:43,053 INFO > [org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading registered > services. > 2010-06-04 14:13:43,054 INFO > [org.jasig.cas.services.DefaultServicesManagerImpl] - Loaded 0 services. > > All we get is the "Unable to obtain the output token required." message. We > tried with both the keytab parameters in login.conf and the password in the > deploy file. We know the credentials and keytab are good as we do the klist > -k, kinit and klist and everything works fine. Any ideas? please advise. > > > > -- > You are currently subscribed to [email protected] as: > [email protected] > To unsubscribe, change settings or access archives, see > http://www.ja-sig.org/wiki/display/JSG/cas-user > -- Bill Markmann Counterpoint Consulting, Inc. (p) 571-338-2455 (f) 202-403-3425 (e) [email protected] (w) http://www.counterpointconsulting.com/ -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
