Hello,

I have to admit that with all of the reports of how easy this was to set 
up for all of you, I am surprised that I am having the opposite 
experience: too many files, too many components, too many players 
(Kerberos, SSL required between CAS client and CAS server, LDAP, Java, 
Tomcat/JBoss, SPNEGO, AD, etc.).

I suppose the biggest frustration is that even with everything set to 
debug, I don't really see any specific errors except for maybe this one:

    2010-10-05 00:47:46,518 DEBUG 
    [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] 
    - Authorization header not found. Sending WWW-Authenticate header

I do have LDAP auth working, but ...

I don't have SPNEGO working. I've tested it with both Firefox and IE. I 
try connecting to a simple web page set up with mod_auth_cas, which 
redirects to CAS to get a ticket, which I can get with LDAP auth. But 
with SPNEGO, it seems that the Windows credentials from my current login 
(yes, same AD) don't get passed to the site and I still get redirected 
to the CAS server, which will then not authenticate me:

    The credentials you provided are not supported by CAS

With a tcpdump, I don't see the simple web page ask the CAS server to 
validate the ticket being presented to it by the browser - I guess that 
means that it isn't getting any such credentials from the browser, which 
causes it to redirect to the CAS login page.

Note that I took out the LDAP auth from deployerConfigContext.xml to 
make sure that only SPNEGO would be used.

I set up everything as the SPNEGO page says to.

I suspect that my problem is with one of the following:

1) <property name="loginConf" value="/WEB-INF/login.conf" />

     Does this have to be more explicit, like a full real path?

2) Kerberos

     The keys that my AD admin generated are:

         HTTP/<fqdn unix hostname>@<AD Domain>

       as opposed to

         HTTP/<fqdn unix hostname>@ <kerberos realm>

     Will this not work?

3) I saw a post in which someone came to the conclusion that the "user 
account can't be used for both SPN and binding the LDAP server"

     The format isn't the same (the kerberos user is a user@<kerberos 
realm>, LDAP auth user is in DN format), but the user they both 
reference is the same one.

     Am I misunderstanding something?

I figure I am getting very close to making this work. 
deployerConfigContext.xml is posted below.

Thanks for any help!

Brian

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <bean id="authenticationManager"
        class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    <property name="credentialsToPrincipalResolvers">
      <list>
        <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
        <bean class="org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver" />
        <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
      </list>
    </property>
    <property name="authenticationHandlers">
      <list>
        <bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler">
          <property name="authentication">
            <bean class="jcifs.spnego.Authentication" />
          </property>
          <property name="principalWithDomainName" value="false" />
          <property name="NTLMallowed" value="true" />
        </bean>
        <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
          <property name="httpClient" ref="httpClient" />
        </bean>
      </list>
    </property>
  </bean>

  <sec:user-service id="userDetailsService">
    <sec:user name="battags" password="notused" authorities="ROLE_ADMIN" />
  </sec:user-service>

  <bean id="attributeRepository"
        class="org.jasig.services.persondir.support.StubPersonAttributeDao">
    <property name="backingMap">
      <map>
        <entry key="uid" value="uid" />
        <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
        <entry key="groupMembership" value="groupMembership" />
      </map>
    </property>
  </bean>

  <bean id="serviceRegistryDao"
        class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />

  <bean name="jcifsConfig"
        class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
    <property name="jcifsServicePrincipal" value="[email protected]" />
    <property name="jcifsServicePassword" value="xxxxx" />
    <property name="kerberosDebug" value="true" />
    <property name="kerberosRealm" value="my.domain.tld" />
    <property name="kerberosKdc" value="ad-server.my.domain.tld" />
    <property name="loginConf" value="/WEB-INF/login.conf" />
  </bean>

</beans>



-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

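The debug line quoted in the mail ("Authorization header not found. Sending WWW-Authenticate header") and the NTLMallowed property both hinge on one question: what, if anything, does the browser put in its Authorization header, and is it a Kerberos token or an NTLM fallback? The script below is an added example, not code from this mail, from CAS or from JCIFS. It decodes a Negotiate header, walks the SPNEGO NegTokenInit DER structure to list the mechanisms the browser offers, and maps the result to the CAS-side symptom. The OID constants are the standard GSS-API mechanism identifiers; the sample header values are constructed in `sample_headers()` and are not captured traffic; the `triage()` wording is an interpretation, not CAS output.

```python
import base64
import binascii

# DER-encoded GSS-API mechanism OIDs (tag 0x06, length, value); standard values
SPNEGO_OID  = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID    = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
NTLM_OID    = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10

def _der(tag, content):
    """Wrap content in a DER TLV with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def _read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first >= 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _spnego_mech_types(neg_token):
    """Pull the mechTypes OID list out of a NegTokenInit ([0] SEQUENCE {...})."""
    tag, seq, _ = _read_tlv(neg_token, 0)
    if tag != 0xA0:
        return []
    tag, fields, _ = _read_tlv(seq, 0)
    if tag != 0x30:
        return []
    pos = 0
    while pos < len(fields):
        tag, val, pos = _read_tlv(fields, pos)
        if tag == 0xA0:                            # [0] mechTypes: SEQUENCE OF OID
            _, oids, _ = _read_tlv(val, 0)
            out, p = [], 0
            while p < len(oids):
                otag, oval, p = _read_tlv(oids, p)
                if otag == 0x06:
                    out.append(_der(0x06, oval))
            return out
    return []

def classify_authorization(header):
    """Describe what kind of token, if any, an Authorization header carries."""
    if header is None:
        return {"state": "no-authorization-header"}
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"state": "other-scheme", "scheme": scheme}
    try:
        raw = base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return {"state": "undecodable-token"}
    if raw.startswith(b"NTLMSSP\x00"):             # bare NTLM without GSS framing
        return {"state": "raw-ntlm", "offers_kerberos": False, "offers_ntlm": True}
    if not raw or raw[0] != 0x60:                 # not a GSS InitialContextToken
        return {"state": "unknown-token"}
    _, body, _ = _read_tlv(raw, 0)
    if body.startswith(KRB5_OID) or body.startswith(MS_KRB5_OID):
        return {"state": "kerberos-ap-req", "offers_kerberos": True, "offers_ntlm": False}
    if body.startswith(SPNEGO_OID):
        mechs = _spnego_mech_types(body[len(SPNEGO_OID):])
        return {"state": "spnego", "mech_count": len(mechs),
                "offers_kerberos": KRB5_OID in mechs or MS_KRB5_OID in mechs,
                "offers_ntlm": NTLM_OID in mechs}
    return {"state": "unknown-gss-mechanism"}

def triage(header, ntlm_allowed):
    """Relate the classification to the CAS-side symptom (interpretation, not CAS output)."""
    r = classify_authorization(header)
    if r["state"] == "no-authorization-header":
        return "challenge: CAS logs 'Authorization header not found' and answers with WWW-Authenticate: Negotiate; the browser never attempted SPNEGO for this host"
    if r.get("offers_ntlm") and not r.get("offers_kerberos"):
        return "ntlm-fallback: no Kerberos service ticket for the HTTP/ SPN was offered; " + ("NTLMallowed=true accepts it" if ntlm_allowed else "NTLMallowed=false rejects it")
    if r.get("offers_kerberos"):
        return "kerberos: a Kerberos token arrived; any remaining failure is on the CAS keytab/login.conf side"
    return "unsupported: " + r["state"]

def build_spnego_token(mech_oids, mech_token):
    """Constructed NegTokenInit for testing; mech_token is an opaque placeholder."""
    mech_types = _der(0xA0, _der(0x30, b"".join(mech_oids)))
    token = _der(0xA2, _der(0x04, mech_token))
    return _der(0x60, SPNEGO_OID + _der(0xA0, _der(0x30, mech_types + token)))

def sample_headers():
    # Constructed Authorization header values, not captured traffic
    def neg(tok):
        return "Negotiate " + base64.b64encode(tok).decode()
    return {
        "kerberos_first": neg(build_spnego_token([KRB5_OID, MS_KRB5_OID, NTLM_OID], b"PLACEHOLDER-AP-REQ")),
        "ntlm_only": neg(build_spnego_token([NTLM_OID], b"NTLMSSP\x00\x01\x00\x00\x00")),
        "raw_ntlm": neg(b"NTLMSSP\x00\x01\x00\x00\x00"),
    }
```

Feed `classify_authorization()` the Authorization value from a tcpdump or browser capture of the request to the CAS login URL. A `None` result is exactly the "Authorization header not found" case from the log: the browser is not attempting Negotiate for that host at all, so the CAS-side keytab, realm and login.conf settings are not yet in play. A token whose mechTypes list contains only the NTLM OID means the client had no Kerberos service ticket for the HTTP/ SPN, which is the case the NTLMallowed property decides.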