Interesting problem you are having.  And I do happen to agree with  you.  
Getting SPNEGO working was a pain.  Too many moving parts.

Have you independently verified that Kerberos is working for the SPN?  i.e. 
using Kinit?

I am currently in a training class until the end of the week and I don't have 
access to our AD servers and CAS servers to check my config....having more fun 
with Oracle than any one person should...

I will tell you this.  Any problems I had seemed to stem from the AD user that 
I bind as.  I do remember that the names were what caused the problem.  I would 
look at your bind user, where you said it's set as AD Domain instead of Kerberos 
Realm.  Try to verify that the bind user, i.e. HTTP/f...@realm, is working 
using kinit.

________________________________
From: Brian C. Hill [[email protected]]
Sent: Monday, October 04, 2010 6:41 PM
To: [email protected]
Subject: [cas-user] SPNEGO help

Hello,

I have to admit that with all of the reports of how easy this was to set up for 
all of you, I am surprised that I am having the opposite experience: too many 
files, too many components, too many players (kerberos, SSL required between 
CAS client and CAS server, ldap, java, tomcat/jboss, spnego, AD, etc..).

I suppose the biggest frustration is that even with everything set to debug, I 
don't really see any specific errors except for maybe this one:

    2010-10-05 00:47:46,518 DEBUG 
[org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - 
Authorization header not found. Sending WWW-Authenticate header

I do have LDAP auth working, but ...

I don't have SPNEGO working. I've tested it with both Firefox and I.E. I try 
connecting to a simple web page set up with mod_auth_cas, which redirects to 
CAS to get a ticket, which I can get with LDAP auth. But with SPNEGO, it seems 
that the windows credentials from my current login (yes, same AD) don't get 
passed to the site and I still get redirected to the CAS server, which will 
then not authenticate me:

    The credentials you provided are not supported by CAS

With a tcpdump, I don't see the simple web page ask the cas server to validate 
the ticket being presented to it by the browser - I guess that means that it 
isn't getting any such credentials from the browser, which causes it to 
redirect to the cas login page.

Note that I took out the LDAP auth from deployerConfigContext.xml to make sure 
that only SPNEGO would be used.

I set up everything as the SPNEGO page says to.

I suspect that my problem is with one of the following:

1)  <property name="loginConf" value="/WEB-INF/login.conf" />

    Does this have to be more explicit, like a full real path?

2) Kerberos

    The keys that my AD admin generated are:

        HTTP/<fqdn unix hostname>@<AD Domain>

      as opposed to

        HTTP/<fqdn unix hostname>@<kerberos realm>

    Will this not work?

3) I saw a post in which someone came to the conclusion that the "user account 
can't be used for both SPN and binding the LDAP server"

    The format isn't the same (the kerberos user is a user@<kerberos realm>, 
LDAP auth user is in DN format), but the user they both reference is the same 
one.

    Am I misunderstanding something?

I figure I am getting very close to making this work; deployerConfigContext.xml 
is posted below.

Thanks for any help!

Brian

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
       http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
       http://www.springframework.org/schema/security
       http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <bean id="authenticationManager"
          class="org.jasig.cas.authentication.AuthenticationManagerImpl">
        <property name="credentialsToPrincipalResolvers">
            <list>
                <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
                <bean class="org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver" />
                <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
            </list>
        </property>
        <property name="authenticationHandlers">
            <list>
                <bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler">
                    <property name="authentication">
                        <bean class="jcifs.spnego.Authentication" />
                    </property>
                    <property name="principalWithDomainName" value="false" />
                    <property name="NTLMallowed" value="true" />
                </bean>
                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
                    <property name="httpClient" ref="httpClient" />
                </bean>
            </list>
        </property>
    </bean>

    <sec:user-service id="userDetailsService">
        <sec:user name="battags" password="notused" authorities="ROLE_ADMIN" />
    </sec:user-service>

    <bean id="attributeRepository"
          class="org.jasig.services.persondir.support.StubPersonAttributeDao">
        <property name="backingMap">
            <map>
                <entry key="uid" value="uid" />
                <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
                <entry key="groupMembership" value="groupMembership" />
            </map>
        </property>
    </bean>

    <bean id="serviceRegistryDao"
          class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />

    <bean name="jcifsConfig"
          class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
        <property name="jcifsServicePrincipal" value="[email protected]" />
        <property name="jcifsServicePassword" value="xxxxx" />
        <property name="kerberosDebug" value="true" />
        <property name="kerberosRealm" value="my.domain.tld" />
        <property name="kerberosKdc" value="ad-server.my.domain.tld" />
        <property name="loginConf" value="/WEB-INF/login.conf" />
    </bean>

</beans>



--
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
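One way to narrow down the symptoms in the thread above (the "Authorization header not found" DEBUG line, the NTLMallowed setting, and the SPN/realm question), as an added example that is not from the original thread or the CAS project: a small Python classifier for the Authorization header the browser sends back after CAS answers WWW-Authenticate: Negotiate, which tells apart the expected first leg, a Kerberos/SPNEGO token, and an NTLM fallback. The sample headers are constructed, and the names NTLMSSP_SIGNATURE, MECH_OIDS, negotiate_header, gss_mechanism and classify_authorization are this example's own.

```python
import base64
# NTLMSSP messages start with "NTLMSSP\0"; a GSS-API InitialContextToken
# (RFC 2743 s3.1) starts with DER tag 0x60, a length, then the mechanism OID.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
MECH_OIDS = {SPNEGO_OID: "spnego", KRB5_OID: "kerberos"}
def negotiate_header(token):      # what a browser sends: "Negotiate " + base64
    return "Negotiate " + base64.b64encode(token).decode()
def gss_mechanism(raw):
    """Return the mechanism name of a GSS-API InitialContextToken, else None."""
    if len(raw) < 2 or raw[0] != 0x60:
        return None
    offset = 2
    if raw[1] & 0x80:                      # long-form DER length: 0x8n + n bytes
        offset += raw[1] & 0x7F
    for der_oid, name in MECH_OIDS.items():
        if raw[offset:].startswith(der_oid):
            return name
    return None
def classify_authorization(header_value):
    """Classify the browser's Authorization header.

    "none": first leg (CAS logs "Authorization header not found"); a problem
    only if no second request with a header follows. "negotiate-ntlm": the
    browser fell back to NTLM, usually because it got no Kerberos ticket for
    HTTP/<fqdn> (unregistered SPN, realm mismatch, clock skew); CAS accepts
    it only with NTLMallowed="true".
    """
    if not header_value or not header_value.strip():
        return "none"
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "other:" + scheme.lower()
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return "unknown"
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "negotiate-ntlm"
    mech = gss_mechanism(raw)
    return "negotiate-" + mech if mech else "unknown"

# Constructed sample headers, not captured from the original poster's setup.
SAMPLE_HEADERS = {
    "first_leg": None,
    "ntlm_fallback": negotiate_header(NTLMSSP_SIGNATURE + b"\x01" + b"\x00" * 31),
    "kerberos_in_spnego": negotiate_header(b"\x60\x0a" + SPNEGO_OID + b"\xa0\x00"),
}
```

A token wrapped in a SPNEGO NegTokenInit is reported as "negotiate-spnego" whatever mechanism it carries inside; reading the inner mechTypes list is left out here.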
