Hi Brian -- agreed, this can be a little finicky to get working, and it's not clear when it's not working what the problem is. That said, I've set it up in a few different environments now, and have eventually always gotten it working. So, persistence pays off.
You mentioned "tomcat/jboss" -- if you're using JBoss, it seems to ignore the "loginConf" value set in deployerConfigContext.xml... see the note at the bottom of https://wiki.jasig.org/display/CASUM/SPNEGO called "Changed for JBoss". Second, there is usually a second client-server interaction after the log statement you mentioned ("Authorization header not found. Sending WWW-Authenticate header"); look a bit below that in the log and see if that same class outputs any logging about obtaining a "token". Third, I have to agree with Dean that the problem usually lies with the AD principal configuration... make sure that you can do something like the following:

kinit -V -k -t myspnaccount.keytab HTTP/[email protected]

...if you're not using a keytab, leave off the "-k -t myspnaccount.keytab" option and provide a password when prompted. If you can authenticate successfully, then your AD side is probably OK and you'll need to fiddle with the CAS / app server config.

- Bill

On Mon, Oct 4, 2010 at 9:41 PM, Brian C. Hill <[email protected]> wrote:
> Hello,
>
> I have to admit that with all of the reports of how easy this was to set up
> for all of you, I am surprised that I am having the opposite experience: too
> many files, too many components, too many players (kerberos, SSL required
> between CAS client and CAS server, ldap, java, tomcat/jboss, spnego, AD,
> etc..).
>
> I suppose the biggest frustration is that even with everything set to
> debug, I don't really see any specific errors except for maybe this one:
>
> 2010-10-05 00:47:46,518 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - Authorization header not found. Sending WWW-Authenticate header
>
> I do have LDAP auth working, but ...
>
> I don't have SPNEGO working. I've tested it with both Firefox and I.E. I
> try connecting to a simple web page set up with mod_auth_cas, which
> redirects to CAS to get a ticket, which I can get with LDAP auth.
> But with SPNEGO, it seems that the windows credentials from my current login (yes,
> same AD) don't get passed to the site and I still get redirected to the CAS
> server, which will then not authenticate me:
>
> The credentials you provided are not supported by CAS
>
> With a tcpdump, I don't see the simple web page ask the cas server to
> validate the ticket being presented to it by the browser - I guess that
> means that it isn't getting any such credentials from the browser, which
> causes it to redirect to the cas login page.
>
> Note that I took out the LDAP auth from deployerConfigContext.xml to make
> sure that only SPNEGO would be used.
>
> I set up everything as the SPNEGO page says to.
>
> I suspect that my problem is with one of the following:
>
> 1) <property name="loginConf" value="/WEB-INF/login.conf" />
>
> Does this have to be more explicit, like a full real path?
>
> 2) Kerberos
>
> The keys that my AD admin generated are:
>
> HTTP/<fqdn unix hostname>@<AD Domain>
>
> as opposed to
>
> HTTP/<fqdn unix hostname>@<kerberos realm>
>
> Will this not work?
>
> 3) I saw a post in which someone came to the conclusion that the "user
> account can't be used for both SPN and binding the LDAP server"
>
> The format isn't the same (the kerberos user is a user@<kerberos
> realm>, LDAP auth user is in DN format), but the user they both reference is
> the same one.
>
> Am I misunderstanding something?
>
> I figure I am getting very close to making this work.
> deployerConfigContext.xml is posted below.
>
> Thanks for any help!
>
> Brian
>
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> <?xml version="1.0" encoding="UTF-8"?>
> <beans xmlns="http://www.springframework.org/schema/beans"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xmlns:p="http://www.springframework.org/schema/p"
>        xmlns:sec="http://www.springframework.org/schema/security"
>        xsi:schemaLocation="http://www.springframework.org/schema/beans
>                            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
>                            http://www.springframework.org/schema/security
>                            http://www.springframework.org/schema/security/spring-security-3.0.xsd">
>
>   <bean id="authenticationManager"
>         class="org.jasig.cas.authentication.AuthenticationManagerImpl">
>     <property name="credentialsToPrincipalResolvers">
>       <list>
>         <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>         <bean class="org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver" />
>         <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
>       </list>
>     </property>
>     <property name="authenticationHandlers">
>       <list>
>         <bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler">
>           <property name="authentication">
>             <bean class="jcifs.spnego.Authentication" />
>           </property>
>           <property name="principalWithDomainName" value="false" />
>           <property name="NTLMallowed" value="true" />
>         </bean>
>         <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
>           <property name="httpClient" ref="httpClient" />
>         </bean>
>       </list>
>     </property>
>   </bean>
>
>   <sec:user-service id="userDetailsService">
>     <sec:user name="battags" password="notused" authorities="ROLE_ADMIN" />
>   </sec:user-service>
>
>   <bean id="attributeRepository"
>         class="org.jasig.services.persondir.support.StubPersonAttributeDao">
>     <property name="backingMap">
>       <map>
>         <entry key="uid" value="uid" />
>         <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
>         <entry key="groupMembership" value="groupMembership" />
>       </map>
>     </property>
>   </bean>
>
>   <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />
>
>   <bean name="jcifsConfig"
>         class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
>     <property name="jcifsServicePrincipal" value="[email protected]" />
>     <property name="jcifsServicePassword" value="xxxxx" />
>     <property name="kerberosDebug" value="true" />
>     <property name="kerberosRealm" value="my.domain.tld" />
>     <property name="kerberosKdc" value="ad-server.my.domain.tld" />
>     <property name="loginConf" value="/WEB-INF/login.conf" />
>   </bean>
>
> </beans>
>
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
>
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user

--
Bill Markmann
Counterpoint Consulting, Inc.
(p) 571-338-2455
(f) 202-403-3425
(e) [email protected]
(w) http://www.counterpointconsulting.com/
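As an added diagnostic, not code from this thread or from CAS: after the 401 that the DEBUG line above reports, the browser's retry should carry an Authorization: Negotiate header, and what is inside that token decides between the outcomes discussed here (Kerberos offered inside a SPNEGO wrapper, a bare Kerberos token, or an NTLM fallback that the JCIFS handler only accepts with NTLMallowed="true"). The decoder below classifies such a header so you can tell which case you are in before touching the CAS or AD side; the sample tokens are constructed inside the block, and all function names are my own.

```python
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2 (DER contents, no tag/length)
KRB5_OID = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {KRB5_OID: "krb5", NTLMSSP_OID: "ntlmssp", bytes.fromhex("2a864882f712010202"): "ms-krb5"}

def _tlv(buf, pos):  # read one DER tag-length-value; return (tag, value, position after it)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                    # long-form length (real browser tokens use 0x82)
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _spnego_mechs(body):  # body starts right after thisMech; descend NegTokenInit to mechTypes
    _, v, _ = _tlv(body, 0)                          # [0] negTokenInit
    _, v, _ = _tlv(v, 0)                             # SEQUENCE, whose first element is [0] mechTypes
    _, v, _ = _tlv(v, 0)                             # [0] mechTypes
    _, oids, _ = _tlv(v, 0)                          # SEQUENCE OF OID
    mechs, p = [], 0
    while p < len(oids):
        _, oid, p = _tlv(oids, p)
        mechs.append(MECH_NAMES.get(oid, oid.hex()))
    return mechs

def classify_authorization(header):  # what did the browser actually put in the Authorization header?
    if not header or not header.strip():
        return ("none", [])                          # the 401 + "WWW-Authenticate: Negotiate" step
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return ("other-scheme", [scheme.lower()])
    try:
        raw = base64.b64decode(token, validate=True)
        if raw.startswith(b"NTLMSSP\x00"):
            return ("negotiate-raw-ntlm", [])        # NTLM fallback: JCIFS only takes it with NTLMallowed=true
        tag, body, _ = _tlv(raw, 0)                  # [APPLICATION 0] InitialContextToken
        _, mech, pos = _tlv(body, 0)                 # thisMech OID
        if tag == 0x60 and mech == SPNEGO_OID:
            return ("negotiate-spnego", _spnego_mechs(body[pos:]))
        return ("negotiate-" + MECH_NAMES.get(mech, "unknown"), [])   # e.g. bare krb5 AP-REQ
    except (ValueError, IndexError):                 # bad base64 or truncated DER
        return ("negotiate-undecodable", [])

def _spnego_sample(mech_oids):  # minimal NegTokenInit offering mech_oids (constructed, not captured)
    oids = b"".join(b"\x06" + bytes([len(o)]) + o for o in mech_oids)
    types = b"\xa0" + bytes([len(oids) + 2]) + b"\x30" + bytes([len(oids)]) + oids
    body = b"\x06\x06" + SPNEGO_OID + b"\xa0" + bytes([len(types) + 2]) + b"\x30" + bytes([len(types)]) + types
    return "Negotiate " + base64.b64encode(b"\x60" + bytes([len(body)]) + body).decode()
SAMPLE_SPNEGO = _spnego_sample([KRB5_OID, NTLMSSP_OID])   # Kerberos offered first: the healthy case
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(28)).decode()
```

A SPNEGO result whose mech list lacks krb5 or ms-krb5, or a raw-ntlm result, means the browser never got a Kerberos ticket for the SPN, which points back at the kinit check above rather than at the CAS handler configuration.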
