It is also worth putting Wireshark on a client and checking that the SPNEGO is happening from the client side.
If you are using Firefox, ensure the auth trusted URIs setting is configured for your domain; otherwise it will not attempt to do the SPNEGO.

Greg

On 6 October 2010 15:55, William Markmann <[email protected]> wrote:

> Hi Brian -- agreed, this can be a little finicky to get working, and it's not clear when it's not working what the problem is. That said, I've set it up in a few different environments now, and have eventually always gotten it working. So, persistence pays off.
>
> You mentioned "tomcat/jboss" -- if you're using JBoss, it seems to ignore the "loginConf" value set in deployerConfigContext.xml... see the note at the bottom of https://wiki.jasig.org/display/CASUM/SPNEGO called "Changed for JBoss".
>
> Second, there is usually a second client-server interaction after the log statement you mentioned ("Authorization header not found. Sending WWW-Authenticate header"); look a bit below that in the log and see if that same class outputs any logging about obtaining a "token".
>
> Third, I have to agree with Dean that the problem usually lies with the AD principal configuration... make sure that you can do something like the following:
>
>     kinit -V -k -t myspnaccount.keytab HTTP/mytomcatserver.domain.com@DOMAIN.COM
>
> ...if you're not using a keytab, leave off the "-k -t myspnaccount.keytab" option and provide a password when prompted. If you can authenticate successfully, then your AD side is probably OK and you'll need to fiddle with the CAS / app server config.
>
> - Bill
>
> On Mon, Oct 4, 2010 at 9:41 PM, Brian C. Hill <[email protected]> wrote:
>
>> Hello,
>>
>> I have to admit that with all of the reports of how easy this was to set up for all of you, I am surprised that I am having the opposite experience: too many files, too many components, too many players (kerberos, SSL required between CAS client and CAS server, ldap, java, tomcat/jboss, spnego, AD, etc..).
>>
>> I suppose the biggest frustration is that even with everything set to debug, I don't really see any specific errors except for maybe this one:
>>
>>     2010-10-05 00:47:46,518 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - Authorization header not found. Sending WWW-Authenticate header
>>
>> I do have LDAP auth working, but ...
>>
>> I don't have SPNEGO working. I've tested it with both Firefox and I.E. I try connecting to a simple web page set up with mod_auth_cas, which redirects to CAS to get a ticket, which I can get with LDAP auth. But with SPNEGO, it seems that the windows credentials from my current login (yes, same AD) don't get passed to the site and I still get redirected to the CAS server, which will then not authenticate me:
>>
>>     The credentials you provided are not supported by CAS
>>
>> With a tcpdump, I don't see the simple web page ask the cas server to validate the ticket being presented to it by the browser - I guess that means that it isn't getting any such credentials from the browser, which causes it to redirect to the cas login page.
>>
>> Note that I took out the LDAP auth from deployerConfigContext.xml to make sure that only SPNEGO would be used.
>>
>> I set up everything as the SPNEGO page says to.
>>
>> I suspect that my problem is with one of the following:
>>
>> 1) <property name="loginConf" value="/WEB-INF/login.conf" />
>>
>> Does this have to be more explicit, like a full real path?
>>
>> 2) Kerberos
>>
>> The keys that my AD admin generated are:
>>
>>     HTTP/<fqdn unix hostname>@<AD Domain>
>>
>> as opposed to
>>
>>     HTTP/<fqdn unix hostname>@<kerberos realm>
>>
>> Will this not work?
>>
>> 3) I saw a post in which someone came to the conclusion that the "user account can't be used for both SPN and binding the LDAP server"
>>
>> The format isn't the same (the kerberos user is a user@<kerberos realm>, LDAP auth user is in DN format), but the user they both reference is the same one.
>>
>> Am I misunderstanding something?
>>
>> I figure I am getting very close to making this work. deployerConfigContext.xml is posted below.
>>
>> Thanks for any help!
>>
>> Brian
>>
>> ----------------------------------------------------------------------------
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <beans xmlns="http://www.springframework.org/schema/beans"
>>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>        xmlns:p="http://www.springframework.org/schema/p"
>>        xmlns:sec="http://www.springframework.org/schema/security"
>>        xsi:schemaLocation="http://www.springframework.org/schema/beans
>>                            http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
>>                            http://www.springframework.org/schema/security
>>                            http://www.springframework.org/schema/security/spring-security-3.0.xsd">
>>
>>     <bean id="authenticationManager"
>>           class="org.jasig.cas.authentication.AuthenticationManagerImpl">
>>         <property name="credentialsToPrincipalResolvers">
>>             <list>
>>                 <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
>>                 <bean class="org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver" />
>>                 <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
>>             </list>
>>         </property>
>>         <property name="authenticationHandlers">
>>             <list>
>>                 <bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler">
>>                     <property name="authentication">
>>                         <bean class="jcifs.spnego.Authentication" />
>>                     </property>
>>                     <property name="principalWithDomainName" value="false" />
>>                     <property name="NTLMallowed" value="true" />
>>                 </bean>
>>                 <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler">
>>                     <property name="httpClient" ref="httpClient" />
>>                 </bean>
>>             </list>
>>         </property>
>>     </bean>
>>
>>     <sec:user-service id="userDetailsService">
>>         <sec:user name="battags" password="notused" authorities="ROLE_ADMIN" />
>>     </sec:user-service>
>>
>>     <bean id="attributeRepository"
>>           class="org.jasig.services.persondir.support.StubPersonAttributeDao">
>>         <property name="backingMap">
>>             <map>
>>                 <entry key="uid" value="uid" />
>>                 <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
>>                 <entry key="groupMembership" value="groupMembership" />
>>             </map>
>>         </property>
>>     </bean>
>>
>>     <bean id="serviceRegistryDao"
>>           class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />
>>
>>     <bean name="jcifsConfig"
>>           class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
>>         <property name="jcifsServicePrincipal" value="[email protected]" />
>>         <property name="jcifsServicePassword" value="xxxxx" />
>>         <property name="kerberosDebug" value="true" />
>>         <property name="kerberosRealm" value="my.domain.tld" />
>>         <property name="kerberosKdc" value="ad-server.my.domain.tld" />
>>         <property name="loginConf" value="/WEB-INF/login.conf" />
>>     </bean>
>>
>> </beans>
>>
>> --
>> You are currently subscribed to [email protected] as: [email protected]
>>
>> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
>
> --
> Bill Markmann
> Counterpoint Consulting, Inc.
> (p) 571-338-2455
> (f) 202-403-3425
> (e) [email protected]
> (w) http://www.counterpointconsulting.com/
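The checks the replies above point at can be automated against a client-side capture. The following is an added example written for this thread; it is not code from the CAS project or from any of the posters. Given the raw HTTP requests and responses of one exchange (what Greg suggests looking at in Wireshark; here they are constructed by hand, with a made-up host name), it reports whether the server issued the "WWW-Authenticate: Negotiate" challenge, whether the browser ever answered it with an Authorization header, and, when it did, whether the SPNEGO token offers Kerberos or only NTLM. The OIDs are the standard GSS-API mechanism identifiers; the DER builder at the bottom exists only to produce sample tokens.

```python
"""Classify the client half of an HTTP Negotiate (SPNEGO) exchange.
Added example, not code from the CAS project or from any poster: it checks
whether the browser answered "WWW-Authenticate: Negotiate" with a token at
all, and whether that token offers Kerberos or only NTLM. All messages below
are constructed by hand; a real capture would come from Wireshark on the client."""
import base64

# Standard GSS-API mechanism OIDs, DER-encoded as hex.
SPNEGO_OID = "2b0601050502"           # 1.3.6.1.5.5.2
KRB5_OID = "2a864886f712010202"       # 1.2.840.113554.1.2.2
MS_KRB5_OID = "2a864882f712010202"    # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
NTLMSSP_OID = "2b06010401823702020a"  # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {KRB5_OID: "KRB5", MS_KRB5_OID: "MS-KRB5", NTLMSSP_OID: "NTLMSSP"}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

def read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos] (short or long length form);
    return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def spnego_mech_types(token):
    """Mechanism names offered in a SPNEGO NegTokenInit, in client preference order."""
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:                                  # [APPLICATION 0] InitialContextToken
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or oid.hex() != SPNEGO_OID:
        raise ValueError("token is not SPNEGO")
    _, neg_init, _ = read_tlv(body, pos)             # [0] negTokenInit
    _, seq, _ = read_tlv(neg_init, 0)                # NegTokenInit ::= SEQUENCE { ... }
    mechs, pos = [], 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        if tag == 0xA0:                              # mechTypes [0] SEQUENCE OF OID
            _, oid_list, _ = read_tlv(field, 0)
            p = 0
            while p < len(oid_list):
                _, oid, p = read_tlv(oid_list, p)
                mechs.append(OID_NAMES.get(oid.hex(), oid.hex()))
    return mechs

def parse_headers(message):
    """Header block of one raw HTTP message as a lower-cased dict (first value wins)."""
    headers = {}
    for line in message.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers

def diagnose(exchange):
    """exchange: raw HTTP requests and responses in wire order. Returns one of
    no-challenge, no-token, kerberos, ntlm-fallback, ntlm, unknown-mech."""
    challenged = False
    for message in exchange:
        headers = parse_headers(message)
        if message.startswith("HTTP/"):              # a response
            if headers.get("www-authenticate", "").lower().startswith("negotiate"):
                challenged = True
            continue
        scheme, _, token_b64 = headers.get("authorization", "").partition(" ")
        if scheme.lower() == "ntlm":
            return "ntlm"                            # browser never tried SPNEGO
        if scheme.lower() != "negotiate" or not token_b64:
            continue                                 # no token on this request (normal for the first one)
        raw = base64.b64decode(token_b64)
        if raw.startswith(NTLMSSP_SIGNATURE):
            return "ntlm"                            # bare NTLM Type 1 message in a Negotiate header
        mechs = spnego_mech_types(raw)
        if "KRB5" in mechs or "MS-KRB5" in mechs:
            return "kerberos"
        # only NTLM offered: the client had no service ticket for the HTTP/ SPN
        return "ntlm-fallback" if mechs == ["NTLMSSP"] else "unknown-mech"
    return "no-token" if challenged else "no-challenge"

def der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample tokens."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def build_neg_token_init(mech_oids_hex, mech_token):
    """SPNEGO NegTokenInit offering the given mechanisms; mech_token is opaque here."""
    mech_list = der(0x30, b"".join(der(0x06, bytes.fromhex(h)) for h in mech_oids_hex))
    seq = der(0x30, der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, bytes.fromhex(SPNEGO_OID)) + der(0xA0, seq))

def negotiate_request(token):
    return ("GET /cas/login HTTP/1.1\r\nHost: cas.example.test\r\nAuthorization: Negotiate "
            + base64.b64encode(token).decode() + "\r\n\r\n")

# Constructed sample messages (not from a real capture).
FIRST_REQUEST = "GET /cas/login HTTP/1.1\r\nHost: cas.example.test\r\n\r\n"
CHALLENGE = "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n\r\n"
KERBEROS_REQUEST = negotiate_request(build_neg_token_init([MS_KRB5_OID, KRB5_OID], b"placeholder AP-REQ"))
NTLM_FALLBACK_REQUEST = negotiate_request(build_neg_token_init([NTLMSSP_OID], NTLMSSP_SIGNATURE + b"\x01"))
```

Reading the result: "no-token" is the situation Brian describes from his tcpdump (the challenge goes out, nothing comes back), which puts the problem on the client or KDC side rather than in CAS; for Firefox that is the network.negotiate-auth.trusted-uris preference Greg refers to, and for any browser it is whether a ticket for the HTTP/ SPN can be obtained, which is what Bill's kinit test exercises. "ntlm-fallback" means the browser did attempt SPNEGO but had no Kerberos ticket and offered only NTLM; whether CAS accepts that is governed by the NTLMallowed property in the posted JCIFSSpnegoAuthenticationHandler configuration.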
