Yeah, I've definitely had (some variant of) this problem before. What is happening here is that you're getting an NTLM token instead of a Kerberos token from the client during the challenge / response. (The "nego" part of SPNEGO means "negotiate", so it's up to the client to decide what to send.) The reasons this happens are not always straight-forward or obvious, unfortunately.
The two simplest reasons I've seen are that: 1) you're hitting the server using a name that doesn't match "your.server.virginia.edu" in HTTP/[email protected]; or 2) once you've mapped more than one SPN to your Active Directory service account, everything seems to break. I see two domains listed in the log: DARDEN.VIRGINIA.EDU and LLVDARDEN.VIRGINIA.EDU -- are you trying to use both those names for the same SSO server? The second one is a little harder to sort out -- there's some poorly-documented relationship between SPNs, AD accounts, and DNS names that has caused me grief setting this up in the past...

- Bill

On Mon, Feb 14, 2011 at 3:19 PM, Healey, Thomas <[email protected]> wrote:
> Done.
> The results are as follows:
> 2011-02-14 15:04:33,451 DEBUG [org.springframework.webflow.engine.ActionExecutor] - Executing [AnnotatedAction@9e0c2d targetAction = org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction@318293, attributes = map[[empty]]] in state 'spnego' of flow 'login-webflow'
> 2011-02-14 15:04:33,451 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' beginning execution
> 2011-02-14 15:04:33,451 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - SPNEGO Authorization header found with 56 bytes
> 2011-02-14 15:04:33,451 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Obtained token: NTLMSSP � � �
> 2011-02-14 15:04:33,451 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - Attempting to create TicketGrantingTicket for Principal is null
> 2011-02-14 15:04:33,529 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler] - Setting nextToken in credentials
> 2011-02-14 15:04:33,529 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler] - Principal is null, the processing of the SPNEGO Token failed
> 2011-02-14 15:04:33,529 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler failed to authenticate the user which provided the following credentials: Principal is null
> 2011-02-14 15:04:33,529 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Obtained output token: NTLMSSP &&0 ?�,���,��LLVDARDEN.VIRGINIA.EDU & DARDEN.VIRGINIA.EDU JCIFS59_15_9A
> 2011-02-14 15:04:33,529 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Setting HTTP Status to 401
> 2011-02-14 15:04:33,529 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' completed execution; result is 'error'
> 2011-02-14 15:04:33,529 DEBUG [org.springframework.webflow.engine.impl.RequestControlContextImpl] - Signaling event 'error' in state 'spnego' of flow 'login-webflow'
>
> Bill,
> A Google search of the phrase "Action 'SpnegoCredentialsAction' completed execution; result is 'error'" yielded a discussion that you had. Do I have to set NTLM allowed to false and force Kerberos for things to work in Win 7?
> Thread was: http://tp.its.yale.edu/pipermail/cas/2008-November/010377.html
>
> deployerConfig.xml
> <bean name="jcifsConfig" class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
>   <property name="jcifsServicePrincipal" value="HTTP/[email protected]"/>
>   <property name="jcifsServicePassword" value="XXXXXX"/>
>   <property name="jcifsDomain" value="DARDEN.VIRGINIA.EDU"/>
>   <property name="jcifsDomainController" value="XXX.XXX.59.122"/>
>   <property name="jcifsNetbiosWins" value="XX.XXX.59.122"/>
>   <property name="jcifsUsername" value="XXXXXXX"/>
>   <property name="jcifsPassword" value="XXXXXX"/>
>   <property name="kerberosRealm" value="DARDEN.VIRGINIA.EDU"/>
>   <property name="kerberosKdc" value="XXX.XXX.59.122"/>
>   <property name="loginConf" value="/WEB-INF/login.conf"/>
>   <property name="kerberosDebug" value="true"/>
> </bean>
>
> login.conf
> jcifs.spnego.initiate {
>   com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="spnegouser.keytab";
> };
> jcifs.spnego.accept {
>   com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="spnegouser.keytab";
> };
>
> Keytab:
>
> On Feb 14, 2011, at 2:55 PM, William Markmann wrote:
>
> My first step would be to increase the logging level to DEBUG for the SPNEGO-related classes... you familiar with how to alter log4j's config?
>
> On Mon, Feb 14, 2011 at 2:48 PM, Healey, Thomas <[email protected]> wrote:
> Bill et al,
> I am sorry. Here is the log.
> 2011-02-14 14:46:21,955 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler failed to authenticate the user which provided the following credentials: Principal is null>
>
> I shouldn't assume that this information is useless or not required. It didn't provide me with much :)
> Tom
> Go Hoos!
>
> On Feb 14, 2011, at 2:24 PM, William Markmann wrote:
>
> Hey Tom -- first of all, wahoowa! Second, if you could post an example log snippet from an authentication attempt, it might be a little easier to suggest where to look for potential solutions... the "Principal is null" message could have several different causes.
>
> - Bill
>
> On Mon, Feb 14, 2011 at 2:20 PM, Healey, Thomas <[email protected]> wrote:
> All,
> As you may know, since Windows 7 came out it has been broken regarding SPNEGO and CAS environments running on Windows Server 2003. What used to happen was that when an authenticated domain user went to a CAS-protected site, the user would be seamlessly authenticated and forwarded on to the app to be authorized and, if authorized, sent to the site. Now I get a "Principal is null" message in the CAS logs and the user is forwarded to the CAS login page. I searched the web for other instances of this problem, but those people who are having problems with Windows 7 and CAS/SPNEGO were having a problem with the version of Java they were using and were getting the following in their logs:
> "GSSException: Channel binding mismatch (Mechanism level: ChannelBinding not provided!)" from https://wiki.jasig.org/display/CASUM/SPNEGO
> This is not our problem as we upgraded the Java version many moons ago.
> It also suggests an MS webpage, http://support.microsoft.com/?scid=kb%3Ben-us%3B968389&x=10&y=18, for further guidance, but that didn't help when I tried it.
> I have also tried to use Windows Server 2008 but no luck.
> Any thoughts or other areas I can look for answers?
>
> --
> Bill Markmann
> Counterpoint Consulting, Inc.
> (p) 571-338-2455
> (f) 202-403-3425
> (e) [email protected]
> (w) http://www.counterpointconsulting.com/
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
>
> Tom Healey
> [email protected]
> Office: (434) 924-0562
> http://www.darden.virginia.edu/
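Bill's diagnosis above (the browser hands CAS an NTLM token where a Kerberos one was expected) can be confirmed on the wire before the "Principal is null" line ever appears. The following is an added example, not code from this thread or from CAS/JCIFS: it decodes the token in the browser's Authorization: Negotiate header just far enough to list the mechanisms it offers. The OID table, the sample-token builder and NTLM_FALLBACK_HEADER are constructed for the example.

```python
import base64
OID_DER = {  # DER value bytes of the mechanism OIDs seen inside a SPNEGO token
    "SPNEGO": bytes.fromhex("2b0601050502"),             # 1.3.6.1.5.5.2
    "Kerberos V5": bytes.fromhex("2a864886f712010202"),  # 1.2.840.113554.1.2.2
    "MS Kerberos": bytes.fromhex("2a864882f712010202"),  # 1.2.840.48018.1.2.2
    "NTLMSSP": bytes.fromhex("2b06010401823702020a"),    # 1.3.6.1.4.1.311.2.2.10
}
NAMES = {der: name for name, der in OID_DER.items()}

def _tlv(tag, payload):  # short-form DER TLV; enough for the small samples built here
    return bytes([tag, len(payload)]) + payload

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def build_neg_token_init(mech_names):
    """Constructed sample: a SPNEGO NegTokenInit offering only the given mechTypes."""
    mech_list = _tlv(0x30, b"".join(_tlv(0x06, OID_DER[n]) for n in mech_names))
    neg_init = _tlv(0xA0, _tlv(0x30, _tlv(0xA0, mech_list)))
    return _tlv(0x60, _tlv(0x06, OID_DER["SPNEGO"]) + neg_init)

def classify_negotiate_header(header_value):
    """Report which mechanisms an 'Authorization: Negotiate <b64>' token carries."""
    token = base64.b64decode(header_value.split(" ", 1)[1])
    if token.startswith(b"NTLMSSP\x00"):  # bare NTLM message, no SPNEGO wrapper at all
        return {"kind": "raw-ntlm", "mechs": ["NTLMSSP"]}
    tag, body, _ = _read_tlv(token, 0)
    _, this_mech, pos = _read_tlv(body, 0)
    if tag != 0x60 or this_mech != OID_DER["SPNEGO"]:  # not a SPNEGO InitialContextToken
        return {"kind": "other", "mechs": [NAMES.get(this_mech, this_mech.hex())]}
    _, neg, _ = _read_tlv(body, pos)      # [0] negTokenInit
    _, seq, _ = _read_tlv(neg, 0)         # NegTokenInit SEQUENCE
    _, ctx0, _ = _read_tlv(seq, 0)        # [0] mechTypes
    _, mech_list, _ = _read_tlv(ctx0, 0)  # SEQUENCE OF MechType
    mechs, p = [], 0
    while p < len(mech_list):
        _, oid, p = _read_tlv(mech_list, p)
        mechs.append(NAMES.get(oid, oid.hex()))
    return {"kind": "spnego", "mechs": mechs}

def kerberos_offered(header_value):
    """True only if the client offered a Kerberos mechanism (NTLM-only means it fell back)."""
    return any("Kerberos" in m for m in classify_negotiate_header(header_value)["mechs"])

# Constructed sample: the header a client that fell back to NTLM would send.
NTLM_FALLBACK_HEADER = "Negotiate " + base64.b64encode(build_neg_token_init(["NTLMSSP"])).decode()
```

A header that decodes to NTLM-only points at the SPN/DNS-name mismatch Bill describes rather than at the CAS configuration, so it is worth checking before touching deployerConfig.xml.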
