Hi
I am trying to get SPNEGO working. I have followed the instructions (I hope!)
in the SPNEGO page in the manual but have hit a brick wall; hopefully someone
can help!
My Active Directory machine and my Tomcat machine are both Windows 2008 servers
(test virtual machines); I set up a test domain with them both on.
When I try to log in to the CAS application I get an NTLM token instead of
Kerberos, but searching around and looking at different posts I have read that I
should make sure that Kerberos is working using the kinit command first, so
it is here I think I have found the problem:
- on the AD machine
  - I created a user myspntest2
  - I ran the command:
      ktpass.exe /out win2008test2.keytab /princ HTTP/[email protected] /pass * /mapuser [email protected] /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
- on the tomcat machine
  - I have copied the win2008test2.keytab
  - edited the krb5.conf to point to the new keytab
  - when I run the klist command I get:
      C:\Users\administrator.TESTDOMAIN>klist -k
      Key tab: C:\test\win2008test2.keytab, 1 entry found.
      [1] Service principal: HTTP/[email protected]
      KVNO: 3
- all looks ok to me so far but when I run the kinit command I get:
C:\Users\administrator.TESTDOMAIN>kinit win2008test2.testdomain.com
Password for [email protected]:
Exception: krb_error 6 Client not found in Kerberos database (6) Client not
found in Kerberos database
KrbException: Client not found in Kerberos database (6)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:446)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:404)
at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:308)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:237)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:107)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
... 5 more
Does anyone have any clue as to why the user cannot be found in the database?
Are there any special settings or permissions I need to give to the
"myspntest2" user for this to work?
Any ideas, anyone?
Thanks in advance
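
An added example (not part of the original post, and not CAS or JDK code): a minimal Python parser for the keytab file format, assuming the standard version 0x0502 layout. It reports the principal and KVNO that `klist -k` prints, plus the encryption type and name type selected with ktpass's `/crypto` and `/ptype`. The principal, realm and key in the sample are constructed placeholders.

```python
import struct

ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST"}

def _counted(buf, pos):
    """Read a uint16 length-prefixed byte string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def _parse_entry(e):
    (ncomp,) = struct.unpack_from(">H", e, 0)   # component count, realm not included
    realm, p = _counted(e, 2)
    comps = []
    for _ in range(ncomp):
        c, p = _counted(e, p)
        comps.append(c.decode())
    # name type (4), timestamp (4), 8-bit KVNO (1), key enctype (2) = 11 bytes
    name_type, _ts, kvno, enctype = struct.unpack_from(">IIBH", e, p)
    _key, p = _counted(e, p + 11)
    if len(e) - p >= 4:                         # optional 32-bit KVNO overrides the 8-bit one
        kvno = struct.unpack_from(">I", e, p)[0] or kvno
    return {"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
            "enctype": ENCTYPES.get(enctype, str(enctype)),
            "name_type": NAME_TYPES.get(name_type, str(name_type))}

def parse_keytab(data):
    """Parse a version 0x0502 keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:
            if pos + size > len(data):
                raise ValueError("truncated keytab entry")
            entries.append(_parse_entry(data[pos:pos + size]))
        pos += abs(size)                        # negative size marks a deleted slot (hole)
    return entries

def build_sample():
    """Constructed one-entry keytab (placeholder names, all-zero 16-byte key)."""
    s = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 2) + s(b"EXAMPLE.TEST") + s(b"HTTP") + s(b"host.example.test")
            + struct.pack(">IIBH", 1, 0, 3, 23) + s(bytes(16)) + struct.pack(">I", 3))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

if __name__ == "__main__":
    for entry in parse_keytab(build_sample()):
        print(entry)
```

To inspect a real file, pass its bytes to `parse_keytab`; the key material is skipped and never returned.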