Hi,

You don't have to install a kerberos server. I assume you have already 
verified your keytab configuration. I had a similar problem when setting up 
SPNEGO. In the end the culprit turned out to be the hostname I was using to 
access CAS. The keytab was generated against the full machine name while I 
was trying to access it through the IP address.


On Tuesday, June 24, 2014 8:07:20 PM UTC+5, Verebélyi Márk wrote:
>
> Hello all,
>
> I'm trying to create a deployment with automatic login by using SPNEGO; 
> based on this tutorial: 
> http://jasig.github.io/cas/development/installation/SPNEGO-Authentication.html
>
> I want to use our AD as a Key Distribution Center, so that our domain 
> users are automatically logged in to our application via CAS. 
>
> We have a user in our domain, it has an SPN set
>
> A keytab file has been generated for this user, and I have set it in the 
> login.conf file
>
> Here is the relevant section of cas config:
>
> <bean id="jcifsConfig" 
> class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
> <property name="jcifsServicePrincipal" value="***SPN***" />
> <property name="kerberosDebug" value="true" />
> <property name="kerberosRealm" value="***REALM/DOMAIN***" />
> <property name="kerberosKdc" value="***Active Directory IP***" />
> <property name="loginConf" value="***Path to login.conf***" />
> </bean>
>
> Login conf is
>
> jcifs.spnego.initiate {
>    com.sun.security.auth.module.Krb5LoginModule required storeKey=true 
> useKeyTab=true keyTab="***Path to keytab***";
> };
> jcifs.spnego.accept {
>    com.sun.security.auth.module.Krb5LoginModule required storeKey=true 
> useKeyTab=true keyTab="***Path to keytab***";
> };
>
> The problem is that all I get is an NTLMSSP token from the client browser. 
> So I can see that some kind of negotiation has been started, but the 
> authentication always fails.
>
> The tutorial/howto references a Kerberos configuration in the "Test SPN 
> account" section. This is something I do not understand. Should I install a 
> Kerberos server on the machine which hosts CAS (it is not something I would 
> prefer)? It does not seem logical to me as I want AD to provide the 
> Kerberos tickets?
>
> Any help is appreciated!
>
> Thanks,
> Mark.
>

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user

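One way to confirm what the reply above describes (the browser giving up on Kerberos and sending a bare NTLMSSP token instead of a SPNEGO token that offers Kerberos) is to decode the `Authorization: Negotiate` header the client sends. The script below is an added example for this thread, not code from either poster or from CAS or JCIFS; the function names (`classify_negotiate_token`, `_der_read`, `_mechs_from_spnego`) and the sample tokens are constructed here for illustration.

```python
import base64
import binascii

# DER value bytes (without the 0x06 tag and length) of well-known GSS mechanism OIDs
SPNEGO_OID_VALUE = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID_VALUE = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
MS_KRB5_OID_VALUE = bytes.fromhex("2a864882f712010202") # 1.2.840.48018.1.2.2
NTLMSSP_OID_VALUE = bytes.fromhex("2b060104018237020a") # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {
    SPNEGO_OID_VALUE: "spnego",
    KRB5_OID_VALUE: "krb5",
    MS_KRB5_OID_VALUE: "ms-krb5",
    NTLMSSP_OID_VALUE: "ntlmssp",
}
NTLM_SIGNATURE = b"NTLMSSP\x00"   # every raw NTLMSSP message starts with this
NTLM_MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def _der_read(buf: bytes, i: int):
    """Read one DER tag/length at offset i; return (tag, value_start, value_end)."""
    tag = buf[i]
    length = buf[i + 1]
    i += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, i, i + length


def _mechs_from_spnego(buf: bytes, i: int) -> list:
    """Walk NegotiationToken -> negTokenInit -> mechTypes; return mechanism names."""
    tag, i, _ = _der_read(buf, i)           # [0] negTokenInit (CHOICE)
    if tag != 0xA0:
        return []
    tag, i, _ = _der_read(buf, i)           # SEQUENCE NegTokenInit
    tag, i, _ = _der_read(buf, i)           # [0] mechTypes
    if tag != 0xA0:
        return []
    tag, i, end = _der_read(buf, i)         # SEQUENCE OF MechType
    mechs = []
    while i < end:
        tag, s, e = _der_read(buf, i)       # OBJECT IDENTIFIER
        mechs.append(MECH_NAMES.get(buf[s:e], buf[s:e].hex()))
        i = e
    return mechs


def classify_negotiate_token(header_value: str) -> dict:
    """Classify the token in an 'Authorization: Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"type": "unknown", "detail": "not a Negotiate header"}
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return {"type": "unknown", "detail": "invalid base64"}
    if raw.startswith(NTLM_SIGNATURE):      # browser fell back to raw NTLM
        msg_type = int.from_bytes(raw[8:12], "little")
        return {"type": "ntlm", "detail": NTLM_MESSAGE_TYPES.get(msg_type, "?")}
    if raw[:1] == b"\x60":                  # GSS-API InitialContextToken
        _, i, _ = _der_read(raw, 0)
        tag, s, e = _der_read(raw, i)       # thisMech OID
        if tag != 0x06:
            return {"type": "unknown", "detail": "no mechanism OID"}
        mech = MECH_NAMES.get(raw[s:e], raw[s:e].hex())
        if mech == "spnego":
            return {"type": "spnego", "detail": _mechs_from_spnego(raw, e)}
        return {"type": mech, "detail": "raw GSS token"}
    return {"type": "unknown", "detail": "unrecognised token"}


# --- constructed sample headers (not captured from the poster's deployment) ---
def _der(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value  # short-form length is enough here


def _oid(value: bytes) -> bytes:
    return _der(0x06, value)


# NTLMSSP NEGOTIATE: signature, type 1, flags, empty domain/workstation fields
_ntlm_raw = NTLM_SIGNATURE + (1).to_bytes(4, "little") + (0xE2088297).to_bytes(4, "little") + bytes(16)
# SPNEGO negTokenInit offering Kerberos first, then NTLMSSP, wrapped as a GSS token
_spnego_raw = _der(0x60, _oid(SPNEGO_OID_VALUE) + _der(0xA0, _der(0x30, _der(0xA0, _der(
    0x30, _oid(KRB5_OID_VALUE) + _oid(NTLMSSP_OID_VALUE))))))
SAMPLE_NTLM_HEADER = "Negotiate " + base64.b64encode(_ntlm_raw).decode()
SAMPLE_SPNEGO_HEADER = "Negotiate " + base64.b64encode(_spnego_raw).decode()

if __name__ == "__main__":
    for h in (SAMPLE_NTLM_HEADER, SAMPLE_SPNEGO_HEADER):
        print(classify_negotiate_token(h))
```

Paste the base64 from the browser's request header (visible in the developer tools or a Kerberos debug log) into `classify_negotiate_token`. A result of `ntlm` means the browser never attempted Kerberos for that URL, which is exactly what happens when the host in the address bar (an IP address, a short name, or a host outside the browser's trusted-site list) does not match the SPN the keytab was generated for; a `spnego` result listing `krb5` means the client did offer Kerberos and the problem lies on the CAS/keytab side instead.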