Hi,

You don't have to install a Kerberos server. I assume you have already verified your keytab configuration. I had a similar problem when setting up SPNEGO. In the end the culprit turned out to be the hostname I was using to access CAS. The keytab was generated against the full machine name while I was trying to access it through the IP address.
On Tuesday, June 24, 2014 8:07:20 PM UTC+5, Verebélyi Márk wrote:
>
> Hello all,
>
> I'm trying to create a deployment with automatic login by using SPNEGO,
> based on this tutorial:
> http://jasig.github.io/cas/development/installation/SPNEGO-Authentication.html
>
> I want to use our AD as a Key Distribution Center, so that our domain
> users are automatically logged in to our application via CAS.
>
> We have a user in our domain; it has an SPN set.
>
> A keytab file has been generated for this user, and I have set it in the
> login.conf file.
>
> Here is the relevant section of the CAS config:
>
> <bean id="jcifsConfig"
>   class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
>   <property name="jcifsServicePrincipal" value="***SPN***" />
>   <property name="kerberosDebug" value="true" />
>   <property name="kerberosRealm" value="***REALM/DOMAIN***" />
>   <property name="kerberosKdc" value="***Active Directory IP***" />
>   <property name="loginConf" value="***Path to login.conf***" />
> </bean>
>
> Login conf is:
>
> jcifs.spnego.initiate {
>   com.sun.security.auth.module.Krb5LoginModule required storeKey=true
>   useKeyTab=true keyTab="***Path to keytab***";
> };
> jcifs.spnego.accept {
>   com.sun.security.auth.module.Krb5LoginModule required storeKey=true
>   useKeyTab=true keyTab="***Path to keytab***";
> };
>
> The problem is that all I get is an NTLMSSP token from the client browser.
> So I can see that some kind of negotiation has been started, but the
> authentication always fails.
>
> The tutorial/howto references a Kerberos configuration in the "Test SPN
> account" section. This is something I do not understand. Should I install a
> Kerberos server on the machine which hosts CAS (it is not something I would
> prefer)? It does not seem logical to me, as I want AD to provide the
> Kerberos tickets?
>
> Any help is appreciated!
>
> Thanks,
> Mark.
