Hi again,

> I use this configuration; the keytab is not needed.
> <property name="jcifsServicePrincipal" value="HTTP/[EMAIL PROTECTED]" />
> <property name="jcifsServicePassword" value="password" />
> But I have an encryption problem.

1° 
I had some problems when not using a keytab, depending on the KDC
configuration. The only way I managed to get it to work in all environments
(i.e. networks) is to always use a keytab.
If you try this, be sure to regenerate the keytab each time you change the
account password, and to use kdestroy to destroy any cached ticket on the CAS
server platform. (In this case, the jcifsServicePassword config arg is still
required by the code but unused. This will be corrected.)


2°
If you don't try the keytab option, I found the following hints on the web;
they may help, and if not, sorry for the noise:

A° 
Cause 2: This exception is thrown when using native ticket cache on some
Windows platforms. Microsoft has added a new feature in which they no longer
export the session keys for Ticket-Granting Tickets (TGTs). As a result, the
native TGT obtained on Windows has an "empty" session key and null EType.
The affected platforms include: Windows Server 2003, Windows 2000 Server
Service Pack 4 (SP4) and Windows XP SP2.

Solution 2: You need to update the Windows registry to disable this new
feature. The registry key allowtgtsessionkey should be added--and set
correctly--to allow session keys to be sent in the Kerberos Ticket-Granting
Ticket.

On Windows Server 2003 and Windows 2000 SP4, here is the required
registry setting:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01 ( default is 0 )

By default, the value is 0; setting it to "0x01" allows a session key to be
included in the TGT.


B° 
Try this in your krb5.conf (instead of des-cbc-crc/des-cbc-md5):
des-cbc-crc:normal
des-cbc-md5:normal

My2TGT
MAG
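As an added example (not code from this thread, from CAS or from JCIFS), the following Python reader for MIT-format keytabs lists each entry's principal, key version number and encryption type, so that after regenerating the keytab (point 1°) you can check it actually contains the service principal and an etype the KDC accepts (point B°). The principal, realm and key bytes are constructed for the demonstration, and the `_entry` encoder exists only to build that sample.

```python
import struct

ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}  # RFC 3961 / IANA numbers

def _counted(buf, off):
    """Read a 16-bit big-endian length-prefixed string; return (bytes, new off)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, etype_name), ...] for an MIT v2 (0x0502) keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        kvno = data[off + 8]         # 8-bit kvno after name_type (4) and timestamp (4)
        etype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + klen             # skip header fields and the key material itself
        if end - off >= 4:           # optional 32-bit kvno, used when kvno > 255
            kvno = struct.unpack_from(">I", data, off)[0] or kvno
        principal = "/".join(comps) + "@" + realm.decode()
        entries.append((principal, kvno, ETYPE_NAMES.get(etype, "etype %d" % etype)))
        off = end
    return entries

def _entry(principal, kvno, etype, key):
    """Encode one keytab entry (used only to build the constructed sample below)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample (not a real key): one DES key for a CAS service principal.
SAMPLE_KEYTAB = b"\x05\x02" + _entry("HTTP/cas.example.org@EXAMPLE.ORG", 3, 3, b"\x01" * 8)
```

Compare the etype reported for the HTTP/ principal with the enctypes allowed in krb5.conf and on the KDC; the "KDC has no support for encryption type" text quoted below is how Java renders the KDC_ERR_ETYPE_NOSUPP reply (Kerberos error code 14), which is what such a mismatch produces.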
 

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of [EMAIL PROTECTED]
> Sent: Wednesday 22 November 2006 11:39
> To: Yale CAS mailing list
> Subject: Re: SPNEGO KERBEROS NTLM
> 
> > Hi Vincent,
> Hi Marc-Antoine,
> 
> > Have you set the 'use DES encryption' checkbox on the user account option
> > (you'll have to reset its password after)?
> yes
> 
> > I have discovered some configuration hints regarding the current tutorial.
> > 1) much of the krb5.conf stuff is optional (i.e. to use the kinit tool).
> > Have you managed to use your keytab to get some tickets?
> yes
> 
> > try kinit -k -t your.keytab HTTP/[EMAIL PROTECTED]
> > 2) depending on your cas environment, the sun kerberos login module would
> > not be able to find/use the keytab in the current configuration.
> > Add the following option to login.conf :
> > useKeyTab=true, keyTab=your.keytab
> > (the file your.keytab must be in the home directory of the user that
> > launches the cas JVM).
> >
> 
> I use this configuration; the keytab is not needed.
> <property name="jcifsServicePrincipal" value="HTTP/[EMAIL PROTECTED]" />
> <property name="jcifsServicePassword" value="password" />
> But I have an encryption problem.
> 
> >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
> >>> KrbAsReq calling createMessage
> >>> KrbAsReq in createMessage
> >>> KrbAsReq etypes are: 3 1
> >>> KrbKdcReq send: kdc=ad-hr-1 UDP:88, timeout=30000, number of retries
> =3, #bytes=222
> >>> KDCCommunication: kdc=ad-hr-1 UDP:88, timeout=30000,Attempt =1,
> #bytes=222
> >>> KrbKdcReq send: #bytes read=1258
> >>> KrbKdcReq send: #bytes read=1258
> >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
> >>> KrbAsRep cons in KrbAsReq.getReply HTTP/xnet_7
> Found key for HTTP/[EMAIL PROTECTED]
> Entered Krb5Context.acceptSecContext with state=STATE_NEW
> 
> Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism
> level: KDC has no support for encryption type (14))
>       at
> sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:734)
>       at
> sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
>       at
> sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
> 


_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas