> 1°
> I had some problems not using a keytab, depending on the KDC configuration.
> The only way I managed to get it to work in all environments (i.e. networks)
> is to always use a keytab.
> If you try this, be sure to regenerate the keytab each time you change the
> account pwd, and to use kdestroy to destroy any cached ticket on the CAS
> server platform. (In this case, the jcifsServicePassword config arg is still
> required by the code but unused. This will be corrected.)
>
> 2°
> If you don't try the keytab option, I found the following hints on the web;
> they may help, and if not, sorry for the noise:
OK, I now use this configuration in login.conf:

jcifs.spnego.initiate {
    com.sun.security.auth.module.Krb5LoginModule required storeKey=true
    useKeyTab=true keyTab="caskerberos.keytab";
};
jcifs.spnego.accept {
    com.sun.security.auth.module.Krb5LoginModule required storeKey=true
    useKeyTab=true keyTab="caskerberos.keytab";
};
and this:

<bean name="jcifsConfig"
      class="org.jasig.cas.adaptors.spnego.authentication.handler.support.JCIFSConfig">
    <property name="jcifsKerberosEnable" value="true" />
    <property name="jcifsServicePrincipal" value="HTTP/[EMAIL PROTECTED]" />
    <property name="jcifsServicePassword" value="uniloggda" />
    <property name="kerberosDebug" value="true" />
    <property name="kerberosRealm" value="KEYPHRENE" />
    <property name="kerberosKdc" value="ad-hr-1" />
    <property name="loginConf"
              value="/home/Vincent/jakarta-tomcat-5.0.28/webapps/cas/WEB-INF/login.conf" />
</bean>
I get this error:
>>> KeyTabInputStream, readName(): KEYPHRENE
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): xnet_7
>>> KeyTab: load() entry length: 49; type: 3
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbAsReq etypes are: 3 1
>>> KrbKdcReq send: kdc=ad-hr-1 UDP:88, timeout=30000, number of retries =3, #bytes=227
>>> KDCCommunication: kdc=ad-hr-1 UDP:88, timeout=30000,Attempt =1, #bytes=227
>>> KrbKdcReq send: #bytes read=1258
>>> KrbKdcReq send: #bytes read=1258
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/xnet_7
Found key for HTTP/[EMAIL PROTECTED]
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism
level: KDC has no support for encryption type (14))
> A°
> Cause 2: This exception is thrown when using the native ticket cache on some
> Windows platforms. Microsoft has added a new feature in which they no longer
> export the session keys for Ticket-Granting Tickets (TGTs). As a result, the
> native TGT obtained on Windows has an "empty" session key and null EType.
> The affected platforms include: Windows Server 2003, Windows 2000 Server
> Service Pack 4 (SP4) and Windows XP SP2.
>
> Solution 2: You need to update the Windows registry to disable this new
> feature. The registry key allowtgtsessionkey should be added, and set
> correctly, to allow session keys to be sent in the Kerberos Ticket-Granting
> Ticket.
>
> On Windows Server 2003 and Windows 2000 SP4, here is the required registry
> setting:
>
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
> Value Name: allowtgtsessionkey
> Value Type: REG_DWORD
> Value: 0x01 ( default is 0 )
>
> By default, the value is 0; setting it to "0x01" allows a session key to be
> included in the TGT.
I have added this parameter without success.
>
> B°
> Try this in your krb5.conf (instead of des-cbc-crc/des-cbc-md5)
> des-cbc-crc:normal
> des-cbc-md5:normal
>
I use this parameter:

set JAVA_OPTS="-Djava.security.krb5.conf=C:/CAS-NTLM/tomcat/conf/krb5.conf"

[libdefaults]
    ticket_lifetime = 24000
    default_realm = KEYPHRENE
    dns_lookup_realm = false
    dns_lookup_kdc = false
    default_keytab_name = C:/CAS-NTLM/tomcat/conf/caskerberos.keytab
    default_tkt_enctypes = des-cbc-md5
    default_tgs_enctypes = des-cbc-md5

[realms]
    CRLORRAINE = {
        kdc = ad-hr-1:88
        admin_server = ad-hr-1:749
        default_domain = keyphrene
    }

[domain_realm]
    .keyphrene = KEYPHRENE
    keyphrene = KEYPHRENE
I have replaced des-cbc-md5 with des-cbc-crc and I get the same result;
krb5.conf is not used ...
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
Thanks for your help
Vincent Jaulin
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
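Editor's note on the error in this thread: in "KDC has no support for encryption type (14)" the number is the Kerberos error code, not an enctype; 14 is KDC_ERR_ETYPE_NOSUPP from RFC 4120, returned when the KDC cannot satisfy the encryption type requested. Two things in the posted configuration can be checked offline before looking at the KDC: which keys the keytab actually holds (the debug output above shows one entry of type 3, des-cbc-md5), and whether krb5.conf is internally consistent (its default_realm is KEYPHRENE, but the only realm defined under [realms] is CRLORRAINE). The script below is an added example for this thread, not code from the original post, from CAS or from JCIFS. It parses the MIT keytab format (version 0x0502) that Java's KeyTabInputStream reads, lists principal, kvno and enctype for every key, and reports mismatches against the krb5.conf settings and against a set of enctypes the KDC offers. The keytab bytes, the krb5.conf text and the KDC enctype set are constructed sample data; the HTTP/xnet_7@KEYPHRENE principal is taken from the debug log above.

```python
"""Offline checks of a Kerberos keytab against a krb5.conf.  Added example for
this thread (not part of the original post, CAS or JCIFS; all sample data is
constructed).  Reads the MIT keytab v2 format that Java's KeyTabInputStream
loads and reports realm/enctype mismatches before the KDC is ever contacted."""
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}  # IANA numbers
DEPRECATED = {1, 2, 3}                      # single DES, deprecated by RFC 6649
KDC_ERR_ETYPE_NOSUPP = 14                   # RFC 4120 error code shown as "(14)"

def _counted(buf, pos):                     # 16-bit length-prefixed octet string
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return [{principal, kvno, enctype, key}, ...] from keytab v2 bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                        # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, _stamp, kvno = struct.unpack_from(">IIB", data, pos)
        (etype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _counted(data, pos + 11)
        if end - pos >= 4:                  # optional 32-bit kvno; 0 = use vno8
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": etype, "key": key})
    return entries

def build_keytab(realm, components, kvno, keys):
    """Serialize one keytab v2 entry per (enctype, key); demo helper only."""
    counted = lambda b: struct.pack(">H", len(b)) + b
    out = b"\x05\x02"
    for etype, key in keys:
        body = struct.pack(">H", len(components)) + counted(realm.encode())
        body += b"".join(counted(c.encode()) for c in components)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # NT-PRINCIPAL, stamp, vno8
        body += struct.pack(">H", etype) + counted(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

def parse_krb5_conf(text):
    """Minimal reader: [libdefaults] key/values and realm names under [realms]."""
    section, libdefaults, realms = None, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "realms" and line.endswith("{"):
            realms.append(line[:-1].rstrip(" =").strip())
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            libdefaults[key] = value
    return libdefaults, realms

def check(keytab_bytes, krb5_conf_text, kdc_enctypes):
    """Return findings as strings; an empty list means keytab and conf agree."""
    entries = parse_keytab(keytab_bytes)
    libdefaults, realms = parse_krb5_conf(krb5_conf_text)
    default_realm, findings = libdefaults.get("default_realm"), []
    if default_realm and default_realm not in realms:
        findings.append("default_realm %s has no [realms] entry (found: %s)"
                        % (default_realm, ", ".join(realms) or "none"))
    for e in entries:
        if e["enctype"] in DEPRECATED:
            findings.append("%s kvno %d uses deprecated enctype %s (%d)" % (
                e["principal"], e["kvno"], ENCTYPE_NAMES[e["enctype"]], e["enctype"]))
    by_name = {name: num for num, name in ENCTYPE_NAMES.items()}
    in_keytab = {e["enctype"] for e in entries}
    for name in libdefaults.get("default_tkt_enctypes", "").split():
        num = by_name.get(name)
        if num not in in_keytab:
            findings.append("%s requested but the keytab holds no such key" % name)
        if num not in kdc_enctypes:
            findings.append("%s not offered by the KDC (KDC_ERR_ETYPE_NOSUPP %d)"
                            % (name, KDC_ERR_ETYPE_NOSUPP))
    return findings

# Constructed sample: the principal from the thread's debug log with a DES and
# an AES256 key, a conf whose [realms] name differs from default_realm, and a
# KDC (modelled as a set of enctype numbers) that still offers only DES and RC4.
SAMPLE_KEYTAB = build_keytab("KEYPHRENE", ["HTTP", "xnet_7"], 2,
                             [(3, bytes(range(8))), (18, bytes(range(32)))])
SAMPLE_KRB5_CONF = ("[libdefaults]\n default_realm = KEYPHRENE\n"
                    " default_tkt_enctypes = des-cbc-md5 aes256-cts-hmac-sha1-96\n"
                    "[realms]\n CRLORRAINE = {\n  kdc = ad-hr-1:88\n }\n")
KDC_ENCTYPES = {1, 3, 23}

if __name__ == "__main__":
    print("\n".join(check(SAMPLE_KEYTAB, SAMPLE_KRB5_CONF, KDC_ENCTYPES)))
```

Run as-is it prints three findings for the constructed sample: the realm name mismatch, the deprecated single-DES key, and the AES enctype the modelled KDC does not offer. For a real deployment, pass the bytes of the file named by keyTab in login.conf to parse_keytab and the real krb5.conf text to check; the parser also handles the optional 32-bit kvno and deleted slots (negative entry length) that appear in keytabs that have been edited in place.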