Hi,
for the last few days I have been trying to set up JBoss, Liferay and CAS to
authenticate users by Kerberos. I followed the instructions from
http://www.ja-sig.org/wiki/display/CASUM/SPNEGO and many other sites.
Nothing helps.
CAS gets an NTLM token, not a Kerberos one, and because of that it doesn't work.
The platform is Windows 2003.
c:\windows\krb.ini
[libdefaults]
default_realm = XXX.YYY.FI
default_keytab_name = FILE:C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
XXX.YYY.FI = {
    kdc = aaa.xxx.yyy.fi:88
    keytab_name = FILE:C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab
    kdc_ports = 750,88
    kdc_addrs = aaa.xxx.yyy.fi
    default_domain = bbb.xxx.yyy.fi
};
[domain_realm]
bbb.xxx.yyy.fi = XXX.YYY.FI
.bbb.xxx.yyy.fi = XXX.YYY.FI
#[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
This file works fine:
C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF>%JAVA_HOME%\bin\kinit -k -t C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab HTTP/[EMAIL PROTECTED]
New ticket is stored in cache file C:\Documents and Settings\wmanaaa\krb5cc_xxx
C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF>%JAVA_HOME%\bin\klist
Credentials cache: C:\Documents and Settings\xxx\krb5cc_xxx
Default principal: HTTP/[EMAIL PROTECTED], 1 entry found.
[1] Service Principal: krbtgt/[EMAIL PROTECTED]
Valid starting: Dec 13, 2007 10:12
Expires: Dec 13, 2007 20:12
C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF>%JAVA_HOME%\bin\klist -k
Key tab: C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab, 1 entry found.
[1] Service principal: HTTP/[EMAIL PROTECTED]
KVNO: 6
So the next step is configuring CAS. All instructions from
http://www.ja-sig.org/wiki/display/CASUM/SPNEGO are followed exactly. Only
login.conf is modified:
jcifs.spnego.initiate {
    com.sun.security.auth.module.Krb5LoginModule
        required
        debug=true
        useKeyTab=true
        doNotPrompt=true
        keyTab="C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab"
        realm=XXX.YYY.FI
        principal=HTTP/[EMAIL PROTECTED]
        storeKey=true;
};
jcifs.spnego.accept {
    com.sun.security.auth.module.Krb5LoginModule
        required
        debug=true
        useKeyTab=true
        doNotPrompt=true
        keyTab="C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab"
        realm=XXX.YYY.FI
        principal=HTTP/[EMAIL PROTECTED]
        storeKey=true;
};
The deployerConfigContext.xml at the end:
<bean name="jcifsConfig"
      class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
    <property name="jcifsServicePrincipal" value="HTTP/[EMAIL PROTECTED]" />
    <property name="jcifsServicePassword" value="xxxxxxxx" />
    <property name="kerberosDebug" value="true" />
    <property name="kerberosRealm" value="XXX.YYY.FI" />
    <property name="kerberosKdc" value="123.123.123.123" />
    <property name="loginConf" value="/WEB-INF/login.conf" />
</bean>
The "other" login module is added to JBoss's login-config.xml.
The following is added to JBoss's run.bat:
set JAVA_OPTS=%JAVA_OPTS% -Djava.security.krb5.conf="C:/windows/krb5.ini"
All seems to be fine, but it still doesn't work.
10:56:17,148 INFO [STDOUT] 2007-12-13 10:56:17,148 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler failed to authenticate the user which provided the following credentials: Principal is null>
The problem is here:
jcifs.spnego.Authentication
    private void processNtlm(byte[] token) throws AuthenticationException {
        byte[] challenge = null;
        try {
            switch (token[8]) {
            case 1:
                if (client) {
                    throw new AuthenticationException(
                            "NTLM Type 1 message received by client.");
                }
                challenge = SmbSession.getChallenge(getDomainController());
                nextToken = new Type2Message(new Type1Message(token),
                        challenge, null).toByteArray();
                break;
            .......
            case 3:
                if (client) {
                    throw new AuthenticationException(
                            "NTLM Type 3 message received by client.");
                } ....
The NTLM type is always "1", and it should be 3.
I can't figure out what I should do next.
Thank you in advance for any help.
Antoni
--
View this message in context:
http://www.nabble.com/Cas---kerberos---Lifery---JBoss-config%2C-help-needed-tp14314939p14314939.html
Sent from the CAS Users mailing list archive at Nabble.com.
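The post's symptom is that the token reaching jcifs is an NTLM Type 1 (NEGOTIATE) message rather than a Kerberos one: `token[8]` in `processNtlm` is the NTLMSSP MessageType field, so the switch is reading exactly that. Before changing more CAS or krb5 settings it helps to look at what the browser is actually sending in the `Authorization: Negotiate` header. The script below is an added example, not code from the original post, CAS or jcifs: it base64-decodes a Negotiate header value, tells a raw NTLMSSP blob apart from a GSS-API/SPNEGO token, walks the SPNEGO NegTokenInit (RFC 4178) to list the mechanisms the client offered, and, when the inner mechToken is NTLMSSP, reports its message type. The sample headers at the bottom are constructed inline (including a placeholder in place of a real Kerberos AP-REQ); the OID byte strings are the standard DER encodings of the SPNEGO, Kerberos V5, MS-Kerberos and NTLMSSP mechanism identifiers.

```python
import base64

# DER-encoded OID contents (tag and length omitted).
SPNEGO_OID = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
OID_NAMES = {KRB5_OID: "kerberos", MS_KRB5_OID: "kerberos", NTLMSSP_OID: "ntlm"}


def der_encode(tag, content):
    """Wrap content in a DER TLV (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nbytes)]) + nbytes
    return bytes([tag]) + length + content


def der_read(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    n = buf[pos + 1]
    pos += 2
    if n & 0x80:                       # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def der_children(content):
    """Yield (tag, content) for each TLV packed inside a constructed element."""
    pos = 0
    while pos < len(content):
        tag, value, pos = der_read(content, pos)
        yield tag, value


def ntlm_message_type(ntlm):
    # NTLMSSP bytes 8..11 hold MessageType, little-endian:
    # 1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE (the value jcifs switches on).
    return int.from_bytes(ntlm[8:12], "little")


def parse_neg_token_init(token):
    """Extract (mechTypes, mechToken) from a SPNEGO NegTokenInit."""
    tag, content, _ = der_read(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    oid_tag, oid, pos = der_read(content)
    if oid_tag != 0x06 or oid != SPNEGO_OID:
        raise ValueError("InitialContextToken mechanism is not SPNEGO")
    choice_tag, choice, _ = der_read(content, pos)
    if choice_tag != 0xA0:
        raise ValueError("expected NegTokenInit [0]")
    _, seq, _ = der_read(choice)                     # SEQUENCE { ... }
    mech_types, mech_token = [], b""
    for ctx_tag, ctx in der_children(seq):
        if ctx_tag == 0xA0:                          # [0] mechTypes
            _, inner, _ = der_read(ctx)              # SEQUENCE OF OID
            mech_types = [v for t, v in der_children(inner) if t == 0x06]
        elif ctx_tag == 0xA2:                        # [2] mechToken
            _, mech_token, _ = der_read(ctx)         # OCTET STRING
    return mech_types, mech_token


def classify_negotiate_header(header_value):
    """Classify the token carried in an 'Authorization: Negotiate <base64>' header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"mechanism": "other", "scheme": scheme}
    token = base64.b64decode(b64)
    if token.startswith(NTLMSSP_SIGNATURE):          # raw NTLMSSP, no SPNEGO wrapper
        return {"mechanism": "ntlm", "wrapped": False,
                "ntlm_message_type": ntlm_message_type(token)}
    mech_types, mech_token = parse_neg_token_init(token)
    names = [OID_NAMES.get(m, "unknown") for m in mech_types]
    result = {"mechanism": names[0] if names else "none", "wrapped": True, "mech_types": names}
    if mech_token.startswith(NTLMSSP_SIGNATURE):      # NTLM carried inside SPNEGO
        result["mechanism"] = "ntlm"
        result["ntlm_message_type"] = ntlm_message_type(mech_token)
    return result


def build_neg_token_init(mech_oids, mech_token):
    """Build a minimal SPNEGO NegTokenInit (used here only to construct samples)."""
    mech_list = der_encode(0x30, b"".join(der_encode(0x06, o) for o in mech_oids))
    body = der_encode(0xA0, mech_list) + der_encode(0xA2, der_encode(0x04, mech_token))
    return der_encode(0x60, der_encode(0x06, SPNEGO_OID) + der_encode(0xA0, der_encode(0x30, body)))


# Constructed sample inputs, not captured from a real browser.
NTLM_TYPE1 = NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + (0x00088207).to_bytes(4, "little") + bytes(16)
FAKE_AP_REQ = der_encode(0x60, der_encode(0x06, KRB5_OID) + b"\x01\x00" + b"<constructed AP-REQ placeholder>")
SAMPLE_HEADERS = {
    "raw_ntlm": "Negotiate " + base64.b64encode(NTLM_TYPE1).decode(),
    "spnego_ntlm": "Negotiate " + base64.b64encode(build_neg_token_init([NTLMSSP_OID], NTLM_TYPE1)).decode(),
    "spnego_krb5": "Negotiate " + base64.b64encode(build_neg_token_init([MS_KRB5_OID, KRB5_OID], FAKE_AP_REQ)).decode(),
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print(name, classify_negotiate_header(header))
```

Paste the header value from the browser's request (or from a jcifs/CAS debug log) into `classify_negotiate_header`. A result of `mechanism: ntlm` with `ntlm_message_type: 1` is the state the post describes: the client never obtained a Kerberos service ticket and offered NTLM instead, so the server-side keytab and login.conf are not what is being exercised yet. A Kerberos result with a bad keytab or principal produces a different failure, which is why separating the two cases first saves time.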
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas