I guess the problem is in the Kerberos setting. I never used SPNEGO before. If it's similar to Cyrus SASL, perhaps you can test whether the service setting is correct before doing further configuration. In SASL, there are a sample-server and a sample-client which can test SASL.
Regards,
Shi Yusen/Beijing Langhua Ltd.

On Thu, 2007-12-13 at 04:18 -0800, Antoni wrote:
> Hi,
> for the last few days I did try to setup JBoss, Liferay, Cas to
> authenticate users by kerberos. I did follow instructions from
> http://www.ja-sig.org/wiki/display/CASUM/SPNEGO and many other sites.
> Nothing helps.
> Cas gets NTLM token, not Kerberos and because of that doesn't work.
> The platform is Windows 2003.
>
> c:\windows\krb.ini
> [libdefaults]
> default_realm = XXX.YYY.FI
> default_keytab_name = FILE:C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab
> default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
> default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
> permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> [realms]
> XXX.YYY.FI = {
> kdc = aaa.xxx.yyy.fi:88
> keytab_name = FILE:C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab
> kdc_ports = 750,88
> kdc_addrs = aaa.xxx.yyy.fi
> default_domain = bbb.xxx.yyy.fi
> };
> [domain_realm]
> bbb.xxx.yyy.fi = XXX.YYY.FI
> .bbb.xxx.yyy.fi = XXX.YYY.FI
> #[appdefaults]
> autologin = true
> forward = true
> forwardable = true
> encrypt = true
>
> This file works fine:
> C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF>%JAVA_HOME%\bin\kinit -k -t C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab HTTP/[EMAIL PROTECTED]
> New ticket is stored in cache file C:\Documents and Settings\wmanaaa\krb5cc_xxx
>
> C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF>%JAVA_HOME%\bin\klist
> Credentials cache: C:\Documents and Settings\xxx\krb5cc_xxx
> Default principal: HTTP/[EMAIL PROTECTED], 1 entry found.
> [1] Service Principal: krbtgt/[EMAIL PROTECTED]
> Valid starting: Dec 13, 2007 10:12
> Expires: Dec 13, 2007 20:12
>
> C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF>%JAVA_HOME%\bin\klist -k
> Key tab: C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab, 1 entry found.
> [1] Service principal: HTTP/[EMAIL PROTECTED]
> KVNO: 6
>
> So the next step is configuring CAS. All instructions from
> http://www.ja-sig.org/wiki/display/CASUM/SPNEGO are followed exactly. Only
> login.conf is modified:
> jcifs.spnego.initiate {
>     com.sun.security.auth.module.Krb5LoginModule
>     required
>     debug=true
>     useKeyTab=true
>     doNotPrompt=true
>     keyTab="C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab"
>     realm=XXX.YYY.FI
>     principal=HTTP/[EMAIL PROTECTED]
>     storeKey=true;
> };
> jcifs.spnego.accept {
>     com.sun.security.auth.module.Krb5LoginModule
>     required
>     debug=true
>     useKeyTab=true
>     doNotPrompt=true
>     keyTab="C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab"
>     realm=XXX.YYY.FI
>     principal=HTTP/[EMAIL PROTECTED]
>     storeKey=true;
> };
>
> The deployerConfigContext.xml at the end:
> <bean name="jcifsConfig"
>     class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
>     <property name="jcifsServicePrincipal" value="HTTP/[EMAIL PROTECTED]" />
>     <property name="jcifsServicePassword" value="xxxxxxxx" />
>     <property name="kerberosDebug" value="true" />
>     <property name="kerberosRealm" value="XXX.YYY.FI" />
>     <property name="kerberosKdc" value="123.123.123.123" />
>     <property name="loginConf" value="/WEB-INF/login.conf" />
> </bean>
>
> The "other" loginmodule is added to the JBosses login-config.xml
> To the run.bat of JBoss is added:
> set JAVA_OPTS=%JAVA_OPTS% -Djava.security.krb5.conf="C:/windows/krb5.ini"
>
> All seems to be fine, but still doesn't work.
>
> 10:56:17,148 INFO [STDOUT] 2007-12-13 10:56:17,148 INFO
> [org.jasig.cas.authentication.AuthenticationManagerImpl] -
> <AuthenticationHandler:
> org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler
> failed to authenticate the user which provided the following credentials: Principal
> is null>
>
> The problem is there:
> jcifs.spnego.Authentication
>     private void processNtlm(byte[] token) throws AuthenticationException {
>         byte[] challenge = null;
>         try {
>             switch (token[8]) {
>             case 1:
>                 if (client) {
>                     throw new AuthenticationException(
>                             "NTLM Type 1 message received by client.");
>                 }
>                 challenge = SmbSession.getChallenge(getDomainController());
>                 nextToken = new Type2Message(new Type1Message(token),
>                         challenge, null).toByteArray();
>                 break;
>             .......
>             case 3:
>                 if (client) {
>                     throw new AuthenticationException(
>                             "NTLM Type 3 message received by client.");
>                 } ....
>
> The NTLM type is always "1". And should be 3.
>
> I can't figure out what should I do next.
>
> Thank you in advance for any help.
>
> Antoni

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
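A quick way to see what the browser is really sending before touching the CAS side, as an added example that is not from the thread, CAS or jcifs: it classifies the token in an "Authorization: Negotiate <base64>" header as raw NTLMSSP (reading the message type at offset 8, the same byte jcifs switches on), raw Kerberos, or a SPNEGO wrapper that offers Kerberos. The two sample tokens are constructed here; the OIDs are the standard RFC values and the DER helpers are minimal ones written for this example.

```python
import base64

# DER OID value bytes (without the 0x06 tag and the length byte)
SPNEGO_OID = bytes.fromhex("2b0601050502")       # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2
NTLMSSP_SIG = b"NTLMSSP\x00"

def _der(tag, body):
    """Minimal DER TLV for bodies under 128 bytes (used only to build the samples)."""
    return bytes([tag, len(body)]) + body

def _der_len(buf, i):
    """Decode the DER length at buf[i]; return (length, index of first content byte)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def classify_negotiate_token(token):
    """Label what the client actually put in 'Authorization: Negotiate <b64>'."""
    if token.startswith(NTLMSSP_SIG):
        # Raw NTLMSSP: 4-byte little-endian message type at offset 8 (jcifs reads token[8]);
        # a truncated message yields type 0
        return f"ntlm:type{int.from_bytes(token[8:12], 'little')}"
    if token[:1] != b"\x60":
        return "unknown"
    # GSS-API InitialContextToken (RFC 2743): 0x60 LEN 0x06 OIDLEN <mech OID> <inner token>
    _, i = _der_len(token, 1)
    if token[i:i + 1] != b"\x06":
        return "unknown"
    oid_len, j = _der_len(token, i + 1)
    mech, rest = token[j:j + oid_len], token[j + oid_len:]
    if mech == KRB5_OID:
        return "kerberos"
    if mech != SPNEGO_OID:
        return "unknown"
    # SPNEGO NegTokenInit: shallow scan of mechTypes for the Kerberos OID (not a full ASN.1 parse)
    return "spnego:kerberos" if b"\x06\x09" + KRB5_OID in rest else "spnego:other"

def classify_authorization_header(value):
    """Take the value of an Authorization request header and classify its token."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    return classify_negotiate_token(base64.b64decode(b64))

# Constructed samples (not captured from the thread): NTLM Type 1, and SPNEGO offering only Kerberos
NTLM_TYPE1 = NTLMSSP_SIG + (1).to_bytes(4, "little") + bytes(20)
MECH_TYPES = _der(0x30, _der(0x06, KRB5_OID))
SPNEGO_KRB = _der(0x60, _der(0x06, SPNEGO_OID) + _der(0xA0, _der(0x30, _der(0xA0, MECH_TYPES))))
```

An NTLM Type 1 result means the browser never presented a Kerberos service ticket for the HTTP/ SPN, so the JVM-side Kerberos configuration should be checked before the CAS handler; note that the message above names the file c:\windows\krb.ini while the JBoss run.bat points at C:/windows/krb5.ini.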
