Hi,

Here is the same content as in my post to: http://www.nabble.com/Cas---kerberos---Lifery---JBoss-config-2C-help-needed-to14314939.html#a14314939
For the last few days I have been trying to set up JBoss, Liferay and CAS to authenticate users by Kerberos. I followed the instructions from http://www.ja-sig.org/wiki/display/CASUM/SPNEGO and many other sites. Nothing helps. CAS gets an NTLM token, not Kerberos, and because of that it doesn't work. The platform is Windows 2003.

c:\windows\krb.ini:

    [libdefaults]
        default_realm = XXX.YYY.FI
        default_keytab_name = FILE:C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab
        default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
        default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
        permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
        dns_lookup_realm = false
        dns_lookup_kdc = false

    [realms]
        XXX.YYY.FI = {
            kdc = aaa.xxx.yyy.fi:88
            keytab_name = FILE:C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab
            kdc_ports = 750,88
            kdc_addrs = aaa.xxx.yyy.fi
            default_domain = bbb.xxx.yyy.fi
        };

    [domain_realm]
        bbb.xxx.yyy.fi = XXX.YYY.FI
        .bbb.xxx.yyy.fi = XXX.YYY.FI

    #[appdefaults]
        autologin = true
        forward = true
        forwardable = true
        encrypt = true

This file works fine:

    C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF>%JAVA_HOME%\bin\kinit -k -t C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab HTTP/[EMAIL PROTECTED]
    New ticket is stored in cache file C:\Documents and Settings\wmanaaa\krb5cc_xxx

    C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF>%JAVA_HOME%\bin\klist
    Credentials cache: C:\Documents and Settings\xxx\krb5cc_xxx
    Default principal: HTTP/[EMAIL PROTECTED], 1 entry found.

    [1] Service Principal: krbtgt/[EMAIL PROTECTED]
        Valid starting: Dec 13, 2007 10:12
        Expires: Dec 13, 2007 20:12

    C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF>%JAVA_HOME%\bin\klist -k
    Key tab: C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab, 1 entry found.

    [1] Service principal: HTTP/[EMAIL PROTECTED]
        KVNO: 6

So the next step is configuring CAS. All instructions from http://www.ja-sig.org/wiki/display/CASUM/SPNEGO are followed exactly. Only login.conf is modified:

    jcifs.spnego.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
            debug=true
            useKeyTab=true
            doNotPrompt=true
            keyTab="C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab"
            realm=XXX.YYY.FI
            principal=HTTP/[EMAIL PROTECTED]
            storeKey=true;
    };

    jcifs.spnego.accept {
        com.sun.security.auth.module.Krb5LoginModule required
            debug=true
            useKeyTab=true
            doNotPrompt=true
            keyTab="C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab"
            realm=XXX.YYY.FI
            principal=HTTP/[EMAIL PROTECTED]
            storeKey=true;
    };

The deployerConfigContext.xml at the end:

    <bean name="jcifsConfig" class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
        <property name="jcifsServicePrincipal" value="HTTP/[EMAIL PROTECTED]" />
        <property name="jcifsServicePassword" value="xxxxxxxx" />
        <property name="kerberosDebug" value="true" />
        <property name="kerberosRealm" value="XXX.YYY.FI" />
        <property name="kerberosKdc" value="123.123.123.123" />
        <property name="loginConf" value="/WEB-INF/login.conf" />
    </bean>

The "other" login module is added to JBoss's login-config.xml.

To the run.bat of JBoss is added:

    set JAVA_OPTS=%JAVA_OPTS% -Djava.security.krb5.conf="C:/windows/krb5.ini"

All seems to be fine, but it still doesn't work.
    10:56:17,148 INFO  [STDOUT] 2007-12-13 10:56:17,148 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler failed to authenticate the user which provided the following credentials: Principal is null>

The problem is here, in jcifs.spnego.Authentication:

    private void processNtlm(byte[] token) throws AuthenticationException {
        byte[] challenge = null;
        try {
            switch (token[8]) {
            case 1:
                if (client) {
                    throw new AuthenticationException(
                            "NTLM Type 1 message received by client.");
                }
                challenge = SmbSession.getChallenge(getDomainController());
                nextToken = new Type2Message(new Type1Message(token), challenge,
                        null).toByteArray();
                break;
            // .......
            case 3:
                if (client) {
                    throw new AuthenticationException(
                            "NTLM Type 3 message received by client.");
                }
                // ....

The NTLM type is always 1, and it should be 3. I can't figure out what I should do next.

Thank you in advance for any help.

Antoni Alatalo
_________________________________________
WM-data
a LogicaCMG company
Karvaamokuja 2
PL 38
00381 Helsinki
T: 010 302 010
M: 040 583 1097
F: 010 302 011
E: [EMAIL PROTECTED]
www.logicacmg.fi
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
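The jcifs switch on token[8] quoted in the post only makes sense once you know what the browser actually put in the Authorization: Negotiate header, because the same header carries either a SPNEGO-wrapped Kerberos AP-REQ, a SPNEGO-wrapped NTLMSSP message, or a bare NTLMSSP message (Windows clients fall back to NTLM inside the Negotiate scheme when they cannot get a service ticket for the HTTP/ SPN). In NTLM the client's first message is always type 1 (Negotiate); a type 3 (Authenticate) only arrives after the server has answered with a type 2 challenge. The script below is an added example, not code from the post, CAS or jcifs: it decodes a Negotiate header value and reports which mechanism it carries, by checking for the NTLMSSP signature, the SPNEGO OID 1.3.6.1.5.5.2, the Kerberos OID 1.2.840.113554.1.2.2 and the NTLMSSP OID 1.3.6.1.4.1.311.2.2.10, and for NTLM it reads the message type at offset 8 the way jcifs does. The three sample headers at the bottom are constructed inside the block, not captured from any real system, and the AP-REQ body in the Kerberos sample is a placeholder.

```python
"""Classify the token in an HTTP 'Authorization: Negotiate ...' header.
Added diagnostic for the exchange discussed in the post; not CAS or jcifs
code. The sample headers at the bottom are constructed, not captured."""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER content bytes of the OIDs that matter (what follows the 0x06 tag + length)
OID_SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
OID_KERBEROS5 = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {OID_KERBEROS5: "Kerberos5", OID_NTLMSSP: "NTLMSSP"}


def der_tlv(buf, pos=0):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_encode(tag, value):
    n = len(value)                           # minimal DER encoder for the samples
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def describe_mech_token(tok, result):
    """Identify a mechanism-specific token: raw NTLMSSP or a GSS-API token."""
    if tok.startswith(NTLMSSP_SIGNATURE):
        result["mechanism"] = "NTLM"
        # MessageType: little-endian uint32 at offset 8 (1 Negotiate, 2 Challenge,
        # 3 Authenticate). This is the byte jcifs switches on.
        result["ntlm_type"] = struct.unpack_from("<I", tok, 8)[0]
    elif tok[:1] == b"\x60":                 # InitialContextToken: 0x60 len OID ...
        _, body, _ = der_tlv(tok)
        _, oid, _ = der_tlv(body)
        result["mechanism"] = OID_NAMES.get(oid, "unknown-gss:" + oid.hex())


def classify_negotiate_header(header_value):
    """Return {'mechanism', 'ntlm_type', 'mech_types', 'spnego'} for one header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        raise ValueError("not a Negotiate/NTLM Authorization header")
    token = base64.b64decode(b64)
    result = {"mechanism": "unknown", "ntlm_type": None, "mech_types": [], "spnego": False}
    if token[:1] != b"\x60":                 # no GSS framing: raw NTLMSSP fallback
        describe_mech_token(token, result)
        return result
    _, body, _ = der_tlv(token)
    _, oid, pos = der_tlv(body)
    if oid != OID_SPNEGO:                    # bare Kerberos (or other) GSS token
        describe_mech_token(token, result)
        return result
    # SPNEGO NegotiationToken ::= [0] NegTokenInit, a SEQUENCE of tagged fields
    result["spnego"] = True
    _, neg_init, _ = der_tlv(body, pos)
    _, fields, _ = der_tlv(neg_init)
    p, mech_token = 0, b""
    while p < len(fields):
        ftag, fval, p = der_tlv(fields, p)
        if ftag == 0xA0:                     # mechTypes [0] SEQUENCE OF OID
            _, mlist, _ = der_tlv(fval)
            q = 0
            while q < len(mlist):
                _, mech_oid, q = der_tlv(mlist, q)
                result["mech_types"].append(OID_NAMES.get(mech_oid, mech_oid.hex()))
        elif ftag == 0xA2:                   # mechToken [2] OCTET STRING, for mechTypes[0]
            _, mech_token, _ = der_tlv(fval)
    if mech_token:
        describe_mech_token(mech_token, result)
    return result


def ntlm_type1_message():
    """Constructed NTLM NEGOTIATE_MESSAGE (type 1), empty domain/workstation."""
    return NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0xE2088297) + b"\x00" * 16


def spnego_neg_token_init(mech_oids, mech_token):
    """Constructed SPNEGO NegTokenInit offering mech_oids, token for the first."""
    mech_types = der_encode(0x30, b"".join(der_encode(0x06, o) for o in mech_oids))
    fields = der_encode(0xA0, mech_types) + der_encode(0xA2, der_encode(0x04, mech_token))
    return der_encode(0x60, der_encode(0x06, OID_SPNEGO) + der_encode(0xA0, der_encode(0x30, fields)))


def gss_kerberos_token(ap_req_der):
    """Constructed GSS-API Kerberos token; TOK_ID 01 00 = AP-REQ. Body is a placeholder."""
    return der_encode(0x60, der_encode(0x06, OID_KERBEROS5) + b"\x01\x00" + ap_req_der)


# Constructed sample headers (not captured from a real system).
SAMPLE_NTLM_IN_SPNEGO = "Negotiate " + base64.b64encode(
    spnego_neg_token_init([OID_NTLMSSP], ntlm_type1_message())).decode()
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(ntlm_type1_message()).decode()
SAMPLE_KERBEROS = "Negotiate " + base64.b64encode(spnego_neg_token_init(
    [OID_KERBEROS5, OID_NTLMSSP], gss_kerberos_token(b"\x6e\x00"))).decode()

if __name__ == "__main__":
    for hdr in (SAMPLE_NTLM_IN_SPNEGO, SAMPLE_RAW_NTLM, SAMPLE_KERBEROS):
        print(classify_negotiate_header(hdr))
```

Run it against a header copied from a proxy log or a browser's developer tools: a result of mechanism NTLM with ntlm_type 1 means the client never obtained a Kerberos ticket for the service and opened an NTLM exchange instead, so the next thing to check is the client side (SPN lookup, zone/trust settings for the site name) rather than the keytab on the server.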
