Antoni,

If I am reading your detailed note correctly, you are trying to perform Kerberos authentication to each service.  This may be possible, but I have never tried it myself.  Since nobody else has replied yet, let me try to tell you what I have done successfully.

Using the CAS JAAS module (http://www.ja-sig.org/wiki/display/CASUM/JAAS), I was able to configure CAS to authenticate to AD using Kerberos.  From that point on, I can use CAS protocol, not Kerberos, to authenticate services to CAS.  So, this may not be what you were looking for, but my goal was to use CAS "natively" after establishing that the user supplied valid Kerberos credentials.

There is a valid follow-up to authenticating to AD or another Kerberos server this way: what happens to the Kerberos ticket that is issued to CAS?  Should this ticket be invalidated?  If so, when?  That is, right after successful authentication or when the user logs out of CAS?  These questions can only be addressed by someone who knows more about Kerberos than I do.

Adam

Alatalo Antoni wrote:
CAS - Kerberos - Liferay - JBoss config, help needed

Hi,
Here is the same content as in post to:
http://www.nabble.com/Cas---kerberos---Lifery---JBoss-config-2C-help-needed-to14314939.html#a14314939

For the last few days I have been trying to set up JBoss, Liferay and CAS to authenticate users by Kerberos. I followed the instructions from http://www.ja-sig.org/wiki/display/CASUM/SPNEGO and many other sites.

Nothing helps.
CAS gets an NTLM token, not Kerberos, and because of that it doesn't work.
The platform is Windows 2003.

c:\windows\krb.ini
[libdefaults]
    default_realm = XXX.YYY.FI
    default_keytab_name = FILE:C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    XXX.YYY.FI = {
        kdc = aaa.xxx.yyy.fi:88
        keytab_name = FILE:C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab
        kdc_ports = 750,88
        kdc_addrs = aaa.xxx.yyy.fi
        default_domain = bbb.xxx.yyy.fi
    };
[domain_realm]
    bbb.xxx.yyy.fi = XXX.YYY.FI
    .bbb.xxx.yyy.fi = XXX.YYY.FI
#[appdefaults]
        autologin = true
        forward = true
        forwardable = true
        encrypt = true

This file works fine:
C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF>%JAVA_HOME%\bin\kinit -k -t C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab HTTP/[EMAIL PROTECTED]
New ticket is stored in cache file C:\Documents and Settings\wmanaaa\krb5cc_xxx

C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF>%JAVA_HOME%\bin\klist
Credentials cache: C:\Documents and Settings\xxx\krb5cc_xxx Default principal: HTTP/[EMAIL PROTECTED], 1 entry found.

[1]  Service Principal:  krbtgt/[EMAIL PROTECTED]
     Valid starting:  Dec 13, 2007 10:12
     Expires:         Dec 13, 2007 20:12

C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF>%JAVA_HOME%\bin\klist -k
Key tab: C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab, 1 entry found.
[1] Service principal: HTTP/[EMAIL PROTECTED]
         KVNO: 6

So the next step is configuring CAS. All instructions from http://www.ja-sig.org/wiki/display/CASUM/SPNEGO are followed exactly. Only login.conf is modified:

jcifs.spnego.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
        debug=true
        useKeyTab=true
        doNotPrompt=true
        keyTab="C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab"
        realm=XXX.YYY.FI
        principal=HTTP/[EMAIL PROTECTED]
        storeKey=true;
};
jcifs.spnego.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        debug=true
        useKeyTab=true
        doNotPrompt=true
        keyTab="C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab"
        realm=XXX.YYY.FI
        principal=HTTP/[EMAIL PROTECTED]
        storeKey=true;
};

The deployerConfigContext.xml at the end:
<bean name="jcifsConfig" class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
  <property name="jcifsServicePrincipal" value="HTTP/[EMAIL PROTECTED]" />
  <property name="jcifsServicePassword" value="xxxxxxxx" />
  <property name="kerberosDebug" value="true" />
  <property name="kerberosRealm" value="XXX.YYY.FI" />
  <property name="kerberosKdc" value="123.123.123.123" />
  <property name="loginConf" value="/WEB-INF/login.conf" />
</bean>

The "other" login module is added to JBoss's login-config.xml. To JBoss's run.bat is added:
set JAVA_OPTS=%JAVA_OPTS% -Djava.security.krb5.conf="C:/windows/krb5.ini"

All seems to be fine, but it still doesn't work.
10:56:17,148 INFO  [STDOUT] 2007-12-13 10:56:17,148 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler failed to authenticate the user which provided the following credentials: Principal is null>

The problem is here, in jcifs.spnego.Authentication:
private void processNtlm(byte[] token) throws AuthenticationException {
        byte[] challenge = null;
        try {
            switch (token[8]) {
            case 1:
                if (client) {
                    throw new AuthenticationException(
                            "NTLM Type 1 message received by client.");
                }
                challenge = SmbSession.getChallenge(getDomainController());
                nextToken = new Type2Message(new Type1Message(token),
                        challenge, null).toByteArray();
                break;
        .......
            case 3:
                if (client) {
                    throw new AuthenticationException(
                            "NTLM Type 3 message received by client.");
                } ....

The NTLM type is always "1", and it should be 3.

I can't figure out what I should do next.

Thank you in advance for any help.

Antoni Alatalo
_________________________________________

WM-data a LogicaCMG company
Karvaamokuja 2
PL 38
00381 Helsinki
T: 010 302 010
M: 040 583 1097
F: 010 302 011
E: [EMAIL PROTECTED]
www.logicacmg.fi


_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
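A quick way to see what the browser is actually sending to CAS, as an added example that is not from this thread or from the CAS/jcifs code: decode the Authorization header and classify the token as raw NTLMSSP (whose message type is the little-endian integer at offset 8 that jcifs' processNtlm reads as token[8]), a bare Kerberos GSS-API token, or a SPNEGO NegTokenInit, whose first mechType shows which mechanism the client preferred. The sample headers are constructed, not captured.

```python
import base64
import struct

# DER OID bodies: SPNEGO 1.3.6.1.5.5.2, Kerberos 1.2.840.113554.1.2.2 and MS 1.2.840.48018.1.2.2, NTLMSSP 1.3.6.1.4.1.311.2.2.10
SPNEGO_OID = bytes.fromhex("2b0601050502")
KRB5_OID = bytes.fromhex("2a864886f712010202")
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")
MECH_NAMES = {KRB5_OID: "Kerberos", MS_KRB5_OID: "Kerberos", NTLMSSP_OID: "NTLMSSP"}
NTLM_TYPES = {1: "Type 1 (negotiate)", 2: "Type 2 (challenge)", 3: "Type 3 (authenticate)"}

def der_len(buf, pos):  # decode the DER length field at buf[pos]; return (length, offset of the content)
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_auth_header(header_value):
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "not a Negotiate/NTLM header (scheme %s)" % scheme
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):  # raw NTLMSSP: message type is the 32-bit little-endian int at offset 8
        return "raw NTLM " + NTLM_TYPES.get(struct.unpack_from("<I", tok, 8)[0], "unknown type")
    if tok[:1] != b"\x60":  # GSS-API InitialContextToken is [APPLICATION 0] { OID mech, innerToken }
        return "unrecognised token format"
    _, pos = der_len(tok, 1)
    if tok[pos] != 0x06:
        return "unrecognised token format"
    oidlen, pos = der_len(tok, pos + 1)
    oid, pos = tok[pos:pos + oidlen], pos + oidlen
    if oid != SPNEGO_OID:
        return "GSS-API token, mech " + MECH_NAMES.get(oid, "unknown OID " + oid.hex())
    # NegTokenInit = [0] SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... }: walk down to the first (preferred) mech
    for tag in (0xA0, 0x30, 0xA0, 0x30, 0x06):
        if pos >= len(tok) or tok[pos] != tag:
            return "SPNEGO token (mechTypes not where expected)"
        length, pos = der_len(tok, pos + 1)
    mech = tok[pos:pos + length]
    return "SPNEGO token, preferred mech " + MECH_NAMES.get(mech, "unknown OID " + mech.hex())

def _der(tag, body):  # minimal DER TLV builder for the constructed samples (bodies shorter than 128 bytes)
    return bytes([tag, len(body)]) + body

# Constructed sample headers (not real captures): raw NTLM Type 1, a Kerberos AP-REQ, SPNEGO preferring NTLMSSP
SAMPLE_NTLM_TYPE1 = "Negotiate " + base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", 1) + bytes(20)).decode()
SAMPLE_KRB5 = "Negotiate " + base64.b64encode(_der(0x60, _der(0x06, KRB5_OID) + b"\x01\x00\x6e\x02\x00\x00")).decode()
SAMPLE_SPNEGO_NTLM = "Negotiate " + base64.b64encode(_der(0x60, _der(0x06, SPNEGO_OID) + _der(
    0xA0, _der(0x30, _der(0xA0, _der(0x30, _der(0x06, NTLMSSP_OID))))))).decode()
```

A raw NTLMSSP result or a SPNEGO token preferring NTLMSSP means the client never obtained a service ticket for the HTTP/ principal (wrong SPN, host not in the browser's intranet zone, or no TGT), which is worth checking before touching the CAS side.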

