Hi, the problem is that JaasAuthenticationHandler is never reached. Even the whole AuthenticationManagerImpl is never called. The application always goes first to the logic as it is in the webflow. What should be placed in the login-webflow to make it work? Or what else can I try?
Regards, Antoni

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Adam Rybicki
Sent: 18 December 2007 19:37
To: Yale CAS mailing list
Subject: Re: Cas - kerberos - Liferay - JBoss config, help needed

Hi,

I think your JBoss-specific JAAS configuration is not necessary for CAS. I remember having to take the following steps to configure CAS 3.1 to perform Kerberos authentication:

* In deployerConfigContext.xml I configured the JaasAuthenticationHandler like this:

    <bean class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler">
        <property name="realm" value="CAS"/>
    </bean>

* I supplied a valid jaas.conf file that looks like this (notice the matching "CAS" realm):

    CAS {
        com.sun.security.auth.module.Krb5LoginModule required debug=false;
    };

* And then I also supplied a valid krb5.conf (Linux, Unix) or krb5.ini (Windows) file using the java.security.krb5.conf system property via the -D command-line option, just as you did. I am not including my krb5.conf here because it would be completely different from yours, and I am sure you know how to configure yours.

Note that this does not rely on the Web container authentication, and I think that this may be where you are having difficulty.

Adam

Alatalo Antoni wrote:

Hi, thank you for your reply. As I understand it, you suggest that CAS takes the ticket from the server's JAAS. Ok, that's enough for me.
What I just did, and it is still not working: in JBoss conf/login-config.xml I put

    <application-policy name="other">
        <authentication>
            <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
                <module-option name="storeKey">true</module-option>
                <module-option name="keyTab">C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab</module-option>
                <module-option name="useKeyTab">true</module-option>
                <module-option name="doNotPrompt">true</module-option>
                <module-option name="principal">HTTP/[EMAIL PROTECTED]</module-option>
                <module-option name="realm">XXX.YYY.FI</module-option>
                <module-option name="debug">true</module-option>
            </login-module>
        </authentication>
    </application-policy>

Also in the JBoss run.bat script:

    set JAVA_OPTS=%JAVA_OPTS% -Djava.security.krb5.conf="C:/windows/krb5.ini"

There is only one authenticationHandler in the deployerConfigContext.xml file:

    <bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
        <property name="credentialsToPrincipalResolvers">
            <list>
                <!-- ... the other credentialsToPrincipalResolvers ... -->
                <bean class="org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver" />
            </list>
        </property>
        <property name="authenticationHandlers">
            <list>
                <bean class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler">
                </bean>
                <!-- ... the other authenticationHandlers ... -->
            </list>
        </property>
    </bean>

No other changes have been made to the CAS default configuration. While debugging the functionality I set a breakpoint in the Krb5LoginModule class, but while using the application, execution never reaches those breakpoints. What should I do to get this configuration to work? Should I, for example, protect all URLs in the web.xml of CAS?

Regards, Antoni

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Adam Rybicki
Sent: 14 December 2007 19:07
To: Yale CAS mailing list
Subject: Re: Cas - kerberos - Liferay - JBoss config, help needed

Antoni,

If I am reading your detailed note correctly, you are trying to perform Kerberos authentication to each service. This may be possible, but I have never tried it myself. Since nobody else has replied yet, let me try to tell you what I have done successfully.

Using the CAS JAAS module (http://www.ja-sig.org/wiki/display/CASUM/JAAS), I was able to configure CAS to authenticate to AD using Kerberos. From that point on, I can use the CAS protocol, not Kerberos, to authenticate services to CAS. So, this may not be what you were looking for, but my goal was to use CAS "natively" after establishing that the user supplied valid Kerberos credentials.

There is a valid follow-up to authenticating to AD or another Kerberos server this way: what happens to the Kerberos ticket that is issued to CAS? Should this ticket be invalidated? If so, when? That is, right after successful authentication or when the user logs out of CAS? These questions can only be addressed by someone who knows more about Kerberos than I do.

Adam

Alatalo Antoni wrote:

Hi,

Here is the same content as in my post to http://www.nabble.com/Cas---kerberos---Lifery---JBoss-config-2C-help-needed-to14314939.html#a14314939

For the last few days I have tried to set up JBoss, Liferay and CAS to authenticate users by Kerberos. I followed the instructions from http://www.ja-sig.org/wiki/display/CASUM/SPNEGO and many other sites. Nothing helps. CAS gets an NTLM token, not Kerberos, and because of that it doesn't work. The platform is Windows 2003.
c:\windows\krb.ini:

    [libdefaults]
    default_realm = XXX.YYY.FI
    default_keytab_name = FILE:C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    dns_lookup_realm = false
    dns_lookup_kdc = false

    [realms]
    XXX.YYY.FI = {
        kdc = aaa.xxx.yyy.fi:88
        keytab_name = FILE:C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab
        kdc_ports = 750,88
        kdc_addrs = aaa.xxx.yyy.fi
        default_domain = bbb.xxx.yyy.fi
    };

    [domain_realm]
    bbb.xxx.yyy.fi = XXX.YYY.FI
    .bbb.xxx.yyy.fi = XXX.YYY.FI

    #[appdefaults]
    autologin = true
    forward = true
    forwardable = true
    encrypt = true

This file works fine:

    C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF>%JAVA_HOME%\bin\kinit -k -t C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab HTTP/[EMAIL PROTECTED]
    New ticket is stored in cache file C:\Documents and Settings\wmanaaa\krb5cc_xxx

    C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF>%JAVA_HOME%\bin\klist
    Credentials cache: C:\Documents and Settings\xxx\krb5cc_xxx
    Default principal: HTTP/[EMAIL PROTECTED], 1 entry found.
    [1] Service Principal: krbtgt/[EMAIL PROTECTED]
        Valid starting: Dec 13, 2007 10:12
        Expires: Dec 13, 2007 20:12

    C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF>%JAVA_HOME%\bin\klist -k
    Key tab: C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab, 1 entry found.
    [1] Service principal: HTTP/[EMAIL PROTECTED]
        KVNO: 6

So the next step is configuring CAS. All instructions from http://www.ja-sig.org/wiki/display/CASUM/SPNEGO are followed exactly. Only login.conf is modified:

    jcifs.spnego.initiate {
        com.sun.security.auth.module.Krb5LoginModule required
            debug=true
            useKeyTab=true
            doNotPrompt=true
            keyTab="C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab"
            realm=XXX.YYY.FI
            principal=HTTP/[EMAIL PROTECTED]
            storeKey=true;
    };

    jcifs.spnego.accept {
        com.sun.security.auth.module.Krb5LoginModule required
            debug=true
            useKeyTab=true
            doNotPrompt=true
            keyTab="C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab"
            realm=XXX.YYY.FI
            principal=HTTP/[EMAIL PROTECTED]
            storeKey=true;
    };

The deployerConfigContext.xml at the end:

    <bean name="jcifsConfig" class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
        <property name="jcifsServicePrincipal" value="HTTP/[EMAIL PROTECTED]" />
        <property name="jcifsServicePassword" value="xxxxxxxx" />
        <property name="kerberosDebug" value="true" />
        <property name="kerberosRealm" value="XXX.YYY.FI" />
        <property name="kerberosKdc" value="123.123.123.123" />
        <property name="loginConf" value="/WEB-INF/login.conf" />
    </bean>

The "other" login module is added to JBoss's login-config.xml. To the run.bat of JBoss is added:

    set JAVA_OPTS=%JAVA_OPTS% -Djava.security.krb5.conf="C:/windows/krb5.ini"

All seems to be fine, but it still doesn't work.
    10:56:17,148 INFO [STDOUT] 2007-12-13 10:56:17,148 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler failed to authenticate the user which provided the following credentials: Principal is null>

The problem is here, in jcifs.spnego.Authentication:

    private void processNtlm(byte[] token) throws AuthenticationException {
        byte[] challenge = null;
        try {
            switch (token[8]) {
            case 1:
                if (client) {
                    throw new AuthenticationException("NTLM Type 1 message received by client.");
                }
                challenge = SmbSession.getChallenge(getDomainController());
                nextToken = new Type2Message(new Type1Message(token), challenge, null).toByteArray();
                break;
            .......
            case 3:
                if (client) {
                    throw new AuthenticationException("NTLM Type 3 message received by client.");
                }
            ....

The NTLM type is always "1", and it should be 3. I can't figure out what I should do next. Thank you in advance for any help.

Antoni Alatalo
_________________________________________
WM-data a LogicaCMG company
Karvaamokuja 2 PL 38 00381 Helsinki
T: 010 302 010 M: 040 583 1097 F: 010 302 011
E: [EMAIL PROTECTED]
www.logicacmg.fi

________________________________
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
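Antoni's log shows jcifs dispatching on token[8] and finding an NTLM type 1 message where a Kerberos token was expected. The following diagnostic is an added example (not code from the thread, from CAS or from jcifs): it decodes the value of an Authorization: Negotiate header far enough to report whether the browser sent raw NTLMSSP (whose message type is the byte at offset 8), a GSS-API token whose mechanism is Kerberos, or a SPNEGO NegTokenInit, and in the SPNEGO case lists the advertised mechTypes in order, since the first entry is the mechanism the client wants to use. The der_tlv/decode_oid helpers and the three sample tokens are my own constructions, not captured traffic.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"
OID_NAMES = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos V5",
             "1.2.840.48018.1.2.2": "MS Kerberos (legacy)", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
def der_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length (real Kerberos tokens exceed 127 bytes)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def decode_oid(raw):  # content bytes of a DER OBJECT IDENTIFIER -> dotted notation
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))
def classify_negotiate_token(header_value):
    """Classify the token carried by an 'Authorization: Negotiate <base64>' header value."""
    token = base64.b64decode(header_value.strip().partition(" ")[2])
    if token.startswith(NTLMSSP_SIG):
        # Raw NTLM: byte 8 is the message type (1, 2 or 3) that jcifs's processNtlm() switches on
        return {"mech": "NTLMSSP (raw)", "ntlm_type": token[8]}
    if not token or token[0] != 0x60:                   # GSS-API InitialContextToken tag
        return {"mech": "unknown"}
    _, pos, _ = der_tlv(token, 0)
    _, s, e = der_tlv(token, pos)                       # thisMech OID
    mech = decode_oid(token[s:e])
    result = {"mech": OID_NAMES.get(mech, mech)}
    if mech == "1.3.6.1.5.5.2":
        # NegTokenInit ::= [0] SEQUENCE { mechTypes [0] SEQUENCE OF OID, ... }: descend to the OID list
        _, pos, _ = der_tlv(token, e)                   # [0] negTokenInit
        _, pos, _ = der_tlv(token, pos)                 # SEQUENCE
        _, pos, _ = der_tlv(token, pos)                 # [0] mechTypes
        _, pos, end = der_tlv(token, pos)               # SEQUENCE OF OID
        mechs = []
        while pos < end:                                # first entry is the mech the client prefers
            _, s, pos = der_tlv(token, pos)
            mechs.append(OID_NAMES.get(decode_oid(token[s:pos]), decode_oid(token[s:pos])))
        result["mech_types"], result["preferred"] = mechs, (mechs[0] if mechs else None)
    return result

def negotiate_header(token):  # wrap raw token bytes the way a browser sends them
    return "Negotiate " + base64.b64encode(token).decode()

# Constructed samples (not captured traffic): SPNEGO offering Kerberos then NTLM, SPNEGO offering NTLM only, raw NTLM type 1
SPNEGO_KRB_FIRST = bytes.fromhex("602706062b0601050502a01d301ba019301706092a864886f712010202060a2b06010401823702020a")
SPNEGO_NTLM_ONLY = bytes.fromhex("601c06062b0601050502a0123010a00e300c060a2b06010401823702020a")
RAW_NTLM_TYPE1 = NTLMSSP_SIG + b"\x01\x00\x00\x00" + b"\x00" * 28
```

A result whose preferred mechanism is NTLMSSP, or a raw NTLMSSP token, means the browser never obtained a service ticket for the HTTP/ principal, so the place to look is the client's SPN lookup and keytab/SPN registration rather than the CAS handler chain.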
