One thing I forgot to put in that is possibly significant. I didn't use the ktpass.exe on a Windows box. Instead, I used the ktutil program in Linux to add new entries to my existing keytab.

ktutil: addent -password -p HTTP/[EMAIL PROTECTED] -k 17 -e DES-CBC-CRC
ktutil: addent -password -p HTTP/[EMAIL PROTECTED] -k 17 -e DES-CBC-MD5
ktutil: addent -password -p HTTP/[EMAIL PROTECTED] -k 17 -e arcfour-HMAC-MD5

The choices of encryption type were because of the existing keys in the keytab. There were three entries for each principal: one with each of those three enctypes.

Tim

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Mc Laughlin
Sent: Friday, June 27, 2008 2:46 PM
To: Yale CAS mailing list
Subject: RE: Possible (or advisable) to make use of mod_auth_ntlm_winbind in CAS?

I'm testing this on my Linux (OpenSUSE 10.3) workstation, which is the build environment for CAS. My workstation is already joined to the AD domain and I log in with the Kerberos credentials.

I went through the setup steps on the Wiki page noted below, and have deployed the resulting WAR. I also went through the browser steps (both for IE on Win XP and Firefox on Linux).

But it's not working. :(

What should I be looking at to track this down? I'm not seeing anything in the cas.log that says SPNEGO is failing (or in catalina.out). Nothing in /var/log/messages, either. I am able to kinit with my own account. The user that Tomcat runs as isn't in the domain -- does that matter?

Thanks,
Tim

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Ströder
Sent: Thursday, June 26, 2008 12:22 PM
To: Yale CAS mailing list
Subject: Re: Possible (or advisable) to make use of mod_auth_ntlm_winbind in CAS?

Scott Battaglia wrote:
> On Thu, Jun 26, 2008 at 1:10 PM, Tim Mc Laughlin
> <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote:
>> I just came across mention of mod_auth_ntlm_winbind:
>> http://adldap.sourceforge.net/wiki/doku.php?id=mod_auth_ntlm_winbind
>> (I don't know if that is an authoritative site or not, but it gives
>> you the basic picture.)
>>
>> I am now curious to see if anyone has gone down the road of figuring
>> out whether this can be made to work with CAS, or if there are any
>> other solutions to the same use-case? I poked around in the Wiki and
>> couldn't find anything.
>
> CAS supports SPNEGO/NTLM authentication:
> http://www.ja-sig.org/wiki/display/CASUM/SPNEGO

I also recommend using the built-in SPNEGO method in CAS. But note that NTLM is disabled by default. Whether you really want to use NTLM is another (security) question. If you have an AD domain then use Kerberos.

Ciao, Michael.

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
