Hi, we are evaluating CAS/SPNEGO/Active Directory integration as one of the possible single sign-on solutions for our project. From posts like http://www.nabble.com/CAS-SPNEGO-td17236457.html we learned that unresolved DNS issues could cause the SPNEGO authentication mechanism to fall back to NTLM, so that is why we have chosen the server on which the cas webapp is deployed, the domain controller and the test user account from the same domain, STODEV.MOGUL.COM. We also followed the manual http://www.ja-sig.org/wiki/display/CASUM/SPNEGO, especially the part about testing the SPN account using the MIT Kerberos V tools and the generated keytab file, to authenticate the cas server service. The klist command produces the following output:

    C:\Documents and Settings\nikola.zifra>klist -k
    Keytab name: FILE:C:/apache-tomcat/srv-sso.HTTP.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       4 HTTP/[EMAIL PROTECTED]

srv-sso.stodev.mogul.com is the host server running Tomcat 6. kinit also worked for the test user account test.sso from domain STODEV.MOGUL.COM and it creates Kerberos tickets. I also checked whether the SPN HTTP/[EMAIL PROTECTED] is correctly generated in Active Directory, and it is there, assigned to the user srv-sso belonging to the domain STODEV.MOGUL.COM (we ran

    ktpass.exe /out srv-sso.HTTP.keytab /princ HTTP/[EMAIL PROTECTED] /pass * /mapuser srv-sso /ptype krb5_nt_principal /crypto rc4-hmac-nt

on the Active Directory server of STODEV.MOGUL.COM). However, when we tested SSO authentication for a protected web resource with the test account test.sso from a client machine (which is not the same machine as the one on which the cas webapp is deployed), the default CAS login page appears. The CAS log says that the cas webapp receives a SPNEGO token but it can't extract a Principal. We were wondering why this is happening and whether you could help us solve this problem. Here is the CAS log:

    2008-07-16 16:14:15,883 WARN [org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler] - org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler is only to be used in a testing environment. NEVER enable this in a production environment.
    2008-07-16 16:14:16,805 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - jcifsServicePrincipal is set to HTTP/[EMAIL PROTECTED]
    2008-07-16 16:14:16,805 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - jcifsServicePassword is set to *****
    2008-07-16 16:14:16,836 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - kerberosDebug is set to : true
    2008-07-16 16:14:16,836 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - kerberosRealm is set to :STODEV.MOGUL.COM
    2008-07-16 16:14:16,836 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - kerberosKdc is set to : 172.17.1.23
    2008-07-16 16:14:16,836 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - configured login configuration path : /WEB-INF/login.conf
    2008-07-16 16:14:18,648 DEBUG [org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController] - Found action method [public org.springframework.web.servlet.ModelAndView org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController.deleteRegisteredService(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)]
    2008-07-16 16:14:18,648 DEBUG [org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController] - Found action method [public org.springframework.web.servlet.ModelAndView org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController.manage(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)]
    2008-07-16 16:14:18,711 INFO [org.jasig.cas.web.flow.AuthenticationViaFormAction] - FormObjectClass not set. Using default class of org.jasig.cas.authentication.principal.UsernamePasswordCredentials with formObjectName credentials and validator org.jasig.cas.validation.UsernamePasswordCredentialsValidator.
    2008-07-16 16:14:36,227 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - Starting cleaning of expired tickets from ticket registry at [Wed Jul 16 16:14:36 CEST 2008]
    2008-07-16 16:14:36,227 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - 0 found to be removed. Removing now.
    2008-07-16 16:14:36,227 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - Finished cleaning of expired tickets from ticket registry at [Wed Jul 16 16:14:36 CEST 2008]
    2008-07-16 16:19:10,960 WARN [org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler] - org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler is only to be used in a testing environment. NEVER enable this in a production environment.
    2008-07-16 16:19:11,975 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - jcifsServicePrincipal is set to HTTP/[EMAIL PROTECTED]
    2008-07-16 16:19:11,975 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - jcifsServicePassword is set to *****
    2008-07-16 16:19:12,006 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - kerberosDebug is set to : true
    2008-07-16 16:19:12,006 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - kerberosRealm is set to :STODEV.MOGUL.COM
    2008-07-16 16:19:12,006 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - kerberosKdc is set to : 172.17.1.23
    2008-07-16 16:19:12,006 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - configured login configuration path : /WEB-INF/login.conf
    2008-07-16 16:19:13,569 DEBUG [org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController] - Found action method [public org.springframework.web.servlet.ModelAndView org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController.deleteRegisteredService(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)]
    2008-07-16 16:19:13,569 DEBUG [org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController] - Found action method [public org.springframework.web.servlet.ModelAndView org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController.manage(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)]
    2008-07-16 16:19:13,647 INFO [org.jasig.cas.web.flow.AuthenticationViaFormAction] - FormObjectClass not set. Using default class of org.jasig.cas.authentication.principal.UsernamePasswordCredentials with formObjectName credentials and validator org.jasig.cas.validation.UsernamePasswordCredentialsValidator.
    2008-07-16 16:19:23,741 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Action 'InitialFlowSetupAction' beginning execution
    2008-07-16 16:19:23,741 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - Setting path for cookies to: /cas
    2008-07-16 16:19:23,756 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor generated service for: http://srv-sso.stodev.mogul.com:8080/service/test.html
    2008-07-16 16:19:23,756 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Placing service in FlowScope: http://srv-sso.stodev.mogul.com:8080/service/test.html
    2008-07-16 16:19:23,756 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Action 'InitialFlowSetupAction' completed execution; result is 'success'
    2008-07-16 16:19:23,772 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - Action 'SpnegoNegociateCredentialsAction' beginning execution
    2008-07-16 16:19:23,772 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - Authorization header not found. Sending WWW-Authenticate header
    2008-07-16 16:19:23,772 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - Action 'SpnegoNegociateCredentialsAction' completed execution; result is 'success'
    2008-07-16 16:19:23,772 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' beginning execution
    2008-07-16 16:19:23,772 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' completed execution; result is 'error'
    2008-07-16 16:19:23,772 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
    2008-07-16 16:19:23,772 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Executing setupForm
    2008-07-16 16:19:23,772 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new form object with name 'credentials'
    2008-07-16 16:19:23,772 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new instance of form object class [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials]
    2008-07-16 16:19:23,772 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form object of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow with name 'credentials'
    2008-07-16 16:19:23,772 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new form errors for object with name 'credentials'
    2008-07-16 16:19:23,787 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - No property editor registrar set, no custom editors to register
    2008-07-16 16:19:23,787 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form errors instance in scope Flash
    2008-07-16 16:19:23,787 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
    2008-07-16 16:19:23,787 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
    2008-07-16 16:19:23,787 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
    2008-07-16 16:19:29,428 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Action 'InitialFlowSetupAction' beginning execution
    2008-07-16 16:19:29,428 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor generated service for: http://srv-sso.stodev.mogul.com:8080/service/test.html
    2008-07-16 16:19:29,428 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Placing service in FlowScope: http://srv-sso.stodev.mogul.com:8080/service/test.html
    2008-07-16 16:19:29,428 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Action 'InitialFlowSetupAction' completed execution; result is 'success'
    2008-07-16 16:19:29,428 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - Action 'SpnegoNegociateCredentialsAction' beginning execution
    2008-07-16 16:19:29,428 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - Action 'SpnegoNegociateCredentialsAction' completed execution; result is 'success'
    2008-07-16 16:19:29,428 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' beginning execution
    2008-07-16 16:19:29,428 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - SPNEGO Authorization header found with 1652 bytes
    2008-07-16 16:19:29,428 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Obtained token: [binary SPNEGO token, not legible in the archive; the only readable fragments are "STODEV.MOGUL.COM" and "HTTP" "srv-sso.stodev.mogul.com"]
    2008-07-16 16:19:29,444 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - Attempting to create TicketGrantingTicket for Principal is null
    2008-07-16 16:19:29,491 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Unable to obtain the output token required.
    2008-07-16 16:19:29,491 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Setting HTTP Status to 401
    2008-07-16 16:19:29,491 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' completed execution; result is 'error'
    2008-07-16 16:19:29,491 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
    2008-07-16 16:19:29,491 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Executing setupForm
    2008-07-16 16:19:29,491 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new form object with name 'credentials'
    2008-07-16 16:19:29,491 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new instance of form object class [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials]
    2008-07-16 16:19:29,491 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form object of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow with name 'credentials'
    2008-07-16 16:19:29,491 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new form errors for object with name 'credentials'
    2008-07-16 16:19:29,491 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - No property editor registrar set, no custom editors to register
    2008-07-16 16:19:29,491 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form errors instance in scope Flash
    2008-07-16 16:19:29,491 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
    2008-07-16 16:19:29,491 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
    2008-07-16 16:19:29,491 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'

The protected webapp is deployed on the same Tomcat server on which the cas webapp is deployed. The CAS client web.xml settings used are:

    <filter>
      <filter-name>CAS Filter</filter-name>
      <filter-class>edu.yale.its.tp.cas.client.filter.CASFilter</filter-class>
      <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.loginUrl</param-name>
        <param-value>https://srv-sso.stodev.mogul.com:8443/cas/login</param-value>
      </init-param>
      <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.validateUrl</param-name>
        <param-value>https://srv-sso.stodev.mogul.com:8443/cas/serviceValidate</param-value>
      </init-param>
      <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.serviceUrl</param-name>
        <param-value>http://srv-sso.stodev.mogul.com:8080/service/test.html</param-value>
      </init-param>
      <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.gateway</param-name>
        <param-value>false</param-value>
      </init-param>
      <init-param>
        <param-name>edu.yale.its.tp.cas.client.filter.wrapRequest</param-name>
        <param-value>true</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>CAS Filter</filter-name>
      <url-pattern>/service/*</url-pattern>
    </filter-mapping>

Could you please help?

Regards,
Nikola

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
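The log above shows a 1652-byte token arriving and CAS ending up with a null principal, but it does not show what the browser actually put in that token. The two things worth establishing before touching DNS or the keytab are whether the mechToken is a Kerberos AP-REQ at all (rather than the NTLM fallback the post mentions) and, if it is, whether the ticket was issued for exactly the SPN that jcifsServicePrincipal and the keytab refer to. The Python script below is an added example and is not code from the original post, from CAS or from JCIFS. It contains only the DER handling needed to read the SPNEGO mechTypes list and the cleartext realm and sname of the ticket inside the AP-REQ (the encrypted part is never touched), and build_sample_token constructs a token of that shape with dummy ciphertext so the decoder can be run offline; the function and dictionary names are the example's own.

```python
# Added example, not CAS/JCIFS code: decode an Authorization: Negotiate token as the SPNEGO handler sees it.
import base64
OIDS = {  # DER OBJECT IDENTIFIER elements (tag 0x06) of the mechanisms that appear in SPNEGO
    "spnego": bytes.fromhex("06062b0601050502"),           # 1.3.6.1.5.5.2
    "krb5": bytes.fromhex("06092a864886f712010202"),       # 1.2.840.113554.1.2.2
    "ms-krb5": bytes.fromhex("06092a864882f712010202"),    # 1.2.840.48018.1.2.2 (Windows offers this first)
    "ntlmssp": bytes.fromhex("060a2b06010401823702020a"),  # 1.3.6.1.4.1.311.2.2.10
}
OID_NAMES = {v: k for k, v in OIDS.items()}

def tlv(tag, content):
    """Wrap content in a DER tag/length header (single-byte tag, definite length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def read_tlv(buf, pos=0):
    """Return (tag, content, position after the element) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, buf[pos + hdr:pos + hdr + length], pos + hdr + length

def children(content):
    """Iterate (tag, content) over the elements of a constructed DER value."""
    pos = 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        yield tag, body

def inner(elem):
    """Content of the one element nested inside a context-specific or application tag."""
    return read_tlv(elem)[1]

def parse_ticket_names(after_oid):
    """Realm and service name of the Ticket inside an AP-REQ (bytes following the krb5 OID)."""
    tag, ap_req, _ = read_tlv(after_oid, 2)             # skip TOK_ID 0x01 0x00 = AP-REQ
    fields = inner(ap_req) if tag == 0x6E else b""      # [APPLICATION 14] AP-REQ ::= SEQUENCE {...}
    info = {}
    for ftag, fbody in children(fields):
        if ftag != 0xA3:                                # [3] ticket ::= [APPLICATION 1] SEQUENCE {...}
            continue
        for ttag, tbody in children(inner(inner(fbody))):
            if ttag == 0xA1:                            # [1] realm GeneralString (cleartext)
                info["realm"] = inner(tbody).decode()
            elif ttag == 0xA2:                          # [2] sname ::= SEQUENCE { [0] name-type, [1] name-string }
                for ptag, pbody in children(inner(tbody)):
                    if ptag == 0xA1:
                        info["sname"] = "/".join(s.decode() for _, s in children(inner(pbody)))
    return info

def inspect_negotiate_header(header_value):
    """Classify the token and extract the values to compare with the CAS/JCIFS configuration."""
    raw = base64.b64decode(header_value.split(" ", 1)[-1])
    result = {"mechanism": "unknown", "mech_types": [], "realm": None, "sname": None}
    if raw.startswith(b"NTLMSSP\x00"):
        result["mechanism"] = "ntlm"                    # bare NTLM: the browser never tried Kerberos
        return result
    tag, body, _ = read_tlv(raw)
    if tag != 0x60:                                     # not a GSS-API InitialContextToken
        return result
    otag, oid, after = read_tlv(body)
    if OID_NAMES.get(tlv(otag, oid)) != "spnego":
        return result
    ntag, neg, _ = read_tlv(body, after)
    if ntag != 0xA0:                                    # only NegTokenInit (the first leg) carries mechTypes
        return result
    mech_token = b""
    for ftag, fbody in children(inner(neg)):
        if ftag == 0xA0:                                # [0] mechTypes, in the client's preference order
            result["mech_types"] = [OID_NAMES.get(tlv(t, c), "?") for t, c in children(inner(fbody))]
        elif ftag == 0xA2:                              # [2] mechToken OCTET STRING
            mech_token = inner(fbody)
    if mech_token.startswith(b"NTLMSSP\x00"):
        result["mechanism"] = "spnego-ntlm"             # the fallback: no Kerberos ticket, so no principal
    elif mech_token[:1] == b"\x60":
        otag, oid, after = read_tlv(inner(mech_token))
        if OID_NAMES.get(tlv(otag, oid)) in ("krb5", "ms-krb5"):
            result["mechanism"] = "spnego-kerberos"
            result.update(parse_ticket_names(inner(mech_token)[after:]))
    return result

def spn_matches(info, configured_spn):
    """True when the ticket was issued for exactly the SPN whose key is in the keytab."""
    return bool(info.get("sname")) and f"{info['sname']}@{info['realm']}" == configured_spn

def build_sample_token(mechs, realm, service, host, ntlm_inside=False):
    """Construct a NegTokenInit for the demo (sample data, not a captured token)."""
    enc = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x17")) + tlv(0xA2, tlv(0x04, bytes(16))))  # etype 23 + dummy cipher
    sname = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0xA1, tlv(0x30, tlv(0x1B, service.encode()) + tlv(0x1B, host.encode()))))
    ticket = tlv(0x61, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x05")) + tlv(0xA1, tlv(0x1B, realm.encode())) + tlv(0xA2, sname) + tlv(0xA3, enc)))
    ap_req = tlv(0x6E, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x05")) + tlv(0xA1, tlv(0x02, b"\x0E")) + tlv(0xA2, tlv(0x03, b"\x00\x20\x00\x00\x00")) + tlv(0xA3, ticket) + tlv(0xA4, enc)))
    tok = b"NTLMSSP\x00\x01\x00\x00\x00" if ntlm_inside else tlv(0x60, OIDS["krb5"] + b"\x01\x00" + ap_req)
    neg = tlv(0x30, tlv(0xA0, tlv(0x30, b"".join(OIDS[m] for m in mechs))) + tlv(0xA2, tlv(0x04, tok)))
    return "Negotiate " + base64.b64encode(tlv(0x60, OIDS["spnego"] + tlv(0xA0, neg))).decode()
```

To use it against a real request, pass the value of the Authorization header (a browser capture or the token CAS logs before it is decoded) to inspect_negotiate_header and compare the returned sname and realm with the jcifsServicePrincipal line in the CAS log using spn_matches. A mechanism of "ntlm" or "spnego-ntlm" is the fallback the post is trying to rule out; "spnego-kerberos" with a mismatching sname or realm means the browser obtained a ticket, but for a different service principal than the one CAS holds the keytab for, which also leaves CAS without a principal. The readable fragments in the posted token ("STODEV.MOGUL.COM", "HTTP", "srv-sso.stodev.mogul.com") are exactly these cleartext ticket fields.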
