Hello all,

Apologies if this seems like an issue that has already been addressed,
but I've searched through the mailing list archives and nothing there
seems to apply to my situation.  In short: I've integrated my
application with CAS (works great by the way, thanks!) but can't get
SPNEGO authentication working properly.  I followed the instructions
here: http://www.ja-sig.org/wiki/display/CASUM/SPNEGO but
authentication isn't happening the way I'd expect.

When I try to log into my application, I get the following in the
application server log:

...*snip*...
2008-11-05 18:58:47,250 [http-0.0.0.0-8443-1] DEBUG
org.jasig.cas.web.flow.InitialFlowSetupAction - Action
'InitialFlowSetupAction' completed execution; result is 'success'
2008-11-05 18:58:47,251 [http-0.0.0.0-8443-1] DEBUG
org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction
- Action 'SpnegoNegociateCredentialsAction' beginning execution
2008-11-05 18:58:47,252 [http-0.0.0.0-8443-1] DEBUG
org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction
- Action 'SpnegoNegociateCredentialsAction' completed execution;
result is 'success'
2008-11-05 18:58:47,253 [http-0.0.0.0-8443-1] DEBUG
org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction - Action
'SpnegoCredentialsAction' beginning execution
2008-11-05 18:58:47,253 [http-0.0.0.0-8443-1] DEBUG
org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction - SPNEGO
Authorization header found with 56 bytes
2008-11-05 18:58:47,259 [http-0.0.0.0-8443-1] DEBUG
org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction -
Obtained token: NTLMSS¢(
2008-11-05 18:58:47,268 [http-0.0.0.0-8443-1] DEBUG
org.jasig.cas.CentralAuthenticationServiceImpl - Attempting to create
TicketGrantingTicket for Principal is null
2008-11-05 18:58:47,474 [http-0.0.0.0-8443-1] DEBUG
org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction - Unable
to obtain the output token required.
2008-11-05 18:58:47,474 [http-0.0.0.0-8443-1] DEBUG
org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction -
Setting HTTP Status to 401
2008-11-05 18:58:47,475 [http-0.0.0.0-8443-1] DEBUG
org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction - Action
'SpnegoCredentialsAction' completed execution; result is 'error'
2008-11-05 18:58:47,475 [http-0.0.0.0-8443-1] DEBUG
org.jasig.cas.web.flow.AuthenticationViaFormAction - Action
'AuthenticationViaFormAction' beginning execution
...*snip*...

...you can see that I'm getting an NTLM token instead of Kerberos and
the principal isn't resolved.  I've confirmed that my keytab and
krb5.conf work properly (with the kinit/klist tools, as recommended in
the SPNEGO tutorial), so I'm guessing one of my CAS configs is messed
up somewhere.  A point to note that I'm suspicious of: I'm using JBoss
4.0.2, which is called out in the tutorial as needing some special
configuration (it ignores the configured login.conf) to get Kerberos
working.  I made the indicated changes to JBoss's login-config.xml
file, but still apparently no dice.

Here's some more info:

- in deployerConfigContext.xml:

    - added to credentialsToPrincipalResolvers:

<bean class="org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver" />

    - added to authenticationHandlers:

<bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler">
  <property name="authentication">
    <bean class="jcifs.spnego.Authentication" />
  </property>
  <property name="principalWithDomainName" value="false" />
  <property name="NTLMallowed" value="false" />
</bean>

    - added bean (the names have been changed to protect the innocent):

<bean name="jcifsConfig" class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
  <property name="jcifsServicePrincipal" value="HTTP/[EMAIL PROTECTED]" />
  <property name="jcifsServicePassword" value="my_pw" />
  <property name="kerberosDebug" value="true" />
  <property name="kerberosRealm" value="MY.REALM" />
  <property name="kerberosKdc" value="my.kdc.host" />
  <property name="loginConf" value="/opt/jboss-4.0.2/server/default/deploy/cas.war/WEB-INF/login.conf" />
</bean>

    - added login.conf (which JBoss ignores?):

jcifs.spnego.initiate {
   com.sun.security.auth.module.Krb5LoginModule required storeKey=true;
};
jcifs.spnego.accept {
   com.sun.security.auth.module.Krb5LoginModule required storeKey=true;
};


    - added to bottom of JBoss's login-config.xml:

    <application-policy name="other">
      <authentication>
        <login-module
code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
          <module-option name="storeKey">true</module-option>
          <module-option name="debug">true</module-option>
        </login-module>
      </authentication>
    </application-policy>

I also tried to set some of the java.security.krb5 environment
settings to get JBoss to play ball:

-Djava.security.krb5.conf=/opt/appian/krb5.conf
-Dsun.security.krb5.debug=true -Djava.security.krb5.realm=MY.REALM
-Djava.security.krb5.kdc=my.kdc.server

Any ideas?  Where should I start tracking this down?  Any idea how to
get better debugging information on the actual Kerberos / NTLM /
SPNEGO exchanges?  Thanks in advance for any thoughts on how to track
this down and resolve it...

- Bill
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
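The log above shows the token CAS received starting with "NTLMSS", i.e. the NTLMSSP signature, rather than a Kerberos or SPNEGO-wrapped token. The following Python script is an added diagnostic example (not part of the original post or of CAS) that takes the value of an "Authorization: Negotiate ..." header, base64-decodes it and reports whether it is a bare NTLM message, a bare Kerberos GSS token, or a SPNEGO NegTokenInit, and for SPNEGO which mechanisms the client offered and whether the inner mechToken is itself NTLMSSP. The sample headers are constructed inline; the NTLM sample is a 40-byte NEGOTIATE (Type 1) message, which base64-encodes to exactly 56 characters, and the SPNEGO sample carries a placeholder inner token rather than a real AP-REQ. Running such a check on the header captured from the browser (or on the bytes CAS logs) answers the question of what the client actually sent before any CAS or JBoss configuration is blamed.

```python
import base64

# DER-encoded OID values (tag and length stripped) of the mechanisms that
# commonly appear inside a Negotiate token.
SPNEGO_OID = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b060104018237020a")     # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {KRB5_OID: "KRB5", MS_KRB5_OID: "MS-KRB5", NTLMSSP_OID: "NTLMSSP"}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"   # the "NTLMSS..." seen in the CAS log


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def classify_negotiate_token(header_value):
    """Classify the token carried by an 'Authorization: Negotiate ...' header.

    Returns a dict with 'kind' in {'raw-ntlm', 'raw-kerberos', 'spnego',
    'unknown'}, plus the mechanism list and inner-token detail for SPNEGO.
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    raw = base64.b64decode(b64)
    result = {"scheme": scheme, "token_bytes": len(raw), "kind": "unknown", "mechs": []}

    # Case 1: a bare NTLMSSP message, which is what the log in the post shows.
    if raw.startswith(NTLMSSP_SIGNATURE):
        result["kind"] = "raw-ntlm"
        result["ntlm_message_type"] = int.from_bytes(raw[8:12], "little")
        return result

    # Cases 2/3: GSS-API InitialContextToken: [APPLICATION 0] { OID, inner }
    if not raw or raw[0] != 0x60:
        return result
    _, body, _ = _read_tlv(raw, 0)
    tag, mech_oid, pos = _read_tlv(body, 0)
    if tag != 0x06:
        return result
    if mech_oid in (KRB5_OID, MS_KRB5_OID):
        result["kind"] = "raw-kerberos"
        return result
    if mech_oid != SPNEGO_OID:
        return result

    # SPNEGO NegTokenInit: [0] SEQUENCE { [0] mechTypes, [2] mechToken, ... }
    result["kind"] = "spnego"
    tag, neg_init, _ = _read_tlv(body, pos)
    if tag != 0xA0:
        return result
    _, fields, _ = _read_tlv(neg_init, 0)
    pos = 0
    while pos < len(fields):
        tag, value, pos = _read_tlv(fields, pos)
        if tag == 0xA0:                     # mechTypes: SEQUENCE OF OID
            _, mech_seq, _ = _read_tlv(value, 0)
            p = 0
            while p < len(mech_seq):
                _, oid, p = _read_tlv(mech_seq, p)
                result["mechs"].append(OID_NAMES.get(oid, oid.hex()))
        elif tag == 0xA2:                   # mechToken: OCTET STRING
            _, inner, _ = _read_tlv(value, 0)
            result["inner_token"] = (
                "ntlmssp" if inner.startswith(NTLMSSP_SIGNATURE) else "opaque")
    return result


def _der(tag, payload):
    """Encode one DER TLV; used only to construct the sample tokens below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def build_spnego_init(mech_oids, mech_token=b""):
    """Construct a SPNEGO NegTokenInit offering mech_oids (sample data only)."""
    fields = _der(0xA0, _der(0x30, b"".join(_der(0x06, o) for o in mech_oids)))
    if mech_token:
        fields += _der(0xA2, _der(0x04, mech_token))
    return _der(0x60, _der(0x06, SPNEGO_OID) + _der(0xA0, _der(0x30, fields)))


# Constructed sample 1: a 40-byte NTLM NEGOTIATE (Type 1) message, the shape a
# browser sends when it falls back from Kerberos to NTLM.
NTLM_TYPE1 = (NTLMSSP_SIGNATURE + (1).to_bytes(4, "little")
              + bytes.fromhex("07b20000") + bytes(16) + bytes(8))
SAMPLE_NTLM_HEADER = "Negotiate " + base64.b64encode(NTLM_TYPE1).decode()

# Constructed sample 2: SPNEGO offering Kerberos first, with a placeholder
# (not a real AP-REQ) as the inner mechToken.
SAMPLE_SPNEGO_HEADER = "Negotiate " + base64.b64encode(
    build_spnego_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"\x60placeholder")).decode()

# Constructed sample 3: a bare Kerberos GSS token header with the AP-REQ body
# omitted, so only the mechanism OID is present.
SAMPLE_KRB5_HEADER = "Negotiate " + base64.b64encode(
    _der(0x60, _der(0x06, KRB5_OID))).decode()

if __name__ == "__main__":
    for h in (SAMPLE_NTLM_HEADER, SAMPLE_SPNEGO_HEADER, SAMPLE_KRB5_HEADER):
        print(classify_negotiate_token(h))
```

A "raw-ntlm" result with message type 1 means the browser never obtained a Kerberos service ticket for the CAS server's SPN, so the CAS-side handler (with NTLMallowed set to false, as in the configuration above) correctly rejects it; a "spnego" result whose first mechanism is Kerberos but whose server-side processing still fails points instead at the keytab, login.conf or JAAS wiring on the JBoss side.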
