But you don't need the keytab file if your CAS server is running on a
Windows box, do you?

JMRodriguez.

> Hi guys,
>
> I confirm that you cannot get a Kerberos token on the local machine for
> security reasons ... although I do not have a link on that either :-(
>
> And I also confirm that you should put your FQDN server name when setting
> your service principal name. You might generate a new keytab to set it up
> or use setspn.exe
>
>
> Regards,
>
> -Arnaud
>
>
> On Thu, Nov 6, 2008 at 7:09 PM, Bill Markmann <[EMAIL PROTECTED]> wrote:
>
>> JMR -- interesting.  No obvious differences between the test machine
>> and the non-working one?  I think I read somewhere that the Kerberos
>> exchange wouldn't work properly if you were running IE from the same
>> machine as your app server, so that might explain your non-working
>> case... although I can't seem to locate where I'd read that now. :-)
>>
>> When you do 'klist -k' does your keytab user for that server show up
>> with a fully-qualified domain name (with the .domain.es before the
>> @DOMAIN.ES)?  I didn't include that; I wonder if that's the problem.
>>
>> Thanks, - Bill
>>
>>
>> On Thu, Nov 6, 2008 at 12:22 PM, JMRodriguez <[EMAIL PROTECTED]> wrote:
>> >
>> > I'm in the same situation. I'm not using JBoss but Tomcat55.
>> >
>> > We have a _working_ CAS-SPNEGO on a test machine: W2kServer, AD, Tomcat55.
>> > Here's the relevant part of our WORKING deployerConfigContext.xml:
>> > ----------------------
>> > <!-- SPNEGO -->
>> > <bean name="jcifsConfig"
>> >       class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
>> >     <property name="jcifsServicePrincipal" value="HTTP/[EMAIL PROTECTED]" />
>> >     <property name="jcifsServicePassword" value="*****" />
>> >     <property name="kerberosDebug" value="true" />
>> >     <property name="kerberosRealm" value="DOMAIN.ES" />
>> >     <property name="kerberosKdc" value="192.168.1.1" />
>> >     <property name="loginConf"
>> >               value="C:/Archivos de programa/Apache Software Foundation/Tomcat 5.5/webapps/cas/WEB-INF/login.conf" />
>> > </bean>
>> > -----------------------
>> > Note the FQDN server.domain.es (not only server, but server.domain.es).
>> >
>> > But our production environment doesn't work. We have there two
>> > W2003Server (PDC and SDC), AD and a W2003Server Tomcat55. If we open
>> > IExplore from the Tomcat machine, we obtain an NTLM token; from other
>> > machine we reach a Kerberos token, but it fails with: Unable to obtain
>> > the output token required.
>> >
>> >
>> > That's all the info I can give you. I hope someone can help us.
>> >
>> >
>> > JMRodriguez
>> >
>> > --
>> > View this message in context:
>> > http://www.nabble.com/SPNEGO-fails-back-to-NTLM-%28won%27t-do-Kerberos%29-tp20365070p20365611.html
>> > Sent from the CAS Users mailing list archive at Nabble.com.
>> >
>> > _______________________________________________
>> > Yale CAS mailing list
>> > [email protected]
>> > http://tp.its.yale.edu/mailman/listinfo/cas
>> >
>>
>
>
>
> --
> Arnaud Lesueur
>
> LinkedIn: http://www.linkedin.com/in/lesueur
>
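
The thread turns on whether the browser sent an NTLM token or a Kerberos token in its `Authorization: Negotiate` header, and that can be read from the token itself. The following is an added example, not part of the original messages and not CAS code: the function names are hypothetical and the sample tokens are constructed, cut off after the SPNEGO mechanism list.

```python
import base64

SPNEGO = "1.3.6.1.5.5.2"  # RFC 4178
MECHS = {"1.2.840.113554.1.2.2": "Kerberos", "1.3.6.1.4.1.311.2.2.10": "NTLM"}
# Constructed tokens (hex), cut off after the mechanism list; not real captures.
SAMPLES = {
    "raw_ntlm": "4e544c4d535350000100000007820800",
    "spnego_krb": "601b06062b0601050502a011300fa00d300b06092a864886f712010202",
    "spnego_ntlm": "601c06062b0601050502a0123010a00e300c060a2b06010401823702020a",
}
HEADERS = {name: "Negotiate " + base64.b64encode(bytes.fromhex(tok)).decode()
           for name, tok in SAMPLES.items()}

def read_tlv(buf, pos):  # one DER element -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):  # DER OID content bytes -> dotted string (first arc 0 or 1)
    arcs = [body[0] // 40, body[0] % 40, 0]
    for b in body[1:]:
        arcs[-1] = (arcs[-1] << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(0)
    return ".".join(map(str, arcs[:-1]))

def classify_negotiate(header_value):
    """Return 'Kerberos', 'NTLM' or 'unknown' for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    path, pos, oid = [0x60, 0x06], 0, None  # GSS token: [APPLICATION 0] { OID ...
    try:
        # Any other scheme yields an empty token, which falls through to 'unknown'.
        token = base64.b64decode(b64) if scheme.lower() == "negotiate" else b""
        if token.startswith(b"NTLMSSP\x00"):  # raw NTLM message, no GSS framing
            return "NTLM"
        while path:
            tag, start, end = read_tlv(token, pos)
            if tag != path.pop(0):
                return "unknown"
            pos = start
            if tag == 0x06:
                oid, pos = decode_oid(token[start:end]), end
                if oid == SPNEGO:  # NegTokenInit: [0] SEQ { [0] SEQ OF OID ...
                    path = [0xA0, 0x30, 0xA0, 0x30, 0x06]
    except (ValueError, IndexError):
        return "unknown"
    return MECHS.get(oid, "unknown")
```

Run against the header a client actually sends, a result of "NTLM" means the client did not obtain a service ticket for the SPN, while "Kerberos" followed by a server-side failure points at the server's principal, keytab or password.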

