True. But you still have to set the service principal name which is done when you generate your keytab in fact :-)
Another thing is that you might also use the keytab file instead of the password on your configuration.

-Arnaud

On Thu, Nov 6, 2008 at 9:31 PM, <[EMAIL PROTECTED]> wrote:

> But you don't need the keytab file if your CAS server is running in a
> Windows box, don't you?
>
> JMRodriguez.
>
> > Hi guys,
> >
> > I confirm that you cannot get a Kerberos token on the local machine for
> > security reasons ... although I do not have a link on that too :-(
> >
> > And I also confirm that you should put your FQDN server name when setting
> > your service principal name. You might generate a new keytab to set it up
> > or use setspn.exe
> >
> > Regards,
> >
> > -Arnaud
> >
> > On Thu, Nov 6, 2008 at 7:09 PM, Bill Markmann <[EMAIL PROTECTED]> wrote:
> >
> >> JMR -- interesting. No obvious differences between the test machine
> >> and the non-working one? I think I read somewhere that the Kerberos
> >> exchange wouldn't work properly if you were running IE from the same
> >> machine as your app server, so that might explain your non-working
> >> case... although I can't seem to locate where I'd read that now. :-)
> >>
> >> When you do 'klist -k' does your keytab user for that server show up
> >> with a fully-qualified domain name (with the .domain.es before the
> >> @DOMAIN.ES)? I didn't include that; I wonder if that's the problem.
> >>
> >> Thanks, - Bill
> >>
> >> On Thu, Nov 6, 2008 at 12:22 PM, JMRodriguez <[EMAIL PROTECTED]> wrote:
> >> >
> >> > I'm in the same situation. I'm not using JBoss but Tomcat55.
> >> >
> >> > We have a _working_ CAS-SPNEGO on a test machine: W2kServer, AD, Tomcat55.
> >> > Here's the relevant part of our WORKING deployerConfigContext.xml:
> >> > ----------------------
> >> > <!-- SPNEGO -->
> >> > <bean name="jcifsConfig"
> >> >       class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
> >> >     <property name="jcifsServicePrincipal" value="HTTP/[EMAIL PROTECTED]" />
> >> >     <property name="jcifsServicePassword" value="*****" />
> >> >     <property name="kerberosDebug" value="true" />
> >> >     <property name="kerberosRealm" value="DOMAIN.ES" />
> >> >     <property name="kerberosKdc" value="192.168.1.1" />
> >> >     <property name="loginConf" value="C:/Archivos de programa/Apache Software Foundation/Tomcat 5.5/webapps/cas/WEB-INF/login.conf" />
> >> > </bean>
> >> > -----------------------
> >> > Note the FQDN server.domain.es (not only server, but server.domain.es).
> >> >
> >> > But our production environment doesn't work. We have there two W2003Server
> >> > (PDC and SDC), AD and a W2003Server Tomcat55. If we open IExplore from the
> >> > Tomcat machine, we obtain an NTLM token; from other machine we reach a
> >> > Kerberos token, but it fails with: Unable to obtain the output token
> >> > required.
> >> >
> >> > That's all info I can give you. I hope someone can help us.
> >> >
> >> > JMRodriguez
> >> >
> >> > --
> >> > View this message in context:
> >> > http://www.nabble.com/SPNEGO-fails-back-to-NTLM-%28won%27t-do-Kerberos%29-tp20365070p20365611.html
> >> > Sent from the CAS Users mailing list archive at Nabble.com.
> >> >
> >> > _______________________________________________
> >> > Yale CAS mailing list
> >> > [email protected]
> >> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
> > --
> > Arnaud Lesueur
> >
> > LinkedIn: http://www.linkedin.com/in/lesueur

--
Arnaud Lesueur

LinkedIn: http://www.linkedin.com/in/lesueur
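Added example, not part of the original thread or of the CAS project: a Python diagnostic for the two checks discussed above, namely whether the first `Authorization: Negotiate` token a browser sent is NTLM or Kerberos, and whether a service principal name carries the server's FQDN. The function names and sample values are constructed for illustration, and the FQDN check assumes the DNS domain is the lower-cased realm, as with server.domain.es and DOMAIN.ES in the thread.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"  # signature that opens every NTLM message
# DER-encoded mechanism OIDs as they appear inside a GSS-API/SPNEGO token
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
OID_NTLM = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10


def classify_negotiate(header_value):
    """Classify the first token of an 'Authorization: Negotiate ...' header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "unknown"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return "unknown"
    if token.startswith(NTLMSSP):
        return "ntlm"  # raw NTLM: the browser did not attempt Kerberos
    if not token.startswith(b"\x60"):  # 0x60 opens a GSS-API initial token
        return "unknown"
    if NTLMSSP in token:
        return "spnego-ntlm"  # SPNEGO wrapper carrying an NTLM message
    head = token[:64]  # the offered mechanism OIDs sit at the front
    if OID_KRB5 in head or OID_MS_KRB5 in head:
        return "kerberos"
    return "spnego-ntlm" if OID_NTLM in head else "unknown"


def spn_uses_fqdn(spn, realm):
    """True if 'service/host[@REALM]' names host as an FQDN under the realm.

    Assumes the DNS domain is the lower-cased realm, as in the thread
    (server.domain.es / DOMAIN.ES)."""
    service_host, _, spn_realm = spn.partition("@")
    service, _, host = service_host.partition("/")
    if not service or not host or (spn_realm and spn_realm != realm):
        return False
    return host.lower().endswith("." + realm.lower())


if __name__ == "__main__":
    # Constructed sample: NTLM type 1 header bytes, not a captured token.
    ntlm = base64.b64encode(NTLMSSP + (1).to_bytes(4, "little")).decode()
    print(classify_negotiate("Negotiate " + ntlm))              # ntlm
    print(spn_uses_fqdn("HTTP/server@DOMAIN.ES", "DOMAIN.ES"))  # False
```

A result of `ntlm` or `spnego-ntlm` for a remote client points at the SPN or client configuration rather than at the CAS handler, since the browser never requested a service ticket.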
