Hi, Arnaud...  so I'm taking two points away so far:

- the service principal's account name should be a fully qualified
domain name, and
- I should not specify the service principal's account password, but
rather point to the keytab

On the second point, where would the location of the keytab be
specified?  Will that be picked up from my krb5.conf setup, or does it
need to be specified in my jcifsConfig bean (in
deployerConfigContext.xml)?

Any other thoughts?  Do you think I was barking up the wrong tree in
suspecting JBoss?

Thanks, - Bill
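On the keytab question: in the CAS 3.x JCIFSConfig bean as I know it there is no keytab property, and krb5.conf only carries realm/KDC settings; the keytab is wired through the JAAS login.conf that the bean's loginConf property points at, as options of Krb5LoginModule. The fragment below is an added example for this thread, not a file posted by anyone here; it assumes the entry names jcifs.spnego.initiate and jcifs.spnego.accept used by the JCIFS-based SPNEGO handler, and the keytab path and principal are placeholders to replace with your own.

```text
/* login.conf referenced by the jcifsConfig bean's loginConf property.
   Entry names are assumed to be the ones the JCIFS SPNEGO handler looks up;
   keytab path and principal below are placeholders. */
jcifs.spnego.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        doNotPrompt=true
        keyTab="C:/cas/kerberos/http-server.keytab"
        principal="HTTP/server.domain.es@DOMAIN.ES";
};

jcifs.spnego.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        doNotPrompt=true
        isInitiator=false
        keyTab="C:/cas/kerberos/http-server.keytab"
        principal="HTTP/server.domain.es@DOMAIN.ES";
};
```

The accept entry is the one the server side uses to validate the browser's SPNEGO token; useKeyTab/keyTab make the long-term key come from the file instead of from a password typed into the bean, and isInitiator=false stops that entry from trying to obtain a TGT of its own. The principal given here must match, character for character, an entry that 'klist -k' shows for the keytab, including the fully qualified host name and the upper-case realm.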

On Thu, Nov 6, 2008 at 3:56 PM, Arnaud Lesueur <[EMAIL PROTECTED]> wrote:
> True. But you still have to set the service principal name which is done
> when you generate your keytab in fact :-)
>
> Another thing is that you might also use the keytab file instead of the
> password on your configuration.
>
> -Arnaud
>
>
> On Thu, Nov 6, 2008 at 9:31 PM, <[EMAIL PROTECTED]> wrote:
>>
>> But you don't need the keytab file if your CAS server is running in a
>> Windows box, don't you?
>>
>> JMRodriguez.
>>
>> > Hi guys,
>> >
>> > I confirm that you cannot get a Kerberos token on the local machine for
>> > security reasons ... although I do not have a link on that too :-(
>> >
>> > And I also confirm that you should put your FQDN server name when
>> > setting your service principal name. You might generate a new keytab to
>> > set it up or use setspn.exe
>> >
>> >
>> > Regards,
>> >
>> > -Arnaud
>> >
>> >
>> > On Thu, Nov 6, 2008 at 7:09 PM, Bill Markmann <[EMAIL PROTECTED]>
>> > wrote:
>> >
>> >> JMR -- interesting.  No obvious differences between the test machine
>> >> and the non-working one?  I think I read somewhere that the Kerberos
>> >> exchange wouldn't work properly if you were running IE from the same
>> >> machine as your app server, so that might explain your non-working
>> >> case... although I can't seem to locate where I'd read that now. :-)
>> >>
>> >> When you do 'klist -k' does your keytab user for that server show up
>> >> with a fully-qualified domain name (with the .domain.es before the
>> >> @DOMAIN.ES)?  I didn't include that; I wonder if that's the problem.
>> >>
>> >> Thanks, - Bill
>> >>
>> >>
>> >> On Thu, Nov 6, 2008 at 12:22 PM, JMRodriguez
>> >> <[EMAIL PROTECTED]>
>> >> wrote:
>> >> >
>> >> > I'm in the same situation. I'm not using JBoss but Tomcat55.
>> >> >
>> >> > We have a _working_ CAS-SPNEGO on a test machine: W2kServer, AD,
>> >> Tomcat55.
>> >> > Here's the relevant part of our WORKING deployerConfigContext.xml:
>> >> > ----------------------
>> >> > <!-- SPNEGO -->
>> >> > <bean name="jcifsConfig"
>> >> >       class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
>> >> >     <property name="jcifsServicePrincipal" value="HTTP/[EMAIL PROTECTED]" />
>> >> >     <property name="jcifsServicePassword" value="*****" />
>> >> >     <property name="kerberosDebug" value="true" />
>> >> >     <property name="kerberosRealm" value="DOMAIN.ES" />
>> >> >     <property name="kerberosKdc" value="192.168.1.1" />
>> >> >     <property name="loginConf" value="C:/Archivos de programa/Apache Software Foundation/Tomcat 5.5/webapps/cas/WEB-INF/login.conf" />
>> >> > </bean>
>> >> > -----------------------
>> >> > Note the FQDN server.domain.es (not only server, but server.domain.es).
>> >> >
>> >> > But our production environment doesn't work. We have there two
>> >> > W2003Server (PDC and SDC), AD and a W2003Server Tomcat55. If we open
>> >> > IExplore from the Tomcat machine, we obtain a NTLM token; from other
>> >> > machine we reach a Kerberos token, but it fails with: Unable to obtain
>> >> > the output token required.
>> >> >
>> >> >
>> >> > That's all info I can give you. I hope someone can help us.
>> >> >
>> >> >
>> >> > JMRodriguez
>> >> >
>> >> > --
>> >> > View this message in context:
>> >>
>> >> http://www.nabble.com/SPNEGO-fails-back-to-NTLM-%28won%27t-do-Kerberos%29-tp20365070p20365611.html
>> >> > Sent from the CAS Users mailing list archive at Nabble.com.
>> >> >
>> >> > _______________________________________________
>> >> > Yale CAS mailing list
>> >> > [email protected]
>> >> > http://tp.its.yale.edu/mailman/listinfo/cas
>> >> >
>> >>
>> >
>> >
>> >
>> > --
>> > Arnaud Lesueur
>> >
>> > LinkedIn: http://www.linkedin.com/in/lesueur
>> >
>>
>>
>
>
>
> --
> Arnaud Lesueur
>
> LinkedIn: http://www.linkedin.com/in/lesueur
>
>
>
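Bill's 'klist -k' question is the right check, and it can be scripted. The following is an added example for this thread, not code posted by anyone here: it takes the service principal you configured in jcifsServicePrincipal plus the output of klist -k, and reports whether the host part is fully qualified and whether the keytab actually carries that exact principal. The keytab listing embedded in the script is constructed for the demonstration; the commented line near the end shows how to run it against a real keytab.

```shell
#!/bin/sh
# Pre-flight check for CAS SPNEGO: is the configured SPN an FQDN principal,
# and does the keytab (as listed by 'klist -k') really contain it?
# Added example for this thread; the listing below is constructed, not real.

# Constructed sample of 'klist -k' output (not from a real keytab).
SAMPLE_KLIST='Keytab name: FILE:/etc/cas/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/server.domain.es@DOMAIN.ES
   3 HTTP/server@DOMAIN.ES'

# spn_is_fqdn HTTP/host@REALM -> returns 0 when the host part contains a dot
spn_is_fqdn() {
    host=${1#*/}      # strip the "HTTP/" service prefix
    host=${host%@*}   # strip the "@REALM" suffix
    case "$host" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# keytab_has_spn SPN KLIST_OUTPUT -> returns 0 when an exact entry for SPN exists
# (only lines that start with a numeric KVNO are treated as keytab entries)
keytab_has_spn() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# check_spnego_spn SPN KLIST_OUTPUT -> prints a verdict; 0 only if both checks pass
check_spnego_spn() {
    spn=$1
    listing=$2
    if ! spn_is_fqdn "$spn"; then
        echo "FAIL: $spn has a short host name; use HTTP/host.domain.tld@REALM"
        return 1
    fi
    if ! keytab_has_spn "$spn" "$listing"; then
        echo "FAIL: keytab has no entry for $spn (compare with 'klist -k', regenerate if needed)"
        return 1
    fi
    echo "OK: $spn is an FQDN principal and is present in the keytab"
    return 0
}

# Against a real keytab you would run something like:
# check_spnego_spn "HTTP/$(hostname -f)@DOMAIN.ES" "$(klist -k)"
check_spnego_spn "HTTP/server.domain.es@DOMAIN.ES" "$SAMPLE_KLIST"
check_spnego_spn "HTTP/server@DOMAIN.ES" "$SAMPLE_KLIST" || true
```

The second call deliberately fails: the short-name entry is exactly the shape that makes the browser fall back to NTLM, because the SPN it requests a ticket for (built from the host name in the URL) never matches it.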
