On Thu, Nov 6, 2008 at 3:56 PM, Arnaud Lesueur <[EMAIL PROTECTED]> wrote:
> True. But you still have to set the service principal name which is done
> when you generate your keytab in fact :-)
>
> Another thing is that you might also use the keytab file instead of the
> password on your configuration.
>
> -Arnaud
>
>
> On Thu, Nov 6, 2008 at 9:31 PM, <[EMAIL PROTECTED]> wrote:
>>
>> But you don't need the keytab file if your CAS server is running in a
>> Windows box, don't you?
>>
>> JMRodriguez.
>>
>> > Hi guys,
>> >
>> > I confirm that you cannot get a Kerberos token on the local machine for
>> > security reasons ... although I do not have a link on that too :-(
>> >
>> > And I also confirm that you should put your FQDN server name when setting
>> > your service principal name. You might generate a new keytab to set it up
>> > or use setspn.exe
>> >
>> >
>> > Regards,
>> >
>> > -Arnaud
>> >
>> >
>> > On Thu, Nov 6, 2008 at 7:09 PM, Bill Markmann <[EMAIL PROTECTED]> wrote:
>> >
>> >> JMR -- interesting. No obvious differences between the test machine
>> >> and the non-working one? I think I read somewhere that the Kerberos
>> >> exchange wouldn't work properly if you were running IE from the same
>> >> machine as your app server, so that might explain your non-working
>> >> case... although I can't seem to locate where I'd read that now. :-)
>> >>
>> >> When you do 'klist -k' does your keytab user for that server show up
>> >> with a fully-qualified domain name (with the .domain.es before the
>> >> @DOMAIN.ES)? I didn't include that; I wonder if that's the problem.
>> >>
>> >> Thanks, - Bill
>> >>
>> >>
>> >> On Thu, Nov 6, 2008 at 12:22 PM, JMRodriguez <[EMAIL PROTECTED]> wrote:
>> >> >
>> >> > I'm in the same situation. I'm not using JBoss but Tomcat55.
>> >> >
>> >> > We have a _working_ CAS-SPNEGO on a test machine: W2kServer, AD, Tomcat55.
>> >> > Here's the relevant part of our WORKING deployerConfigContext.xml:
>> >> > ----------------------
>> >> > <!-- SPNEGO -->
>> >> > <bean name="jcifsConfig"
>> >> >       class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
>> >> >     <property name="jcifsServicePrincipal" value="HTTP/server.domain.es@DOMAIN.ES" />
>> >> >     <property name="jcifsServicePassword" value="*****" />
>> >> >     <property name="kerberosDebug" value="true" />
>> >> >     <property name="kerberosRealm" value="DOMAIN.ES" />
>> >> >     <property name="kerberosKdc" value="192.168.1.1" />
>> >> >     <property name="loginConf" value="C:/Archivos de programa/Apache Software Foundation/Tomcat 5.5/webapps/cas/WEB-INF/login.conf" />
>> >> > </bean>
>> >> > -----------------------
>> >> > Note the FQDN server.domain.es (not only server, but server.domain.es).
>> >> >
>> >> > But our production environment doesn't work. We have there two W2003Server
>> >> > (PDC and SDC), AD and a W2003Server Tomcat55. If we open IExplore from the
>> >> > Tomcat machine, we obtain a NTLM token; from other machine we reach a
>> >> > Kerberos token, but it fails with: Unable to obtain the output token
>> >> > required.
>> >> >
>> >> >
>> >> > That's all info I can give you. I hope someone can help us.
>> >> >
>> >> >
>> >> > JMRodriguez
>> >> >
>> >> > --
>> >> > View this message in context:
>> >> > http://www.nabble.com/SPNEGO-fails-back-to-NTLM-%28won%27t-do-Kerberos%29-tp20365070p20365611.html
>> >> > Sent from the CAS Users mailing list archive at Nabble.com.
>> >> >
>> >> > _______________________________________________
>> >> > Yale CAS mailing list
>> >> > [email protected]
>> >> > http://tp.its.yale.edu/mailman/listinfo/cas
>> >> >
>> >>
>> >
>> >
>> >
>> > --
>> > Arnaud Lesueur
>> >
>> > LinkedIn: http://www.linkedin.com/in/lesueur
>> >
>>
>>
>
>
>
> --
> Arnaud Lesueur
>
> LinkedIn: http://www.linkedin.com/in/lesueur
>
>
>
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
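
The two things this thread checks by hand (whether the browser sent an NTLM or a Kerberos token, and whether the service principal uses the FQDN) can be scripted. This is an added example, not code from the thread participants or from CAS: the function names, the `server_fqdn` parameter and the sample tokens are constructed for illustration, and the token classification is a byte-pattern heuristic, not a full ASN.1 parse.

```python
import base64
import re

NTLMSSP = b"NTLMSSP\x00"                                # NTLM message signature
SPNEGO_OID = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
KRB5_OIDS = (bytes.fromhex("06092a864886f712010202"),   # 1.2.840.113554.1.2.2
             bytes.fromhex("06092a864882f712010202"))   # 1.2.840.48018.1.2.2 (MS)
SPN_RE = re.compile(r"^HTTP/([^/@\s]+)@([^/@\s]+)$")


def classify_negotiate(header_value):
    """Classify an Authorization header value: ntlm, kerberos, unknown or invalid."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "invalid"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid"
    if NTLMSSP in token:  # raw NTLM, or NTLM wrapped inside SPNEGO
        return "ntlm"
    if token[:1] == b"\x60" and any(oid in token for oid in KRB5_OIDS):
        return "kerberos"
    return "unknown"


def check_spn(spn, server_fqdn):
    """Return problems found in a jcifsServicePrincipal value (empty list = OK)."""
    m = SPN_RE.match(spn)
    if not m:
        return ["expected HTTP/<fqdn>@<REALM>"]
    host, realm = m.groups()
    problems = []
    if "." not in host:
        problems.append("host part is a short name, not an FQDN")
    elif host.lower() != server_fqdn.lower():
        problems.append("host part does not match the server FQDN")
    if realm != realm.upper():
        problems.append("realm is not upper case")
    return problems


# Constructed sample headers (not captured traffic).
RAW_NTLM = "Negotiate " + base64.b64encode(NTLMSSP + b"\x01\x00\x00\x00" + bytes(8)).decode()
KRB = "Negotiate " + base64.b64encode(
    b"\x60\x82\x01\x00" + SPNEGO_OID + bytes(4) + KRB5_OIDS[0] + bytes(32)).decode()

if __name__ == "__main__":
    print(classify_negotiate(RAW_NTLM), classify_negotiate(KRB))
    print(check_spn("HTTP/server@DOMAIN.ES", "server.domain.es"))
```

An `ntlm` result for a client on another machine points at the SPN registration or browser zone settings rather than at the CAS handler itself.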