Juan, excellent!  I look forward to your howto... :-)

Regenerating my keytab so that the SPN was an FQDN (HTTP/
[EMAIL PROTECTED]) got me to the point where there is
actually a Kerberos negotiation happening now, so I'm one step closer to
having this work.  However, I'm getting a Kerberos error:

Pre-authentication information was invalid (24)

I'm not sure why the password wouldn't work, but I'm not making the account
or generating the keytab myself (ah, the joys of working in a large
distributed IT organization), so I don't believe anything there has changed
but it's tough to say...  It also appears from the log that my keytab is not
being used:

2008-11-12 21:11:28,286 [http-0.0.0.0-8443-2] DEBUG
org.jasig.cas.CentralAuthenticationServiceImpl - Attempting to create
TicketGrantingTicket for Principal is null
Debug is  true storeKey true useTicketCache false useKeyTab false
doNotPrompt false ticketCache is null isInitiator true KeyTab is null
refreshKrb5Config is false principal is null tryFirstPass is false
useFirstPass is false storePass is false clearPass is false

I added the useKeyTab=true option to my login.conf; what else would cause it
to not pick that up?  Should I get rid of the following from my jcifsConfig
bean, perhaps?...

 <property name="jcifsServicePrincipal" value="HTTP/[EMAIL PROTECTED]" />
 <property name="jcifsServicePassword" value="my_pw" />

Here is my login.conf:

jcifs.spnego.initiate {
  com.sun.security.auth.module.Krb5LoginModule required storeKey=true
    useKeyTab=true keyTab=/opt/myapp/myspnacct.keytab;
};
jcifs.spnego.accept {
  com.sun.security.auth.module.Krb5LoginModule required storeKey=true
    useKeyTab=true keyTab=/opt/myapp/myspnacct.keytab;
};

Is that format correct, Arnaud?  Is there anywhere else I'd need to make a
change to get the Krb5LoginModule to use the keytab?

Thanks for the help so far! - Bill

On Thu, Nov 13, 2008 at 10:17 AM, Juan Manuel Rodríguez <
[EMAIL PROTECTED]> wrote:

>  OK. I've just fixed some DNS issues and made a successful test.
>
> I'll post a small howto from my experience next week.
>
> Thank you, Arnaud, and all CAS Team.
>
> JMRodriguez
>
>
>
> Arnaud Lesueur wrote:
>
> Add the following options to login.conf: useKeyTab=true, keyTab=keytab.file
> with keytab.file in the home directory of the user who launches the JVM
> used by CAS.
>
> I'm not suspecting JBoss but you can at least try with Tomcat, test is
> going to be really quick :-)
>
> Regards,
>
> -Arnaud
>
> On Thu, Nov 6, 2008 at 10:31 PM, Bill Markmann <[EMAIL PROTECTED]> wrote:
>
>> Hi, Arnaud...  so I'm taking two points away so far:
>>
>> - the service principal's account name should be a fully qualified
>> domain name, and
>> - I should not specify the service principal's account password, but
>> rather point to the keytab
>>
>> On the second point, where would the location of the keytab be
>> specified?  Will that be picked up from my krb5.conf setup, or does it
>> need to be specified in my jcifsConfig bean (in
>> deployerConfigContext.xml)?
>>
>> Any other thoughts?  Do you think I was barking up the wrong tree in
>> suspecting JBoss?
>>
>> Thanks, - Bill
>>
>> On Thu, Nov 6, 2008 at 3:56 PM, Arnaud Lesueur <[EMAIL PROTECTED]>
>> wrote:
>> > True. But you still have to set the service principal name which is done
>> > when you generate your keytab in fact :-)
>> >
>> > Another thing is that you might also use the keytab file instead of the
>> > password on your configuration.
>> >
>> > -Arnaud
>> >
>> >
>> > On Thu, Nov 6, 2008 at 9:31 PM, <[EMAIL PROTECTED]> wrote:
>> >>
>> >> But you don't need the keytab file if your CAS server is running in a
>> >> Windows box, do you?
>> >>
>> >> JMRodriguez.
>> >>
>> >> > Hi guys,
>> >> >
>> >> > I confirm that you cannot get a Kerberos token on the local machine for
>> >> > security reasons ... although I do not have a link on that either :-(
>> >> >
>> >> > And I also confirm that you should put your FQDN server name when setting
>> >> > your service principal name. You might generate a new keytab to set it up
>> >> > or use setspn.exe
>> >> >
>> >> >
>> >> > Regards,
>> >> >
>> >> > -Arnaud
>> >> >
>> >> >
>> >> > On Thu, Nov 6, 2008 at 7:09 PM, Bill Markmann <[EMAIL PROTECTED]>
>> >> > wrote:
>> >> >
>> >> >> JMR -- interesting.  No obvious differences between the test machine
>> >> >> and the non-working one?  I think I read somewhere that the Kerberos
>> >> >> exchange wouldn't work properly if you were running IE from the same
>> >> >> machine as your app server, so that might explain your non-working
>> >> >> case... although I can't seem to locate where I'd read that now. :-)
>> >> >>
>> >> >> When you do 'klist -k' does your keytab user for that server show up
>> >> >> with a fully-qualified domain name (with the .domain.es before the
>> >> >> @DOMAIN.ES)?  I didn't include that; I wonder if that's the problem.
>> >> >>
>> >> >> Thanks, - Bill
>> >> >>
>> >> >>
>> >> >> On Thu, Nov 6, 2008 at 12:22 PM, JMRodriguez
>> >> >> <[EMAIL PROTECTED]>
>> >> >> wrote:
>> >> >> >
>> >> >> > I'm in the same situation. I'm not using JBoss but Tomcat55.
>> >> >> >
>> >> >> > We have a _working_ CAS-SPNEGO on a test machine: W2kServer, AD, Tomcat55.
>> >> >> > Here's the relevant part of our WORKING deployerConfigContext.xml:
>> >> >> > ----------------------
>> >> >> > <!-- SPNEGO -->
>> >> >> > <bean name="jcifsConfig"
>> >> >> >       class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
>> >> >> >     <property name="jcifsServicePrincipal" value="HTTP/[EMAIL PROTECTED]" />
>> >> >> >     <property name="jcifsServicePassword" value="*****" />
>> >> >> >     <property name="kerberosDebug" value="true" />
>> >> >> >     <property name="kerberosRealm" value="DOMAIN.ES" />
>> >> >> >     <property name="kerberosKdc" value="192.168.1.1" />
>> >> >> >     <property name="loginConf" value="C:/Archivos de programa/Apache Software Foundation/Tomcat 5.5/webapps/cas/WEB-INF/login.conf" />
>> >> >> > </bean>
>> >> >> > -----------------------
>> >> >> > Note the FQDN server.domain.es (not only server, but server.domain.es).
>> >> >> >
>> >> >> > But our production environment doesn't work. We have there two W2003Servers
>> >> >> > (PDC and SDC), AD and a W2003Server Tomcat55. If we open IExplore from the
>> >> >> > Tomcat machine, we obtain an NTLM token; from another machine we reach a
>> >> >> > Kerberos token, but it fails with: Unable to obtain the output token
>> >> >> > required.
>> >> >> >
>> >> >> >
>> >> >> > That's all the info I can give you. I hope someone can help us.
>> >> >> >
>> >> >> >
>> >> >> > JMRodriguez
>> >> >> >
>> >> >> > --
>> >> >> > View this message in context:
>> >> >>
>> >> >>
>> http://www.nabble.com/SPNEGO-fails-back-to-NTLM-%28won%27t-do-Kerberos%29-tp20365070p20365611.html
>> >> >> > Sent from the CAS Users mailing list archive at Nabble.com.
>> >> >> >
>> >> >> > _______________________________________________
>> >> >> > Yale CAS mailing list
>> >> >> > [email protected]
>> >> >> > http://tp.its.yale.edu/mailman/listinfo/cas
>> >> >> >
>> >> >>
>> >> >
>> >> >
>> >> >
>> >> > --
>> >> > Arnaud Lesueur
>> >> >
>> >> > LinkedIn: http://www.linkedin.com/in/lesueur
>> >> >
>> >>
>> >>
>> >
>> >
>> >
>> > --
>> > Arnaud Lesueur
>> >
>> > LinkedIn: http://www.linkedin.com/in/lesueur
>> >
>> >
>> >
>>
>
>
>
> --
> Arnaud Lesueur
>
> LinkedIn: http://www.linkedin.com/in/lesueur
>
>
>
>
> --
> Juan Manuel Rodríguez.
> Burke.
>
>
>
>
