Mine was a DNS problem; I got it working without a keytab file. Try to do an nslookup, direct and inverse, to find out if your DNS is resolving correctly: you must reach the CAS machine and the Kerberos machine by name and by IP.

Regards,

JMRodriguez

Bill Markmann wrote:
Juan, excellent!  I look forward to your howto... :-)

Regenerating my keytab so that the SPN was a FQDN (HTTP/myserver.mydomain.com@MYDOMAIN.COM) got me to the point where there is actually a Kerberos negotiation happening now, so I'm one step closer to having this work.  However, I'm getting a Kerberos error:

Pre-authentication information was invalid (24)

I'm not sure why the password wouldn't work, but I'm not making the account or generating the keytab myself (ah, the joys of working in a large distributed IT organization), so I don't believe anything there has changed but it's tough to say...  It also appears from the log that my keytab is not being used:

2008-11-12 21:11:28,286 [http-0.0.0.0-8443-2] DEBUG org.jasig.cas.CentralAuthenticationServiceImpl - Attempting to create TicketGrantingTicket for Principal is null
Debug is  true storeKey true useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false

I added the useKeyTab=true option to my login.conf; what else would cause it to not pick that up?  Should I get rid of the following from my jcifsConfig bean, perhaps?...

 <property name="jcifsServicePrincipal" value="HTTP/[EMAIL PROTECTED]" />
 <property name="jcifsServicePassword" value="my_pw" />

Here is my login.conf:

jcifs.spnego.initiate {
  com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab=/opt/myapp/myspnacct.keytab;
};
jcifs.spnego.accept {
  com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab=/opt/myapp/myspnacct.keytab;
};

Is that format correct, Arnaud?  Is there anywhere else I'd need to make a change to get the Krb5LoginModule to use the keytab?

Thanks for the help so far! - Bill
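A small configuration check for the two points raised above, written as an added example (it is not code from the thread or from the CAS project): it parses a JAAS login.conf in the format posted, verifies that the jcifs.spnego.accept entry really enables useKeyTab and points at a keytab that exists, and checks that a service principal is in FQDN form. The sample config text is constructed, and parse_login_conf, spn_is_fqdn and check_accept_entry are hypothetical helper names.

```python
import re
from pathlib import Path
# Constructed sample in the login.conf format posted in the thread (not a real file).
SAMPLE_LOGIN_CONF = """
jcifs.spnego.initiate {
  com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab=/opt/myapp/myspnacct.keytab;
};
jcifs.spnego.accept {
  com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab=/opt/myapp/myspnacct.keytab;
};
"""
ENTRY_RE = re.compile(r"(\S+)\s*\{(.*?)\}\s*;", re.S)   # name { ... };
SPN_RE = re.compile(r"^HTTP/([^@/]+)@([^@]+)$")            # HTTP/host@REALM
def parse_login_conf(text):
    """Return {entry_name: [(module, control_flag, {option: value}), ...]}."""
    entries = {}
    for name, body in ENTRY_RE.findall(text):
        modules = []
        for stmt in body.split(";"):          # one login module per ';'-terminated statement
            tokens = stmt.split()
            if len(tokens) < 2:
                continue
            module, flag, *opts = tokens
            options = dict(o.split("=", 1) for o in opts if "=" in o)
            modules.append((module, flag, options))
        entries[name] = modules
    return entries

def spn_is_fqdn(spn):
    """True for HTTP/host.domain.tld@REALM: dotted host part and upper-case realm."""
    m = SPN_RE.match(spn)
    if not m:
        return False
    host, realm = m.groups()
    return "." in host and realm == realm.upper()
def check_accept_entry(entries, keytab_exists=Path.is_file):
    """List problems with the jcifs.spnego.accept entry; an empty list means it looks usable."""
    modules = entries.get("jcifs.spnego.accept")
    if not modules:
        return ["no jcifs.spnego.accept entry"]
    opts = modules[0][2]                       # options of the first (and here only) module
    problems = []
    if opts.get("useKeyTab") != "true":
        problems.append("useKeyTab is not true: the module will not read the keytab")
    keytab = opts.get("keyTab")
    if keytab is None:
        problems.append("keyTab path missing")
    elif not keytab_exists(Path(keytab)):
        problems.append(f"keytab file not found: {keytab}")
    return problems
```

Run it against the real login.conf text and the SPN shown by `klist -k`; a non-empty list from check_accept_entry, or False from spn_is_fqdn, points at the same kind of misconfiguration the thread is chasing.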

On Thu, Nov 13, 2008 at 10:17 AM, Juan Manuel Rodríguez <[EMAIL PROTECTED]> wrote:
OK. I've just fixed some DNS issues and made a successful test.

I'll post a small howto from my experience next week.

Thank you, Arnaud, and all CAS Team.

JMRodriguez



Arnaud Lesueur wrote:
Add the following option to login.conf : useKeyTab=true, keyTab=keytab.file
With the keytab.file in the home directory of the user who launches the JVM used by CAS.

I'm not suspecting JBoss but you can at least try with Tomcat, test is going to be really quick :-)

Regards,

-Arnaud

On Thu, Nov 6, 2008 at 10:31 PM, Bill Markmann <[EMAIL PROTECTED]> wrote:
Hi, Arnaud...  so I'm taking two points away so far:

- the service principal's account name should be a fully qualified
domain name, and
- I should not specify the service principal's account password, but
rather point to the keytab

On the second point, where would the location of the keytab be
specified?  Will that be picked up from my krb5.conf setup, or does it
need to be specified in my jcifsConfig bean (in
deployerConfigContext.xml)?

Any other thoughts?  Do you think I was barking up the wrong tree in
suspecting JBoss?

Thanks, - Bill

On Thu, Nov 6, 2008 at 3:56 PM, Arnaud Lesueur <[EMAIL PROTECTED]> wrote:
> True. But you still have to set the service principal name which is done
> when you generate your keytab in fact :-)
>
> Another thing is that you might also use the keytab file instead of the
> password on your configuration.
>
> -Arnaud
>
>
> On Thu, Nov 6, 2008 at 9:31 PM, <[EMAIL PROTECTED]> wrote:
>>
>> But you don't need the keytab file if your CAS server is running in a
>> Windows box, don't you?
>>
>> JMRodriguez.
>>
>> > Hi guys,
>> >
>> > I confirm that you cannot get a Kerberos token on the local machine for
>> > security reasons ... although I do not have a link on that too :-(
>> >
>> > And I also confirm that you should put your FQDN server name when setting
>> > your service principal name. You might generate a new keytab to set it up
>> > or use setspn.exe
>> >
>> >
>> > Regards,
>> >
>> > -Arnaud
>> >
>> >
>> > On Thu, Nov 6, 2008 at 7:09 PM, Bill Markmann <[EMAIL PROTECTED]>
>> > wrote:
>> >
>> >> JMR -- interesting.  No obvious differences between the test machine
>> >> and the non-working one?  I think I read somewhere that the Kerberos
>> >> exchange wouldn't work properly if you were running IE from the same
>> >> machine as your app server, so that might explain your non-working
>> >> case... although I can't seem to locate where I'd read that now. :-)
>> >>
>> >> When you do 'klist -k' does your keytab user for that server show up
>> >> with a fully-qualified domain name (with the .domain.es before the
>> >> @DOMAIN.ES)?  I didn't include that; I wonder if that's the problem.
>> >>
>> >> Thanks, - Bill
>> >>
>> >>
>> >> On Thu, Nov 6, 2008 at 12:22 PM, JMRodriguez
>> >> <[EMAIL PROTECTED]>
>> >> wrote:
>> >> >
>> >> > I'm in the same situation. I'm not using JBoss but Tomcat55.
>> >> >
>> >> > We have a _working_ CAS-SPNEGO on a test machine: W2kServer, AD,
>> >> Tomcat55.
>> >> > Here's the relevant part of our WORKING deployerConfigContext.xml:
>> >> > ----------------------
>> >> > <!-- SPNEGO -->
>> >> > <bean name="jcifsConfig"
>> >> >       class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
>> >> >   <property name="jcifsServicePrincipal" value="HTTP/server.domain.es@DOMAIN.ES" />
>> >> >   <property name="jcifsServicePassword" value="*****" />
>> >> >   <property name="kerberosDebug" value="true" />
>> >> >   <property name="kerberosRealm" value="DOMAIN.ES" />
>> >> >   <property name="kerberosKdc" value="192.168.1.1" />
>> >> >   <property name="loginConf" value="C:/Archivos de programa/Apache Software Foundation/Tomcat 5.5/webapps/cas/WEB-INF/login.conf" />
>> >> > </bean>
>> >> > -----------------------
>> >> > Note the FQDN server.domain.es (not only server, but server.domain.es).
>> >> >
>> >> > But our production environment doesn't work. We have there two W2003Server
>> >> > (PDC and SDC), AD and a W2003Server Tomcat55. If we open IExplore from the
>> >> > Tomcat machine, we obtain an NTLM token; from another machine we reach a
>> >> > Kerberos token, but it fails with: Unable to obtain the output token
>> >> > required.
>> >> >
>> >> >
>> >> > That's all the info I can give you. I hope someone can help us.
>> >> >
>> >> >
>> >> > JMRodriguez
>> >> >
>> >> >
>> >> > _______________________________________________
>> >> > Yale CAS mailing list
>> >> > [email protected]
>> >> > http://tp.its.yale.edu/mailman/listinfo/cas
>> >> >
>> >>
>> >
>> >
>> >
>> > --
>> > Arnaud Lesueur
>> >
>> > LinkedIn: http://www.linkedin.com/in/lesueur
>> >
>>
>>
>
>
>
>
>
>






-- 
Juan Manuel Rodríguez.
Burke.








