Bill,

You will have to give the jcifsConfig bean a try, as I do not
remember that part. Did you check your clock skew? According to
http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html

Otherwise, you will have to google this point.

Regards,

-Arnaud


On Thu, Nov 13, 2008 at 5:36 PM, Bill Markmann <[EMAIL PROTECTED]> wrote:

> Juan, excellent!  I look forward to your howto... :-)
>
> Regenerating my keytab so that the SPN was an FQDN (HTTP/
> [EMAIL PROTECTED]) got me to the point where there is
> actually a Kerberos negotiation happening now, so I'm one step closer to
> having this work.  However, I'm getting a Kerberos error:
>
> Pre-authentication information was invalid (24)
>
> I'm not sure why the password wouldn't work, but I'm not making the account
> or generating the keytab myself (ah, the joys of working in a large
> distributed IT organization), so I don't believe anything there has changed
> but it's tough to say...  It also appears from the log that my keytab is not
> being used:
>
> 2008-11-12 21:11:28,286 [http-0.0.0.0-8443-2] DEBUG
> org.jasig.cas.CentralAuthenticationServiceImpl - Attempting to create
> TicketGrantingTicket for Principal is null
> Debug is  true storeKey true useTicketCache false useKeyTab false
> doNotPrompt false ticketCache is null isInitiator true KeyTab is null
> refreshKrb5Config is false principal is null tryFirstPass is false
> useFirstPass is false storePass is false clearPass is false
>
> I added the useKeyTab=true option to my login.conf; what else would cause
> it to not pick that up?  Should I get rid of the following from my
> jcifsConfig bean, perhaps?...
>
>  <property name="jcifsServicePrincipal" value="HTTP/[EMAIL PROTECTED]" />
>  <property name="jcifsServicePassword" value="my_pw" />
>
> Here is my login.conf:
>
> jcifs.spnego.initiate {
>   com.sun.security.auth.module.Krb5LoginModule required storeKey=true
> useKeyTab=true keyTab=/opt/myapp/myspnacct.keytab;
> };
> jcifs.spnego.accept {
>   com.sun.security.auth.module.Krb5LoginModule required storeKey=true
> useKeyTab=true keyTab=/opt/myapp/myspnacct.keytab;
> };
>
> Is that format correct, Arnaud?  Is there anywhere else I'd need to make a
> change to get the Krb5LoginModule to use the keytab?
>
> Thanks for the help so far! - Bill
>
>
> On Thu, Nov 13, 2008 at 10:17 AM, Juan Manuel Rodríguez <
> [EMAIL PROTECTED]> wrote:
>
>> OK. I've just fixed some DNS issues and made a successful test.
>>
>> I'll post a small howto from my experience next week.
>>
>> Thank you, Arnaud, and all CAS Team.
>>
>> JMRodriguez
>>
>>
>>
>> Arnaud Lesueur escribió:
>>
>> Add the following options to login.conf: useKeyTab=true, keyTab=keytab.file,
>> with keytab.file in the home directory of the user who launches the JVM
>> used by CAS.
>>
>> I'm not suspecting JBoss but you can at least try with Tomcat, test is
>> going to be really quick :-)
>>
>> Regards,
>>
>> -Arnaud
>>
>> On Thu, Nov 6, 2008 at 10:31 PM, Bill Markmann <[EMAIL PROTECTED]> wrote:
>>
>>> Hi, Arnaud...  so I'm taking two points away so far:
>>>
>>> - the service principal's account name should be a fully qualified
>>> domain name, and
>>> - I should not specify the service principal's account password, but
>>> rather point to the keytab
>>>
>>> On the second point, where would the location of the keytab be
>>> specified?  Will that be picked up from my krb5.conf setup, or does it
>>> need to be specified in my jcifsConfig bean (in
>>> deployerConfigContext.xml)?
>>>
>>> Any other thoughts?  Do you think I was barking up the wrong tree in
>>> suspecting JBoss?
>>>
>>> Thanks, - Bill
>>>
>>> On Thu, Nov 6, 2008 at 3:56 PM, Arnaud Lesueur <[EMAIL PROTECTED]>
>>> wrote:
>>> > True. But you still have to set the service principal name, which is done
>>> > when you generate your keytab in fact :-)
>>> >
>>> > Another thing is that you might also use the keytab file instead of the
>>> > password on your configuration.
>>> >
>>> > -Arnaud
>>> >
>>> >
>>> > On Thu, Nov 6, 2008 at 9:31 PM, <[EMAIL PROTECTED]> wrote:
>>> >>
>>> >> But you don't need the keytab file if your CAS server is running in a
>>> >> Windows box, do you?
>>> >>
>>> >> JMRodriguez.
>>> >>
>>> >> > Hi guys,
>>> >> >
>>> >> > I confirm that you cannot get a Kerberos token on the local machine for
>>> >> > security reasons ... although I do not have a link on that either :-(
>>> >> >
>>> >> > And I also confirm that you should put your FQDN server name when setting
>>> >> > your service principal name. You might generate a new keytab to set it up
>>> >> > or use setspn.exe
>>> >> >
>>> >> >
>>> >> > Regards,
>>> >> >
>>> >> > -Arnaud
>>> >> >
>>> >> >
>>> >> > On Thu, Nov 6, 2008 at 7:09 PM, Bill Markmann <[EMAIL PROTECTED]>
>>> >> > wrote:
>>> >> >
>>> >> >> JMR -- interesting.  No obvious differences between the test machine
>>> >> >> and the non-working one?  I think I read somewhere that the Kerberos
>>> >> >> exchange wouldn't work properly if you were running IE from the same
>>> >> >> machine as your app server, so that might explain your non-working
>>> >> >> case... although I can't seem to locate where I'd read that now. :-)
>>> >> >>
>>> >> >> When you do 'klist -k' does your keytab user for that server show up
>>> >> >> with a fully-qualified domain name (with the .domain.es before the
>>> >> >> @DOMAIN.ES)?  I didn't include that; I wonder if that's the problem.
>>> >> >>
>>> >> >> Thanks, - Bill
>>> >> >>
>>> >> >>
>>> >> >> On Thu, Nov 6, 2008 at 12:22 PM, JMRodriguez
>>> >> >> <[EMAIL PROTECTED]>
>>> >> >> wrote:
>>> >> >> >
>>> >> >> > I'm in the same situation. I'm not using JBoss but Tomcat55.
>>> >> >> >
>>> >> >> > We have a _working_ CAS-SPNEGO on a test machine: W2kServer, AD, Tomcat55.
>>> >> >> > Here's the relevant part of our WORKING deployerConfigContext.xml:
>>> >> >> > ----------------------
>>> >> >> > <!-- SPNEGO -->
>>> >> >> > <bean name="jcifsConfig"
>>> >> >> >       class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
>>> >> >> >     <property name="jcifsServicePrincipal" value="HTTP/[EMAIL PROTECTED]" />
>>> >> >> >     <property name="jcifsServicePassword" value="*****" />
>>> >> >> >     <property name="kerberosDebug" value="true" />
>>> >> >> >     <property name="kerberosRealm" value="DOMAIN.ES" />
>>> >> >> >     <property name="kerberosKdc" value="192.168.1.1" />
>>> >> >> >     <property name="loginConf" value="C:/Archivos de programa/Apache Software Foundation/Tomcat 5.5/webapps/cas/WEB-INF/login.conf" />
>>> >> >> > </bean>
>>> >> >> > -----------------------
>>> >> >> > Note the FQDN server.domain.es (not only server, but server.domain.es).
>>> >> >> >
>>> >> >> > But our production environment doesn't work. We have there two W2003Server
>>> >> >> > (PDC and SDC), AD and a W2003Server Tomcat55. If we open IExplore from the
>>> >> >> > Tomcat machine, we obtain a NTLM token; from another machine we reach a
>>> >> >> > Kerberos token, but it fails with: Unable to obtain the output token
>>> >> >> > required.
>>> >> >> >
>>> >> >> >
>>> >> >> > That's all info I can give you. I hope someone can help us.
>>> >> >> >
>>> >> >> >
>>> >> >> > JMRodriguez
>>> >> >> >
>>> >> >> >
>>> >> >> > _______________________________________________
>>> >> >> > Yale CAS mailing list
>>> >> >> > [email protected]
>>> >> >> > http://tp.its.yale.edu/mailman/listinfo/cas
>>> >> >> >
>>> >> >>
>>> >> >
>>> >> >
>>> >> >
>>> >> > --
>>> >> > Arnaud Lesueur
>>> >> >
>>> >> > LinkedIn: http://www.linkedin.com/in/lesueur
>>> >> >
>>> >>
>>> >>
>>> >
>>> >
>>> >
>>> > --
>>> > Arnaud Lesueur
>>> >
>>> > LinkedIn: http://www.linkedin.com/in/lesueur
>>> >
>>> >
>>> >
>>>
>>
>>
>>
>> --
>> Arnaud Lesueur
>>
>> LinkedIn: http://www.linkedin.com/in/lesueur
>>
>>
>>
>>
>> --
>> Juan Manuel Rodríguez.
>> Burke.
>>
>>
>>
>>
>
>
>


-- 
Arnaud Lesueur

LinkedIn: http://www.linkedin.com/in/lesueur
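Two questions run through the thread above: whether Bill's login.conf is in the right format, and why the JVM's Krb5LoginModule dump reports "useKeyTab false ... KeyTab is null" when the file says useKeyTab=true. The script below is an added example, not code from the thread, from CAS or from JCIFS. It parses a JAAS login.conf entry, checks the keytab-related options an acceptor needs, parses the option dump the module prints with debug on, and reports where the effective settings differ from the declared ones, which is the quickest way to tell whether the JVM is reading the login.conf you think it is (the loginConf path in the jcifsConfig bean or java.security.auth.login.config pointing elsewhere, or a different entry name). The sample login.conf and debug line are constructed copies of the ones quoted in the thread; the "name value" / "name is value" grammar of the dump is inferred from that single quoted line, and all function names are my own.

```python
"""Check a JAAS login.conf entry for Krb5LoginModule keytab use and compare it
with what the JVM reports at runtime (added example; not code from the thread)."""
import re

# Constructed sample, copied in shape from the login.conf quoted in the thread.
SAMPLE_LOGIN_CONF = """
jcifs.spnego.initiate {
  com.sun.security.auth.module.Krb5LoginModule required storeKey=true
useKeyTab=true keyTab=/opt/myapp/myspnacct.keytab;
};
jcifs.spnego.accept {
  com.sun.security.auth.module.Krb5LoginModule required storeKey=true
useKeyTab=true keyTab=/opt/myapp/myspnacct.keytab;
};
"""

# Constructed sample of the option dump Krb5LoginModule prints with debug on,
# copied in shape from the line quoted in the thread.
SAMPLE_DEBUG_LINE = (
    "Debug is  true storeKey true useTicketCache false useKeyTab false "
    "doNotPrompt false ticketCache is null isInitiator true KeyTab is null "
    "refreshKrb5Config is false principal is null tryFirstPass is false "
    "useFirstPass is false storePass is false clearPass is false"
)

# login.conf grammar:  entry-name { module-class flag option=value ... ; };
ENTRY_RE = re.compile(r"(\S+)\s*\{(.*?)\};", re.S)
MODULE_RE = re.compile(r"(\S+)\s+(required|requisite|sufficient|optional)\s+(.*?);", re.S)


def parse_login_conf(text):
    """Return {entry_name: [{"module", "flag", "options"}]} for a login.conf text."""
    entries = {}
    for name, body in ENTRY_RE.findall(text):
        modules = []
        for module, flag, opts in MODULE_RE.findall(body):
            options = {}
            for token in opts.split():  # options may wrap across lines
                if "=" in token:
                    key, value = token.split("=", 1)
                    options[key] = value.strip('"')
            modules.append({"module": module, "flag": flag, "options": options})
        entries[name] = modules
    return entries


def _krb5_options(entries, name):
    """Options of the first Krb5LoginModule in entry `name`, or None."""
    for m in entries.get(name, []):
        if m["module"].endswith("Krb5LoginModule"):
            return m["options"]
    return None


def check_keytab_options(entries, name):
    """Return the problems with entry `name` for keytab-based Krb5LoginModule use."""
    opts = _krb5_options(entries, name)
    if opts is None:
        return ["%s: no Krb5LoginModule entry found" % name]
    problems = []
    if opts.get("useKeyTab") != "true":
        problems.append("%s: useKeyTab is not true, so the module will want a password" % name)
    if not opts.get("keyTab"):
        problems.append("%s: keyTab path is not set" % name)
    if opts.get("storeKey") != "true":
        problems.append("%s: storeKey=true is needed for the acceptor side" % name)
    return problems


def parse_krb5_debug(line):
    """Parse 'Debug is true storeKey true ... KeyTab is null' into a dict.
    The dump alternates 'name value' and 'name is value' tokens (inferred from
    the single line quoted in the thread)."""
    toks = line.split()
    seen = {}
    i = 0
    while i + 1 < len(toks):
        if toks[i + 1] == "is" and i + 2 < len(toks):
            seen[toks[i]] = toks[i + 2]
            i += 3
        else:
            seen[toks[i]] = toks[i + 1]
            i += 2
    return seen


def compare_declared_vs_effective(entries, name, debug_line):
    """Return (option, declared, effective) triples where the JVM's dump differs
    from what login.conf declares; an empty list means the file was picked up."""
    declared = _krb5_options(entries, name) or {}
    effective = parse_krb5_debug(debug_line)
    mismatches = []
    for key, dump_key in (("useKeyTab", "useKeyTab"), ("storeKey", "storeKey"), ("keyTab", "KeyTab")):
        want = declared.get(key, None if key == "keyTab" else "false")
        got = effective.get(dump_key)
        if got == "null":
            got = None
        if want != got:
            mismatches.append((key, want, got))
    return mismatches


if __name__ == "__main__":
    conf = parse_login_conf(SAMPLE_LOGIN_CONF)
    for entry in conf:
        print(entry, check_keytab_options(conf, entry) or "ok")
    for key, want, got in compare_declared_vs_effective(conf, "jcifs.spnego.accept", SAMPLE_DEBUG_LINE):
        print("mismatch: %s declared=%s effective=%s (JVM is not reading this entry)" % (key, want, got))
```

On the thread's own inputs the file itself passes the format check, while the comparison flags useKeyTab and keyTab as mismatched, which points at the JVM loading a different login.conf (or entry name) rather than at the file's syntax; a keytab password that has been rotated on the account, or clock skew against the KDC, shows up as a KDC error (such as the pre-authentication failure quoted above) rather than as a mismatch here.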
