Just wanted to update this thread (thanks for the help, Arnaud!):

- I commented out the password in my jcifsConfig bean
- I added "useKeyTab", "keyTab", "principal", and "realm" elements to the JBoss login-config.xml Krb5LoginModule block

...and Kerberos exchanges work now! Thanks to everyone who gave input. Hope this helps someone in the future...

- Bill

On Sun, Nov 16, 2008 at 2:11 PM, Arnaud Lesueur <[EMAIL PROTECTED]> wrote:
> Bill,
>
> You will have to give a try with the jcifsConfig bean while I do not
> remember that part. Did you check your clock skew? According to
> http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html
>
> Otherwise, you will have to google on this point.
>
> Regards,
>
> -Arnaud
>
> On Thu, Nov 13, 2008 at 5:36 PM, Bill Markmann <[EMAIL PROTECTED]> wrote:
>> Juan, excellent! I look forward to your howto... :-)
>>
>> Regenerating my keytab so that the SPN was an FQDN (HTTP/[EMAIL PROTECTED])
>> got me to the point where there is actually a Kerberos negotiation
>> happening now, so I'm one step closer to having this work. However, I'm
>> getting a Kerberos error:
>>
>> Pre-authentication information was invalid (24)
>>
>> I'm not sure why the password wouldn't work, but I'm not making the
>> account or generating the keytab myself (ah, the joys of working in a
>> large distributed IT organization), so I don't believe anything there has
>> changed, but it's tough to say... It also appears from the log that my
>> keytab is not being used:
>>
>> 2008-11-12 21:11:28,286 [http-0.0.0.0-8443-2] DEBUG org.jasig.cas.CentralAuthenticationServiceImpl - Attempting to create TicketGrantingTicket for Principal is null
>> Debug is true storeKey true useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>
>> I added the useKeyTab=true option to my login.conf; what else would cause
>> it to not pick that up? Should I get rid of the following from my
>> jcifsConfig bean, perhaps?...
>>
>> <property name="jcifsServicePrincipal" value="HTTP/[EMAIL PROTECTED]" />
>> <property name="jcifsServicePassword" value="my_pw" />
>>
>> Here is my login.conf:
>>
>> jcifs.spnego.initiate {
>>   com.sun.security.auth.module.Krb5LoginModule required storeKey=true
>>     useKeyTab=true keyTab=/opt/myapp/myspnacct.keytab;
>> };
>> jcifs.spnego.accept {
>>   com.sun.security.auth.module.Krb5LoginModule required storeKey=true
>>     useKeyTab=true keyTab=/opt/myapp/myspnacct.keytab;
>> };
>>
>> Is that format correct, Arnaud? Is there anywhere else I'd need to make a
>> change to get the Krb5LoginModule to use the keytab?
>>
>> Thanks for the help so far!
>>
>> - Bill
>>
>> On Thu, Nov 13, 2008 at 10:17 AM, Juan Manuel Rodríguez <[EMAIL PROTECTED]> wrote:
>>> OK. I've just fixed some DNS issues and made a successful test.
>>>
>>> I'll post a small howto from my experience next week.
>>>
>>> Thank you, Arnaud, and all CAS Team.
>>>
>>> JMRodriguez
>>>
>>> Arnaud Lesueur wrote:
>>>
>>> Add the following option to login.conf: useKeyTab=true, keyTab=keytab.file
>>> With the keytab.file in the home directory of the user who launches the JVM
>>> used by CAS.
>>>
>>> I'm not suspecting JBoss but you can at least try with Tomcat, test is
>>> going to be really quick :-)
>>>
>>> Regards,
>>>
>>> -Arnaud
>>>
>>> On Thu, Nov 6, 2008 at 10:31 PM, Bill Markmann <[EMAIL PROTECTED]> wrote:
>>>> Hi, Arnaud... so I'm taking two points away so far:
>>>>
>>>> - the service principal's account name should be a fully qualified
>>>>   domain name, and
>>>> - I should not specify the service principal's account password, but
>>>>   rather point to the keytab
>>>>
>>>> On the second point, where would the location of the keytab be
>>>> specified? Will that be picked up from my krb5.conf setup, or does it
>>>> need to be specified in my jcifsConfig bean (in
>>>> deployerConfigContext.xml)?
>>>>
>>>> Any other thoughts?
>>>> Do you think I was barking up the wrong tree in suspecting JBoss?
>>>>
>>>> Thanks,
>>>> - Bill
>>>>
>>>> On Thu, Nov 6, 2008 at 3:56 PM, Arnaud Lesueur <[EMAIL PROTECTED]> wrote:
>>>> > True. But you still have to set the service principal name which is
>>>> > done when you generate your keytab in fact :-)
>>>> >
>>>> > Another thing is that you might also use the keytab file instead of
>>>> > the password on your configuration.
>>>> >
>>>> > -Arnaud
>>>> >
>>>> > On Thu, Nov 6, 2008 at 9:31 PM, <[EMAIL PROTECTED]> wrote:
>>>> >>
>>>> >> But you don't need the keytab file if your CAS server is running in a
>>>> >> Windows box, do you?
>>>> >>
>>>> >> JMRodriguez.
>>>> >>
>>>> >> > Hi guys,
>>>> >> >
>>>> >> > I confirm that you cannot get a Kerberos token on the local machine
>>>> >> > for security reasons... although I do not have a link on that too :-(
>>>> >> >
>>>> >> > And I also confirm that you should put your FQDN server name when
>>>> >> > setting your service principal name. You might generate a new keytab
>>>> >> > to set it up or use setspn.exe
>>>> >> >
>>>> >> > Regards,
>>>> >> >
>>>> >> > -Arnaud
>>>> >> >
>>>> >> > On Thu, Nov 6, 2008 at 7:09 PM, Bill Markmann <[EMAIL PROTECTED]> wrote:
>>>> >> >
>>>> >> >> JMR -- interesting. No obvious differences between the test machine
>>>> >> >> and the non-working one? I think I read somewhere that the Kerberos
>>>> >> >> exchange wouldn't work properly if you were running IE from the same
>>>> >> >> machine as your app server, so that might explain your non-working
>>>> >> >> case... although I can't seem to locate where I'd read that now. :-)
>>>> >> >>
>>>> >> >> When you do 'klist -k' does your keytab user for that server show up
>>>> >> >> with a fully-qualified domain name (with the .domain.es before the
>>>> >> >> @DOMAIN.ES)?
>>>> >> >> I didn't include that; I wonder if that's the problem.
>>>> >> >>
>>>> >> >> Thanks,
>>>> >> >> - Bill
>>>> >> >>
>>>> >> >> On Thu, Nov 6, 2008 at 12:22 PM, JMRodriguez <[EMAIL PROTECTED]> wrote:
>>>> >> >> >
>>>> >> >> > I'm in the same situation. I'm not using JBoss but Tomcat55.
>>>> >> >> >
>>>> >> >> > We have a _working_ CAS-SPNEGO on a test machine: W2kServer, AD, Tomcat55.
>>>> >> >> > Here's the relevant part of our WORKING deployerConfigContext.xml:
>>>> >> >> > ----------------------
>>>> >> >> > <!-- SPNEGO -->
>>>> >> >> > <bean name="jcifsConfig"
>>>> >> >> >       class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
>>>> >> >> >   <property name="jcifsServicePrincipal" value="HTTP/[EMAIL PROTECTED]" />
>>>> >> >> >   <property name="jcifsServicePassword" value="*****" />
>>>> >> >> >   <property name="kerberosDebug" value="true" />
>>>> >> >> >   <property name="kerberosRealm" value="DOMAIN.ES" />
>>>> >> >> >   <property name="kerberosKdc" value="192.168.1.1" />
>>>> >> >> >   <property name="loginConf" value="C:/Archivos de programa/Apache Software Foundation/Tomcat 5.5/webapps/cas/WEB-INF/login.conf" />
>>>> >> >> > </bean>
>>>> >> >> > -----------------------
>>>> >> >> > Note the FQDN server.domain.es (not only server, but server.domain.es).
>>>> >> >> >
>>>> >> >> > But our production environment doesn't work. We have there two
>>>> >> >> > W2003Server (PDC and SDC), AD and a W2003Server Tomcat55. If we open
>>>> >> >> > IExplore from the Tomcat machine, we obtain an NTLM token; from another
>>>> >> >> > machine we reach a Kerberos token, but it fails with: Unable to obtain
>>>> >> >> > the output token required.
>>>> >> >> >
>>>> >> >> > That's all the info I can give you. I hope someone can help us.
>>>> >> >> >
>>>> >> >> > JMRodriguez
>>>> >> >> >
>>>> >> >> > --
>>>> >> >> > View this message in context:
>>>> >> >> > http://www.nabble.com/SPNEGO-fails-back-to-NTLM-%28won%27t-do-Kerberos%29-tp20365070p20365611.html
>>>> >> >> > Sent from the CAS Users mailing list archive at Nabble.com.
>>>> >> >> >
>>>> >> >> > _______________________________________________
>>>> >> >> > Yale CAS mailing list
>>>> >> >> > [email protected]
>>>> >> >> > http://tp.its.yale.edu/mailman/listinfo/cas
>>>> >> >
>>>> >> > --
>>>> >> > Arnaud Lesueur
>>>> >> > LinkedIn: http://www.linkedin.com/in/lesueur
>>>
>>> --
>>> Juan Manuel Rodríguez.
>>> Burke.
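As an added example (not code from the thread, CAS or JCIFS), here is a small Python checker for the JAAS login.conf format discussed above: it parses the entries and flags the gaps the thread worked through (useKeyTab not true, no keyTab path, no principal, or a principal whose host part is not fully qualified). The sample login.conf, the path /opt/myapp/myspnacct.keytab and the SPN HTTP/cas.example.org@EXAMPLE.ORG are constructed for the example.

```python
import re
import shlex
# Constructed sample modelled on the login.conf posted in the thread: "initiate"
# is the incomplete form, "accept" carries the principal the fix added.
SAMPLE_LOGIN_CONF = """
jcifs.spnego.initiate {
  com.sun.security.auth.module.Krb5LoginModule required storeKey=true
    useKeyTab=true keyTab=/opt/myapp/myspnacct.keytab;
};
jcifs.spnego.accept {
  com.sun.security.auth.module.Krb5LoginModule required storeKey=true
    useKeyTab=true keyTab="/opt/myapp/myspnacct.keytab"
    principal="HTTP/cas.example.org@EXAMPLE.ORG";
};
"""
KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule"
ENTRY_RE = re.compile(r"([\w.]+)\s*\{(.*?)\}\s*;", re.S)   # name { ... };
SPN_RE = re.compile(r"([^/@]+)/([^@]+)@(.+)")               # service/host@REALM

def parse_login_conf(text):
    """Return {entry_name: [(module_class, control_flag, {option: value}), ...]}."""
    entries = {}
    for name, body in ENTRY_RE.findall(text):
        modules = []
        for stanza in body.split(";"):          # one module line per ';'
            tokens = shlex.split(stanza)        # quoted values may contain spaces
            if len(tokens) >= 2:
                opts = dict(tok.partition("=")[::2] for tok in tokens[2:])
                modules.append((tokens[0], tokens[1], opts))
        entries[name] = modules
    return entries

def audit_krb5_entries(entries):
    """Flag the Krb5LoginModule gaps seen in the thread; returns {entry: [issues]}."""
    report = {}
    for name, modules in entries.items():
        for module, _flag, opts in modules:
            if module != KRB5_MODULE:
                continue
            m = SPN_RE.fullmatch(spn := opts.get("principal", ""))
            checks = [
                (opts.get("useKeyTab", "false").lower() != "true",
                 "useKeyTab is not true: the module falls back to a password callback"),
                (not opts.get("keyTab"), "keyTab path not set"),
                (not spn, "principal not set"),
                (spn and not m, "principal is not of the form service/host@REALM"),
                (m and "." not in m.group(2), "principal host is not a FQDN"),
            ]
            report[name] = [msg for bad, msg in checks if bad]
    return report
```

Run `audit_krb5_entries(parse_login_conf(open("login.conf").read()))` against the file the JVM is actually given (via java.security.auth.login.config or the loginConf bean property); an empty list per entry means the module will read the keytab rather than prompt for a password.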
