Bill, I'm glad to see this is finally working at your place!
Could you please paste your configuration in this thread or update the wiki page with those elements?

Regards,

-Arnaud

On Tue, Nov 18, 2008 at 8:54 PM, Bill Markmann <[EMAIL PROTECTED]> wrote:
> Just wanted to update this thread (thanks for the help, Arnaud!):
>
> - I commented out the password in my jcifsConfig bean
> - I added "useKeyTab", "keyTab", "principal", and "realm" elements to the JBoss login-config.xml Krb5LoginModule block
>
> ...and Kerberos exchanges work now! Thanks to everyone who gave input. Hope this helps someone in the future...
>
> - Bill
>
> On Sun, Nov 16, 2008 at 2:11 PM, Arnaud Lesueur <[EMAIL PROTECTED]> wrote:
>> Bill,
>>
>> You will have to give a try with the jcifsConfig bean while I do not remember that part. Did you check your clock skew? According to
>> http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html
>>
>> Otherwise, you will have to google on this point.
>>
>> Regards,
>>
>> -Arnaud
>>
>> On Thu, Nov 13, 2008 at 5:36 PM, Bill Markmann <[EMAIL PROTECTED]> wrote:
>>> Juan, excellent! I look forward to your howto... :-)
>>>
>>> Regenerating my keytab so that the SPN was an FQDN (HTTP/[EMAIL PROTECTED]) got me to the point where there is actually a Kerberos negotiation happening now, so I'm one step closer to having this work. However, I'm getting a Kerberos error:
>>>
>>>     Pre-authentication information was invalid (24)
>>>
>>> I'm not sure why the password wouldn't work, but I'm not making the account or generating the keytab myself (ah, the joys of working in a large distributed IT organization), so I don't believe anything there has changed, but it's tough to say... It also appears from the log that my keytab is not being used:
>>>
>>>     2008-11-12 21:11:28,286 [http-0.0.0.0-8443-2] DEBUG org.jasig.cas.CentralAuthenticationServiceImpl - Attempting to create TicketGrantingTicket for Principal is null
>>>     Debug is true storeKey true useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
>>>
>>> I added the useKeyTab=true option to my login.conf; what else would cause it to not pick that up? Should I get rid of the following from my jcifsConfig bean, perhaps?...
>>>
>>>     <property name="jcifsServicePrincipal" value="HTTP/[EMAIL PROTECTED]" />
>>>     <property name="jcifsServicePassword" value="my_pw" />
>>>
>>> Here is my login.conf:
>>>
>>>     jcifs.spnego.initiate {
>>>         com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab=/opt/myapp/myspnacct.keytab;
>>>     };
>>>     jcifs.spnego.accept {
>>>         com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab=/opt/myapp/myspnacct.keytab;
>>>     };
>>>
>>> Is that format correct, Arnaud? Is there anywhere else I'd need to make a change to get the Krb5LoginModule to use the keytab?
>>>
>>> Thanks for the help so far!
>>>
>>> - Bill
>>>
>>> On Thu, Nov 13, 2008 at 10:17 AM, Juan Manuel Rodríguez <[EMAIL PROTECTED]> wrote:
>>>> OK. I've just fixed some DNS issues and made a successful test.
>>>>
>>>> I'll post a small howto from my experience next week.
>>>>
>>>> Thank you, Arnaud, and all CAS Team.
>>>>
>>>> JMRodriguez
>>>>
>>>> Arnaud Lesueur wrote:
>>>>> Add the following option to login.conf: useKeyTab=true, keyTab=keytab.file
>>>>> With the keytab.file in the home directory of the user who launches the JVM used by CAS.
>>>>>
>>>>> I'm not suspecting JBoss but you can at least try with Tomcat, the test is going to be really quick :-)
>>>>>
>>>>> Regards,
>>>>>
>>>>> -Arnaud
>>>>>
>>>>> On Thu, Nov 6, 2008 at 10:31 PM, Bill Markmann <[EMAIL PROTECTED]> wrote:
>>>>>> Hi, Arnaud... so I'm taking two points away so far:
>>>>>>
>>>>>> - the service principal's account name should be a fully qualified domain name, and
>>>>>> - I should not specify the service principal's account password, but rather point to the keytab
>>>>>>
>>>>>> On the second point, where would the location of the keytab be specified? Will that be picked up from my krb5.conf setup, or does it need to be specified in my jcifsConfig bean (in deployerConfigContext.xml)?
>>>>>>
>>>>>> Any other thoughts? Do you think I was barking up the wrong tree in suspecting JBoss?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> - Bill
>>>>>>
>>>>>> On Thu, Nov 6, 2008 at 3:56 PM, Arnaud Lesueur <[EMAIL PROTECTED]> wrote:
>>>>>>> True. But you still have to set the service principal name, which is done when you generate your keytab in fact :-)
>>>>>>>
>>>>>>> Another thing is that you might also use the keytab file instead of the password in your configuration.
>>>>>>>
>>>>>>> -Arnaud
>>>>>>>
>>>>>>> On Thu, Nov 6, 2008 at 9:31 PM, <[EMAIL PROTECTED]> wrote:
>>>>>>>> But you don't need the keytab file if your CAS server is running in a Windows box, do you?
>>>>>>>>
>>>>>>>> JMRodriguez.
>>>>>>>>
>>>>>>>>> Hi guys,
>>>>>>>>>
>>>>>>>>> I confirm that you cannot get a Kerberos token on the local machine for security reasons... although I do not have a link on that too :-(
>>>>>>>>>
>>>>>>>>> And I also confirm that you should put your FQDN server name when setting your service principal name. You might generate a new keytab to set it up or use setspn.exe
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>>
>>>>>>>>> -Arnaud
>>>>>>>>>
>>>>>>>>> On Thu, Nov 6, 2008 at 7:09 PM, Bill Markmann <[EMAIL PROTECTED]> wrote:
>>>>>>>>>> JMR -- interesting. No obvious differences between the test machine and the non-working one? I think I read somewhere that the Kerberos exchange wouldn't work properly if you were running IE from the same machine as your app server, so that might explain your non-working case... although I can't seem to locate where I'd read that now. :-)
>>>>>>>>>>
>>>>>>>>>> When you do 'klist -k' does your keytab user for that server show up with a fully-qualified domain name (with the .domain.es before the @DOMAIN.ES)? I didn't include that; I wonder if that's the problem.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>>
>>>>>>>>>> - Bill
>>>>>>>>>>
>>>>>>>>>> On Thu, Nov 6, 2008 at 12:22 PM, JMRodriguez <[EMAIL PROTECTED]> wrote:
>>>>>>>>>>> I'm in the same situation. I'm not using JBoss but Tomcat55.
>>>>>>>>>>>
>>>>>>>>>>> We have a _working_ CAS-SPNEGO on a test machine: W2kServer, AD, Tomcat55.
>>>>>>>>>>> Here's the relevant part of our WORKING deployerConfigContext.xml:
>>>>>>>>>>> ----------------------
>>>>>>>>>>>     <!-- SPNEGO -->
>>>>>>>>>>>     <bean name="jcifsConfig"
>>>>>>>>>>>           class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
>>>>>>>>>>>         <property name="jcifsServicePrincipal" value="HTTP/[EMAIL PROTECTED]" />
>>>>>>>>>>>         <property name="jcifsServicePassword" value="*****" />
>>>>>>>>>>>         <property name="kerberosDebug" value="true" />
>>>>>>>>>>>         <property name="kerberosRealm" value="DOMAIN.ES" />
>>>>>>>>>>>         <property name="kerberosKdc" value="192.168.1.1" />
>>>>>>>>>>>         <property name="loginConf" value="C:/Archivos de programa/Apache Software Foundation/Tomcat 5.5/webapps/cas/WEB-INF/login.conf" />
>>>>>>>>>>>     </bean>
>>>>>>>>>>> -----------------------
>>>>>>>>>>> Note the FQDN server.domain.es (not only server, but server.domain.es).
>>>>>>>>>>>
>>>>>>>>>>> But our production environment doesn't work. We have there two W2003Server (PDC and SDC), AD and a W2003Server Tomcat55. If we open IExplore from the Tomcat machine, we obtain a NTLM token; from another machine we reach a Kerberos token, but it fails with: Unable to obtain the output token required.
>>>>>>>>>>>
>>>>>>>>>>> That's all info I can give you. I hope someone can help us.
>>>>>>>>>>>
>>>>>>>>>>> JMRodriguez
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> View this message in context: http://www.nabble.com/SPNEGO-fails-back-to-NTLM-%28won%27t-do-Kerberos%29-tp20365070p20365611.html
>>>>>>>>>>> Sent from the CAS Users mailing list archive at Nabble.com.
>>>>
>>>> --
>>>> Juan Manuel Rodríguez.
>>>> Burke.

--
Arnaud Lesueur

LinkedIn: http://www.linkedin.com/in/lesueur

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
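As an added example (not code from this thread, from CAS or from JCIFS), here is a small Python checker for the three things the thread converged on: the Krb5LoginModule entry must say useKeyTab=true and carry a keyTab path (otherwise the JAAS debug output shows the "useKeyTab false ... KeyTab is null" line Bill saw), the service principal must name the host by its FQDN, and the service account password should not stay in deployerConfigContext.xml once the keytab is in place, because that leaves a domain credential in a plain-text file on the web server. The login.conf and bean samples are constructed from the shapes posted above with placeholder hostnames and passwords; the 300-second clock-skew tolerance is an assumed default (MIT Kerberos' clockskew setting), not something the thread states.

```python
"""Checks for the SPNEGO/Kerberos pitfalls this thread ran into.

Added example, not CAS or JCIFS code. Parses a JAAS login.conf shaped like
the one posted above and a jcifsConfig bean shaped like JMRodriguez's, and
flags a missing/false useKeyTab, a missing keyTab, a non-FQDN SPN, a
password left in the bean, and clock skew the KDC would reject.
"""
import re
import xml.etree.ElementTree as ET

# Assumption: 5 minutes, the usual KDC tolerance (MIT krb5 clockskew default).
MAX_CLOCK_SKEW_SECONDS = 300

# Constructed sample: the posted login.conf with a principal added.
SAMPLE_LOGIN_CONF = """
jcifs.spnego.initiate {
    com.sun.security.auth.module.Krb5LoginModule required storeKey=true
    useKeyTab=true keyTab=/opt/myapp/myspnacct.keytab
    principal=HTTP/cas.example.org@EXAMPLE.ORG;
};
jcifs.spnego.accept {
    com.sun.security.auth.module.Krb5LoginModule required storeKey=true
    useKeyTab=true keyTab=/opt/myapp/myspnacct.keytab;
};
"""

# Constructed sample: the entry that yields "useKeyTab false ... KeyTab is null".
BROKEN_LOGIN_CONF = """
jcifs.spnego.accept {
    com.sun.security.auth.module.Krb5LoginModule required storeKey=true;
};
"""

# Constructed sample modelled on the bean in the thread (placeholder values).
SAMPLE_BEAN = """
<bean name="jcifsConfig"
      class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
    <property name="jcifsServicePrincipal" value="HTTP/server.domain.es@DOMAIN.ES" />
    <property name="jcifsServicePassword" value="*****" />
    <property name="kerberosRealm" value="DOMAIN.ES" />
</bean>
"""

_ENTRY_RE = re.compile(r"(\S+)\s*\{(.*?)\}\s*;", re.DOTALL)   # name { ... };
_OPTION_RE = re.compile(r'(\w+)=("[^"]*"|[^\s;]+)')            # key=value or key="v"
_SPN_RE = re.compile(r"^HTTP/(?P<host>[^@\s/]+)@(?P<realm>[^@\s]+)$")


def parse_login_conf(text):
    """Return {entry_name: [{'module': cls, 'flag': flag, 'options': {...}}]}."""
    entries = {}
    for name, body in _ENTRY_RE.findall(text):
        modules = []
        for stanza in body.split(";"):          # one login module per ';'
            tokens = stanza.split()
            if len(tokens) < 2:
                continue
            options = {k: v.strip('"') for k, v in _OPTION_RE.findall(stanza)}
            modules.append({"module": tokens[0], "flag": tokens[1], "options": options})
        entries[name] = modules
    return entries


def check_spn(spn):
    """The SPN host part must be the FQDN and the realm upper-case."""
    m = _SPN_RE.match(spn)
    if not m:
        return [f"SPN {spn!r} is not of the form HTTP/host@REALM"]
    problems = []
    host, realm = m.group("host"), m.group("realm")
    if "." not in host:
        problems.append(f"SPN host {host!r} is a short name, not an FQDN")
    if realm != realm.upper():
        problems.append(f"realm {realm!r} should be upper-case")
    return problems


def check_krb5_entry(modules):
    """Flag a JAAS entry whose Krb5LoginModule would ignore the keytab."""
    krb5 = [m for m in modules if m["module"].endswith("Krb5LoginModule")]
    if not krb5:
        return ["no Krb5LoginModule in this entry"]
    opts, problems = krb5[0]["options"], []
    if opts.get("useKeyTab", "false").lower() != "true":
        problems.append("useKeyTab is not true: the keytab will be ignored")
    if "keyTab" not in opts:
        problems.append("keyTab path is not set")
    if "principal" in opts:
        problems.extend(check_spn(opts["principal"]))
    return problems


def bean_properties(xml_text):
    """Return the <property name=... value=...> pairs of a Spring bean."""
    root = ET.fromstring(xml_text.strip())
    return {p.get("name"): p.get("value") for p in root.findall("property")}


def check_bean(props):
    """Flag a jcifsConfig bean that still carries the service password."""
    problems = []
    if props.get("jcifsServicePassword"):
        problems.append("jcifsServicePassword is set: remove it from "
                        "deployerConfigContext.xml and rely on the keytab")
    spn = props.get("jcifsServicePrincipal")
    problems.extend(check_spn(spn) if spn else ["jcifsServicePrincipal is not set"])
    return problems


def clock_skew_ok(local_epoch, kdc_epoch, max_skew=MAX_CLOCK_SKEW_SECONDS):
    """True if the CAS host and KDC clocks (epoch seconds) are within tolerance."""
    return abs(local_epoch - kdc_epoch) <= max_skew


def run_checks(login_conf=SAMPLE_LOGIN_CONF, bean_xml=SAMPLE_BEAN):
    """Collect findings keyed by JAAS entry name or 'jcifsConfig'."""
    findings = {n: check_krb5_entry(m) for n, m in parse_login_conf(login_conf).items()}
    findings["jcifsConfig"] = check_bean(bean_properties(bean_xml))
    return {k: v for k, v in findings.items() if v}


if __name__ == "__main__":
    for where, problems in run_checks().items():
        print(where, "->", "; ".join(problems))
```

Run it against your own files by passing their contents to run_checks(); on the constructed samples it reports only the password left in the bean, which is exactly the last thing Bill removed before Kerberos started working.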
