Arnaud,
I don't have a Confluence account, so I don't think I can edit that wiki
page. Here is what I ended up with (the difference from the tutorial here
being that I'm using JBoss and using a keytab for my service principal
instead of directly specifying a password):
- in JBoss' login-config.xml:
<application-policy name="other">
  <authentication>
    <login-module code="com.sun.security.auth.module.Krb5LoginModule"
                  flag="required">
      <module-option name="storeKey">true</module-option>
      <module-option name="debug">true</module-option>
      <module-option name="useKeyTab">true</module-option>
      <module-option name="keyTab">/opt/myapp/my.keytab</module-option>
      <module-option name="principal">HTTP/[EMAIL PROTECTED]</module-option>
      <module-option name="realm">MY.REALM</module-option>
    </login-module>
  </authentication>
</application-policy>
- in CAS webapp's deployerConfigContext.xml:
<bean name="jcifsConfig"
      class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
  <!-- the following should be ignored and values come from JBoss'
       login-config.xml -->
  <property name="jcifsServicePrincipal" value="HTTP/[EMAIL PROTECTED]" />
  <!-- <property name="jcifsServicePassword" value="removed" /> -->
  <property name="kerberosDebug" value="true" />
  <property name="kerberosRealm" value="MY.REALM" />
  <property name="kerberosKdc" value="my.kdc" />
  <property name="loginConf"
            value="/opt/jboss-4.0.2/server/default/deploy/cas.war/WEB-INF/login.conf" />
</bean>
Not sure if the redundant values are ignored or what -- that was what I had
when it started working... If I get time later (doubtful), I'll test a
little more and see which values actually have precedence. Putting
"useKeyTab", "keyTab", "principal", and "realm" in login-config.xml and
commenting out the password for the jcifsConfig bean are what finally got
authentication working. Using "HTTP/[EMAIL PROTECTED]" for the
principal's name (everywhere it's specified -- the keytab generation,
login-config.xml, login.conf, deployerConfigContext, etc.) is what got the
Kerberos exchange happening in the first place.
Hope this saves someone else some time... :-)
- Bill
On Wed, Nov 19, 2008 at 3:16 AM, Arnaud Lesueur <[EMAIL PROTECTED]> wrote:
> Bill,
>
> I'm glad to see this is finally working at your place !
>
> Could you please paste, your configuration in this thread or update the
> wiki page with those elements ?
>
> Regards,
>
> -Arnaud
>
>
>
> On Tue, Nov 18, 2008 at 8:54 PM, Bill Markmann <[EMAIL PROTECTED]> wrote:
>
>> Just wanted to update this thread (thanks for the help, Arnaud!):
>>
>> - I commented out the password in my jcifsConfig bean
>> - I added "useKeyTab", "keyTab", "principal", and "realm" elements to the
>> JBoss login-config.xml Krb5LoginModule block
>>
>> ...and Kerberos exchanges work now! Thanks to everyone who gave input.
>> Hope this helps someone in the future... - Bill
>>
>>
>> On Sun, Nov 16, 2008 at 2:11 PM, Arnaud Lesueur <[EMAIL PROTECTED]> wrote:
>>
>>> Bill,
>>>
>>> You will have to give a try with the jcifsConfig bean while I do not
>>> remember that part. Did you check your clock skew? According to
>>> http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html
>>>
>>> Otherwise, you will have to google on this point.
>>>
>>> Regards,
>>>
>>> -Arnaud
>>>
>>>
>>>
>>> On Thu, Nov 13, 2008 at 5:36 PM, Bill Markmann <[EMAIL PROTECTED]> wrote:
>>>
>>>> Juan, excellent! I look forward to your howto... :-)
>>>>
>>>> Regenerating my keytab so that the SPN was a FQDN (HTTP/[EMAIL PROTECTED])
>>>> got me to the point where there is actually a Kerberos negotiation
>>>> happening now, so I'm one step closer to having this work. However, I'm
>>>> getting a Kerberos error:
>>>>
>>>> Pre-authentication information was invalid (24)
>>>>
>>>> I'm not sure why the password wouldn't work, but I'm not making the
>>>> account or generating the keytab myself (ah, the joys of working in a
>>>> large distributed IT organization), so I don't believe anything there has
>>>> changed, but it's tough to say... It also appears from the log that my
>>>> keytab is not being used:
>>>>
>>>> 2008-11-12 21:11:28,286 [http-0.0.0.0-8443-2] DEBUG
>>>> org.jasig.cas.CentralAuthenticationServiceImpl - Attempting to create
>>>> TicketGrantingTicket for Principal is null
>>>> Debug is true storeKey true useTicketCache false useKeyTab false
>>>> doNotPrompt false ticketCache is null isInitiator true KeyTab is null
>>>> refreshKrb5Config is false principal is null tryFirstPass is false
>>>> useFirstPass is false storePass is false clearPass is false
>>>>
>>>> I added the useKeyTab=true option to my login.conf; what else would
>>>> cause it to not pick that up? Should I get rid of the following from my
>>>> jcifsConfig bean, perhaps?...
>>>>
>>>> <property name="jcifsServicePrincipal" value="HTTP/[EMAIL PROTECTED]" />
>>>> <property name="jcifsServicePassword" value="my_pw" />
>>>>
>>>> Here is my login.conf:
>>>>
>>>> jcifs.spnego.initiate {
>>>> com.sun.security.auth.module.Krb5LoginModule required storeKey=true
>>>> useKeyTab=true keyTab=/opt/myapp/myspnacct.keytab;
>>>> };
>>>> jcifs.spnego.accept {
>>>> com.sun.security.auth.module.Krb5LoginModule required storeKey=true
>>>> useKeyTab=true keyTab=/opt/myapp/myspnacct.keytab;
>>>> };
>>>>
>>>> Is that format correct, Arnaud? Is there anywhere else I'd need to make
>>>> a change to get the Krb5LoginModule to use the keytab?
>>>>
>>>> Thanks for the help so far! - Bill
>>>>
>>>>
>>>> On Thu, Nov 13, 2008 at 10:17 AM, Juan Manuel Rodríguez <[EMAIL PROTECTED]> wrote:
>>>>
>>>>> OK. I've just fixed some DNS issues and made a successful test.
>>>>>
>>>>> I'll post a small howto from my experience next week.
>>>>>
>>>>> Thank you, Arnaud, and all CAS Team.
>>>>>
>>>>> JMRodriguez
>>>>>
>>>>>
>>>>>
>>>>> Arnaud Lesueur escribió:
>>>>>
>>>>> Add the following options to login.conf: useKeyTab=true, keyTab=keytab.file
>>>>> with keytab.file in the home directory of the user who launches the
>>>>> JVM used by CAS.
>>>>>
>>>>> I'm not suspecting JBoss, but you can at least try with Tomcat; the test
>>>>> is going to be really quick :-)
>>>>>
>>>>> Regards,
>>>>>
>>>>> -Arnaud
>>>>>
>>>>> On Thu, Nov 6, 2008 at 10:31 PM, Bill Markmann <[EMAIL PROTECTED]> wrote:
>>>>>
>>>>>> Hi, Arnaud... so I'm taking two points away so far:
>>>>>>
>>>>>> - the service principal's account name should be a fully qualified
>>>>>> domain name, and
>>>>>> - I should not specify the service principal's account password, but
>>>>>> rather point to the keytab
>>>>>>
>>>>>> On the second point, where would the location of the keytab be
>>>>>> specified? Will that be picked up from my krb5.conf setup, or does it
>>>>>> need to be specified in my jcifsConfig bean (in
>>>>>> deployerConfigContext.xml)?
>>>>>>
>>>>>> Any other thoughts? Do you think I was barking up the wrong tree in
>>>>>> suspecting JBoss?
>>>>>>
>>>>>> Thanks, - Bill
>>>>>>
>>>>>> On Thu, Nov 6, 2008 at 3:56 PM, Arnaud Lesueur <[EMAIL PROTECTED]> wrote:
>>>>>> > True. But you still have to set the service principal name, which is
>>>>>> > done when you generate your keytab in fact :-)
>>>>>> >
>>>>>> > Another thing is that you might also use the keytab file instead of
>>>>>> > the password in your configuration.
>>>>>> >
>>>>>> > -Arnaud
>>>>>> >
>>>>>> >
>>>>>> > On Thu, Nov 6, 2008 at 9:31 PM, <[EMAIL PROTECTED]> wrote:
>>>>>> >>
>>>>>> >> But you don't need the keytab file if your CAS server is running on
>>>>>> >> a Windows box, do you?
>>>>>> >>
>>>>>> >> JMRodriguez.
>>>>>> >>
>>>>>> >> > Hi guys,
>>>>>> >> >
>>>>>> >> > I confirm that you cannot get a Kerberos token on the local machine
>>>>>> >> > for security reasons ... although I do not have a link on that too :-(
>>>>>> >> >
>>>>>> >> > And I also confirm that you should put your FQDN server name when
>>>>>> >> > setting your service principal name. You might generate a new keytab
>>>>>> >> > to set it up or use setspn.exe
>>>>>> >> >
>>>>>> >> >
>>>>>> >> > Regards,
>>>>>> >> >
>>>>>> >> > -Arnaud
>>>>>> >> >
>>>>>> >> >
>>>>>> >> > On Thu, Nov 6, 2008 at 7:09 PM, Bill Markmann <[EMAIL PROTECTED]> wrote:
>>>>>> >> >
>>>>>> >> >> JMR -- interesting. No obvious differences between the test machine
>>>>>> >> >> and the non-working one? I think I read somewhere that the Kerberos
>>>>>> >> >> exchange wouldn't work properly if you were running IE from the same
>>>>>> >> >> machine as your app server, so that might explain your non-working
>>>>>> >> >> case... although I can't seem to locate where I'd read that now. :-)
>>>>>> >> >>
>>>>>> >> >> When you do 'klist -k' does your keytab user for that server show up
>>>>>> >> >> with a fully-qualified domain name (with the .domain.es before the
>>>>>> >> >> @DOMAIN.ES)? I didn't include that; I wonder if that's the problem.
>>>>>> >> >>
>>>>>> >> >> Thanks, - Bill
>>>>>> >> >>
>>>>>> >> >>
>>>>>> >> >> On Thu, Nov 6, 2008 at 12:22 PM, JMRodriguez <[EMAIL PROTECTED]> wrote:
>>>>>> >> >> >
>>>>>> >> >> > I'm in the same situation. I'm not using JBoss but Tomcat55.
>>>>>> >> >> >
>>>>>> >> >> > We have a _working_ CAS-SPNEGO on a test machine: W2kServer, AD,
>>>>>> >> >> > Tomcat55. Here's the relevant part of our WORKING
>>>>>> >> >> > deployerConfigContext.xml:
>>>>>> >> >> > ----------------------
>>>>>> >> >> > <!-- SPNEGO -->
>>>>>> >> >> > <bean name="jcifsConfig"
>>>>>> >> >> >       class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
>>>>>> >> >> >   <property name="jcifsServicePrincipal" value="HTTP/[EMAIL PROTECTED]" />
>>>>>> >> >> >   <property name="jcifsServicePassword" value="*****" />
>>>>>> >> >> >   <property name="kerberosDebug" value="true" />
>>>>>> >> >> >   <property name="kerberosRealm" value="DOMAIN.ES" />
>>>>>> >> >> >   <property name="kerberosKdc" value="192.168.1.1" />
>>>>>> >> >> >   <property name="loginConf" value="C:/Archivos de programa/Apache Software Foundation/Tomcat 5.5/webapps/cas/WEB-INF/login.conf" />
>>>>>> >> >> > </bean>
>>>>>> >> >> > -----------------------
>>>>>> >> >> > Note the FQDN server.domain.es (not only server, but server.domain.es).
>>>>>> >> >> >
>>>>>> >> >> > But our production environment doesn't work. We have there two
>>>>>> >> >> > W2003Server (PDC and SDC), AD and a W2003Server Tomcat55. If we open
>>>>>> >> >> > IExplore from the Tomcat machine, we obtain an NTLM token; from
>>>>>> >> >> > another machine we reach a Kerberos token, but it fails with: Unable
>>>>>> >> >> > to obtain the output token required.
>>>>>> >> >> >
>>>>>> >> >> >
>>>>>> >> >> > That's all the info I can give you. I hope someone can help us.
>>>>>> >> >> >
>>>>>> >> >> >
>>>>>> >> >> > JMRodriguez
>>>>>> >> >> >
>>>>>> >> >> > --
>>>>>> >> >> > View this message in context:
>>>>>> >> >> > http://www.nabble.com/SPNEGO-fails-back-to-NTLM-%28won%27t-do-Kerberos%29-tp20365070p20365611.html
>>>>>> >> >> > Sent from the CAS Users mailing list archive at Nabble.com.
>>>>>> >> >> >
>>>>>> >> >> > _______________________________________________
>>>>>> >> >> > Yale CAS mailing list
>>>>>> >> >> > [email protected]
>>>>>> >> >> > http://tp.its.yale.edu/mailman/listinfo/cas
>>>>>> >> >> >
>>>>>> >> >>
>>>>>> >> >
>>>>>> >> >
>>>>>> >> >
>>>>>> >> > --
>>>>>> >> > Arnaud Lesueur
>>>>>> >> >
>>>>>> >> > LinkedIn: http://www.linkedin.com/in/lesueur
>>>>>> >> >
>>>>>> >>
>>>>>> >>
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> > --
>>>>>> > Arnaud Lesueur
>>>>>> >
>>>>>> > LinkedIn: http://www.linkedin.com/in/lesueur
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Arnaud Lesueur
>>>>>
>>>>> LinkedIn: http://www.linkedin.com/in/lesueur
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Juan Manuel Rodríguez.
>>>>> Burke.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Arnaud Lesueur
>>>
>>> LinkedIn: http://www.linkedin.com/in/lesueur
>>>
>>>
>>>
>>
>>
>>
>
>
> --
> Arnaud Lesueur
>
> LinkedIn: http://www.linkedin.com/in/lesueur
>
>
>