Jacek, I am not providing a solution, just more questions since I am also attempting to set up NTLM authentication.
Looks like NTLM authentication is being invoked in your case. For some reason, NTLM is not being invoked for me. It seems to try Kerberos. I am trying to turn off Kerberos and turn on NTLM. Is your IE and tomcat on different machines or on the same machine? Would you kindly post the following details - 1. contents of the login.conf file 2. jcifsBean definition (in deployercontextconfig.xml) Thanks. ________________________________ From: Jacek Bilski <[email protected]> To: CAS Users <[email protected]> Sent: Wednesday, January 28, 2009 4:06:49 AM Subject: SPNEGO and "Attempting to create TicketGrantingTicket for Principal is null" Hello, Can anyone help me with SPNEGO authentication? I try to do that for some time, but with no success. I've many posts about putting together CAS with AD, but I feel like I miss some one little detail. I'm trying to use CAS with Liferay 5.1.2 on Tomcat 6.0.18. All that on Linux. As you can see in attached configuration I tried both Kerberos and NTLM. I would prefer former, but that's not a hard requirement. Either way I end up with that in CAS logs: 2009-01-28 12:48:04,820 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Action 'SpnegoCredentialsAction' beginning execution> 2009-01-28 12:48:04,820 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <SPNEGO Authorization header found with 56 bytes> 2009-01-28 12:48:04,822 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Obtained token: NTLMSSP�� > 2009-01-28 12:48:04,826 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Attempting to create TicketGrantingTicket for Principal is null> 2009-01-28 12:48:04,906 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Unable to obtain the output token required.> 2009-01-28 12:48:04,906 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Setting HTTP Status to 401> 2009-01-28 12:48:04,906 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Action 'SpnegoCredentialsAction' completed execution; result is 'error'> I tried sniffing wire to see what's going on between client (IE) and CAS. When using Kerberos on CAS side, IE doesn't seem to use Kerberos and sends NTLM (as in logs above). When trying NTLM everything seems to go far further and ends with SMB message from AD: "NT Status: STATUS_LOGON_FAILURE (0xc000006d)" Has anyone any clues or hints for me? Any help is much appreciated. Regards Jacek Bilski
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
