CAS SPNEGO

I follow all the instructions found in the wiki and i read a lot of post in the forum to activate SSO authentication between CAS and windows primary domain. My scenario is:
CASServer (3.2.1):
Windows Xp with Tomcat 5.5.29 on jdk 1.5.0_11. This pc is outside domain. The name is casserver. Configurations file of the cas edited as described in the wiki

Client:
Windows Xp (other pc in domain) with ie 7 configured as described (the server is included in the intranet sites)

AD Server
We try with windows 2000 and windows 2003. We have created the user (casuser) and run the ktpass tool. The only diffrence is that the second support the crypto rc4-hmac-nt. In windows 2000 you can't set this crypto

Reading the log seems that the server receives the token but can't extract the Principal (Principal is null).

Can someone help me? Thanks

Here my logs

2008-05-14 18:47:55,640 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - jcifsServicePrincipal is set to HTTP/casserver@QUIX.LOCALE
2008-05-14 18:47:55,640 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - jcifsServicePassword is set to *****
2008-05-14 18:47:55,640 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - jcifsUsername is set to casuser
2008-05-14 18:47:55,640 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - jcifsPassword is set to *****
2008-05-14 18:47:55,640 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - jcifsDomain is set to QUIX.LOCALE
2008-05-14 18:47:55,640 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - kerberosDebug is set to : true
2008-05-14 18:47:55,640 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - kerberosRealm is set to :QUIX.LOCALE
2008-05-14 18:47:55,640 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - kerberosKdc is set to : 192.168.100.7
2008-05-14 18:47:55,656 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - configured login configuration path : /WEB-INF/login.conf
2008-05-14 18:47:55,718 INFO [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/cas]] - Initializing Spring FrameworkServlet 'cas'
2008-05-14 18:47:56,265 DEBUG [org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController] - Found action method [public org.springframework.web.servlet.ModelAndView org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController.deleteRegisteredService(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)]
2008-05-14 18:47:56,265 DEBUG [org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController] - Found action method [public org.springframework.web.servlet.ModelAndView org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController.manage(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)]
2008-05-14 18:47:56,328 INFO [org.jasig.cas.web.flow.AuthenticationViaFormAction] - FormObjectClass not set.  Using default class of org.jasig.cas.authentication.principal.UsernamePasswordCredentials with formObjectName credentials and validator org.jasig.cas.validation.UsernamePasswordCredentialsValidator.
2008-05-14 18:48:02,890 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Action 'InitialFlowSetupAction' beginning execution
2008-05-14 18:48:02,890 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - Setting path for cookies to: /cas
2008-05-14 18:48:02,890 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor did not generate service.
2008-05-14 18:48:02,906 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - Extractor did not generate service.
2008-05-14 18:48:02,906 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Action 'InitialFlowSetupAction' completed execution; result is 'success'
2008-05-14 18:48:02,921 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - Action 'SpnegoNegociateCredentialsAction' beginning execution
2008-05-14 18:48:02,921 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - Authorization header not found. Sending WWW-Authenticate header
2008-05-14 18:48:02,921 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - Action 'SpnegoNegociateCredentialsAction' completed execution; result is 'success'
2008-05-14 18:48:02,921 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' beginning execution
2008-05-14 18:48:02,921 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' completed execution; result is 'error'
2008-05-14 18:48:02,921 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
2008-05-14 18:48:02,937 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Executing setupForm
2008-05-14 18:48:02,937 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new form object with name 'credentials'
2008-05-14 18:48:02,937 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new instance of form object class [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials]
2008-05-14 18:48:02,937 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form object of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow with name 'credentials'
2008-05-14 18:48:02,937 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new form errors for object with name 'credentials'
2008-05-14 18:48:02,937 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - No property editor registrar set, no custom editors to register
2008-05-14 18:48:02,953 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form errors instance in scope Flash
2008-05-14 18:48:02,953 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
2008-05-14 18:48:02,953 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
2008-05-14 18:48:02,953 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
2008-05-14 18:48:03,500 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Action 'InitialFlowSetupAction' beginning execution
2008-05-14 18:48:03,500 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor did not generate service.
2008-05-14 18:48:03,500 DEBUG [org.jasig.cas.web.support.SamlArgumentExtractor] - Extractor did not generate service.
2008-05-14 18:48:03,500 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Action 'InitialFlowSetupAction' completed execution; result is 'success'
2008-05-14 18:48:03,500 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - Action 'SpnegoNegociateCredentialsAction' beginning execution
2008-05-14 18:48:03,500 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - Action 'SpnegoNegociateCredentialsAction' completed execution; result is 'success'
2008-05-14 18:48:03,500 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' beginning execution
2008-05-14 18:48:03,500 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - SPNEGO Authorization header found with 1648 bytes
2008-05-14 18:48:03,500 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Obtained token: `‚Î+
 ‚Â0‚¾ $0" *†H‚÷
 *†H†÷

+

‚7
¢‚”‚?`‚Œ *†H†÷

n‚{0‚w 
¡
¢     £‚§a‚£0‚Ÿ 
¡
QUIX.LOCALE¢0 
¡0HTTP casserver£‚i0‚e 
¢‚\‚XŽn«ñÒ‰¼­öŽXÜ:³Zõû,Ži'
B:«Si§3¤,hŸöcT„nÞ²ËH~ŽÒØ(³ ‚HQdU?4àûð$Ùˆb^!`_`çòq[©ÍL6-5rýí¢"ó¨Æ§±K‚¬ª‡Ü¯É<A¨°ÍU'HƦ^<íõNöSß©A`±3–Ààç»I•ñq‹³=?¬£Tš0yf?Ç‹OÎn¡âSÂvÒ]|Ódd |»áÚŸUHgf[ùªóZg€ý
BõlOï[RmöcA.~ú+íOÔ4û?½M؆Ò>äÎ
=ÒÎôT§@¤Vè
; ‘?9²µ0f”iOÜ'ÞŽ€ÇüŽ&¯ÒòjÜ1ûã³T;Ç6²ÈÏ­ÿe‘™rjèkGêÑ»ÃÖ¦NE–m¤ìû«Þ(¿Õ~?®\ë¦âuã1šbŒš.ËJ|7Þ€Þ!Z¸¹ágÿúpÐ{hyµíµ
†’W¤÷’x†ÍcHã¾M’Ö 4žùªt…¸„^ýî1¶ˆ?7€úøIn¶4®!ªVS÷E?Ö'ÃÐãoG¸é¼'$ÜP„ö-Ø©”ЛÆ? Ç›¿ç#8Í@äÊc“ß6rÅ?4ÂÃ?ate¯ÞÕ#,{Z—7pÃ{Õž+ÕŽû¹Ukl¦½€ùÀÊ÷ öºA»ªsK=ÛáC4),JD!’LË&Û_ê‰9?¬ --½µŽ„þjo¤è#Te‹¹üÂSäsÏ,ZUËò›ŠÆÆ?‘2¡æðéy=Ìq»ˆ?ò*("=AG£Ì_Ö`÷œœP=ÓÙµ£€˜Ôb™¶Ã€QýÀÔòÌš;Þ5"ÇñÕÝ̸lņ̃me®¯‘§ºÌ?#Ö³<ÕÔ¿ÍsSJ·ÿì8'¡–žDÒ›Ÿ»"n$1+käKµþúã "êühO¦-9ú{½ügp Wä´?›>‰]'&¦³˜îíÓžÀùèTÐ?êøúœÖÖ#² bc†¶LzÖíÊ?Ž†ß¡úÓÃULëgEžH¶öõPâžÖä·âôæxèC§™š¿ªCûÊÏûì6âúK= EÿW¦ê˜“—j™Jm‡ÝžbP©"Tò]&Æõ?zðzq½¿AÐj3.Çn~¤?¶0?³ 
¢?«?¨.Š;ôB”Ù•œJàãªýžK¾¯¢NkÁf‡§¼â²àvž(Ï’)QˆPb÷#VpÙa1ÑLmYåQ ´ë…¥_„KëšdŠ™Д°+·Íˆt'ì/7ZG‡ì\{„?Q•Òë?Þj9Šg<›—üÿ ÿvŠäÈòål$Dúb&Q
K©7™aÍ!j†H]IL£9õòšEOš8›ÉqhsÙ~«Y
kw܌
2008-05-14 18:48:03,515 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - Attempting to create TicketGrantingTicket for Principal is null
2008-05-14 18:48:03,578 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Unable to obtain the output token required.
2008-05-14 18:48:03,578 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Setting HTTP Status to 401
2008-05-14 18:48:03,578 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' completed execution; result is 'error'
2008-05-14 18:48:03,578 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
2008-05-14 18:48:03,578 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Executing setupForm
2008-05-14 18:48:03,578 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new form object with name 'credentials'
2008-05-14 18:48:03,578 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new instance of form object class [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials]
2008-05-14 18:48:03,578 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form object of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow with name 'credentials'
2008-05-14 18:48:03,578 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new form errors for object with name 'credentials'
2008-05-14 18:48:03,578 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - No property editor registrar set, no custom editors to register
2008-05-14 18:48:03,578 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form errors instance in scope Flash
2008-05-14 18:48:03,578 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
2008-05-14 18:48:03,578 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
2008-05-14 18:48:03,578 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
2008-05-14 18:48:14,734 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - Starting cleaning of expired tickets from ticket registry at [Wed May 14 18:48:14 CEST 2008]

Ok, I resolved the problem by myself. The problem was due that in my network the jifsDomain is not recognizable with his name. I don't know if this is an error in domain configuration, but changing the jcifsDomain with the IP everything work.
To resolve the problem i put the project in debug and I saw that throws an exception in the class JCIFSSpnegoAuthenticationHandler

        try {
            // proceed authentication using jcifs
            synchronized (this) {
                this.authentication.reset();
                this.authentication.process(spnegoCredentials.getInitToken());
                principal = this.authentication.getPrincipal();
                nextToken = this.authentication.getNextToken();
            }
        } catch (jcifs.spnego.AuthenticationException e) {
            throw new BadCredentialsAuthenticationException();
        }

 

I suggest to trace the message of the catched exception.
Now I can authenticate the user with NTLM token because the token i received is NTLMSSP. How can i force the Kerberos authenication? Putting NTLM allowed to false doesn't work.

Thanks.

Andrea  

AndrePra wrote:
>
> Ok, I resolved the problem by myself. The problem was due that in my network
> the jifsDomain is not recognizable with his name. I don't know if this is an
> error in domain configuration, but changing the jcifsDomain with the IP
> everything work.

I'd strongly recommend to solve any DNS issues first.

Your CAS server should have a DNS A record for its name which is used in
the service principal name (SPN) and a PTR record for its IP address.
Also your KDC(s).

Ciao, Michael.
_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

On Mon, May 19, 2008 at 10:25 AM, AndrePra <aprandini@...> wrote:
Could you please add an issue on this in JIRA please ?

> Now I can authenticate the user with NTLM token because the token i received
> is NTLMSSP. How can i force the Kerberos authenication? Putting NTLM allowed
> to false doesn't work.

Putting a false in the NTLM allowed flag will only reject NTLM token
as valid authentication token. The user stills have to continue to
fill the login form.
As Michael suggest have a look at any DNS issue using only FQDN. I see
that you use casserver in the passed token in your log which is not a
FQDN.

If the problem persist, you should have a closer look at the client
configuration.

Regards,

--
Arnaud Lesueur

LinkedIn: http://www.linkedin.com/in/lesueur
_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

Thanks for the reply. I took a closed look to my DNS and I solved some issue. Now I have the correct DNS entries for casserver and KDC. The cas server logs this lines

2008-05-20 15:06:23,062 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - <jcifsServicePrincipal is set to HTTP/casserver.quix.locale@QUIX.LOCALE>
2008-05-20 15:06:23,062 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - <jcifsServicePassword is set to *****>
2008-05-20 15:06:23,062 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - <jcifsUsername is set to casuser>
2008-05-20 15:06:23,062 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - <jcifsPassword is set to *****>
2008-05-20 15:06:23,062 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - <jcifsDomain is set to QUIX.LOCALE>
2008-05-20 15:06:23,062 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - <kerberosDebug is set to : true>
2008-05-20 15:06:23,062 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - <kerberosRealm is set to :QUIX.LOCALE>
2008-05-20 15:06:23,062 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - <kerberosKdc is set to : 192.168.100.7>

I've tested the url (http://casserver.quix.locale:8080/cas) from some clients but the token received start always with NTLMSSP.

Andrea

 

On Tue, May 20, 2008 at 3:51 PM, AndrePra <aprandini@...> wrote:
> I've tested the url (http://casserver.quix.locale:8080/cas) from some
> clients but the token received start always with NTLMSSP.
>
> Andrea

Can you check you do have a valid kerberos TGT in your windows
session. You might to this using kerbtray or klist tools.

If this is ok. Then check on the browser configuration ?
- For Internet Explorer, you have to turn on IWA and add the casserver
as a trusted site with an additional check while you are not using
HTTPS
- For Firefox, add the casserver in network.negotiate-auth.trusted-uris

--
Arnaud Lesueur

LinkedIn: http://www.linkedin.com/in/lesueur
_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

Arnaud Lesueur wrote:
Michael B Allen summed up things which could go wrong in
news:comp.protocols.kerberos.

See his particular message:
http://groups.google.com/group/comp.protocols.kerberos/msg/cf092e21c90e362b

The whole thread:
http://groups.google.com/group/comp.protocols.kerberos/browse_thread/thread/8dea0ffd5e38f727/cf092e21c90e362b#cf092e21c90e362b

Ciao, Michael.

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

Hi all,

today I've tried another windows network (same casserver pc, different active dir, different clients). Applying the configuration explained in the wiki everything works fine. The SSO works with the kerberos tokens.

I suggest only to add the /mapuser parameter to ktpass command in the wiki . Active Directory 2003 didn't recognize properly the user to be mapped to service.

Thanks to all.
Andrea    

AndrePra wrote:
>
> I suggest only to add the /mapuser parameter to ktpass command in the wiki .
> Active Directory 2003 didn't recognize properly the user to be mapped to
> service.

One should always check (e.g. via LDAP query) whether attribute
'servicePrincipalName' of the CAS service account is properly set (e.g.
to 'HTTP/cas-server.example.com@...'.

Ciao, Michael.
_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

On Wed, May 21, 2008 at 7:56 PM, Michael Ströder <michael@...> wrote:
> AndrePra wrote:
>>
>> I suggest only to add the /mapuser parameter to ktpass command in the wiki .
>> Active Directory 2003 didn't recognize properly the user to be mapped to
>> service.

You may have missed it while this command as always been and still is
in the wiki (and even in the old docbook that we used before switching
to the wiki)
I am glad to see that it is finally working :-)

> One should always check (e.g. via LDAP query) whether attribute
> 'servicePrincipalName' of the CAS service account is properly set (e.g.
> to 'HTTP/cas-server.example.com@...'.

That's effectively a good way to check that the job has been made with
ktpass.exe or setspn.exe

--
Arnaud Lesueur

LinkedIn: http://www.linkedin.com/in/lesueur
_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas

>You may have missed it while this command as always been and still is
>in the wiki (and even in the old docbook that we used before switching
>to the wiki)
>I am glad to see that it is finally working :-)

Ops, you are right! There's in the wiki but not in my printed copy! Sorry.
Thanks again.
Andrea