CAS and SPNEGO

Hello All,

I admit to going spare in setting up CAS with SPNEGO. Can anyone throw some light on it for me please? Basic CAS 3.1.1 is working well for us and is in daily use using our extensive Active Directory service. The problem is in integrating the SPNEGO option. I have tried everything in the documentation and alternate suggestions but I fail to get the SPNEGO module to authenticate against the keytab.

The keytab setup:

    "c:\Program Files\Support Tools\ktpass.exe" /out spndls2.keytab /princ HTTP/dls2.diamond.ac.uk@... /pass * /mapuser DLS2\spndls2 /ptype krb5_nt_principal /crypto des-cbc-md5 +DesOnly
    Targeting domain controller: diamrd8139.dls2.diamond.ac.uk
    Using legacy password setting method
    Successfully mapped HTTP/dls2.diamond.ac.uk to spndls2.
    Type the password for HTTP/dls2.diamond.ac.uk:
    Type the password again to confirm:
    Key created.
    Output keytab to spndls2.keytab:
    Keytab version: 0x502
    keysize 69 HTTP/dls2.diamond.ac.uk@... ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x3 (DES-CBC-MD5) keylength 8 (0x4a8ffe1cab40154c)
    Account spndls2 has been set for DES-only encryption.

The tests:

    c:\Java\bin\klist.exe -k
    Key tab: c:\etc\spndls2.keytab, 1 entry found.
    [1] Service principal: HTTP/dls2.diamond.ac.uk@...
        KVNO: 4

    c:\Java\bin\kinit.exe t1@...
    Password for t1@...:
    New ticket is stored in cache file C:\Documents and Settings\uadmin\krb5cc_uadmin

Part of deployer context:

    <bean name="jcifsConfig" class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
      <property name="jcifsServicePrincipal" value="HTTP/dls2.diamond.ac.uk@..." />
      <property name="jcifsServicePassword" value="[te%cset1]" />
      <property name="kerberosDebug" value="true" />
      <property name="kerberosConf" value="C:\windows\krb5.ini" />
      <property name="loginConf" value="C:\etc\login.conf" />
    </bean>

krb5.ini:

    [logging]
    default = c:\etc\logs\default.log
    kdc = c:\etc\logs\kdc.log
    admin_server = c:\etc\logs\admin.log

    [libdefaults]
    ticket_lifetime = 24000
    default_realm = DLS2.DIAMOND.AC.UK
    default_keytab_name = c:\etc\spndls2.keytab
    dns_lookup_realm = false
    dns_lookup_kdc = false
    default_tkt_enctypes = DES-CBC-MD5
    default_tgs_enctypes = DES-CBC-MD5

    [realms]
    DLS2.DIAMOND.AC.UK = {
        kdc = 172.23.4.17
        admin_server = 172.23.4.17
    }

    [appdefaults]
    autologin = true
    forward = true
    forwardable = true
    encrypt = true

Result of SPNEGO login:

    2008-05-11 18:20:16,925 DEBUG [org.springframework.web.servlet.view.JstlView] - <Forwarded to resource [/WEB-INF/view/jsp/default/ui/casLoginView.jsp] in InternalResourceView 'casLoginView'>
    default etypes for default_tkt_enctypes: 3.
    default etypes for default_tkt_enctypes: 3.
    >>> KrbAsReq calling createMessage
    >>> KrbAsReq in createMessage
    >>> KrbKdcReq send: kdc=172.23.4.17 UDP:88, timeout=30000, number of retries =3, #bytes=167
    >>> KDCCommunication: kdc=172.23.4.17 UDP:88, timeout=30000,Attempt =1, #bytes=167
    >>> KrbKdcReq send: #bytes read=201
    >>> KrbKdcReq send: #bytes read=201
    >>> KDCRep: init() encoding tag is 126 req type is 11
    >>>KRBError:
        sTime is Sun May 11 18:20:17 BST 2008 1210526417000
        suSec is 18668
        error code is 25
        error Message is Additional pre-authentication required
        realm is DLS2.DIAMOND.AC.UK
        sname is krbtgt/DLS2.DIAMOND.AC.UK
        eData provided.
        msgType is 30
    >>>Pre-Authentication Data:
        PA-DATA type = 11
        PA-ETYPE-INFO etype = 3
    >>>Pre-Authentication Data:
        PA-DATA type = 2
        PA-ENC-TIMESTAMP
    >>>Pre-Authentication Data:
        PA-DATA type = 15
    AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
    default etypes for default_tkt_enctypes: 3.
    Pre-Authentication: Set preferred etype = 3
    Updated salt from pre-auth = DLS2.DIAMOND.AC.UKHTTPdls2.diamond.ac.uk
    >>>KrbAsReq salt is DLS2.DIAMOND.AC.UKHTTPdls2.diamond.ac.uk
    Pre-Authenticaton: find key for etype = 3
    AS-REQ: Add PA_ENC_TIMESTAMP now
    >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
    >>> KrbAsReq calling createMessage
    >>> KrbAsReq in createMessage
    >>> KrbKdcReq send: kdc=172.23.4.17 UDP:88, timeout=30000, number of retries =3, #bytes=249
    >>> KDCCommunication: kdc=172.23.4.17 UDP:88, timeout=30000,Attempt =1, #bytes=249
    >>> KrbKdcReq send: #bytes read=180
    >>> KrbKdcReq send: #bytes read=180
    >>> KDCRep: init() encoding tag is 126 req type is 11
    >>>KRBError:
        sTime is Sun May 11 18:20:17 BST 2008 1210526417000
        suSec is 65542
        error code is 24
        error Message is Pre-authentication information was invalid
        realm is DLS2.DIAMOND.AC.UK
        sname is krbtgt/DLS2.DIAMOND.AC.UK
        eData provided.
        msgType is 30
    >>>Pre-Authentication Data:
        PA-DATA type = 11
        PA-ETYPE-INFO etype = 3
    jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException
        at jcifs.spnego.Authentication.processKerberos(Authentication.java:447)
        at jcifs.spnego.Authentication.processSpnego(Authentication.java:346)
        at jcifs.spnego.Authentication.process(Authentication.java:235)
        at org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler.doAuthentication(JCIFSSpnegoAuthenticationHandler.java:56)

Huge thanks in advance if anyone can help me.

Bill Pulford
Diamond Light Source

_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas
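As an added example (not from Bill's post, and not CAS or JCIFS code): a small Python reader for the keytab format the ktpass output above describes (version 0x502), used to confirm that the file really holds a key for the exact service principal, KVNO and etype the KDC advertises in the debug output (PA-ETYPE-INFO etype = 3). The keytab bytes are constructed inline with a placeholder key, the function names are my own, and the parser assumes a keytab with no deleted (negative-size) slots.

```python
import struct

ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}  # IANA etype numbers
def _octets(b):                      # keytab "counted octet string": uint16 length + bytes
    return struct.pack(">H", len(b)) + b

def _read_octets(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def build_keytab(entries):           # entries: (principal, kvno, etype, key) -> version 0x502 bytes
    out = b"\x05\x02"
    for principal, kvno, etype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        body += b"".join(_octets(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type=1 (NT_PRINCIPAL), timestamp, vno8
        body += struct.pack(">H", etype) + _octets(key) + struct.pack(">I", kvno)  # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """One dict per entry: principal, kvno, etype number/name, key length. Assumes no deleted slots."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        end = pos + 4 + size
        (ncomp,) = struct.unpack_from(">H", data, pos + 4)
        realm, pos = _read_octets(data, pos + 6)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_octets(data, pos)
            comps.append(c.decode())
        pos += 8                                          # skip name_type (4) and timestamp (4)
        vno8, (etype,) = data[pos], struct.unpack_from(">H", data, pos + 1)
        key, pos = _read_octets(data, pos + 3)
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno or vno8,
                        "etype": etype, "etype_name": ETYPE_NAMES.get(etype, "unknown"), "keylen": len(key)})
        pos = end
    return entries

def find_key(data, principal, etype):  # exact match: Kerberos principal names are case-sensitive
    return [e for e in parse_keytab(data) if e["principal"] == principal and e["etype"] == etype]

# Constructed sample shaped like the thread's keytab (KVNO 4, etype 3); the DES key is a placeholder
SAMPLE = build_keytab([("HTTP/dls2.diamond.ac.uk@DLS2.DIAMOND.AC.UK", 4, 3, b"\x01" * 8)])
```

An empty result from find_key for the principal and etype the KDC named is the keytab-side mismatch (case, realm, KVNO or etype) worth ruling out before looking at the JCIFS configuration.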