SSO using CAS with AD and Kerberos

SSO using CAS with AD and Kerberos

by James Dcunha

Hi,

My primary reason using that was as I was investigating CAS, I found out that the old versions used Ant Deployment and the new one uses Maven. I have no experience in Maven and wanted to see if the ant deployment based CAS server 2.0 would work fine with our product.

Our web application runs on jdk 1.4.2_08 and we still have to upgrade the java version.

Would the latest release of cas server 3.2.1 work on a jdk 1.4.2?

Thanks for directing me towards the wiki page link.

My next step would be to check if cas server 3.2.1 would work along with our webapp on jdk1.4.2
--
Regards
James Dcunha
WorQsmart LLC
(o) 602-803-2559
(c) 480-282-2596
_______________________________________________
Yale CAS mailing list
cas@...
http://tp.its.yale.edu/mailman/listinfo/cas


RE: SSO using CAS with AD and Kerberos

by Andrew Ralph Feller, afelle1

If you are going to do Active Directory authentication via Kerberos, you will need to configure CAS to use the JaasAuthenticationHandler, which takes a JAAS configuration file passed into Tomcat via the -Djava.security.auth.config property along with your Kerberos configuration via the -Djava.security.krb5.conf property.

DISCLAIMER: Before I show you some sample files, a word of warning: in pre-Java 6.06, there was a bug in the Kerberos login module such that memory was not being deallocated appropriately and resulted in Java crashing due to running out of memory over time. For more information, check out the following links:

http://www.nabble.com/trying-to-track-down-jaas-memory-leak-to15194118.html#a15235357

http://bugs.sun.com/view_bug.do?bug_id=6578538

Here are sample files:

JAAS.conf

========================

/**
* Login Configuration for JAAS.
*
* Specify that Kerberos v5 is a required login module
*/
CAS {
        com.sun.security.auth.module.Krb5LoginModule required client=TRUE debug=FALSE useTicketCache=FALSE;
};

========================

Tomcat arguments for JAAS configuration

========================

 -Djava.security.auth.login.config=/usr/local/tomcat/conf/jaas.conf \
 -Djava.security.krb5.conf=/etc/krb5.conf \

========================

Andrew R Feller, Analyst
University Information Systems
200 Fred Frey Building
Louisiana State University
Baton Rouge, LA, 70803
(225) 578-3737 (Office)
(225) 578-6400 (Fax)

From: cas-bounces@... [mailto:cas-bounces@...] On Behalf Of James Dcunha
Sent: Friday, June 20, 2008 11:53 AM
To: cas@...
Subject: Re: SSO using CAS with AD and Kerberos

 

Hi,

My primary reason using that was as I was investigating CAS, I found out that the old versions used Ant Deployment and the new one uses Maven. I have no experience in Maven and wanted to see if the ant deployment based CAS server 2.0 would work fine with our product.

Our web application runs on jdk 1.4.2_08 and we still have to upgrade the java version.

Would the latest release of cas server 3.2.1 work on a jdk 1.4.2?

Thanks for directing me towards the wiki page link.

My next step would be to check if cas server 3.2.1 would work along with our webapp on jdk1.4.2
--
Regards
James Dcunha



Re: SSO using CAS with AD and Kerberos

by Michael Ströder

James Dcunha wrote:
>
> My primary reason using that was as I was investigating CAS, I found out
> that the old versions used Ant Deployment and the new one uses Maven. I
> have no experience in Maven and wanted to see if the ant deployment
> based CAS server 2.0 would work fine with our product.

Well, I'm using cas-server-3.2.1 just tweaking files in WEB-INF with my
favourite text editor and zipping the .war myself.

> Our web application runs on jdk 1.4.2_08 and we still have to upgrade the
> java version.

The CAS client is a different story.

For Java versions for CAS server see
http://www.ja-sig.org/wiki/display/CASUM/Java+Versions
I'd strongly recommend to use a recent JDK for Kerberos.

Ciao, Michael.

Re: SSO using CAS with AD and Kerberos

by scott_battaglia

To expand upon what Michael said, the CAS Servers past version 3.1 (I believe) require Java 5.  CAS 3.0.x requires Java 1.4.  CAS Clients, which interact with the CAS server, only require Java 1.4.

-Scott

-Scott Battaglia
PGP Public Key Id: 0x383733AA
LinkedIn: http://www.linkedin.com/in/scottbattaglia

On Fri, Jun 20, 2008 at 2:32 PM, Michael Ströder <michael@...> wrote:
James Dcunha wrote:
>
> My primary reason using that was as I was investigating CAS, I found out
> that the old versions used Ant Deployment and the new one uses Maven. I
> have no experience in Maven and wanted to see if the ant deployment
> based CAS server 2.0 would work fine with our product.

Well, I'm using cas-server-3.2.1 just tweaking files in WEB-INF with my
favourite text editor and zipping the .war myself.

> Our web application runs on jdk 1.4.2_08 and we still have to upgrade the
> java version.

The CAS client is a different story.

For Java versions for CAS server see
http://www.ja-sig.org/wiki/display/CASUM/Java+Versions
I'd strongly recommend to use a recent JDK for Kerberos.

Ciao, Michael.

Re:Re:Re: SSO using CAS with AD and Kerberos

by James Dcunha

Hi,

Thanks for replying and helping me out. I finally got rid of the error by adding the following lines listed below in my KerberosAuthHandler.java file

 System.setProperty("java.security.auth.login.config","C:/Program Files/Apache Software Foundation/Tomcat 5.0/cas_jaas.conf");

 System.setProperty("java.security.krb5.conf","C:/Program Files/Apache Software Foundation/Tomcat 5.0/krb5.conf");

I added the cas_jaas.conf and krb5.conf to the tomcat home directory and now when I enter the Active Directory Credentials I get the following error:
"
Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
        [Krb5LoginModule] user entered username: james

principal is servoy@...
Acquire TGT using AS Exchange
        [Krb5LoginModule] authentication failed
Cannot get kdc for realm AD.COURSEWIZARD.COM
Authentication attempt failedjavax.security.auth.login.LoginException: Cannot get kdc for realm AD.COURSEWIZARD.COM
"


I edited my krb5.conf with the change made to libdefaults, realm as shown below:

#
#  All rights reserved.
#
# pragma ident    @(#)krb5.conf    1.1 00/12/08

[libdefaults]
        default_realm = AD.COURSEWIZARD.COM

        default_checksum = rsa-md5

# default_checksum = crc32

# yourdomaincontroller is the name of the domain controller / active directory server acting as the KDC in your windows network

[realms]
        AD.COURSEWIZARD.COM = {
#                kdc = ad.ad.coursewizard.com
                        }

[domain_realm]
    .ad.coursewizard.com = AD.COURSEWIZARD.COM

[logging]
        default = CONSOLE
    kdc_rotate = {

# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.

        period = 1d

# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)

        versions = 10
    }

[appdefaults]
    gkadmin = {
                help_url = http://localhost:8888/ab2/coll.384.2/SEAM
    }
    kinit = {
        renewable = true
        forwardable= true
    }
    rlogin = {
        forwardable= true
    }
    rsh = {
        forwardable= true
    }
    telnet = {
            autologin = true
        forwardable= true
    }


It would really help if someone could give me some direction on how to get this authentication exception resolved.

Regards
James
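
Added example (not part of the original post, and not CAS or JDK code): a small check for the condition visible in the krb5.conf above, where the only kdc line under the default realm is commented out, which leaves that realm with no KDC named in the file. The sample text is constructed from the posted [libdefaults] and [realms] sections, and kdc.example.test is a placeholder host.

```python
import re

# Constructed sample built from the posted [libdefaults] and [realms] sections.
# kdc.example.test is a placeholder host, not a value taken from the thread.
TEMPLATE = """\
[libdefaults]
        default_realm = AD.COURSEWIZARD.COM
[realms]
        AD.COURSEWIZARD.COM = {
@KDC@
        }
"""
POSTED = TEMPLATE.replace("@KDC@", "#       kdc = ad.ad.coursewizard.com")
FIXED = TEMPLATE.replace("@KDC@", "        kdc = kdc.example.test")

def parse_krb5(text):
    """Return (libdefaults dict, {realm: [kdc, ...]}) for krb5.conf text."""
    section, realm = None, None
    libdefaults, realms = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # commented-out settings do not count
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
        elif line.startswith("}"):
            realm = None                  # end of a realm block
        elif "=" in line:
            key, _, value = (part.strip() for part in line.partition("="))
            if section == "libdefaults":
                libdefaults[key] = value
            elif section == "realms" and value == "{":
                realm = key
                realms.setdefault(realm, [])
            elif section == "realms" and realm and key == "kdc":
                realms[realm].append(value)
    return libdefaults, realms

def check_kdc(text):
    """List reasons the default realm has no KDC configured in the file."""
    libdefaults, realms = parse_krb5(text)
    default = libdefaults.get("default_realm")
    if not default:
        return ["no default_realm in [libdefaults]"]
    if default not in realms:
        return [f"realm {default} has no block in [realms]"]
    if not realms[default]:
        return [f"realm {default} has no active kdc entry"]
    return []
```

The check covers only the file contents; it says nothing about whether the named KDC host is reachable or about KDC discovery by other means such as DNS.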

