JCIFS configuration for SPNEGO
Arnaud Lesueur
alesueur+cas at octo.com
Thu Oct 5 12:29:58 EDT 2006
On Thu, 5 October 2006 08:41, vincent.jaulin at keyphrene.com wrote:
> hi,
>
> I would use only the NTLM handler.
> But I don't understand the jcifsServicePrincipal parameter.
> Can you explain to me the pattern of jcifsServicePrincipal? What does the
> HTTP/ pattern mean?
> What is the way to use only the NTLM handler?
>
>
> <bean name="jcifsConfig"
>       class="org.jasig.cas.adaptors.spnego.authentication.handler.support.JCIFSConfig">
>   <property name="jcifsKerberosEnable" value="false" />
>   <property name="jcifsServicePrincipal" value="HTTP/localhost at KEYPHRENE.COM" />
>   <property name="jcifsServicePassword" value="*******" />
>   <property name="kerberosDebug" value="true" />
>   <property name="kerberosRealm" value="KEYPHRENE.COM" />
>   <property name="kerberosKdc" value="10.83.198.4" />
>   <property name="loginConf" value="/WEB-INF/login.conf" />
> </bean>
>
>
> Best Regards
> Vincent Jaulin
The SPNEGO Handler is NOT an NTLM handler. It sends HTTP 401 Negotiate. The browser may respond with:
- an NTLM ticket if it is not a trusted service, a misconfigured browser, not in an Active Directory 2003 domain ...
- a Kerberos ticket if everything is OK
The jcifsServicePrincipal is the service account used to verify the authenticity of the token sent by the client. The
HTTP/ pattern is there because the service we try to connect to is a web service => HTTP. Use klist.exe or kerbtray.exe to
see the service token that you have in the cache of your desktop. I remind you that this is KERBEROS.
There is presently no NTLM handler for CAS. It should not be very difficult to implement one with jcifs-ext. I was
thinking about making one but NTLM is now deprecated for security reasons ...
About the login webflow, the tutorial is wrong. You have to modify those blocks:
<action-state id="gatewayRequestCheck">
    <action bean="gatewayRequestCheckAction" />
    <transition on="success" to="redirect" />
    <transition on="error" to="startAuthenticate" />
</action-state>
<action-state id="renewRequestCheck">
    <action bean="renewRequestCheckAction" />
    <transition on="authenticationRequired" to="startAuthenticate" />
    <transition on="generateServiceTicket" to="generateServiceTicket" />
</action-state>
By the way, I also discovered that the parameter jcifsKerberosEnable has no impact and is useless.
I will update those points when I have time to do it.
Arnaud Lesueur
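As an added example (not part of the original post, nor CAS or JCIFS code), here is a Python check for the point made above: the handler sends 401 Negotiate and the browser may answer with either a Kerberos or an NTLM token. It decodes the Authorization header and names the mechanism the client actually chose, so a log review can show which clients fell back to NTLM; the OIDs are the standard SPNEGO, Kerberos and NTLMSSP ones, and the sample headers are constructed with the hypothetical build_negotiate_header helper rather than captured from a browser.

```python
import base64
# DER OID contents (no tag/length); SPNEGO is the outer wrapper, MECH_NAMES the inner mechanisms.
SPNEGO_OID = bytes.fromhex("2b0601050502")                   # 1.3.6.1.5.5.2
MECH_NAMES = {
    bytes.fromhex("2a864886f712010202"): "kerberos",         # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "kerberos",         # 1.2.840.48018.1.2.2 (MS KRB5)
    bytes.fromhex("2b06010401823702020a"): "ntlm-in-spnego", # 1.3.6.1.4.1.311.2.2.10
}

def _tlv(buf, pos):  # read one DER TLV at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def classify_negotiate_token(header_value):
    """Name the mechanism a browser answered 'WWW-Authenticate: Negotiate' with."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "unknown"
    try:
        tok = base64.b64decode(blob, validate=True)          # binascii.Error is a ValueError
        if tok.startswith(b"NTLMSSP\x00"):                   # NTLM sent without SPNEGO wrapping
            return "ntlm-raw"
        tag, p, _ = _tlv(tok, 0)                             # [APPLICATION 0] InitialContextToken
        tag2, s, p = _tlv(tok, p)                            # thisMech OID, must be SPNEGO
        if tag != 0x60 or tag2 != 0x06 or tok[s:p] != SPNEGO_OID:
            return "unknown"
        for want in (0xA0, 0x30, 0xA0, 0x30):                # [0] NegTokenInit > SEQUENCE > [0] mechTypes > SEQUENCE OF
            tag, p, _ = _tlv(tok, p)
            if tag != want:
                return "unknown"
        tag, s, e = _tlv(tok, p)                             # first mechType = the client's preferred mechanism
    except (IndexError, ValueError):
        return "unknown"
    return MECH_NAMES.get(tok[s:e], "unknown") if tag == 0x06 else "unknown"

def _der(tag, body):                                         # short-form DER, for the constructed samples only
    return bytes([tag, len(body)]) + body

def build_negotiate_header(mech_oid, mech_token):
    """Constructed NegTokenInit with one mechType, shaped like a browser's reply."""
    neg_init = _der(0x30, _der(0xA0, _der(0x30, _der(0x06, mech_oid)))
                    + _der(0xA2, _der(0x04, mech_token)))
    tok = _der(0x60, _der(0x06, SPNEGO_OID) + _der(0xA0, neg_init))
    return "Negotiate " + base64.b64encode(tok).decode("ascii")

SAMPLE_KERBEROS = build_negotiate_header(bytes.fromhex("2a864886f712010202"), b"constructed-AP-REQ")  # constructed
SAMPLE_NTLM_RAW = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode("ascii")   # constructed fallback
```

Run over the Authorization values in an access log, anything other than "kerberos" from a domain-joined desktop points at the misconfigurations listed in the post (untrusted service, browser settings, machine outside the domain).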