JCIFS configuration for SPNEGO

Scott Battaglia scott.battaglia at gmail.com
Thu Oct 5 23:27:39 EDT 2006


Arnaud,

Can you create JIRA issues for the things you want to update/fix so we don't
lose them in case you don't get to them for a while?

Thanks
-Scott

On 10/5/06, Arnaud Lesueur <alesueur+cas at octo.com> wrote:
>
> On Thu, 5 October 2006 08:41, vincent.jaulin at keyphrene.com wrote:
> > Hi,
> >
> > I would use only the NTLM handler.
> > But I don't understand the jcifsServicePrincipal parameter.
> > Can you explain to me the pattern of jcifsServicePrincipal? What does the
> > HTTP/ pattern mean?
> > What is the way to use only the NTLM handler?
> >
> >
> > <bean name="jcifsConfig"
> >       class="org.jasig.cas.adaptors.spnego.authentication.handler.support.JCIFSConfig">
> >     <property name="jcifsKerberosEnable" value="false" />
> >     <property name="jcifsServicePrincipal" value="HTTP/localhost@KEYPHRENE.COM" />
> >     <property name="jcifsServicePassword" value="*******" />
> >     <property name="kerberosDebug" value="true" />
> >     <property name="kerberosRealm" value="KEYPHRENE.COM" />
> >     <property name="kerberosKdc" value="10.83.198.4" />
> >     <property name="loginConf" value="/WEB-INF/login.conf" />
> > </bean>
> >
> >
> > Best Regards
> > Vincent Jaulin
>
>
> The SPNEGO Handler is NOT an NTLM handler. It sends HTTP 401 Negotiate.
> The browser may respond with:
> - an NTLM ticket if it is not a trusted service, misconfigured browser,
> not in active directory 2003 domain ...
> - a Kerberos ticket if everything is OK
>
> The jcifsServicePrincipal is the service account used to verify the
> authenticity of the token sent by the client. The
> HTTP/ pattern is because the service we try to connect to is a web service
> => HTTP. Use klist.exe or kerbtray.exe to
> see the service token that you have in the cache of your desktop. I remind
> you that this is KERBEROS.
>
> There is presently no NTLM handler for CAS. It should not be very
> difficult to implement one with jcifs-ext. I was
> thinking about making one but NTLM is now deprecated for security reasons
> ...
>
>
> About the login webflow, the tutorial is wrong. You have to modify those
> blocks:
>         <action-state id="gatewayRequestCheck">
>                 <action bean="gatewayRequestCheckAction" />
>                 <transition on="success" to="redirect" />
>                 <transition on="error" to="startAuthenticate" />
>         </action-state>
>
>         <action-state id="renewRequestCheck">
>                 <action bean="renewRequestCheckAction" />
>                 <transition on="authenticationRequired" to="startAuthenticate" />
>                 <transition on="generateServiceTicket" to="generateServiceTicket" />
>         </action-state>
>
>
> By the way, I also discovered that the parameter jcifsKerberosEnable has
> no impact and is useless.
>
> I will make an update on those points when I have time to do it.
>
>
> Arnaud Lesueur
>
>
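
The quoted reply says a browser may answer the 401 Negotiate challenge with either an NTLM or a Kerberos token. The Python below is an added example, not code from this thread or from CAS/JCIFS, that tells the two apart from a captured Authorization header value; the function names and the sample tokens are constructed for illustration, and it assumes the first SPNEGO mechType is the mechanism the client actually used.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"                                # raw NTLM message signature
# DER-encoded mechanism OIDs (tag 0x06, length, value)
OID_SPNEGO = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")   # 1.2.840.48018.1.2.2
OID_NTLM = bytes.fromhex("060a2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
MECHS = {OID_KRB5: "kerberos", OID_MS_KRB5: "kerberos", OID_NTLM: "ntlm"}

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def classify_negotiate(header_value):
    """Return kerberos, ntlm, unknown, malformed or not-negotiate."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
        if tok.startswith(NTLMSSP):                     # NTLM sent without SPNEGO wrapping
            return "ntlm"
        tag, start, _ = _tlv(tok, 0)
        if tag != 0x60:                                 # GSS-API InitialContextToken
            return "unknown"
        _, _, oid_end = _tlv(tok, start)
        mech, pos = tok[start:oid_end], oid_end
        if mech == OID_SPNEGO:                          # descend to first mechTypes entry
            for want in (0xA0, 0x30, 0xA0, 0x30):
                tag, pos, _ = _tlv(tok, pos)
                if tag != want:
                    return "unknown"
            _, _, end = _tlv(tok, pos)
            mech = tok[pos:end]
        return MECHS.get(mech, "unknown")
    except (ValueError, IndexError):                    # bad base64 or truncated DER
        return "malformed"

def _der(tag, value):                                   # short-form only: sample builder
    return bytes([tag, len(value)]) + value

def sample_header(mechs):
    """Constructed NegTokenInit offering `mechs` in order, with a dummy mechToken."""
    init = _der(0xA0, _der(0x30, b"".join(mechs))) + _der(0xA2, _der(0x04, b"constructed"))
    tok = _der(0x60, OID_SPNEGO + _der(0xA0, _der(0x30, init)))
    return "Negotiate " + base64.b64encode(tok).decode()
```

A result of `ntlm` on a deployment that expects Kerberos points at the conditions listed in the reply: an untrusted service, a misconfigured browser, or a client outside the domain.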