Cas - kerberos - Lifery - JBoss config, help needed
Shi Yusen
shiys at langhua.cn
Thu Dec 13 11:26:04 EST 2007
I guess the problem is in Kerberos setting. I never used SPNEGO before.
If it's similar to Cyrus SASL, perhaps you can test whether the service
setting is correct before doing further configuration. In SASL, there
are a sample-server and sample-client which can test the SASL.
Regards,
Shi Yusen/Beijing Langhua Ltd.
On Thu, 2007-12-13 at 04:18 -0800, Antoni wrote:
> Hi,
> for the last few days I have been trying to set up JBoss, Liferay and CAS to
> authenticate users by Kerberos. I followed the instructions from
> http://www.ja-sig.org/wiki/display/CASUM/SPNEGO and many other sites.
> Nothing helps.
> CAS gets an NTLM token, not a Kerberos one, and because of that it doesn't work.
> The platform is Windows 2003.
>
> c:\windows\krb.ini
> [libdefaults]
>     default_realm = XXX.YYY.FI
>     default_keytab_name = FILE:C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab
>     default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>     default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>     permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
>     dns_lookup_realm = false
>     dns_lookup_kdc = false
>
> [realms]
>     XXX.YYY.FI = {
>         kdc = aaa.xxx.yyy.fi:88
>         keytab_name = FILE:C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab
>         kdc_ports = 750,88
>         kdc_addrs = aaa.xxx.yyy.fi
>         default_domain = bbb.xxx.yyy.fi
>     };
>
> [domain_realm]
>     bbb.xxx.yyy.fi = XXX.YYY.FI
>     .bbb.xxx.yyy.fi = XXX.YYY.FI
>
> #[appdefaults]
>     autologin = true
>     forward = true
>     forwardable = true
>     encrypt = true
>
> This file works fine:
> C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF>%JAVA_HOME%\bin\kinit -k -t C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab HTTP/bbb.xxx.yyy.fi@XXX.YYY.FI
> New ticket is stored in cache file C:\Documents and Settings\wmanaaa\krb5cc_xxx
>
> C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF>%JAVA_HOME%\bin\klist
> Credentials cache: C:\Documents and Settings\xxx\krb5cc_xxx
> Default principal: HTTP/bbb.xxx.yyy.fi@XXX.YYY.FI, 1 entry found.
> [1] Service Principal: krbtgt/XXX.YYY.FI@XXX.YYY.FI
>     Valid starting: Dec 13, 2007 10:12
>     Expires: Dec 13, 2007 20:12
>
> C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF>%JAVA_HOME%\bin\klist -k
> Key tab: C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab, 1 entry found.
> [1] Service principal: HTTP/bbb.xxx.yyy.fi@XXX.YYY.FI
>     KVNO: 6
>
> So the next step is configuring CAS. All instructions from
> http://www.ja-sig.org/wiki/display/CASUM/SPNEGO are followed exactly. Only
> login.conf is modified:
> jcifs.spnego.initiate {
>     com.sun.security.auth.module.Krb5LoginModule required
>         debug=true
>         useKeyTab=true
>         doNotPrompt=true
>         keyTab="C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab"
>         realm=XXX.YYY.FI
>         principal=HTTP/bbb.xxx.yyy.fi@XXX.YYY.FI
>         storeKey=true;
> };
> jcifs.spnego.accept {
>     com.sun.security.auth.module.Krb5LoginModule required
>         debug=true
>         useKeyTab=true
>         doNotPrompt=true
>         keyTab="C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab"
>         realm=XXX.YYY.FI
>         principal=HTTP/bbb.xxx.yyy.fi@XXX.YYY.FI
>         storeKey=true;
> };
>
> The deployerConfigContext.xml at the end:
> <bean name="jcifsConfig"
>       class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
>     <property name="jcifsServicePrincipal" value="HTTP/bbb.xxx.yyy.fi@XXX.YYY.FI" />
>     <property name="jcifsServicePassword" value="xxxxxxxx" />
>     <property name="kerberosDebug" value="true" />
>     <property name="kerberosRealm" value="XXX.YYY.FI" />
>     <property name="kerberosKdc" value="123.123.123.123" />
>     <property name="loginConf" value="/WEB-INF/login.conf" />
> </bean>
>
> The "other" login module is added to JBoss's login-config.xml.
> To JBoss's run.bat is added:
> set JAVA_OPTS=%JAVA_OPTS% -Djava.security.krb5.conf="C:/windows/krb5.ini"
>
> All seems to be fine, but it still doesn't work:
> 10:56:17,148 INFO [STDOUT] 2007-12-13 10:56:17,148 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler failed to authenticate the user which provided the following credentials: Principal is null>
>
> The problem is here, in jcifs.spnego.Authentication:
> private void processNtlm(byte[] token) throws AuthenticationException {
>     byte[] challenge = null;
>     try {
>         switch (token[8]) {
>         case 1:
>             if (client) {
>                 throw new AuthenticationException(
>                         "NTLM Type 1 message received by client.");
>             }
>             challenge = SmbSession.getChallenge(getDomainController());
>             nextToken = new Type2Message(new Type1Message(token),
>                     challenge, null).toByteArray();
>             break;
>         .......
>         case 3:
>             if (client) {
>                 throw new AuthenticationException(
>                         "NTLM Type 3 message received by client.");
>             } ....
>
> The NTLM type is always "1", and it should be 3.
>
> I can't figure out what I should do next.
>
> Thank you in advance for any help.
>
> Antoni
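Added example, not code from this thread or from CAS/jcifs: a small Python diagnostic that decodes the value a browser sends in "Authorization: Negotiate" and reports whether it carries SPNEGO/Kerberos or a raw NTLMSSP message, reading the same message-type byte (token[8]) that the jcifs switch above inspects. The two sample tokens are constructed here for the demonstration.

```python
import base64
import struct

# Byte signatures of the mechanisms a browser can put in "Authorization: Negotiate".
NTLMSSP_SIG = b"NTLMSSP\x00"                              # raw NTLMSSP message
SPNEGO_OID = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2 (SPNEGO)
KRB5_OID = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2 (Kerberos 5)
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2 (MS Kerberos)
NTLM_TYPES = {1: "Type 1 (negotiate)", 2: "Type 2 (challenge)", 3: "Type 3 (authenticate)"}

def classify_negotiate_header(header):
    """Decode an 'Authorization: Negotiate <base64>' value and report which
    mechanism the client actually sent, so an NTLM fallback is visible at once."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"mechanism": "not-negotiate", "scheme": scheme}
    token = base64.b64decode(b64)
    if token.startswith(NTLMSSP_SIG):
        # Raw NTLMSSP: the 32-bit little-endian message type starts at byte 8,
        # the token[8] that the jcifs processNtlm() switch reads.
        msg_type = struct.unpack_from("<I", token, 8)[0]
        return {"mechanism": "ntlm", "ntlm_type": msg_type,
                "label": NTLM_TYPES.get(msg_type, "unknown")}
    head = token[:16]   # GSS-API InitialContextToken: 0x60, DER length, mech OID
    if token[:1] == b"\x60" and SPNEGO_OID in head:
        return {"mechanism": "spnego",
                "kerberos": KRB5_OID in token or MS_KRB5_OID in token}
    if token[:1] == b"\x60" and (KRB5_OID in head or MS_KRB5_OID in head):
        return {"mechanism": "kerberos"}
    return {"mechanism": "unknown"}

# Constructed sample tokens (not captured from the original post).
# NTLM Type 1: signature, type=1, flags, empty domain and workstation fields.
_ntlm1 = NTLMSSP_SIG + struct.pack("<II", 1, 0x00088207) + b"\x00" * 16
# Minimal SPNEGO NegTokenInit offering only the Kerberos 5 mechanism:
#   [APPLICATION 0] { SPNEGO OID, [0] SEQUENCE { [0] mechTypes SEQUENCE { krb5 OID } } }
_mech_types = b"\x30\x0b" + KRB5_OID
_neg_init = b"\x30\x0f" + b"\xa0\x0d" + _mech_types
_spnego = b"\x60\x1b" + SPNEGO_OID + b"\xa0\x11" + _neg_init
SAMPLE_NTLM_TYPE1 = "Negotiate " + base64.b64encode(_ntlm1).decode()
SAMPLE_SPNEGO_KRB5 = "Negotiate " + base64.b64encode(_spnego).decode()

if __name__ == "__main__":
    for h in (SAMPLE_NTLM_TYPE1, SAMPLE_SPNEGO_KRB5):
        print(classify_negotiate_header(h))
```

Run it against the header value captured from the browser (or from the CAS debug log) before touching the Kerberos configuration again: an "ntlm" result with type 1 means the browser never attempted Kerberos for that host, which points at the browser's intranet-zone/SPN trust settings rather than at the keytab or login.conf.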