Cas - kerberos - Lifery - JBoss config, help needed

Alatalo Antoni antoni.alatalo at wmdata.fi
Tue Dec 18 03:56:38 EST 2007


Hi,
thank you for your reply.
As I understand it, you suggest that CAS takes the ticket from the server's JAAS. OK,
that's enough for me.
What I just did, and it is still not working:
To JBoss conf/login-config.xml I did put:
<application-policy name="other">
  <authentication>
    <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
      <module-option name="storeKey">true</module-option>
      <module-option name="keyTab">C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab</module-option>
      <module-option name="useKeyTab">true</module-option>
      <module-option name="doNotPrompt">true</module-option>
      <module-option name="principal">HTTP/aaa.xxx.yyy.fi@XXX.YYY.FI</module-option>
      <module-option name="realm">XXX.YYY.FI</module-option>
      <module-option name="debug">true</module-option>
    </login-module>
  </authentication>
</application-policy>
 
Also to the JBoss run.bat script:
set JAVA_OPTS=%JAVA_OPTS% -Djava.security.krb5.conf="C:/windows/krb5.ini"
 
There is only one authenticationHandler in the deployerConfigContext.xml
file:
<bean id="authenticationManager"
      class="org.jasig.cas.authentication.AuthenticationManagerImpl">
  <property name="credentialsToPrincipalResolvers">
    <list>
      <!-- ... the other credentialsToPrincipalResolvers ... -->
      <bean class="org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver" />
    </list>
  </property>
  <property name="authenticationHandlers">
    <list>
      <bean class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler">
      </bean>
      <!-- ... the other authenticationHandlers ... -->
    </list>
  </property>
</bean>
 
No other changes are made to the CAS default configurations.
 
While debugging the functionality I did set a breakpoint in the
Krb5LoginModule class, but while using the application it never
reaches those breakpoints.

What should I do to get this configuration to work? Do I, for example,
protect all URLs in the web.xml of CAS?

Terv. 
Antoni 
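An added example, not from this thread and not CAS or JBoss code: a small Python check that lists a keytab's principals the way klist -k does and tells whether the principal configured in login.conf / login-config.xml actually has a key in that file. The login-config.xml above names HTTP/aaa.xxx.yyy.fi while the klist -k output quoted further down lists HTTP/bbb.xxx.yyy.fi, which is exactly the kind of mismatch this catches. The sample keytab is constructed inside the block (a zero key, not the real spnaccount.keytab).

```python
import struct

def _cstr(b):                             # uint16 length prefix + bytes (keytab counted_octet_string)
    return struct.pack(">H", len(b)) + b

def build_keytab(principal, kvno, enctype, key):
    """Constructed single-entry v2 keytab for the demo (the key bytes are not a real service key)."""
    name, realm = principal.rsplit("@", 1)
    comps = [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode()) + b"".join(map(_cstr, comps))
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + _cstr(key) + struct.pack(">I", kvno)  # NT-PRINCIPAL, ts, vno8, enctype
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def _take(data, pos):
    n = struct.unpack(">H", data[pos:pos + 2])[0]
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def read_keytab(data):
    """List (principal, kvno, enctype) as 'klist -k' does. Version 0x0502 only: per entry int32 size,
    uint16 ncomp, realm, comps, uint32 name_type, uint32 timestamp, uint8 vno8, enctype, key[, vno32]."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack(">i", data[pos:pos + 4])[0], pos + 4
        if size < 0:                      # negative size marks a hole left by a deleted entry
            pos -= size
            continue
        end, p = pos + size, pos
        ncomp = struct.unpack(">H", data[p:p + 2])[0]
        realm, p = _take(data, p + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _take(data, p)
            comps.append(c.decode())
        p += 8                            # skip name_type and timestamp
        kvno, enctype = struct.unpack(">BH", data[p:p + 3])
        _, p = _take(data, p + 3)         # the key itself; not needed for a listing
        if end - p >= 4:                  # a trailing 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack(">I", data[p:p + 4])[0]
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return entries

def check_principal(keytab, configured_principal):
    """Does the principal named in login.conf / login-config.xml have a key in this keytab?"""
    names = sorted({p for p, _, _ in read_keytab(keytab)})
    return "ok" if configured_principal in names else "%s not in keytab (has: %s)" % (configured_principal, ", ".join(names))

SAMPLE_KEYTAB = build_keytab("HTTP/bbb.xxx.yyy.fi@XXX.YYY.FI", 6, 23, b"\x00" * 16)  # constructed; 23 = rc4-hmac, KVNO 6 as in the thread
```

Run it against the real keytab with `read_keytab(open(path, "rb").read())` and compare the listed principal with every place the SPN is configured (login-config.xml, login.conf, jcifsServicePrincipal).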

 

________________________________

From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
On Behalf Of Adam Rybicki
Sent: 14 December 2007 19:07
To: Yale CAS mailing list
Subject: Re: Cas - kerberos - Lifery - JBoss config, help needed


Antoni,

If I am reading your detailed note correctly, you are trying to perform
Kerberos authentication to each service.  This may be possible, but I
have never tried it myself.  Since nobody else has replied yet, let me
try to tell you what I have done successfully.

Using the CAS JAAS module
(http://www.ja-sig.org/wiki/display/CASUM/JAAS), I was able to configure
CAS to authenticate to AD using Kerberos.  From that point on, I can use
CAS protocol, not Kerberos, to authenticate services to CAS.  So, this
may not be what you were looking for, but my goal was to use CAS
"natively" after establishing that the user supplied valid Kerberos
credentials.

There is a valid follow-up to authenticating to AD or another Kerberos
server this way: what happens to the Kerberos ticket that is issued to
CAS?  Should this ticket be invalidated?  If so, when?  That is, right
after successful authentication or when the user logs out of CAS?  These
questions can only be addressed by someone who knows more about Kerberos
than I do.

Adam

Alatalo Antoni wrote: 

	Hi, 
	Here is the same content as in my post to: 
	http://www.nabble.com/Cas---kerberos---Lifery---JBoss-config-2C-help-needed-to14314939.html#a14314939

	For the last few days I did try to set up JBoss, Liferay and CAS to
authenticate users by Kerberos. I did follow the instructions from
http://www.ja-sig.org/wiki/display/CASUM/SPNEGO and many other sites.

	Nothing helps. 
	CAS gets an NTLM token, not Kerberos, and because of that it doesn't
work. 
	The platform is Windows 2003. 

	c:\windows\krb.ini
	[libdefaults]
	    default_realm = XXX.YYY.FI
	    default_keytab_name = FILE:C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab
	    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
	    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
	    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
	    dns_lookup_realm = false
	    dns_lookup_kdc = false

	[realms]
	    XXX.YYY.FI = {
	        kdc = aaa.xxx.yyy.fi:88
	        keytab_name = FILE:C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab
	        kdc_ports = 750,88
	        kdc_addrs = aaa.xxx.yyy.fi
	        default_domain = bbb.xxx.yyy.fi
	    };
	[domain_realm]
	    bbb.xxx.yyy.fi = XXX.YYY.FI
	    .bbb.xxx.yyy.fi = XXX.YYY.FI
	#[appdefaults]
	    autologin = true
	    forward = true
	    forwardable = true
	    encrypt = true

	This file works fine:
	C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF>%JAVA_HOME%\bin\kinit -k -t C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab HTTP/bbb.xxx.yyy.fi@XXX.YYY.FI
	New ticket is stored in cache file C:\Documents and Settings\wmanaaa\krb5cc_xxx

	C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF>%JAVA_HOME%\bin\klist
	Credentials cache: C:\Documents and Settings\xxx\krb5cc_xxx
	Default principal: HTTP/bbb.xxx.yyy.fi@XXX.YYY.FI, 1 entry found.

	[1]  Service Principal:  krbtgt/XXX.YYY.FI@XXX.YYY.FI
	     Valid starting:  Dec 13, 2007 10:12
	     Expires:         Dec 13, 2007 20:12

	C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF>%JAVA_HOME%\bin\klist -k
	Key tab: C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab, 1 entry found.
	[1] Service principal: HTTP/bbb.xxx.yyy.fi@XXX.YYY.FI
	         KVNO: 6

	So the next step is configuring CAS. All instructions from
http://www.ja-sig.org/wiki/display/CASUM/SPNEGO are followed exactly.
Only login.conf is modified:

	jcifs.spnego.initiate {
	    com.sun.security.auth.module.Krb5LoginModule
	    required
	    debug=true
	    useKeyTab=true
	    doNotPrompt=true
	    keyTab="C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab"
	    realm=XXX.YYY.FI
	    principal=HTTP/bbb.xxx.yyy.fi@XXX.YYY.FI
	    storeKey=true;
	};
	jcifs.spnego.accept {
	    com.sun.security.auth.module.Krb5LoginModule
	    required
	    debug=true
	    useKeyTab=true
	    doNotPrompt=true
	    keyTab="C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab"
	    realm=XXX.YYY.FI
	    principal=HTTP/bbb.xxx.yyy.fi@XXX.YYY.FI
	    storeKey=true;
	};

	The deployerConfigContext.xml at the end:
	<bean name="jcifsConfig"
	      class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
	  <property name="jcifsServicePrincipal" value="HTTP/bbb.xxx.yyy.fi@XXX.YYY.FI" />
	  <property name="jcifsServicePassword" value="xxxxxxxx" />
	  <property name="kerberosDebug" value="true" />
	  <property name="kerberosRealm" value="XXX.YYY.FI" />
	  <property name="kerberosKdc" value="123.123.123.123" />
	  <property name="loginConf" value="/WEB-INF/login.conf" />
	</bean>

	The "other" login module is added to JBoss's login-config.xml.
To the run.bat of JBoss is added:
	set JAVA_OPTS=%JAVA_OPTS% -Djava.security.krb5.conf="C:/windows/krb5.ini"

	All seems to be fine, but it still doesn't work.
	10:56:17,148 INFO  [STDOUT] 2007-12-13 10:56:17,148 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler failed to authenticate the user which provided the following credentials: Principal is null>

	The problem is here:
	jcifs.spnego.Authentication
	private void processNtlm(byte[] token) throws AuthenticationException {
	        byte[] challenge = null;
	        try {
	            switch (token[8]) {
	            case 1:
	                if (client) {
	                    throw new AuthenticationException(
	                            "NTLM Type 1 message received by client.");
	                }
	                challenge = SmbSession.getChallenge(getDomainController());
	                nextToken = new Type2Message(new Type1Message(token),
	                        challenge, null).toByteArray();
	                break;
	        .......
	            case 3:
	                if (client) {
	                    throw new AuthenticationException(
	                            "NTLM Type 3 message received by client.");
	                } ....

	The NTLM type is always "1", and it should be 3.

	I can't figure out what I should do next. 

	Thank you in advance for any help. 

	Antoni Alatalo
	_________________________________________ 
	WM-data a LogicaCMG company 
	Karvaamokuja 2
	PL 38
	00381 Helsinki
	T: 010 302 010
	M: 040 583 1097
	F: 010 302 011
	E: antoni.alatalo at wmdata.fi
	www.logicacmg.fi

	
________________________________


	_______________________________________________
	Yale CAS mailing list
	cas at tp.its.yale.edu
	http://tp.its.yale.edu/mailman/listinfo/cas
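An added example, not part of the thread and not jcifs or CAS code: a Python helper that classifies what a browser actually put in its Authorization: Negotiate header, which is the first thing to check when the handler reports an NTLM Type 1 where a Kerberos ticket was expected. Raw NTLMSSP carries its message type at byte 8 (the byte processNtlm() switches on), and an SPNEGO NegTokenInit lists the client's preferred mechanism first in mechTypes. The sample headers are constructed in the block, not captured traffic.

```python
import base64
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                        # raw NTLM message header
SPNEGO_OID = bytes.fromhex("06062b0601050502")            # DER OID 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")        # DER OID 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")     # DER OID 1.2.840.48018.1.2.2 (MS Kerberos)
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")   # DER OID 1.3.6.1.4.1.311.2.2.10
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def _gss_mech_oid(token):  # mechanism OID of a GSS-API InitialContextToken (RFC 2743, tag 0x60)
    if not token or token[0] != 0x60:
        return None
    i, n = 2, token[1]
    if n & 0x80:                                  # long-form DER length: skip its octets
        i += n & 0x7F
    if i + 1 >= len(token) or token[i] != 0x06:
        return None
    return token[i:i + 2 + token[i + 1]]

def classify_negotiate_token(header_value):
    """Say what the Authorization header carries, as the jcifs handler would see it."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not Negotiate: scheme is " + scheme
    token = base64.b64decode(b64)
    if token.startswith(NTLMSSP_SIGNATURE):
        t = token[8]                              # the byte processNtlm() switches on
        return "raw NTLM type %d (%s)" % (t, NTLM_TYPES.get(t, "unknown"))
    if _gss_mech_oid(token) != SPNEGO_OID:
        return "unrecognised token"
    # The first OID in mechTypes is the mechanism the client prefers and built its mechToken for.
    mechs = [(token.find(o), name) for o, name in
             ((KRB5_OID, "Kerberos"), (MS_KRB5_OID, "Kerberos"), (NTLMSSP_OID, "NTLM")) if o in token]
    pref = min(mechs)[1] if mechs else "unknown mech"
    if pref == "NTLM" and NTLMSSP_SIGNATURE in token:
        pref += " type %d" % token[token.find(NTLMSSP_SIGNATURE) + 8]
    return "SPNEGO NegTokenInit preferring " + pref

def _der(tag, body):                              # short-form DER TLV, enough for the samples
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def spnego_sample(mech_oid, mech_token):
    """Constructed NegTokenInit: [0] SEQUENCE { mechTypes [0], mechToken [2] } under the 0x60 wrapper."""
    body = _der(0xA0, _der(0x30, mech_oid)) + _der(0xA2, _der(0x04, mech_token))
    return "Negotiate " + base64.b64encode(_der(0x60, SPNEGO_OID + _der(0xA0, _der(0x30, body)))).decode()

# Constructed headers, not captured traffic: NTLM fallback (what the thread saw) versus a Kerberos ticket.
NTLM_TYPE1 = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 16
RAW_NTLM_HEADER = "Negotiate " + base64.b64encode(NTLM_TYPE1).decode()
SPNEGO_NTLM_HEADER = spnego_sample(NTLMSSP_OID, NTLM_TYPE1)
SPNEGO_KRB5_HEADER = spnego_sample(MS_KRB5_OID, _der(0x60, KRB5_OID + b"\x01\x00\x6e\x00"))  # 0x6e = AP-REQ
```

A browser falls back to NTLM when it cannot obtain a service ticket for the HTTP/<host> SPN it derives from the URL, so NTLM here points at the SPN registration, the keytab it maps to or the client's Kerberos setup rather than at the CAS handler itself.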
	  
