Cas - kerberos - Lifery - JBoss config, help needed
Alatalo Antoni
antoni.alatalo at wmdata.fi
Wed Dec 19 08:29:05 EST 2007
Hi, all.
The problem is found.
The default configuration as explained in
http://www.ja-sig.org/wiki/display/CASUM/SPNEGO works pretty well.
ONLY ONE thing, and it should be mentioned there in a huge font size:
"KERBEROS DOES NOT WORK FROM A BROWSER THAT IS ON THE SAME COMPUTER
AS THE CAS SERVER!!!" (the same thing is explained here:
http://forum.java.sun.com/thread.jspa?threadID=5229610&tstart=0)
After I tried authentication from another computer, everything started
working.
CAS site administrator, please put this warning on the
http://www.ja-sig.org/wiki/display/CASUM/SPNEGO page. It will help a
lot of developers.
Best regards,
Antoni
________________________________
From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
On Behalf Of Alatalo Antoni
Sent: 19 December 2007 12:55
To: Yale CAS mailing list
Subject: RE: Cas - kerberos - Lifery - JBoss config, help needed
Hi,
The problem is that JaasAuthenticationHandler is never reached. Even
the whole AuthenticationManagerImpl is never called.
The application always goes first to the logic as it is in the webflow.
What should be placed in the login-webflow to make it work? Or what else
can I try?
Regards,
Antoni
________________________________
From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
On Behalf Of Adam Rybicki
Sent: 18 December 2007 19:37
To: Yale CAS mailing list
Subject: Re: Cas - kerberos - Lifery - JBoss config, help needed
Hi,
I think your JBoss-specific JAAS configuration is not necessary for CAS.
I remember having to take the following steps to configure CAS 3.1 to
perform Kerberos authentication:
* In deployerConfigContext.xml I configured the
JaasAuthenticationHandler like this:
<bean class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler">
    <property name="realm" value="CAS"/>
</bean>
* I supplied a valid jaas.conf file that looks like this (notice
the matching "CAS" realm):
CAS {
    com.sun.security.auth.module.Krb5LoginModule required
        debug=false;
};
* And then I also supplied a valid krb5.conf (Linux, Unix) or
krb5.ini (Windows) file using the java.security.krb5.conf system
property using the -D command-line option just like you did. I am not
including my krb5.conf here because it would be completely different
from yours, and I am sure you know how to configure yours.
Note that this does not rely on the Web container authentication, and I
think that this may be where you are having difficulty.
Adam
Alatalo Antoni wrote:
Hi,
Thank you for your reply.
As I understand it, you suggest that CAS takes the ticket from the server's
JAAS. OK, that's enough for me.
What I just did, and it is still not working:
In JBoss conf/login-config.xml I put
<application-policy name="other">
    <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
            <module-option name="storeKey">true</module-option>
            <module-option name="keyTab">C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab</module-option>
            <module-option name="useKeyTab">true</module-option>
            <module-option name="doNotPrompt">true</module-option>
            <module-option name="principal">HTTP/aaa.xxx.yyy.fi@XXX.YYY.FI</module-option>
            <module-option name="realm">XXX.YYY.FI</module-option>
            <module-option name="debug">true</module-option>
        </login-module>
    </authentication>
</application-policy>
Also, in the JBoss run.bat script:
set JAVA_OPTS=%JAVA_OPTS% -Djava.security.krb5.conf="C:/windows/krb5.ini"
There is only one authenticationHandler in the
deployerConfigContext.xml file:
<bean id="authenticationManager"
      class="org.jasig.cas.authentication.AuthenticationManagerImpl">
    <property name="credentialsToPrincipalResolvers">
        <list>
            <!-- ... the other credentialsToPrincipalResolvers ... -->
            <bean class="org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver" />
        </list>
    </property>
    <property name="authenticationHandlers">
        <list>
            <bean class="org.jasig.cas.authentication.handler.support.JaasAuthenticationHandler">
            </bean>
            <!-- ... the other authenticationHandlers ... -->
        </list>
    </property>
</bean>
No other changes are made to the CAS default configurations.
While debugging I set a breakpoint in the Krb5LoginModule class, but
when using the application, execution never reaches those breakpoints.
What should I do to get this configuration to work? Should I, for
example, protect all URLs in the web.xml of CAS?
Regards,
Antoni
________________________________
From: cas-bounces at tp.its.yale.edu
[mailto:cas-bounces at tp.its.yale.edu] On Behalf Of Adam Rybicki
Sent: 14 December 2007 19:07
To: Yale CAS mailing list
Subject: Re: Cas - kerberos - Lifery - JBoss config, help needed
Antoni,
If I am reading your detailed note correctly, you are trying to
perform Kerberos authentication to each service. This may be possible,
but I have never tried it myself. Since nobody else has replied yet,
let me try to tell you what I have done successfully.
Using the CAS JAAS module
(http://www.ja-sig.org/wiki/display/CASUM/JAAS), I was able to configure
CAS to authenticate to AD using Kerberos. From that point on, I can use
the CAS protocol, not Kerberos, to authenticate services to CAS. So, this
may not be what you were looking for, but my goal was to use CAS
"natively" after establishing that the user supplied valid Kerberos
credentials.
There is a valid follow-up to authenticating to AD or another
Kerberos server this way: what happens to the Kerberos ticket that is
issued to CAS? Should this ticket be invalidated? If so, when? That
is, right after successful authentication or when the user logs out of
CAS? These questions can only be addressed by someone who knows more
about Kerberos than I do.
Adam
Alatalo Antoni wrote:
Hi,
Here is the same content as in my post to:
http://www.nabble.com/Cas---kerberos---Lifery---JBoss-config-2C-help-needed-to14314939.html#a14314939
For the last few days I have been trying to set up JBoss,
Liferay and CAS to authenticate users by Kerberos. I followed the
instructions from http://www.ja-sig.org/wiki/display/CASUM/SPNEGO
and many other sites. Nothing helps.
CAS gets an NTLM token, not Kerberos, and because of that
it doesn't work.
The platform is Windows 2003.
c:\windows\krb.ini
[libdefaults]
    default_realm = XXX.YYY.FI
    default_keytab_name = FILE:C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab
    default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
    dns_lookup_realm = false
    dns_lookup_kdc = false
[realms]
    XXX.YYY.FI = {
        kdc = aaa.xxx.yyy.fi:88
        keytab_name = FILE:C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab
        kdc_ports = 750,88
        kdc_addrs = aaa.xxx.yyy.fi
        default_domain = bbb.xxx.yyy.fi
    };
[domain_realm]
    bbb.xxx.yyy.fi = XXX.YYY.FI
    .bbb.xxx.yyy.fi = XXX.YYY.FI
#[appdefaults]
    autologin = true
    forward = true
    forwardable = true
    encrypt = true
This file works fine:
C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF>%JAVA_HOME%\bin\kinit -k -t C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab HTTP/bbb.xxx.yyy.fi@XXX.YYY.FI
New ticket is stored in cache file C:\Documents and Settings\wmanaaa\krb5cc_xxx
C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF>%JAVA_HOME%\bin\klist
Credentials cache: C:\Documents and Settings\xxx\krb5cc_xxx
Default principal: HTTP/bbb.xxx.yyy.fi@XXX.YYY.FI, 1 entry found.
[1] Service Principal: krbtgt/XXX.YYY.FI@XXX.YYY.FI
    Valid starting: Dec 13, 2007 10:12
    Expires: Dec 13, 2007 20:12
C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF>%JAVA_HOME%\bin\klist -k
Key tab: C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab, 1 entry found.
[1] Service principal: HTTP/bbb.xxx.yyy.fi@XXX.YYY.FI
    KVNO: 6
So the next step is configuring CAS. All instructions
from http://www.ja-sig.org/wiki/display/CASUM/SPNEGO are followed exactly.
Only login.conf is modified:
jcifs.spnego.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
        debug=true
        useKeyTab=true
        doNotPrompt=true
        keyTab="C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab"
        realm=XXX.YYY.FI
        principal=HTTP/bbb.xxx.yyy.fi@XXX.YYY.FI
        storeKey=true;
};
jcifs.spnego.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        debug=true
        useKeyTab=true
        doNotPrompt=true
        keyTab="C:\liferay\liferay-jboss-4.2-4.3.3\server\default\deploy\cas-web.war\WEB-INF\spnaccount.keytab"
        realm=XXX.YYY.FI
        principal=HTTP/bbb.xxx.yyy.fi@XXX.YYY.FI
        storeKey=true;
};
The deployerConfigContext.xml at the end:
<bean name="jcifsConfig"
      class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
    <property name="jcifsServicePrincipal" value="HTTP/bbb.xxx.yyy.fi@XXX.YYY.FI" />
    <property name="jcifsServicePassword" value="xxxxxxxx" />
    <property name="kerberosDebug" value="true" />
    <property name="kerberosRealm" value="XXX.YYY.FI" />
    <property name="kerberosKdc" value="123.123.123.123" />
    <property name="loginConf" value="/WEB-INF/login.conf" />
</bean>
The "other" login module is added to JBoss's
login-config.xml. To the run.bat of JBoss is added:
set JAVA_OPTS=%JAVA_OPTS% -Djava.security.krb5.conf="C:/windows/krb5.ini"
All seems to be fine, but it still doesn't work.
10:56:17,148 INFO [STDOUT] 2007-12-13 10:56:17,148 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler failed to authenticate the user which provided the following credentials: Principal is null>
The problem is here, in jcifs.spnego.Authentication:
private void processNtlm(byte[] token) throws AuthenticationException {
    byte[] challenge = null;
    try {
        switch (token[8]) {
        case 1:
            if (client) {
                throw new AuthenticationException(
                        "NTLM Type 1 message received by client.");
            }
            challenge = SmbSession.getChallenge(getDomainController());
            nextToken = new Type2Message(new Type1Message(token),
                    challenge, null).toByteArray();
            break;
        .......
        case 3:
            if (client) {
                throw new AuthenticationException(
                        "NTLM Type 3 message received by client.");
            } ....
The NTLM type is always "1", and it should be 3.
I can't figure out what I should do next.
Thank you in advance for any help.
Antoni Alatalo
_________________________________________
WM-data a LogicaCMG company
Karvaamokuja 2
PL 38
00381 Helsinki
T: 010 302 010
M: 040 583 1097
F: 010 302 011
E: antoni.alatalo at wmdata.fi
www.logicacmg.fi
________________________________
_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas
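The thread turns on what the browser actually sent: jcifs reads the NTLM message type at token[8] and keeps seeing Type 1, and the final message reports that a browser on the CAS host itself never produces a Kerberos token. The classifier below is an added example, not code from the thread, CAS or jcifs: it decodes an Authorization: Negotiate header value and reports whether it carries raw NTLMSSP (and which message type) or a SPNEGO NegTokenInit and which mechanism that token prefers, which is the first thing worth logging when CAS reports "Principal is null". The OID constants and the little-endian type field at offset 8 follow the SPNEGO and NTLMSSP specifications; build_spnego_init and encode_header are helpers that construct sample tokens and are assumptions of this example.

```python
"""Classify what a client actually sent in an Authorization: Negotiate header."""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"          # raw NTLMSSP messages start with this
# DER-encoded mechanism OIDs (tag 0x06, length, value)
SPNEGO_OID = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {KRB5_OID: "kerberos", MS_KRB5_OID: "ms-kerberos", NTLMSSP_OID: "ntlmssp"}
NTLM_TYPES = {1: "ntlm-type1-negotiate", 2: "ntlm-type2-challenge", 3: "ntlm-type3-authenticate"}

def classify_negotiate_token(header_value: str) -> str:
    """Return a label describing the token carried in an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unsupported-scheme"
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return "malformed-base64"
    if token.startswith(NTLMSSP_SIGNATURE):
        # Raw NTLMSSP: MessageType is a little-endian uint32 at offset 8,
        # the same byte jcifs inspects with token[8].
        if len(token) < 12:
            return "ntlm-truncated"
        return NTLM_TYPES.get(struct.unpack_from("<I", token, 8)[0], "ntlm-unknown-type")
    if token[:1] == b"\x60" and SPNEGO_OID in token[:16]:
        # GSS-API InitialContextToken wrapping SPNEGO; the preferred mechanism is the
        # first entry of mechTypes, i.e. the first mech OID after the SPNEGO OID.
        start = token.index(SPNEGO_OID) + len(SPNEGO_OID)
        hits = {token.index(oid, start): name for oid, name in MECH_NAMES.items() if oid in token[start:]}
        return "spnego-" + (hits[min(hits)] if hits else "unknown-mech")
    return "unknown-token"

def build_spnego_init(mech_oid: bytes) -> bytes:
    """Constructed minimal NegTokenInit (mechTypes only) inside its GSS-API wrapper."""
    def tlv(tag: int, body: bytes) -> bytes:   # short-form DER lengths suffice here
        return bytes([tag, len(body)]) + body
    neg_token_init = tlv(0xA0, tlv(0x30, tlv(0xA0, tlv(0x30, mech_oid))))
    return tlv(0x60, SPNEGO_OID + neg_token_init)

def encode_header(token: bytes, scheme: str = "Negotiate") -> str:
    """Wrap a raw token the way a browser does in the Authorization header."""
    return scheme + " " + base64.b64encode(token).decode("ascii")
```

A "ntlm-type1-negotiate" or "spnego-ntlmssp" result on the CAS login request means the client never obtained a Kerberos service ticket for the HTTP/ principal, so the SPNEGO handler has nothing to validate regardless of how the keytab and krb5 configuration look.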