SPNEGO Handler Error
Thomas Würth
wuerth at mail.fh-ulm.de
Sat Feb 9 11:27:51 EST 2008
Dear Arnaud,
Thanks for your help. It was a build error.
Now the CAS Server is running without an error. I did all the kinit and
klist steps, also all the steps under "Set Up CAS". If I open
http://i-da-04.tw.local/cas/login, the 401 Login window pops up. But if
I enter username and password I receive only an Internet Explorer error
page. Below are my kinit and klist steps, followed by the CAS log,
jcifsConfig bean and krb5.ini.
Any idea how to solve this?
Thanks and Regards
Thomas
creating the krb5.keytab:
ktpass.exe -out c:/winnt/krb5.keytab -princ
HTTP/i-da-04.tw.local at TW.LOCAL -pass * -mapuser tw\test -ptype
krb5_nt_principal -crypto rc4-hmac-nt
Targeting domain controller: i-da-01.tw.local
Successfully mapped HTTP/i-da-04.tw.local to test.
Type the password for HTTP/i-da-04.tw.local:
Type the password again to confirm:
Key created.
Output keytab to c:/winnt/krb5.keytab:
Keytab version: 0x502
keysize 65 HTTP/i-da-04.tw.local at TW.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x17 (RC4-HMAC) keylength 16 (0x7655e7e74aea36476bdf3d21de2e7fd3)
Then verify that the keytab file can be read:
klist.exe -k
Key tab: c:\winnt\krb5.keytab, 1 entry found.
[1] Service principal: HTTP/i-da-04.tw.local at TW.LOCAL
KVNO: 2
kinit.exe administrator at TW.LOCAL
Password for administrator at TW.LOCAL:geheim
New ticket is stored in cache file C:\Documents and Settings\Administrator.TW\krb5cc_administrator
klist
Credentials cache: C:\Documents and Settings\Administrator.TW\krb5cc_administrator
Default principal: administrator at TW.LOCAL, 1 entry found.
[1] Service Principal: krbtgt/TW.LOCAL at TW.LOCAL
Valid starting: Feb 09, 2008 16:47
Expires: Feb 10, 2008 02:47
Here is the log:
2008-02-09 15:59:09,529 DEBUG
[org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig]
- jcifsServicePrincipal is set to HTTP/i-da-04.tw.local at TW
2008-02-09 15:59:09,529 DEBUG
[org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig]
- jcifsServicePassword is set to *****
2008-02-09 15:59:09,529 DEBUG
[org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig]
- kerberosDebug is set to : false
2008-02-09 15:59:09,529 DEBUG
[org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig]
- kerberosRealm is set to :TW
2008-02-09 15:59:09,529 DEBUG
[org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig]
- kerberosKdc is set to : i-da-01.tw.local
2008-02-09 15:59:09,529 DEBUG
[org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig]
- configured login configuration path :
C:/tomcat/webapps/cas/WEB-INF/login.conf
2008-02-09 15:59:14,247 DEBUG
[org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController]
- Found action method [public
org.springframework.web.servlet.ModelAndView
org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController.deleteRegisteredService(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)]
2008-02-09 15:59:14,247 DEBUG
[org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController]
- Found action method [public
org.springframework.web.servlet.ModelAndView
org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController.manage(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)]
2008-02-09 15:59:14,388 INFO
[org.jasig.cas.web.flow.AuthenticationViaFormAction] - FormObjectClass
not set. Using default class of
org.jasig.cas.authentication.principal.UsernamePasswordCredentials with
formObjectName credentials and validator
org.jasig.cas.validation.UsernamePasswordCredentialsValidator.
2008-02-09 15:59:20,435 DEBUG
[org.jasig.cas.web.flow.InitialFlowSetupAction] - Action
'InitialFlowSetupAction' beginning execution
2008-02-09 15:59:20,435 INFO
[org.jasig.cas.web.flow.InitialFlowSetupAction] - Setting ContextPath
for cookies to: /cas
2008-02-09 15:59:20,451 DEBUG
[org.jasig.cas.web.flow.InitialFlowSetupAction] - Action
'InitialFlowSetupAction' completed execution; result is 'success'
2008-02-09 15:59:20,482 DEBUG
[org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction]
- Action 'SpnegoNegociateCredentialsAction' beginning execution
2008-02-09 15:59:20,482 DEBUG
[org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction]
- Authorization header not found. Sending WWW-Authenticate header
2008-02-09 15:59:20,482 DEBUG
[org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction]
- Action 'SpnegoNegociateCredentialsAction' completed execution; result
is 'success'
2008-02-09 15:59:20,482 DEBUG
[org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action
'SpnegoCredentialsAction' beginning execution
2008-02-09 15:59:20,482 DEBUG
[org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action
'SpnegoCredentialsAction' completed execution; result is 'error'
2008-02-09 15:59:20,482 DEBUG
[org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action
'AuthenticationViaFormAction' beginning execution
2008-02-09 15:59:20,482 DEBUG
[org.jasig.cas.web.flow.AuthenticationViaFormAction] - Executing setupForm
2008-02-09 15:59:20,482 DEBUG
[org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new form
object with name 'credentials'
2008-02-09 15:59:20,482 DEBUG
[org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new
instance of form object class [class
org.jasig.cas.authentication.principal.UsernamePasswordCredentials]
2008-02-09 15:59:20,482 DEBUG
[org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form
object of type [class
org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in
scope Flow with name 'credentials'
2008-02-09 15:59:20,482 DEBUG
[org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new form
errors for object with name 'credentials'
2008-02-09 15:59:20,497 DEBUG
[org.jasig.cas.web.flow.AuthenticationViaFormAction] - No property
editor registrar set, no custom editors to register
2008-02-09 15:59:20,544 DEBUG
[org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form
errors instance in scope Flash
2008-02-09 15:59:20,544 DEBUG
[org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action
'AuthenticationViaFormAction' completed execution; result is 'success'
2008-02-09 15:59:20,544 DEBUG
[org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action
'AuthenticationViaFormAction' beginning execution
2008-02-09 15:59:20,544 DEBUG
[org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action
'AuthenticationViaFormAction' completed execution; result is 'success'
2008-02-09 15:59:22,419 DEBUG
[org.jasig.cas.web.flow.InitialFlowSetupAction] - Action
'InitialFlowSetupAction' beginning execution
2008-02-09 15:59:22,419 DEBUG
[org.jasig.cas.web.flow.InitialFlowSetupAction] - Action
'InitialFlowSetupAction' completed execution; result is 'success'
2008-02-09 15:59:22,419 DEBUG
[org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction]
- Action 'SpnegoNegociateCredentialsAction' beginning execution
2008-02-09 15:59:22,419 DEBUG
[org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction]
- Action 'SpnegoNegociateCredentialsAction' completed execution; result
is 'success'
2008-02-09 15:59:22,419 DEBUG
[org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action
'SpnegoCredentialsAction' beginning execution
2008-02-09 15:59:22,419 DEBUG
[org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - SPNEGO
Authorization header found with 68 bytes
2008-02-09 15:59:22,419 DEBUG
[org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] -
Obtained token: NTLMSSP
Here is the jcifsConfig bean:
<bean name="jcifsConfig"
class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
<property name="jcifsServicePrincipal"
value="HTTP/i-da-04.tw.local at TW.LOCAL" />
<property name="jcifsServicePassword" value="geheim" />
<property name="kerberosDebug" value="false" />
<property name="kerberosRealm" value="TW.LOCAL" />
<property name="kerberosKdc" value="192.168.0.1" />
<property name="loginConf"
value="C:/tomcat/webapps/cas/WEB-INF/login.conf" />
</bean>
Here is the krb5.ini:
[libdefaults]
ticket_lifetime = 24000
default_realm = TW.LOCAL
default_keytab_name = c:/winnt/krb5.keytab
dns_lookup_realm = true
dns_lookup_kdc = true
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[realms]
TW.LOCAL = {
kdc = i-da-01.tw.local:88
}
[domain_realm]
.tw.local = TW.LOCAL
tw.local = TW.LOCAL
Arnaud Lesueur wrote:
> Thomas,
>
> I guess you are not following every step of the cas user manual. Once
> you have modified your config files, you need to rebuild the cas webapp
> using mvn package command in the cas webapp folder.
>
> Using this step, you will get a new cas.war with all wanted files such
> as in your case :
> - cas-server-support-spnego-XXX.jar
> - jcifs-XXX.jar
> - jcifs-ext-XXX.jar
>
> Regards,
>
> -Arnaud