SPNEGO Handler Error

Alatalo Antoni antoni.alatalo at wmdata.fi
Mon Feb 11 04:49:01 EST 2008


Hi,
Try it from another computer. In my case SPNEGO didn't work from the same computer where the CAS server was installed.


Regards,
Antoni

-----Original Message-----
From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] On Behalf Of Thomas Würth
Sent: 9 February 2008 18:28
To: Yale CAS mailing list
Subject: Re: SPNEGO Handler Error

Dear Arnaud,

thanks for your help. It was a build error.
Now the CAS Server is running without an error. I did all the kinit and klist steps, and also all the steps under "Set Up CAS". If I open http://i-da-04.tw.local/cas/login, the 401 login window pops up. But if I enter the username and password I receive only an Internet Explorer error page. Below are my kinit and klist steps, followed by the CAS log, jcifsConfig bean and krb5.ini.

Any idea how to solve this?

Thanks and Regards

Thomas


Creating the krb5.keytab:
ktpass.exe -out c:/winnt/krb5.keytab -princ HTTP/i-da-04.tw.local@TW.LOCAL -pass * -mapuser tw\test -ptype krb5_nt_principal -crypto rc4-hmac-nt
Targeting domain controller: i-da-01.tw.local
Successfully mapped HTTP/i-da-04.tw.local to test.
Type the password for HTTP/i-da-04.tw.local:
Type the password again to confirm:
Key created.
Output keytab to c:/winnt/krb5.keytab:
Keytab version: 0x502
keysize 65 HTTP/i-da-04.tw.local@TW.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x17 (RC4-HMAC) keylength 16 (0x7655e7e74aea36476bdf3d21de2e7fd3)


Then verify that the keytab file can be read:
klist.exe -k
Key tab: c:\winnt\krb5.keytab, 1 entry found.
[1] Service principal: HTTP/i-da-04.tw.local@TW.LOCAL
          KVNO: 2

kinit.exe administrator@TW.LOCAL
Password for administrator@TW.LOCAL:geheim
New ticket is stored in cache file C:\Documents and Settings\Administrator.TW\krb5cc_administrator

klist
Credentials cache: C:\Documents and Settings\Administrator.TW\krb5cc_administrator
Default principal: administrator@TW.LOCAL, 1 entry found.

[1]  Service Principal:  krbtgt/TW.LOCAL@TW.LOCAL
      Valid starting:  Feb 09, 2008 16:47
      Expires:         Feb 10, 2008 02:47





Here is the log:

2008-02-09 15:59:09,529 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - jcifsServicePrincipal is set to HTTP/i-da-04.tw.local@TW
2008-02-09 15:59:09,529 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - jcifsServicePassword is set to *****
2008-02-09 15:59:09,529 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - kerberosDebug is set to : false
2008-02-09 15:59:09,529 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - kerberosRealm is set to :TW
2008-02-09 15:59:09,529 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - kerberosKdc is set to : i-da-01.tw.local
2008-02-09 15:59:09,529 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - configured login configuration path : C:/tomcat/webapps/cas/WEB-INF/login.conf
2008-02-09 15:59:14,247 DEBUG [org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController] - Found action method [public org.springframework.web.servlet.ModelAndView org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController.deleteRegisteredService(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)]
2008-02-09 15:59:14,247 DEBUG [org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController] - Found action method [public org.springframework.web.servlet.ModelAndView org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController.manage(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)]
2008-02-09 15:59:14,388 INFO [org.jasig.cas.web.flow.AuthenticationViaFormAction] - FormObjectClass not set.  Using default class of org.jasig.cas.authentication.principal.UsernamePasswordCredentials with formObjectName credentials and validator org.jasig.cas.validation.UsernamePasswordCredentialsValidator.
2008-02-09 15:59:20,435 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Action 'InitialFlowSetupAction' beginning execution
2008-02-09 15:59:20,435 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - Setting ContextPath for cookies to: /cas
2008-02-09 15:59:20,451 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Action 'InitialFlowSetupAction' completed execution; result is 'success'
2008-02-09 15:59:20,482 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - Action 'SpnegoNegociateCredentialsAction' beginning execution
2008-02-09 15:59:20,482 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - Authorization header not found.  Sending WWW-Authenticate header
2008-02-09 15:59:20,482 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - Action 'SpnegoNegociateCredentialsAction' completed execution; result is 'success'
2008-02-09 15:59:20,482 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' beginning execution
2008-02-09 15:59:20,482 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' completed execution; result is 'error'
2008-02-09 15:59:20,482 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
2008-02-09 15:59:20,482 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Executing setupForm
2008-02-09 15:59:20,482 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new form object with name 'credentials'
2008-02-09 15:59:20,482 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new instance of form object class [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials]
2008-02-09 15:59:20,482 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form object of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope Flow with name 'credentials'
2008-02-09 15:59:20,482 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Creating new form errors for object with name 'credentials'
2008-02-09 15:59:20,497 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - No property editor registrar set, no custom editors to register
2008-02-09 15:59:20,544 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Putting form errors instance in scope Flash
2008-02-09 15:59:20,544 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
2008-02-09 15:59:20,544 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' beginning execution
2008-02-09 15:59:20,544 DEBUG [org.jasig.cas.web.flow.AuthenticationViaFormAction] - Action 'AuthenticationViaFormAction' completed execution; result is 'success'
2008-02-09 15:59:22,419 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Action 'InitialFlowSetupAction' beginning execution
2008-02-09 15:59:22,419 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Action 'InitialFlowSetupAction' completed execution; result is 'success'
2008-02-09 15:59:22,419 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - Action 'SpnegoNegociateCredentialsAction' beginning execution
2008-02-09 15:59:22,419 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - Action 'SpnegoNegociateCredentialsAction' completed execution; result is 'success'
2008-02-09 15:59:22,419 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' beginning execution
2008-02-09 15:59:22,419 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - SPNEGO Authorization header found with 68 bytes
2008-02-09 15:59:22,419 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Obtained token: NTLMSSP


Here is the bean jcifsConfig:
<bean name="jcifsConfig"
      class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
   <property name="jcifsServicePrincipal" value="HTTP/i-da-04.tw.local@TW.LOCAL" />
   <property name="jcifsServicePassword" value="geheim" />
   <property name="kerberosDebug" value="false" />
   <property name="kerberosRealm" value="TW.LOCAL" />
   <property name="kerberosKdc" value="192.168.0.1" />
   <property name="loginConf" value="C:/tomcat/webapps/cas/WEB-INF/login.conf" />
</bean>

Here is the krb5.ini:
[libdefaults]
  ticket_lifetime = 24000
  default_realm = TW.LOCAL
  default_keytab_name = c:/winnt/krb5.keytab
  dns_lookup_realm = true
  dns_lookup_kdc = true
  default_tkt_enctypes = rc4-hmac
  default_tgs_enctypes = rc4-hmac

[realms]
         TW.LOCAL = {
                 kdc = i-da-01.tw.local:88
         }

[domain_realm]
  .tw.local = TW.LOCAL
  tw.local = TW.LOCAL



Arnaud Lesueur wrote:
> Thomas,
> 
> I guess you are not following every step of the cas user manual. Once 
> you have modified your config files, you need to rebuild the cas 
> webapp using mvn package command in the cas webapp folder.
> 
> Using this step, you will get a new cas.war with all wanted files such 
> as in your case :
> - cas-server-support-spnego-XXX.jar
> - jcifs-XXX.jar
> - jcifs-ext-XXX.jar
> 
> Regards,
> 
> -Arnaud

_______________________________________________
Yale CAS mailing list
cas at tp.its.yale.edu
http://tp.its.yale.edu/mailman/listinfo/cas
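
The CAS log in this thread ends with "Obtained token: NTLMSSP", which means the Negotiate header carried a raw NTLM message rather than a SPNEGO-wrapped Kerberos ticket. The following diagnostic is an added example, not code from the thread or from CAS: it classifies an Authorization header value by its leading bytes. The function names and both sample tokens are constructed for illustration.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}


def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid-base64"
    # Raw NTLM: 8-byte signature, then a little-endian message type.
    if token.startswith(NTLM_SIGNATURE) and len(token) >= 12:
        (msg_type,) = struct.unpack_from("<I", token, 8)
        return "ntlm-" + NTLM_TYPES.get(msg_type, "unknown")
    # GSS-API initial token: 0x60, DER length, then the mechanism OID.
    if len(token) > 2 and token[0] == 0x60:
        body = 2 if token[1] < 0x80 else 2 + (token[1] & 0x7F)
        if token.startswith(KRB5_OID, body):
            return "kerberos"
        if token.startswith(SPNEGO_OID, body):
            if KRB5_OID in token:
                return "spnego-kerberos"
            return "spnego-ntlm" if NTLM_SIGNATURE in token else "spnego-other"
    return "unknown"


def _tlv(tag, content):
    """Encode a short-form DER TLV (sample construction only)."""
    return bytes([tag, len(content)]) + content


def sample_headers():
    """Constructed header values, not captured traffic."""
    ntlm_type1 = NTLM_SIGNATURE + struct.pack("<II", 1, 0xB207) + bytes(16)
    mech_list = _tlv(0xA0, _tlv(0x30, KRB5_OID))
    spnego = _tlv(0x60, SPNEGO_OID + _tlv(0xA0, _tlv(0x30, mech_list)))
    return {name: "Negotiate " + base64.b64encode(tok).decode("ascii")
            for name, tok in (("ntlm", ntlm_type1), ("spnego", spnego))}


if __name__ == "__main__":
    for name, value in sample_headers().items():
        print(name, "->", classify_negotiate(value))
```

A result starting with "ntlm-" on the first authenticated request corresponds to the NTLMSSP line in the log above; "spnego-kerberos" is what a client that obtained a service ticket for the HTTP principal would send.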


