Question on SpNego

Tom Healey healeyt at darden.virginia.edu
Mon Feb 11 09:03:29 EST 2008


Arnaud Lesueur <arnaud.lesueur at ...> writes:

> Thomas, finally, are you using the NTLM Handler or the SPNEGO Handler with the
> NTLM feature active?
> While there is no documentation on the NTLM handler in the wiki, you will have to
> dig in mailing lists and in the source code to get more information. For the
> SPNEGO handler, here are a few clues: in IE, if you're getting a prompt this means
> that the provided credentials have not been validated (this also corresponds to
> the error state on the spnego action). You will have more information with
> a debug level on org.jasig.cas.support.spnego. This will let you know if your
> browser is sending an NTLM token or a Kerberos token as a response to the HTTP
> 401 with the www-authenticate header. You might also need to turn on debug mode
> on the jcifsconfig bean (kerberosDebug parameter). I would also recommend you not
> to use the same box for the cas server and the user client browser.
> Regards,
> -Arnaud


Arnaud,
Thanks for your response. I appreciate your time.
My auth handler is the SPNEGO handler and defined as follows:
<bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler">
    <property name="authentication">
        <bean class="jcifs.spnego.Authentication"/>
    </property>
    <property name="principalWithDomainName" value="true"/>
    <property name="NTLMallowed" value="true"/>
</bean>

I am authing against AD and _could_ use kerberos but there isn't a lot of 
domain knowledge (no pun intended) with kerberos so we are using NTLM.
Also, the statement:
> a debug level on org.jasig.cas.support.spnego.
means enabling a logger in log4j.properties, right?

My login.conf looks like this.

jcifs.spnego.initiate {
    com.sun.security.auth.module.NTLoginModule required;
};
jcifs.spnego.accept {
    com.sun.security.auth.module.NTLoginModule required;
};
and my jcifsConfig is:

<bean name="jcifsConfig" class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
    <property name="jcifsServicePrincipal" value="HTTP/testcas@DARDEN.VIRGINIA.EDU"/>
    <property name="jcifsServicePassword" value="Tom12345"/>
    <property name="jcifsDomain" value="DARDEN.VIRGINIA.EDU"/>
    <property name="jcifsDomainController" value="C2.DARDEN.VIRGINIA.EDU"/>
    <property name="jcifsUsername" value="spnegouser"/>
    <property name="jcifsPassword" value="Tom12345"/>
    <property name="loginConf" value="/WEB-INF/login.conf"/>
    <property name="kerberosDebug" value="true"/>
</bean>

Would any other information be helpful to you to help solve this issue?

Thanks in advance for your time,
Tom Healey
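Arnaud's suggestion above is to use debug logging to learn whether the browser answers the 401 with an NTLM token or a Kerberos token. The following is an added example, not code from this thread or from CAS or jcifs, that makes the same determination directly from the Authorization header a browser sends: it base64-decodes the token and looks at the GSS-API mechanism OIDs (and the raw NTLMSSP signature) to report which mechanism the client chose. It is a header-level heuristic for diagnostics only and does not validate anything; the helper names (classify_negotiate_token, der, sample_neg_token_init) and the sample tokens are constructed here.

```python
import base64

# DER-encoded mechanism OIDs as they appear inside GSS-API / SPNEGO tokens.
SPNEGO_OID  = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID    = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2 (MS variant)
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLM_MAGIC  = b"NTLMSSP\x00"                             # raw NTLM message signature
MECHS = [("kerberos", KRB5_OID), ("kerberos", MS_KRB5_OID), ("ntlm", NTLMSSP_OID)]

def classify_negotiate_token(authorization_header: str) -> str:
    """Classify the token a browser sent in 'Authorization: Negotiate <base64>'.

    Returns 'ntlm' (raw NTLMSSP), 'kerberos' (raw GSS Kerberos AP-REQ),
    'spnego-kerberos' / 'spnego-ntlm' (NegTokenInit, preferred mech first),
    'spnego-other' or 'unknown'. Heuristic only: it identifies the mechanism
    the client chose, it does not validate the token.
    """
    scheme, _, b64 = authorization_header.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return "unknown"
    if token.startswith(NTLM_MAGIC):
        return "ntlm"                      # raw NTLM, no GSS wrapper at all
    if not token.startswith(b"\x60"):      # GSS-API InitialContextToken tag
        return "unknown"
    head = token[:16]                      # mech OID follows the outer length
    if SPNEGO_OID in head:
        # mechTypes lists mechanisms in preference order; report the first one.
        found = [(token.find(oid), name) for name, oid in MECHS if oid in token]
        return "spnego-" + min(found)[1] if found else "spnego-other"
    if KRB5_OID in head or MS_KRB5_OID in head:
        return "kerberos"
    return "unknown"

def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (short and long length forms) for the samples."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def negotiate_header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode()

def sample_neg_token_init(mech_oids) -> str:
    """Constructed NegTokenInit carrying only mechTypes, like a browser's first leg."""
    mech_types = der(0x30, b"".join(mech_oids))
    neg_init = der(0x30, der(0xA0, mech_types))
    return negotiate_header(der(0x60, SPNEGO_OID + der(0xA0, neg_init)))
```

Run it over the Authorization header captured from the browser (or printed by the spnego debug logger) to see at a glance whether the client is offering Kerberos or falling back to NTLM, which with NTLMallowed=true is what the handler ends up validating.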