CAS & Spnego is not working
Arnaud Lesueur
arnaud.lesueur at gmail.com
Sun Feb 17 14:01:34 EST 2008
Daniel,
Your browser is sending an NTLM token instead of a Kerberos token.
[org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Obtained
token: NTLMSSP?
You should check your Active Directory and your client configuration
(browser, Windows domain ...).
CAS Server and client browser should not be running on the same machine.
Regards,
-Arnaud
On Feb 15, 2008 9:07 AM, .Daniel. <daniel.neubacher at xing.com> wrote:
>
> Hello there,
> I'm totally new in the CAS world, so please go easy on me.
> I configured CAS as the SPNEGO manual described, but it's not working. When I
> visit the login site, CAS is logging some errors. I think there is maybe an
> error with my Kerberos token, but when I capture the network traffic while I
> visit the login screen, I don't see any connection to my DC. And it seems
> that CAS is totally ignoring my login.conf; it doesn't matter what conf dir I
> set...
>
> Here is my cas.log.... maybe someone can help me :(
>
>
> the login.conf part of my deployerConfigContext.xml:
>
> <bean name="jcifsConfig"
>       class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
>   <property name="jcifsServicePrincipal" value="HTTP/kuhlstation.xing.hh@XING.HH" />
>   <property name="jcifsServicePassword" value="*******" />
>   <property name="kerberosDebug" value="true" />
>   <property name="kerberosRealm" value="XING.HH" />
>   <property name="kerberosKdc" value="172.20.1.10" />
>   <property name="loginConf" value="/WEB-INF/login.conf" />
> </bean>
>
>
>
>
> cas.log after starting tomcat:
>
> 2008-02-13 16:34:51,819 WARN
> [
> org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler
> ]
> -
>
> org.jasig.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler
> is only to be used in a testing environment. NEVER enable this in a
> production environment.
> 2008-02-13 16:34:51,955 INFO [org.quartz.simpl.SimpleThreadPool] - Job
> execution threads will use class loader of thread: main
> 2008-02-13 16:34:51,977 INFO [org.quartz.core.QuartzScheduler] - Quartz
> Scheduler v.1.5.2 created.
> 2008-02-13 16:34:51,979 INFO [org.quartz.simpl.RAMJobStore] - RAMJobStore
> initialized.
> 2008-02-13 16:34:51,980 INFO [org.quartz.impl.StdSchedulerFactory] -
> Quartz
> scheduler 'DefaultQuartzScheduler' initialized from default resource file
> in
> Quartz package: 'quartz.properties'
> 2008-02-13 16:34:51,980 INFO [org.quartz.impl.StdSchedulerFactory] -
> Quartz
> scheduler version: 1.5.2
> 2008-02-13 16:34:51,980 INFO [org.quartz.core.QuartzScheduler] -
> JobFactory
> set to: org.springframework.scheduling.quartz.AdaptableJobFactory at 4b0bbb
> 2008-02-13 16:34:51,981 INFO [org.quartz.core.QuartzScheduler] - Scheduler
> DefaultQuartzScheduler_$_NON_CLUSTERED started.
> 2008-02-13 16:34:52,003 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - jcifsServicePrincipal is set to HTTP/kuhlstation.xing.hh@XING.HH
> 2008-02-13 16:34:52,004 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - jcifsServicePassword is set to *****
> 2008-02-13 16:34:52,004 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - kerberosDebug is set to : true
> 2008-02-13 16:34:52,004 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - kerberosRealm is set to :XING.HH
> 2008-02-13 16:34:52,004 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - kerberosKdc is set to : 172.20.1.10
> 2008-02-13 16:34:52,005 DEBUG [org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig] - configured login configuration path : /WEB-INF/login.conf
> 2008-02-13 16:34:52,092 DEBUG [net.sf.ehcache.config.ConfigurationFactory]
> -
> Configuring ehcache from InputStream
> 2008-02-13 16:34:52,099 DEBUG [
> net.sf.ehcache.config.DiskStoreConfiguration]
> - Disk Store Path: /var/tmp/tomcat-6/
> 2008-02-13 16:34:52,103 DEBUG [net.sf.ehcache.config.ConfigurationHelper]
> -
> No CacheManagerEventListenerFactory class specified. Skipping...
> 2008-02-13 16:34:52,103 DEBUG [net.sf.ehcache.config.ConfigurationHelper]
> -
> No CachePeerListenerFactoryConfiguration specified. Not configuring a
> CacheManagerPeerListener.
> 2008-02-13 16:34:52,103 DEBUG [net.sf.ehcache.config.ConfigurationHelper]
> -
> No CachePeerProviderFactoryConfiguration specified. Not configuring a
> CacheManagerPeerProvider.
> 2008-02-13 16:34:52,111 DEBUG [net.sf.ehcache.config.ConfigurationHelper]
> -
> No BootstrapCacheLoaderFactory class specified. Skipping...
> 2008-02-13 16:34:52,119 DEBUG [net.sf.ehcache.store.DiskStore] - Deleting
> data file ticketCache.data
> 2008-02-13 16:34:52,129 DEBUG [net.sf.ehcache.store.MemoryStore] -
> Initialized net.sf.ehcache.store.LruMemoryStore for ticketCache
> 2008-02-13 16:34:52,130 DEBUG [net.sf.ehcache.store.LruMemoryStore] -
> ticketCache Cache: Using SpoolingLinkedHashMap implementation
> 2008-02-13 16:34:52,131 DEBUG [net.sf.ehcache.Cache] - Initialised cache:
> ticketCache
> 2008-02-13 16:34:52,191 DEBUG
> [org.acegisecurity.intercept.web.FilterInvocationDefinitionSourceEditor] -
> Detected PATTERN_TYPE_APACHE_ANT directive; using Apache Ant style path
> expressions
> 2008-02-13 16:34:52,191 DEBUG
> [org.acegisecurity.intercept.web.FilterInvocationDefinitionSourceEditor] -
> Detected CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON directive; Instructing
> mapper to convert URLs to lowercase before comparison
> 2008-02-13 16:34:52,191 DEBUG
> [org.acegisecurity.intercept.web.FilterInvocationDefinitionSourceEditor] -
> Line 1:
> 2008-02-13 16:34:52,191 DEBUG
> [org.acegisecurity.intercept.web.FilterInvocationDefinitionSourceEditor] -
> Line 2: CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
> 2008-02-13 16:34:52,191 DEBUG
> [org.acegisecurity.intercept.web.FilterInvocationDefinitionSourceEditor] -
> Line 3: PATTERN_TYPE_APACHE_ANT
> 2008-02-13 16:34:52,191 DEBUG
> [org.acegisecurity.intercept.web.FilterInvocationDefinitionSourceEditor] -
> Line 4: /**=ROLE_ADMIN
> 2008-02-13 16:34:52,193 DEBUG
> [org.acegisecurity.intercept.web.FilterInvocationDefinitionSourceEditor] -
> Line 5:
> 2008-02-13 16:34:52,194 DEBUG
> [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] -
> Added Ant path: /**; attributes: [ROLE_ADMIN]
> 2008-02-13 16:34:52,195 INFO
> [org.acegisecurity.intercept.AbstractSecurityInterceptor] - Validated
> configuration attributes
> 2008-02-13 16:34:52,198 DEBUG
> [org.acegisecurity.intercept.web.FilterInvocationDefinitionSourceEditor] -
> Detected PATTERN_TYPE_APACHE_ANT directive; using Apache Ant style path
> expressions
> 2008-02-13 16:34:52,198 DEBUG
> [org.acegisecurity.intercept.web.FilterInvocationDefinitionSourceEditor] -
> Detected CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON directive; Instructing
> mapper to convert URLs to lowercase before comparison
> 2008-02-13 16:34:52,201 DEBUG
> [org.acegisecurity.intercept.web.FilterInvocationDefinitionSourceEditor] -
> Line 1:
> 2008-02-13 16:34:52,201 DEBUG
> [org.acegisecurity.intercept.web.FilterInvocationDefinitionSourceEditor] -
> Line 2: CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
> 2008-02-13 16:34:52,201 DEBUG
> [org.acegisecurity.intercept.web.FilterInvocationDefinitionSourceEditor] -
> Line 3: PATTERN_TYPE_APACHE_ANT
> 2008-02-13 16:34:52,201 DEBUG
> [org.acegisecurity.intercept.web.FilterInvocationDefinitionSourceEditor] -
> Line 4: /**/loggedout.html=#NONE#
> 2008-02-13 16:34:52,201 DEBUG
> [org.acegisecurity.intercept.web.FilterInvocationDefinitionSourceEditor] -
> Line 5:
>
> /**=httpSessionContextIntegrationFilter,logoutFilter,casProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
> 2008-02-13 16:34:52,201 DEBUG
> [org.acegisecurity.intercept.web.FilterInvocationDefinitionSourceEditor] -
> Line 6:
> 2008-02-13 16:34:52,202 DEBUG
> [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] -
> Added Ant path: /**/loggedout.html; attributes: [#NONE#]
> 2008-02-13 16:34:52,202 DEBUG
> [org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap] -
> Added Ant path: /**; attributes: [httpSessionContextIntegrationFilter,
> logoutFilter, casProcessingFilter, exceptionTranslationFilter,
> filterInvocationInterceptor]
> 2008-02-13 16:34:52,690 DEBUG
> [org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController]
> -
> Found action method [public org.springframework.web.servlet.ModelAndView
>
> org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController.deleteRegisteredService
> (javax.servlet.http.HttpServletRequest,
> javax.servlet.http.HttpServletResponse)]
> 2008-02-13 16:34:52,690 DEBUG
> [org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController]
> -
> Found action method [public org.springframework.web.servlet.ModelAndView
>
> org.jasig.cas.services.web.ManageRegisteredServicesMultiActionController.manage
> (javax.servlet.http.HttpServletRequest,
> javax.servlet.http.HttpServletResponse)]
> 2008-02-13 16:34:53,039 INFO
> [org.jasig.cas.web.flow.AuthenticationViaFormAction] - FormObjectClass not
> set. Using default class of
> org.jasig.cas.authentication.principal.UsernamePasswordCredentials with
> formObjectName credentials and validator
> org.jasig.cas.validation.UsernamePasswordCredentialsValidator.
> 2008-02-13 16:35:11,908 DEBUG [org.quartz.core.JobRunShell] - Calling
> execute on job DEFAULT.jobDetailTicketRegistryCleaner
> 2008-02-13 16:35:11,920 INFO
> [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
> Starting cleaning of expired tickets from ticket registry at [Wed Feb 13
> 16:35:11 CET 2008]
> 2008-02-13 16:35:11,921 INFO
> [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - 0
> found to be removed. Removing now.
> 2008-02-13 16:35:11,921 INFO
> [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
> Finished cleaning of expired tickets from ticket registry at [Wed Feb 13
> 16:35:11 CET 2008]
>
>
>
>
> cas.log after visiting the cas site:
> 2008-02-13 16:35:43,145 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - Setting ContextPath for cookies to: /cas
> 2008-02-13 16:35:43,167 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - Action 'SpnegoNegociateCredentialsAction' beginning execution
> 2008-02-13 16:35:43,167 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - Authorization header not found. Sending WWW-Authenticate header
> 2008-02-13 16:35:43,168 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - Action 'SpnegoNegociateCredentialsAction' completed execution; result is 'success'
> 2008-02-13 16:35:43,168 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' beginning execution
> 2008-02-13 16:35:43,168 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' completed execution; result is 'error'
> 2008-02-13 16:35:43,548 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - Action 'SpnegoNegociateCredentialsAction' beginning execution
> 2008-02-13 16:35:43,549 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - Action 'SpnegoNegociateCredentialsAction' completed execution; result is 'success'
> 2008-02-13 16:35:43,549 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' beginning execution
> 2008-02-13 16:35:43,549 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - SPNEGO Authorization header found with 56 bytes
> 2008-02-13 16:35:43,555 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Obtained token: NTLMSSP?(
>
> 2008-02-13 16:35:43,558 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - Attempting to create TicketGrantingTicket for Principal is null
> 2008-02-13 16:35:43,716 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Unable to obtain the output token required.
> 2008-02-13 16:35:43,716 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Setting HTTP Status to 401
> 2008-02-13 16:35:43,716 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - Action 'SpnegoCredentialsAction' completed execution; result is 'error'
>
--
Arnaud Lesueur
LinkedIn: http://www.linkedin.com/in/lesueur
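
The check described in the reply above, as an added example (not part of the original thread and not CAS code): it labels the token in a captured `Authorization: Negotiate` header as raw NTLM or as a GSS-API/SPNEGO token offering Kerberos. The function names and both sample headers are constructed for illustration, and the mechanism lookup is a byte-pattern heuristic rather than a full DER parse.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("06062b0601050502")  # 1.3.6.1.5.5.2
# DER-encoded mechanism OIDs (tag 0x06, length, value).
MECH_OIDS = {
    "kerberos": bytes.fromhex("06092a864886f712010202"),          # 1.2.840.113554.1.2.2
    "kerberos-ms": bytes.fromhex("06092a864882f712010202"),       # 1.2.840.48018.1.2.2
    "ntlm-in-spnego": bytes.fromhex("060a2b06010401823702020a"),  # 1.3.6.1.4.1.311.2.2.10
}


def classify_authorization(header_value: str) -> str:
    """Label the token carried by an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid-base64"
    if token.startswith(NTLMSSP_SIGNATURE):
        if len(token) < 12:
            return "raw-ntlm-truncated"
        # Bytes 8..11 hold the little-endian NTLM message type (1, 2 or 3).
        (msg_type,) = struct.unpack_from("<I", token, 8)
        return f"raw-ntlm-type{msg_type}"
    if token[:1] != b"\x60":  # GSS-API initial context tokens start with tag 0x60
        return "unknown"
    # Heuristic, not a DER parse: the first mechanism OID found is the one offered first.
    hits = sorted((pos, name) for name, oid in MECH_OIDS.items()
                  if (pos := token.find(oid)) != -1)
    return hits[0][1] if hits else "unknown"


def tlv(tag: int, body: bytes) -> bytes:
    """Short-form DER TLV, sufficient for the small constructed sample below."""
    return bytes([tag, len(body)]) + body


def constructed_samples() -> dict:
    """Constructed headers: a 56-byte raw NTLM type 1 and a SPNEGO NegTokenInit."""
    ntlm = NTLMSSP_SIGNATURE + struct.pack("<I", 1) + bytes(44)
    mechs = MECH_OIDS["kerberos-ms"] + MECH_OIDS["kerberos"] + MECH_OIDS["ntlm-in-spnego"]
    spnego = tlv(0x60, OID_SPNEGO + tlv(0xA0, tlv(0x30, tlv(0xA0, tlv(0x30, mechs)))))
    return {name: "Negotiate " + base64.b64encode(tok).decode()
            for name, tok in (("ntlm", ntlm), ("spnego", spnego))}
```

A `raw-ntlm-type1` result corresponds to the `NTLMSSP` token seen in the log above; a `kerberos` or `kerberos-ms` result means the client offered a Kerberos mechanism first.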