Tr: CAS, Spnego and the "pre Windows 2000 logon name"
Céline AUSSOURD
celine.aussourd at ville-chateauroux.fr
Fri Jun 6 08:38:52 EDT 2008
Céline AUSSOURD wrote:
>>>>>> What's your setting of principalWithDomainName (property of
>>>>>> JCIFSSpnegoAuthenticationHandler)?
>>>>>
>>>> It's "true". That's why "MC\" appears in the user name.
>>>>> What's your setting of NTLMallowed (property of
>>>>> JCIFSSpnegoAuthenticationHandler)?
>>>>>
>>>> It's "true". If I set to "false", the authentication doesn't work.
>>> Then you don't authenticate with Kerberos. NTLM is used. That leads to
>>> the name form NETBIOSDOMAIN/sAMAccountName.
>>
>> How can I authenticate with Kerberos? It seems that my client only sends NTLM tokens.
>
>Did you follow all the Kerberos-related instructions on
>http://www.ja-sig.org/wiki/display/CASUM/SPNEGO ?
Yep
>
>Are you using MS AD? Which version?
Yes, I am. MS AD is running on Windows Server 2003 and the forest/domain functional level is: Windows Server 2003 interim.
>
>>>>> If you want to allow SPNEGO with NTLM you could try to map the principal
>>>>> name to userPrincipalName like described here:
>>>>> http://www.ja-sig.org/wiki/display/CASUM/Attributes
>>>>>
>>>> Thanks for the idea. I'm trying.
>>> Maybe set principalWithDomainName to false and search via LDAP for
>>> (sAMAccountName=%u).
>>> [...]
>>> You have to add the CredentialsToLDAPAttributePrincipalResolver.
>>> [...]
>>> Why do you want to change the login flow?
>>
>> I followed your advice (I modified /WEB-INF/deployerConfigContext.xml) but it seems that the CredentialsToLDAPAttributePrincipalResolver isn't used.
>
>What does your configuration look like? (excerpts of
>deployerConfigContext.xml without real passwords!)
Did I already send any password?
Excerpts of deployerConfigContext.xml:
<bean id="authenticationManager"
      class="org.jasig.cas.authentication.AuthenticationManagerImpl">
  <property name="credentialsToPrincipalResolvers">
    <list>
      <bean class="org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver" />
      <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
        <property name="credentialsToPrincipalResolver">
          <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
        </property>
        <!-- The query made to find the Principal ID. "%u" will be replaced by the resolved Principal -->
        <property name="filter" value="(sAMAccountName=%u)" />
        <!-- The attribute used to define the new Principal ID -->
        <property name="principalAttributeName" value="sAMAccountName" />
        <property name="searchBase" value="CN=Users,DC=ville-chateauroux,DC=fr" />
        <property name="contextSource" ref="contextSource" />
        <property name="attributeRepository">
          <ref bean="attribRepository" />
        </property>
      </bean>
    </list>
  </property>
  <property name="authenticationHandlers">
    <list>
      <bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler">
        <property name="authentication">
          <bean class="jcifs.spnego.Authentication" />
        </property>
        <property name="principalWithDomainName" value="false" />
        <property name="NTLMallowed" value="true"/>
      </bean>
    </list>
  </property>
</bean>

<bean name="jcifsConfig" class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
  <property name="jcifsServicePrincipal" value="HTTP/pronostix@VILLE-CHATEAUROUX.FR" />
  <property name="jcifsServicePassword" value="XXXX" />
  <property name="jcifsDomain" value="VILLE-CHATEAUROUX.FR"/>
  <property name="jcifsDomainController" value="CETYUNIX.VILLE-CHATEAUROUX.FR"/>
  <property name="kerberosDebug" value="true" />
  <property name="kerberosRealm" value="VILLE-CHATEAUROUX.FR" />
  <property name="kerberosKdc" value="172.16.11.0" />
  <property name="loginConf" value="/usr/local/liferay/webapps/cas/WEB-INF/login.conf" />
</bean>

<bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
  <property name="userMap">
    <value>
    </value>
  </property>
</bean>

<bean id="contextSource"
      class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
  <property name="urls">
    <list>
      <value>ldaps://cetyunix:389/</value>
    </list>
  </property>
  <property name="userName" value="CN=Administrateur,CN=Users,DC=ville-chateauroux,DC=fr" />
  <property name="password" value="XXXX" />
</bean>

<bean id="attribRepository"
      class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="CN=Users,DC=ville-chateauroux,DC=fr" />
  <property name="query" value="(sAMAccountName={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <entry key="userPrincipalName" value="Name"/>
    </map>
  </property>
</bean>

<bean id="serviceRegistryDao"
      class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />
>
>Ciao, Michael.
Ciao!
Céline
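The thread turns on one diagnostic question: with NTLMallowed set to true, is the browser really sending a Kerberos ticket, or has it fallen back to NTLM (which is what produces the NETBIOSDOMAIN\sAMAccountName form)? The following is an added example, written for this page and not code from CAS, jCIFS or the people in the thread. It decodes the token carried in the browser's "Authorization: Negotiate ..." header and reports which mechanism the client actually offered first (Kerberos versus NTLMSSP, or a bare NTLM message with no SPNEGO wrapper), and it shows the (sAMAccountName=%u) lookup from the thread with the resolved name stripped of its domain or realm decoration and escaped per RFC 4515 before substitution. The mechanism OIDs are the standard GSS-API values; the function names, the NTLM Type 1 placeholder, the "AP-REQ-PLACEHOLDER" bytes and the sample headers are constructed for the example.

```python
import base64
import re

# Standard GSS-API mechanism OIDs as DER content bytes (no 0x06 tag/length).
OID_SPNEGO = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
OID_NTLMSSP = bytes.fromhex("2b060401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MECH_NAMES = {OID_KRB5: "kerberos", OID_MS_KRB5: "kerberos", OID_NTLMSSP: "ntlm"}


def der_encode(tag, content):
    """Minimal DER TLV encoder (content up to 65535 bytes); only used to build samples."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + content


def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, content, position after it). IndexError if truncated."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first >= 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def classify_negotiate_token(header_value):
    """Classify an 'Authorization: Negotiate <base64>' value: 'ntlm' (raw NTLMSSP message),
    'spnego:kerberos' / 'spnego:ntlm' / 'spnego:other' (by the NegTokenInit's preferred
    mechType), or 'unknown' (other scheme, bad base64, unparseable token)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "unknown"
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    try:
        tag, body, _ = der_read(token, 0)            # [APPLICATION 0] InitialContextToken
        if tag != 0x60:
            return "unknown"
        tag, oid, pos = der_read(body, 0)            # thisMech OID must be SPNEGO
        if tag != 0x06 or oid != OID_SPNEGO:
            return "unknown"
        tag, neg, _ = der_read(body, pos)            # [0] negTokenInit
        if tag != 0xA0:
            return "unknown"
        _, seq, _ = der_read(neg, 0)                 # NegTokenInit SEQUENCE
        tag, ctx0, _ = der_read(seq, 0)              # [0] mechTypes
        if tag != 0xA0:
            return "unknown"
        _, mech_list, _ = der_read(ctx0, 0)          # SEQUENCE OF MechType
        _, first_oid, _ = der_read(mech_list, 0)     # first entry = preferred mechanism
    except IndexError:
        return "unknown"
    return "spnego:" + MECH_NAMES.get(first_oid, "other")


def sam_account_name(principal):
    """Reduce 'MC\\celine', 'MC/celine' (NTLM forms) or 'celine@REALM' (Kerberos form) to 'celine'."""
    parts = re.split(r"[\\/]", principal, maxsplit=1)
    name = parts[1] if len(parts) == 2 else principal
    return name.split("@", 1)[0]


def ldap_filter_escape(value):
    """RFC 4515 escaping, so the resolved name cannot alter the shape of the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_filter(principal):
    """The (sAMAccountName=%u) lookup from the thread, with %u escaped before substitution."""
    return "(sAMAccountName=%s)" % ldap_filter_escape(sam_account_name(principal))


def build_negotiate_token(mech_oids, mech_token):
    """Constructed RFC 4178 NegTokenInit inside a GSS-API InitialContextToken (sample builder)."""
    mech_types = der_encode(0x30, b"".join(der_encode(0x06, o) for o in mech_oids))
    neg_init = der_encode(0x30, der_encode(0xA0, mech_types) + der_encode(0xA2, der_encode(0x04, mech_token)))
    return der_encode(0x60, der_encode(0x06, OID_SPNEGO) + der_encode(0xA0, neg_init))


def sample_headers():
    """Constructed header values; the mechanism tokens are placeholders, not real tickets/messages."""
    ntlm_type1 = NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + b"\x00" * 20  # shape of a Type 1 msg
    krb_first = build_negotiate_token([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], b"AP-REQ-PLACEHOLDER")
    ntlm_only = build_negotiate_token([OID_NTLMSSP], ntlm_type1)
    return {
        "raw_ntlm": "Negotiate " + base64.b64encode(ntlm_type1).decode(),
        "kerberos": "Negotiate " + base64.b64encode(krb_first).decode(),
        "ntlm_fallback": "Negotiate " + base64.b64encode(ntlm_only).decode(),
        "basic": "Basic dXNlcjpwYXNz",
    }


if __name__ == "__main__":
    for label, header in sample_headers().items():
        print("%-14s -> %s" % (label, classify_negotiate_token(header)))
    print(build_filter("MC\\celine"), build_filter("celine@VILLE-CHATEAUROUX.FR"))
```

Run against a header copied from the CAS access log or a browser's developer tools, the classifier tells you whether the client ever offered Kerberos; a result of "spnego:ntlm" or "ntlm" means the usual causes (no ticket for the HTTP/ service principal, the site not being in the browser's intranet zone, clock skew) should be checked before the resolver configuration, and it is the reason NTLMallowed=false makes the login fail. The escaping in build_filter matters because the resolved principal is substituted into the filter as a string.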