Tr: CAS, Spnego and the "pre Windows 2000 logon name"
Céline AUSSOURD
celine.aussourd at ville-chateauroux.fr
Mon Jun 9 11:12:21 EDT 2008
>On Fri, Jun 6, 2008 at 2:38 PM, Céline AUSSOURD <celine.aussourd at ville-chateauroux.fr> wrote:
>> <bean name="jcifsConfig"
>>       class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
>>   <property name="jcifsServicePrincipal" value="HTTP/pronostix@VILLE-CHATEAUROUX.FR" />
>>   <property name="jcifsServicePassword" value="XXXX" />
>>   <property name="jcifsDomain" value="VILLE-CHATEAUROUX.FR"/>
>>   <property name="jcifsDomainController" value="CETYUNIX.VILLE-CHATEAUROUX.FR"/>
>>   <property name="kerberosDebug" value="true" />
>>   <property name="kerberosRealm" value="VILLE-CHATEAUROUX.FR" />
>>   <property name="kerberosKdc" value="172.16.11.0" />
>>   <property name="loginConf" value="/usr/local/liferay/webapps/cas/WEB-INF/login.conf" />
>> </bean>
>
>Céline,
>
>You should use the FQDN for the CAS Server URL and the SPN configuration. I mean:
>
>The CAS Server URL should be reached using https://pronostix.ville-chateauroux.fr/cas/login instead of https://pronostix/cas/login
>
>You will also have to update the Service Principal Name of the service
>account in Active Directory. It should be HTTP/pronostix.ville-chateauroux.fr@VILLE-CHATEAUROUX.FR instead of HTTP/pronostix@VILLE-CHATEAUROUX.FR
>
>Then update your CAS configuration to:
> <property name="jcifsServicePrincipal" value="HTTP/pronostix.ville-chateauroux.fr@VILLE-CHATEAUROUX.FR" />
>
>If this is still not working, could you please check that you do have a
>valid krbtgt (Kerberos Granting Ticket) in your client Windows session? To
>check this, you can use:
>- kerbtray.exe to see the tickets
>- or klist.exe
>
>Good luck!
>
>--
>Arnaud Lesueur
Thanks for your help.
Now I can authenticate with a Kerberos token. But I still have a problem: the user that is authenticated is <sAMAccountName>@<MyRealm> instead of <userPrincipalName>.
I think that the problem comes from the users' authentication in the domain, since I don't have a valid krbtgt.
I can create one using kinit, but it seems that the browsers don't use it.
How is it possible that Kerberos isn't used by my domain controller? How can I fix it? I didn't find helpful information about it.
Regards,
Céline
>
>LinkedIn: http://www.linkedin.com/in/lesueur
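The FQDN advice in the quoted reply can be checked mechanically before touching Active Directory. The following is an added example, not code from this thread or from the CAS project: it parses a constructed copy of the `jcifsConfig` bean and compares the configured SPN with the host in the CAS URL; the function names `bean_properties` and `check_spn` and the set of checks are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample modelled on the bean quoted in the thread (password omitted).
SAMPLE_BEAN = """
<bean name="jcifsConfig"
      class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
  <property name="jcifsServicePrincipal" value="HTTP/pronostix@VILLE-CHATEAUROUX.FR" />
  <property name="jcifsDomain" value="VILLE-CHATEAUROUX.FR" />
  <property name="kerberosRealm" value="VILLE-CHATEAUROUX.FR" />
</bean>
"""

def bean_properties(bean_xml):
    """Return the bean's <property name=... value=...> pairs as a dict."""
    root = ET.fromstring(bean_xml)
    return {p.get("name"): p.get("value", "").strip() for p in root.iter("property")}

def check_spn(cas_url, props):
    """Compare the configured SPN with the host clients use; return a list of findings."""
    findings = []
    url_host = (urlsplit(cas_url).hostname or "").lower()
    spn = props.get("jcifsServicePrincipal", "")
    service, _, rest = spn.partition("/")          # "HTTP", "host@REALM"
    spn_host, _, spn_realm = rest.partition("@")   # "host", "REALM"
    realm = props.get("kerberosRealm", "")
    if service != "HTTP":
        findings.append("service class is %r, expected 'HTTP'" % service)
    if "." not in spn_host:
        findings.append("SPN host %r is a short name, not an FQDN" % spn_host)
    if "." not in url_host:
        findings.append("CAS URL host %r is a short name, not an FQDN" % url_host)
    if spn_host.lower() != url_host:
        findings.append("SPN host %r differs from CAS URL host %r" % (spn_host, url_host))
    if spn_realm != realm:
        findings.append("SPN realm %r differs from kerberosRealm %r" % (spn_realm, realm))
    return findings

if __name__ == "__main__":
    props = bean_properties(SAMPLE_BEAN)
    for url in ("https://pronostix/cas/login",
                "https://pronostix.ville-chateauroux.fr/cas/login"):
        print(url, check_spn(url, props) or "OK")
```

An empty list means the SPN and the URL agree on a fully qualified host and on the realm; it does not confirm that the same SPN is registered on the service account in Active Directory.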