SPNEGO fails back to NTLM (won't do Kerberos)
Arnaud Lesueur
arnaud.lesueur at gmail.com
Thu Nov 6 15:15:28 EST 2008
Hi guys,
I confirm that you cannot get a Kerberos token on the local machine for
security reasons ... although I do not have a link on that too :-(
And I also confirm that you should put your FQDN server name when setting
your service principal name. You might generate a new keytab to set it up or
use setspn.exe
Regards,
-Arnaud
On Thu, Nov 6, 2008 at 7:09 PM, Bill Markmann <bmarkmann at gmail.com> wrote:
> JMR -- interesting. No obvious differences between the test machine
> and the non-working one? I think I read somewhere that the Kerberos
> exchange wouldn't work properly if you were running IE from the same
> machine as your app server, so that might explain your non-working
> case... although I can't seem to locate where I'd read that now. :-)
>
> When you do 'klist -k' does your keytab user for that server show up
> with a fully-qualified domain name (with the .domain.es before the
> @DOMAIN.ES)? I didn't include that; I wonder if that's the problem.
>
> Thanks, - Bill
>
>
> On Thu, Nov 6, 2008 at 12:22 PM, JMRodriguez <jmrodriguez at grupoburke.com>
> wrote:
> >
> > I'm in the same situation. I'm not using JBoss but Tomcat55.
> >
> > We have a _working_ CAS-SPNEGO on a test machine: W2kServer, AD, Tomcat55.
> > Here's the relevant part of our WORKING deployerConfigContext.xml:
> > ----------------------
> > <!-- SPNEGO -->
> > <bean name="jcifsConfig"
> >       class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
> >   <property name="jcifsServicePrincipal" value="HTTP/server.domain.es@DOMAIN.ES" />
> >   <property name="jcifsServicePassword" value="*****" />
> >   <property name="kerberosDebug" value="true" />
> >   <property name="kerberosRealm" value="DOMAIN.ES" />
> >   <property name="kerberosKdc" value="192.168.1.1" />
> >   <property name="loginConf" value="C:/Archivos de programa/Apache Software Foundation/Tomcat 5.5/webapps/cas/WEB-INF/login.conf" />
> > </bean>
> > -----------------------
> > Note the FQDN server.domain.es (not only server, but server.domain.es).
> >
> > But our production environment doesn't work. We have there two W2003Server
> > (PDC and SDC), AD and a W2003Server Tomcat55. If we open IExplore from the
> > Tomcat machine, we obtain a NTLM token; from other machine we reach a
> > Kerberos token, but it fails with: Unable to obtain the output token
> > required.
> >
> >
> > That's all info I can give you. I hope someone can help us.
> >
> >
> > JMRodriguez
> >
> > _______________________________________________
> > Yale CAS mailing list
> > cas at tp.its.yale.edu
> > http://tp.its.yale.edu/mailman/listinfo/cas
> >
--
Arnaud Lesueur
LinkedIn: http://www.linkedin.com/in/lesueur
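Added example, not part of the thread or of CAS/JCIFS: the check Bill describes with `klist -k` (does the HTTP/ principal in the keytab carry the FQDN, server.domain.es, rather than a bare server name, and is its realm the one set in kerberosRealm?) written as a small parser for the MIT keytab file format (version 0x0502, the format `klist -k` reads). The keytab bytes are constructed inline; the builder exists only to produce that sample, and enctype 23 / a zeroed key are placeholder values. Assumptions are the MIT 0x0502 layout as documented by MIT Kerberos (entry size, realm and components as 16-bit-length strings, 32-bit name type and timestamp, 8-bit kvno, then the key block, with an optional trailing 32-bit kvno).

```python
"""
Check a keytab's HTTP/ service principals against the SPN a browser will
request (HTTP/<fqdn>@REALM). Keytab layout is the MIT 0x0502 format.
Sample input is constructed below, not captured from a real system.
"""
import struct

KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_SRV_HST = 3  # name type used for host-based service principals


def build_keytab(entries):
    """Build keytab bytes from (components, realm, name_type, kvno, enctype, key).
    Only used here to construct sample input; real keytabs come from ktpass/kadmin."""
    out = bytearray(KEYTAB_MAGIC)
    for components, realm, name_type, kvno, enctype, key in entries:
        body = bytearray()
        body += struct.pack(">H", len(components))        # 0x0502: realm is not counted
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in components:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">II", name_type, 0)           # name type, timestamp
        body += struct.pack(">B", kvno & 0xFF)             # 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body         # entry size prefix
    return bytes(out)


def parse_keytab(data):
    """Return a list of dicts, one per live entry. Negative sizes mark deleted slots.
    Key material is skipped, never copied into the result."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # deleted slot: skip |size| bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        name_type, _timestamp = struct.unpack_from(">II", data, pos); pos += 8
        kvno = data[pos]; pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        pos += klen                        # skip the key bytes
        if end - pos >= 4:                 # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "components": comps, "realm": realm,
                        "name_type": name_type, "kvno": kvno, "enctype": enctype})
    return entries


def check_http_principals(entries, expected_realm):
    """Return (principal, problem) pairs for HTTP/ entries that would not match
    the SPN requested for a browser URL whose host is an FQDN."""
    problems = []
    for e in entries:
        comps = e["components"]
        if len(comps) != 2 or comps[0] != "HTTP":
            continue
        if "." not in comps[1]:
            problems.append((e["principal"], "host part is not an FQDN"))
        if e["realm"] != expected_realm:
            problems.append((e["principal"], "realm differs from kerberosRealm"))
    return problems


# Constructed sample: one correct entry and one with a bare (non-FQDN) host name.
SAMPLE_KEYTAB = build_keytab([
    (["HTTP", "server.domain.es"], "DOMAIN.ES", KRB5_NT_SRV_HST, 3, 23, b"\x00" * 16),
    (["HTTP", "server"], "DOMAIN.ES", KRB5_NT_SRV_HST, 3, 23, b"\x00" * 16),
])

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print("%4d %s" % (e["kvno"], e["principal"]))   # same shape as klist -k output
    for principal, problem in check_http_principals(entries, "DOMAIN.ES"):
        print("WARNING: %s: %s" % (principal, problem))
```

Run it against a real keytab by replacing SAMPLE_KEYTAB with the file's bytes; an entry flagged "host part is not an FQDN" is the case Bill asks about, where the keytab holds HTTP/server@REALM while the browser asks the KDC for HTTP/server.domain.es@REALM and never gets a ticket the server can decrypt.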