SPNEGO and "Attempting to create TicketGrantingTicket for Principal is null"

Jacek Bilski j.bilski at stermedia.pl
Wed Jan 28 07:06:49 EST 2009


Hello,

Can anyone help me with SPNEGO authentication? I have been trying to do
that for some time, but with no success. I've read many posts about putting
together CAS with AD, but I feel like I'm missing some one little detail.

I'm trying to use CAS with Liferay 5.1.2 on Tomcat 6.0.18. All that on 
Linux.

As you can see in the attached configuration I tried both Kerberos and NTLM.
I would prefer the former, but that's not a hard requirement. Either way I
end up with this in the CAS logs:

2009-01-28 12:48:04,820 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Action 'SpnegoCredentialsAction' beginning execution>
2009-01-28 12:48:04,820 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <SPNEGO Authorization header found with 56 bytes>
2009-01-28 12:48:04,822 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Obtained token: NTLMSSP��   >
2009-01-28 12:48:04,826 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Attempting to create TicketGrantingTicket for Principal is null>
2009-01-28 12:48:04,906 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Unable to obtain the output token required.>
2009-01-28 12:48:04,906 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Setting HTTP Status to 401>
2009-01-28 12:48:04,906 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Action 'SpnegoCredentialsAction' completed execution; result is 'error'>

I tried sniffing the wire to see what's going on between the client (IE) and
CAS. When using Kerberos on the CAS side, IE doesn't seem to use Kerberos
and sends NTLM (as in the logs above). When trying NTLM everything seems to
go much further and ends with an SMB message from AD:

"NT Status: STATUS_LOGON_FAILURE (0xc000006d)"

Has anyone any clues or hints for me? Any help is much appreciated.

Regards

Jacek Bilski
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dep.xml
Type: text/xml
Size: 3495 bytes
Desc: not available
Url : http://tp.its.yale.edu/pipermail/cas/attachments/20090128/5b66050b/attachment.xml 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: login.conf
Url: http://tp.its.yale.edu/pipermail/cas/attachments/20090128/5b66050b/attachment.pl 
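
A triage helper for the situation in the log above, where the Negotiate header carried an NTLMSSP token instead of Kerberos: it decodes the header value and reports which mechanism the browser actually sent. This is an added example, not part of the original post or of CAS; the function names and the sample message are constructed for illustration.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")       # DER of 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # DER of 1.2.840.113554.1.2.2
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Constructed sample: a 40-byte NTLM NEGOTIATE message (flags and version made up).
SAMPLE_NTLM = NTLM_SIGNATURE + struct.pack("<II", 1, 0xA2088207) + bytes(16) \
    + bytes.fromhex("0501280a0000000f")
SAMPLE_HEADER = "Negotiate " + base64.b64encode(SAMPLE_NTLM).decode("ascii")


def _skip_der_length(buf, pos):
    """Return the index just past the DER length field that starts at buf[pos]."""
    first = buf[pos]
    return pos + 1 if first < 0x80 else pos + 1 + (first & 0x7F)


def classify_negotiate_header(value):
    """Say which mechanism an 'Authorization: Negotiate <base64>' value carries."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not a Negotiate header"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return "invalid base64"
    if token.startswith(NTLM_SIGNATURE):
        if len(token) < 12:
            return "truncated NTLM message"
        (msg_type,) = struct.unpack_from("<I", token, 8)
        return "raw NTLM " + NTLM_TYPES.get(msg_type, "unknown type")
    if len(token) > 2 and token[0] == 0x60:  # GSS-API initial context token
        body = token[_skip_der_length(token, 1):]
        if body.startswith(KRB5_OID):
            return "raw Kerberos"
        if body.startswith(SPNEGO_OID):
            # Triage only: look for the mechanism OID / NTLM signature in the body.
            if KRB5_OID in body:
                return "SPNEGO offering Kerberos"
            if NTLM_SIGNATURE in body:
                return "SPNEGO wrapping NTLM"
            return "SPNEGO, other mechanism"
    return "unrecognised token"


if __name__ == "__main__":
    print(classify_negotiate_header(SAMPLE_HEADER))
```

A "raw NTLM" result for the first request means the browser never attempted Kerberos against that host, so the place to look is the client side (service principal name, zone and integrated-authentication settings) rather than the server's Kerberos configuration.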