CAS 5.0.0 SPNEGO issue


Philippe MARASSE

Aug 10, 2016, 11:42:13 AM
to cas-...@apereo.org
Folks,

I'm testing my freshly installed cas 5.0.0RC1-SNAPSHOT with SPNEGO,
following instructions at
https://apereo.github.io/cas/development/installation/SPNEGO-Authentication.html

Everything looks right at tomcat startup (krb5 principal (fixed @, kdc,
etc.)). My browser gets a 401 with WWW-Authenticate: Negotiate as
expected. So it sends its Authorization: Negotiate header, but CAS does
not seem to catch the header (see attached catalina.out log file) and
throws a NullPointerException.

Tomcat is behind Apache + mod_jk, packetSize has been increased to 16k.

Am I missing something ?

Regards.

--
Philippe MARASSE

Responsable pôle Infrastructures - DSIO
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur
86021 Poitiers Cedex
Tel : 05.49.44.57.19

catalina.out.txt

Philippe MARASSE

Aug 11, 2016, 11:45:26 AM
to cas-...@apereo.org
Today, it works a little better : I get 401, my browser sends its
ticket... but no authentication :

Caused by: KrbException: Invalid argument (400) - Cannot find key of
appropriate type to decrypt AP REP - RC4 with HMAC

I have to declare my keytab as default keytab in /etc/krb5.conf to get
authenticated (keytab is read *before* login.conf) ! It was not
necessary with CASv3.5.

If my keytab is not declared in /etc/krb5.conf, login.conf is not read
either, why ??

Last test, with only a few parameters :

cas.authn.spnego.kerberosConf=/etc/krb5.conf
cas.authn.spnego.mixedModeAuthentication=false
cas.authn.spnego.jcifsServicePrincipal=HTTP/php-dev.my...@MYDOMAIN.COM
cas.authn.spnego.ntlmAllowed=false
cas.authn.spnego.hostNamePatternString=.+
cas.authn.spnego.supportedBrowsers=MSIE,Firefox,AppleWebKit
cas.authn.spnego.hostNameClientActionStrategy=hostnameSpnegoClientAction
cas.authn.spnego.ipsToCheckPattern=172.+
cas.authn.spnego.send401OnAuthenticationFailure=false
cas.authn.spnego.principalWithDomainName=false

it works...

Does the documentation need updating ?

Regards.

Misagh Moayyed

Aug 11, 2016, 4:27:14 PM
to cas-...@apereo.org
Possibly. Could you issue a pull with the updates you have in mind to the docs? 

-- 
Misagh

Philippe MARASSE

Aug 12, 2016, 5:45:45 AM
to cas-...@apereo.org