Spnego ERROR on CAS 5.2.0


Abylay

Jan 9, 2018, 3:00:47 AM
to CAS Community
Hello!
I'm trying to configure Spnego on CAS 5.2.0 

I added the required dependency to the pom file:
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-spnego-webflow</artifactId>
    <version>${cas.version}</version>
</dependency>

I have an SPN account and a working keytab file. I've configured krb5.conf and login.conf as described in SPNEGO-Authentication.html
I configured my browsers to support Kerberos.
Here is the SPNEGO part of the CAS configuration file:
# SPNEGO
# cas.authn.spnego.kerberosConf=
cas.authn.spnego.mixedModeAuthentication=true
# cas.authn.spnego.cachePolicy=600
# cas.authn.spnego.timeout=300000
cas.authn.spnego.jcifsServicePrincipal=HTTP/kerberos.m...@MYCOMPANY.KZ
# cas.authn.spnego.jcifsNetbiosWins=
cas.authn.spnego.loginConf=file:D:\\etc\\cas\\config\\login.conf
# cas.authn.spnego.ntlmAllowed=true
# cas.authn.spnego.hostNamePatternString=.+
# cas.authn.spnego.jcifsUsername=
# cas.authn.spnego.useSubjectCredsOnly=false
# cas.authn.spnego.supportedBrowsers=MSIE,Trident,Firefox,AppleWebKit
# cas.authn.spnego.jcifsDomainController=
# cas.authn.spnego.dnsTimeout=2000
# cas.authn.spnego.hostNameClientActionStrategy=hostnameSpnegoClientAction
cas.authn.spnego.kerberosKdc=dc01.mycompany.kz
# cas.authn.spnego.alternativeRemoteHostAttribute=alternateRemoteHeader
# cas.authn.spnego.jcifsDomain=
# cas.authn.spnego.ipsToCheckPattern=127.+
# cas.authn.spnego.kerberosDebug=true
# cas.authn.spnego.send401OnAuthenticationFailure=true
cas.authn.spnego.kerberosRealm=MYCOMPANY.KZ
# cas.authn.spnego.ntlm=false
# cas.authn.spnego.principalWithDomainName=false
cas.authn.spnego.jcifsServicePassword=1q2w3e4r

When I open the login page, the following error appears in the CAS logs:

2018-01-09 13:47:33,472 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Tue Jan 09 13:47:33 ALMT 2018,source=RankedAuthenticationProviderWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Tue Jan 09 13:47:33 ALMT 2018
CLIENT IP ADDRESS: fe80:0:0:0:459b:8012:528e:462a%20
SERVER IP ADDRESS: fe80:0:0:0:459b:8012:528e:462a%20
=============================================================

>
2018-01-09 13:47:33,487 DEBUG [org.apereo.cas.support.oauth.validator.OAuth20AuthenticationServiceSelectionStrategy] - <Authentication request is not identified as an OAuth request>
2018-01-09 13:47:33,488 DEBUG [org.apereo.cas.authentication.adaptive.DefaultAdaptiveAuthenticationPolicy] - <Located client IP address as [fe80:0:0:0:459b:8012:528e:462a%20]>
2018-01-09 13:47:33,490 DEBUG [org.apereo.cas.authentication.adaptive.DefaultAdaptiveAuthenticationPolicy] - <User agent [Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:53.0) Gecko/20100101 Firefox/53.0] is authorized to proceed>
2018-01-09 13:47:33,490 DEBUG [org.apereo.cas.authentication.adaptive.DefaultAdaptiveAuthenticationPolicy] - <Adaptive authentication policy has authorized client [fe80:0:0:0:459b:8012:528e:462a%20] to proceed.>
2018-01-09 13:47:33,491 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
2018-01-09 13:47:33,491 DEBUG [org.apereo.cas.web.support.WebUtils] - <Evaluating request to determine if warning cookie should be generated>
2018-01-09 13:47:33,493 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <Authentication handlers used for this transaction are [JcifsSpnegoAuthenticationHandler,QueryDatabaseAuthenticationHandler,HttpBasedServiceCredentialsAuthenticationHandler,AcceptUsersAuthenticationHandler,LdapAuthenticationHandler]>
2018-01-09 13:47:33,494 DEBUG [org.apereo.cas.support.spnego.authentication.handler.support.JcifsSpnegoAuthenticationHandler] - <Processing SPNEGO authentication>
2018-01-09 13:47:33,526 DEBUG [org.apereo.cas.support.spnego.authentication.handler.support.JcifsSpnegoAuthenticationHandler] - <Authenticated SPNEGO principal [null]>
2018-01-09 13:47:33,527 DEBUG [org.apereo.cas.support.spnego.authentication.handler.support.JcifsSpnegoAuthenticationHandler] - <Retrieving the next token for authentication>
2018-01-09 13:47:33,528 DEBUG [org.apereo.cas.support.spnego.authentication.handler.support.JcifsSpnegoAuthenticationHandler] - <Setting nextToken in credential>
2018-01-09 13:47:33,530 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[JcifsSpnegoAuthenticationHandler] exception details: [Principal is null, the processing of the SPNEGO Token failed].>
2018-01-09 13:47:33,531 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Credential is not one of username/password and is not accepted by handler [QueryDatabaseAuthenticationHandler]>
2018-01-09 13:47:33,532 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Credential is not one of username/password and is not accepted by handler [AcceptUsersAuthenticationHandler]>
2018-01-09 13:47:33,532 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Credential is not one of username/password and is not accepted by handler [LdapAuthenticationHandler]>
2018-01-09 13:47:33,533 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [unknown] of type [SpnegoCredential].>
2018-01-09 13:47:33,534 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: unknown
WHAT: Supplied credentials: [unknown]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Tue Jan 09 13:47:33 ALMT 2018
CLIENT IP ADDRESS: fe80:0:0:0:459b:8012:528e:462a%20
SERVER IP ADDRESS: fe80:0:0:0:459b:8012:528e:462a%20
=============================================================

>

Has anyone here had the same issue or knows how to solve it?
I suspect it's a bug.

Thanks.


Ss Zz

Mar 26, 2018, 3:09:05 PM
to CAS Community
This error happens because SPNEGO is not configured properly.
These minimum parameters are set in my cas.properties:

cas.authn.spnego.jcifsDomain=domen.com
cas.authn.spnego.jcifsDomainController=domen.com
cas.authn.spnego.jcifsServicePassword=XXXXX
cas.authn.spnego.jcifsServicePrincipal=HTTP/XXXX...@domen.com
cas.authn.spnego.jcifsUsername=XXX
cas.authn.spnego.jcifsPassword=XXX
cas.authn.spnego.kerberosConf=D:\\applications\\buap-services\\cas\\webapps\\cas\\WEB-INF\\classes\\krb.conf
cas.authn.spnego.kerberosDebug=true
cas.authn.spnego.kerberosKdc=kdcserver.domen.com
cas.authn.spnego.kerberosRealm=domen.com
cas.authn.spnego.loginConf=file:/D:/applications/buap-services/cas/webapps/cas/WEB-INF/classes/login.conf
cas.authn.spnego.mixedModeAuthentication=false
cas.authn.spnego.ntlm=false
cas.authn.spnego.ntlmAllowed=true
cas.authn.spnego.principalWithDomainName=false
cas.authn.spnego.send401OnAuthenticationFailure=true
cas.authn.spnego.supportedBrowsers=MSIE,Trident,Firefox,AppleWebKit
cas.authn.spnego.timeout=300000 
....

You should also set the LDAP properties for SPNEGO:
....... 
cas.authn.spnego.ldap.ldapUrl=ldap://some_server.domen.com
cas.authn.spnego.ldap.baseDn=DC=XXXXXXXXXX,DC=net
cas.authn.spnego.ldap.userFilter=(uid={user})
cas.authn.spnego.ldap.bindDn=CN=XXXXXXXXXXXXX,OU=Local,OU=Service Accounts,OU=Users,OU=Enterprise,DC=XXXXXXXXXXX,DC=net
cas.authn.spnego.ldap.bindCredential=XXXXXXXXXXXXX
cas.authn.spnego.ldap.providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.spnego.ldap.connectTimeout=5000
cas.authn.spnego.ldap.useStartTls=false
.......


Also, if you are using AES 256 then you need to replace the policy files in your Java 8:
C:\Program Files\Java\jre1.8.0_111\lib\security
local_policy.jar
US_export_policy.jar
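Two checks worth running before concluding this is a CAS bug, as an added example (my own code, not from CAS, JCIFS or either poster above). The first post's log shows the JCIFS handler producing no principal from the token the browser sent ("Authenticated SPNEGO principal [null]"); the script below classifies the `Authorization: Negotiate` header value captured from the browser's network tab, so you can see whether the client actually negotiated Kerberos or fell back to NTLM, which the Kerberos-only configuration in both posts will not turn into a principal. The second post lists a working minimum property set; the script also lints a cas.properties fragment against that list and checks that the service principal and realm are well formed (Kerberos realm names are case-sensitive per RFC 4120, and an Active Directory realm is the upper-cased DNS domain name). The "expected key" list is taken from this thread, not from CAS documentation; the tokens, hostnames (example.test), realm and password are constructed placeholders.

```python
"""Diagnostics for the "Authenticated SPNEGO principal [null]" symptom. Added example
for this thread, not CAS/JCIFS code; hosts, realms and secrets are constructed placeholders."""
import base64, binascii, re

# DER-encoded GSS-API mechanism OIDs (tag 0x06, length, contents).
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2 (Microsoft)
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLM_SIGNATURE = b"NTLMSSP\x00"


def classify_negotiate_token(header_value):
    """Classify an 'Authorization: Negotiate <base64>' header by framing and mech OIDs (heuristic)."""
    m = re.match(r"^\s*Negotiate\s+([A-Za-z0-9+/=]+)\s*$", header_value)
    if not m:
        return "not-negotiate"
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return "bad-base64"
    if raw.startswith(NTLM_SIGNATURE):
        return "ntlm"                 # bare NTLMSSP message, no SPNEGO wrapper at all
    if raw[:1] != b"\x60":
        return "unknown"              # not a GSS-API InitialContextToken
    head = raw[:24]                   # tag, length and the outer mech OID fit in here
    if OID_SPNEGO in head:
        if OID_KRB5 in raw or OID_MS_KRB5 in raw:
            return "spnego-kerberos"  # mechTypes offers Kerberos: the browser holds a ticket
        if OID_NTLMSSP in raw or NTLM_SIGNATURE in raw:
            return "spnego-ntlm"      # NTLM-only negotiation: no ticket for the SPN
        return "spnego-other"
    if OID_KRB5 in head or OID_MS_KRB5 in head:
        return "kerberos"             # raw krb5 token without the SPNEGO wrapper
    return "unknown"


def _der(tag, content):
    """DER TLV with short-form length (enough for the constructed samples below)."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content


def sample_negotiate_header(mechs, mech_token):
    """Build a constructed NegTokenInit offering `mechs` and carrying `mech_token`."""
    mech_types = _der(0xA0, _der(0x30, b"".join(mechs)))       # [0] mechTypes SEQUENCE OF OID
    inner = _der(0xA2, _der(0x04, mech_token))                 # [2] mechToken OCTET STRING
    neg_token_init = _der(0xA0, _der(0x30, mech_types + inner))
    token = _der(0x60, OID_SPNEGO + neg_token_init)            # [APPLICATION 0] InitialContextToken
    return "Negotiate " + base64.b64encode(token).decode()


# Constructed sample tokens: a fake NTLM Type 1 message and a fake krb5 GSS token (TOK_ID 01 00).
FAKE_NTLM_TYPE1 = NTLM_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 28
FAKE_KRB5_TOKEN = _der(0x60, OID_KRB5 + b"\x01\x00" + b"<constructed AP-REQ>")
SAMPLE_KERBEROS = sample_negotiate_header([OID_KRB5, OID_MS_KRB5, OID_NTLMSSP], FAKE_KRB5_TOKEN)
SAMPLE_SPNEGO_NTLM = sample_negotiate_header([OID_NTLMSSP], FAKE_NTLM_TYPE1)
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(FAKE_NTLM_TYPE1).decode()

# Keys the second post lists as its working minimum, plus kerberosConf (commented out in the
# first post). An "expected" set taken from this thread, not a CAS-mandated one.
EXPECTED_KEYS = tuple("cas.authn.spnego." + k for k in (
    "jcifsServicePrincipal", "jcifsServicePassword", "kerberosKdc", "kerberosRealm",
    "kerberosConf", "loginConf", "jcifsDomain", "jcifsDomainController"))
PRINCIPAL_RE = re.compile(r"^HTTP/([A-Za-z0-9.-]+)@([A-Za-z0-9.-]+)$")


def parse_properties(text):
    """Parse a Java .properties fragment; commented-out keys stay absent."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_spnego_properties(text):
    """Return findings for a cas.properties SPNEGO fragment (empty list: nothing flagged)."""
    props = parse_properties(text)
    findings = ["missing: " + k for k in EXPECTED_KEYS if not props.get(k)]
    spn = props.get("cas.authn.spnego.jcifsServicePrincipal", "")
    realm = props.get("cas.authn.spnego.kerberosRealm", "")
    m = PRINCIPAL_RE.match(spn)
    if spn and not m:
        findings.append("jcifsServicePrincipal is not of the form HTTP/host.fqdn@REALM")
    elif m and realm and m.group(2) != realm:   # RFC 4120: realm names are case-sensitive
        findings.append("realm in jcifsServicePrincipal differs from kerberosRealm")
    if realm and realm != realm.upper():
        findings.append("kerberosRealm is not upper-case; an AD realm is the upper-cased DNS name")
    return findings


# Constructed fragment shaped like the first post's config (kerberosConf left commented out).
FIRST_POST_LIKE = r"""
# cas.authn.spnego.kerberosConf=
cas.authn.spnego.jcifsServicePrincipal=HTTP/cas.example.test@EXAMPLE.TEST
cas.authn.spnego.loginConf=file:D:\\etc\\cas\\config\\login.conf
cas.authn.spnego.kerberosKdc=dc01.example.test
cas.authn.spnego.kerberosRealm=EXAMPLE.TEST
cas.authn.spnego.jcifsServicePassword=changeit
"""
```

Usage: copy the request's Authorization header value from the browser's network tab into `classify_negotiate_token`. A result of `ntlm` or `spnego-ntlm` means the client never obtained a ticket for the SPN, so look at the client side first (SPN registered on the service account, the CAS host in the browser's negotiate-auth trusted list, `klist` on the workstation). A `spnego-kerberos` token that still yields a null principal points at the server side: the SPN password/keytab, realm and KDC settings, and the AES policy files the second post mentions. `check_spnego_properties(FIRST_POST_LIKE)` reports the keys the first post's fragment lacks relative to the second post's list.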