CAS 4.1.7 and SPNEGO


Colin Wilkinson

Jul 22, 2016, 12:32:59 AM
to CAS Community
Hi CAS Community,

At my work I have been requested to see if we can configure CAS to authenticate with AD using SPNEGO, but I am getting the below exception. I have tried a variety of things with no success.

I think there may be an issue with regards to how the network is set up.

Basically the network address of the machine is something like this: devportal.cc.eee.aa, but the domain of the domain controller that I am required to use for dev is domaindc1.devad.cc.eee.aa.

Basically the server is in the cc.eee.aa domain, but the DC is in devad.cc.eee.aa. Will this even work?

2016-07-22 14:22:03,279 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - <Authorization header [NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==], User Agent header [Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36]>
2016-07-22 14:22:03,285 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <SPNEGO Authorization header found with 56 bytes>
2016-07-22 14:22:03,292 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Obtained token: NTLMSSP��>
2016-07-22 14:22:03,726 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <JCIFSSpnegoAuthenticationHandler failed authenticating unknown>
2016-07-22 14:22:03,728 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <JCIFSSpnegoAuthenticationHandler exception details: Error performing NTLM authentication: jcifs.smb.SmbException: Failed to connect: JCIFS192_30_1C<00>/XX.XX.XX.XX
jcifs.util.transport.TransportException
java.net.ConnectException: Connection refused
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
        at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
        at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
        at java.net.Socket.connect(Socket.java:589)
        at jcifs.smb.SmbTransport.ssn139(SmbTransport.java:196)
        at jcifs.smb.SmbTransport.negotiate(SmbTransport.java:249)
        at jcifs.smb.SmbTransport.doConnect(SmbTransport.java:322)
        at jcifs.util.transport.Transport.run(Transport.java:241)
        at java.lang.Thread.run(Thread.java:745)

        at jcifs.util.transport.Transport.run(Transport.java:258)
        at java.lang.Thread.run(Thread.java:745)
>
2016-07-22 14:22:03,742 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - <Resolving argument [SpnegoCredential] for audit>

Regards,
Colin

Stefan Paetow

Jul 22, 2016, 6:08:50 AM
to CAS Community
> 2016-07-22 14:22:03,728 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <JCIFSSpnegoAuthenticationHandler exception details: Error performing NTLM authentication: jcifs.smb.SmbException: Failed to connect: JCIFS192_30_1C<00>/XX.XX.XX.XX
> jcifs.util.transport.TransportException
> java.net.ConnectException: Connection refused

Well, which host does the IP in the above failure to connect refer to? domaindc1.devad.cc.ee.aa?

Basically Java is trying to make an SMB connection to the KDC server (the domain controller) that is supposed to provide it with a ticket based on your credential and it's getting a connection refused.

Stefan Paetow
Moonshot Industry & Research Liaison Coordinator

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: ste...@jabber.dev.ja.net
skype: stefan.paetow.janet

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
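One thing worth reading off the debug log quoted above before looking at network or domain settings is what the browser actually sent: the Authorization header starts with "NTLM ..." rather than "Negotiate ...", and the decoded token is a raw NTLMSSP message, not a GSS-API/SPNEGO token carrying a Kerberos ticket. That is why the failure is reported under "Error performing NTLM authentication", the path on which JCIFS makes the SMB connection to the domain controller described in the reply. The following script is an added example for this thread, not code from CAS or JCIFS; it classifies an Authorization header value and decodes the fixed fields of an NTLM Type 1 (NEGOTIATE) message. The NTLM sample is the header value from the log above; the SPNEGO sample is a constructed, truncated GSS-API header used only to show the classification branch. Field layouts and flag names follow MS-NLMP.

```python
import base64
import struct

# Constructed samples. The first is the Authorization header value quoted in the
# CAS debug log in this thread (an NTLM Type 1 / NEGOTIATE message). The second is
# a constructed, truncated GSS-API/SPNEGO header: enough bytes for classification only.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")  # DER-encoded OID 1.3.6.1.5.5.2

SAMPLE_NTLM_HEADER = "NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
SAMPLE_SPNEGO_HEADER = "Negotiate " + base64.b64encode(b"\x60\x08" + SPNEGO_OID).decode()

# Subset of NegotiateFlags (MS-NLMP 2.2.2.5); enough to read a Type 1 message.
NEGOTIATE_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x80000000: "NEGOTIATE_56",
}


def classify_authorization(header):
    """Tell the HTTP auth scheme apart from the token actually carried in it.

    Browsers may send raw NTLMSSP under either 'NTLM' or 'Negotiate', so the
    scheme alone does not say whether a Kerberos ticket was presented."""
    scheme, _, b64 = header.strip().partition(" ")
    raw = base64.b64decode(b64)
    if raw.startswith(NTLMSSP_SIGNATURE):
        token = "ntlmssp"
    elif raw[:1] == b"\x60" and SPNEGO_OID in raw[:16]:
        # GSS-API InitialContextToken: [APPLICATION 0] tag followed by the SPNEGO
        # OID; a Kerberos AP-REQ, if the client has a ticket, is nested inside.
        token = "spnego"
    else:
        token = "unknown"
    return {"scheme": scheme, "token": token, "raw": raw}


def parse_ntlm_negotiate(raw):
    """Decode the fixed fields of an NTLM NEGOTIATE_MESSAGE (MS-NLMP 2.2.1.1):
    signature(8) type(4) flags(4) domain fields(8) workstation fields(8) version(8)."""
    if not raw.startswith(NTLMSSP_SIGNATURE) or len(raw) < 32:
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != 1:
        raise ValueError("NTLMSSP message type %d is not NEGOTIATE (1)" % msg_type)
    info = {
        "flags": flags,
        "flag_names": sorted(n for bit, n in NEGOTIATE_FLAGS.items() if flags & bit),
        "version": None,
    }
    # The Version field is present when NEGOTIATE_VERSION is set (and the message
    # is long enough): major, minor, build, 3 reserved bytes, NTLMRevisionCurrent.
    if flags & 0x02000000 and len(raw) >= 40:
        major, minor, build = struct.unpack_from("<BBH", raw, 32)
        info["version"] = (major, minor, build)
    return info


def explain(header):
    """One-line reading of a header, suitable for comparing against the CAS log."""
    info = classify_authorization(header)
    if info["token"] != "ntlmssp":
        return "%s: %s token, no NTLM fallback involved" % (info["scheme"], info["token"])
    neg = parse_ntlm_negotiate(info["raw"])
    return ("%s: raw NTLMSSP NEGOTIATE, flags=0x%08x, client version=%s; no Kerberos "
            "ticket was presented, so the handler can only succeed via NTLM fallback"
            % (info["scheme"], neg["flags"], neg["version"]))


if __name__ == "__main__":
    print(explain(SAMPLE_NTLM_HEADER))
    print(explain(SAMPLE_SPNEGO_HEADER))
```

For the header from the log the decoder reports flags 0xa2088207 and client version (6, 1, 7601), which matches the "Windows NT 6.1" in the User-Agent on the same log line. A "Negotiate" header whose token still starts with NTLMSSP is classified the same way as the "NTLM" one; only a token beginning with the GSS-API tag and SPNEGO OID can be carrying a Kerberos ticket, and only that case exercises the keytab and krb5.conf settings rather than the JCIFS NTLM path.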





Colin Wilkinson

Jul 24, 2016, 8:15:59 PM
to CAS Community, Stefan...@jisc.ac.uk
Hi,

No, that is the weirdest thing: the IP is the CAS machine.

CAS Machine ip address is XX.XX.XX.XX
DEVADDC ip address is YY.YY.YY.YY

The JCIFS config is as follows. I tried kerberosKdc with the IP address, with the same results.

<bean id="jcifsConfig"
      class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig"
      p:jcifsServicePrincipal="HTTP/devportalweb1.vu.edu.au@DEVAD.VU.EDU.AU"
      p:kerberosDebug="true"
      p:kerberosRealm="DEVAD.VU.EDU.AU"
      p:kerberosConf="/var/lib/tomcat8/webapps/cas/WEB-INF/classes/vuProperties/caskrb5.conf"
      p:kerberosKdc="devaddc1.devad.vu.edu.au"
      p:loginConf="/var/lib/tomcat8/webapps/cas/WEB-INF/classes/vuProperties/login.conf"/>

<bean id="spnegoAuthentication" class="jcifs.spnego.Authentication" />

<bean id="spnegoHandler"
      class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler"
      p:authentication-ref="spnegoAuthentication"
      p:principalWithDomainName="false"
      p:NTLMallowed="true" />

<bean id="spnegoPrincipalResolver"
      class="org.jasig.cas.support.spnego.authentication.principal.SpnegoPrincipalResolver" />

caskrb5.conf is as follows:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = DEVAD.VU.EDU.AU
 default_keytab_name = /usr/share/tomcat8/webapps/cas/WEB-INF/classes/vuProperties/svc_casadsso.keytab
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tkt_enctypes = rc4-hmac
 default_tgs_enctypes = rc4-hmac

[realms]
 }

[domain_realm]

Colin Wilkinson

Jul 25, 2016, 12:17:33 AM
to CAS Community, Stefan...@jisc.ac.uk
I have managed to solve that issue by adding the following to the JCIFSConfig:

      p:jcifsDomain="devad.vu.edu.au"
      p:jcifsDomainController="devaddc1.devad.vu.edu.au"

Question: is the problem a domain issue?

As you can see from the above configuration, the domain controller information is:
Domain Controller:  devaddc1.devad.vu.edu.au

But the CAS machine configuration is the following:
Domain: vu.edu.au

The machine will need to connect to the devad.vu.edu.au domain, correct?

Stefan Paetow

Jul 25, 2016, 9:21:20 AM
to cas-...@apereo.org
>I have managed to solve that issue by adding the following to the
>JCIFSConfig
>
> p:jcifsDomain="devad.vu.edu.au"
> p:jcifsDomainController="devaddc1.devad.vu.edu.au"

That makes sense.

>The machine will need to connect to the devad.vu.edu.au domain correct?

If that's where you get your Kerberos (SPNEGO) ticket from, yes.

With Regards
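The question in the last two messages, whether a CAS host in the parent domain can use a realm served by a child domain's DC, comes down to whether krb5.conf and the SPN agree with each other: the SPN's realm must be the realm the keytab was issued for, that realm needs a reachable KDC (listed under [realms] when dns_lookup_kdc is false, as in the posted file), and [domain_realm] should say which realm the service host belongs to. The krb5.conf posted above shows an empty [realms] section, possibly trimmed for the post. The script below is an added example, not part of this thread or of CAS; it parses a krb5.conf and runs those consistency checks, plus a check that flags RC4-HMAC-only enctypes as a legacy setting. The sample configuration and names (CHILD.EXAMPLE.COM, dc1.child.example.com, casweb.example.com) are constructed placeholders in the same shape as the thread's setup.

```python
import re

# Constructed krb5.conf with the same layout as the one posted in the thread: the
# CAS host sits in the parent DNS domain (example.com) while the AD domain and
# Kerberos realm is a child domain (CHILD.EXAMPLE.COM). All names are placeholders.
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = CHILD.EXAMPLE.COM
 default_keytab_name = /etc/cas/cas.keytab
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tkt_enctypes = rc4-hmac
 default_tgs_enctypes = rc4-hmac

[realms]
 CHILD.EXAMPLE.COM = {
  kdc = dc1.child.example.com
 }

[domain_realm]
 .child.example.com = CHILD.EXAMPLE.COM
 child.example.com = CHILD.EXAMPLE.COM
"""

SAMPLE_SPN = "HTTP/casweb.example.com@CHILD.EXAMPLE.COM"  # constructed service principal


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value}} with one level of
    '{ ... }' sub-blocks (as used under [realms]) stored as nested dicts whose
    values are lists, because a realm may list several kdc lines."""
    conf, section, block = {}, None, None
    for line in text.splitlines():
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = conf.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            continue  # key/value before any section header: ignore
        if line == "}":
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = section.setdefault(key, {})
        elif block is not None:
            block.setdefault(key, []).append(value)
        else:
            section[key] = value
    return conf


def check_spnego_setup(conf, service_principal):
    """Return a list of findings (strings) for the server-side Kerberos settings a
    SPNEGO acceptor relies on; an empty list means these checks found nothing."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    default_realm = libdefaults.get("default_realm", "")
    spn, _, spn_realm = service_principal.partition("@")
    host = spn.split("/", 1)[1].lower() if "/" in spn else ""
    realm = spn_realm or default_realm

    # 1. The SPN's realm must be the realm default_realm (and the keytab) describe.
    if spn_realm and default_realm and spn_realm != default_realm:
        findings.append("SPN realm %s differs from default_realm %s" % (spn_realm, default_realm))

    # 2. With dns_lookup_kdc = false the library only knows KDCs listed in [realms].
    dns_lookup_kdc = libdefaults.get("dns_lookup_kdc", "true").lower() in ("true", "yes", "1")
    if not conf.get("realms", {}).get(realm, {}).get("kdc") and not dns_lookup_kdc:
        findings.append("no kdc listed for realm %s and dns_lookup_kdc is false: "
                        "no KDC can be contacted" % realm)

    # 3. Does [domain_realm] cover the service host? A host in the parent DNS domain
    #    is not matched by a '.child.domain' entry; without a mapping the host's
    #    realm falls back to default_realm (or to DNS when dns_lookup_realm is on).
    domain_realm = conf.get("domain_realm", {})
    labels = host.split(".")
    candidates = [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    mapped = next((domain_realm[c] for c in candidates if c in domain_realm), None)
    if host and mapped is None:
        findings.append("[domain_realm] has no entry covering %s; the host's realm "
                        "falls back to default_realm %s" % (host, default_realm))
    elif mapped is not None and mapped != realm:
        findings.append("[domain_realm] maps %s to %s, but the SPN uses %s" % (host, mapped, realm))

    # 4. RC4-HMAC-only enctypes are a legacy setting (deprecated by RFC 8429); prefer AES.
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        enctypes = libdefaults.get(key, "").split()
        if enctypes and all(e.startswith("rc4") for e in enctypes):
            findings.append("%s restricted to %s; RC4-HMAC is deprecated, prefer "
                            "aes256-cts-hmac-sha1-96" % (key, " ".join(enctypes)))
    return findings


if __name__ == "__main__":
    for finding in check_spnego_setup(parse_krb5_conf(SAMPLE_KRB5_CONF), SAMPLE_SPN):
        print("-", finding)
```

Run against the sample, the realm check passes (the SPN's realm has a kdc entry), while the host in the parent domain is reported as not covered by [domain_realm] and both enctype lines are flagged for being RC4-only. Deleting the [realms] block reproduces the case the posted file appears to show: with dns_lookup_kdc = false and no kdc line, the library has no KDC to contact for the realm at all. These checks only cover the Kerberos side; the jcifsDomain and jcifsDomainController settings that fixed the NTLM fallback path are JCIFS configuration and are not read from krb5.conf.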