Unable to obtain principal from KERBEROS token


Andrea Prandini

Mar 14, 2016, 8:25:12 AM
to CAS Community
Hi

I'm configuring a CAS server (3.2.1) installed on Windows Server 2012 (Oracle JVM 1.7) and I need to implement Integrated Windows Authentication with the AD domain.
I've created a casspnego user in AD and I've used the ktpass command to map the service and create the keytab file.
I've used these parameters: -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL

These are the CAS configurations
<property name="jcifsServicePrincipal" value="HTTP/srv240.d...@DOMAIN.AD" />
<property name="jcifsServicePassword" value="xxxxx" />
<property name="jcifsUsername" value="casspnego" />
<property name="jcifsPassword" value="xxxxxx" />
<property name="kerberosDebug" value="true" />
<property name="kerberosRealm" value="DOMAIN.AD" />
<property name="kerberosKdc" value="xxx.xxx.xxx.xxx" />
<property name="loginConf" value="................../webapps/cas/WEB-INF/login.conf" /> 

Testing the automatic login with IE on the local server, the process fails. Here is the CAS server log:

SPNEGO Authorization header found with 164 bytes
Obtained token: `y+..o0m..00.+..7*.H..*.H..+..7.9 7NTLMSSP.. 1 (binary SPNEGO token; unprintable bytes shown as ".")

But this is not a problem. I need it to work on the users' workstations.
Testing from a user workstation in the domain, I can see in the log a longer token that looks like a Kerberos token, but the CAS server can't obtain the principal name. I tried changing the DES encryption flag and resetting the password, but nothing changed.
Can someone help me understand where the problem is?
Thanks
Andrea  
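The local-server log above is worth decoding before touching the keytab: the literal `NTLMSSP` inside the token is the NTLM Type 1 message signature, so IE on the server itself negotiated NTLM rather than Kerberos, while the longer token from a domain workstation is the Kerberos case. The inspector below is an added example, not part of the thread and not CAS code. It parses the SPNEGO NegTokenInit carried in an `Authorization: Negotiate` header, reports which mechanism the client actually picked, and, for Kerberos, reads the service principal the ticket was issued for (the ticket's realm and sname are cleartext in the AP-REQ; the client's own principal is not, since it sits in the encrypted part, which is why CAS cannot name the user until it has decrypted the ticket with the keytab). The two sample headers are constructed with the builders in the file; the Kerberos one carries a dummy encrypted part, and `HTTP/srv240.domain.ad@DOMAIN.AD` is the SPN configured in the thread.

```python
"""Inspect the token behind "Authorization: Negotiate ...": NTLM or Kerberos, and, for Kerberos,
the service principal the ticket was issued for. Added example, not CAS code; samples are constructed."""
import base64

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MSKRB5 = "1.2.840.48018.1.2.2"
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
NAMES = {OID_KRB5: "Kerberos 5", OID_MSKRB5: "MS Kerberos 5", OID_NTLMSSP: "NTLMSSP"}

def der(tag, body):
    """One DER TLV; minimal definite length up to 65535 bytes."""
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for v in arcs[2:]:                      # base-128, high bit set on all but the last byte
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        body += bytes(reversed(chunk))
    return der(0x06, bytes(body))

def children(buf):
    """Split a constructed DER value into (tag, value) pairs; handles long-form lengths."""
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def parse_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def ticket_sname(krb_token):
    """Realm and sname of the ticket inside a Kerberos AP-REQ; both are cleartext fields."""
    gss = children(krb_token)[0][1]                  # [APPLICATION 0] InitialContextToken body
    rest = gss[2 + gss[1]:]                          # skip the krb5 OID TLV ...
    ap_req = children(rest[2:])[0][1]                # ... and the 2-byte TOK_ID (01 00) before AP-REQ
    f = dict(children(children(ap_req)[0][1]))       # [3] is the Ticket
    tkt = dict(children(children(children(f[0xA3])[0][1])[0][1]))   # Ticket ::= [APPLICATION 1] SEQUENCE
    realm = children(tkt[0xA1])[0][1].decode()
    sname = dict(children(children(tkt[0xA2])[0][1]))               # PrincipalName {[0] type, [1] names}
    parts = [v.decode() for _, v in children(children(sname[0xA1])[0][1])]
    return "/".join(parts) + "@" + realm

def inspect_negotiate(header):
    """Return (mechanism, mechTypes in client preference order, ticket service principal or None)."""
    token = base64.b64decode(header.split()[-1])     # accepts "Negotiate <b64>" or the bare base64
    if token.startswith(b"NTLMSSP\x00"):
        return "NTLMSSP (raw, no SPNEGO wrapper)", [], None
    tag, gss = children(token)[0]
    if tag != 0x60 or parse_oid(children(gss)[0][1]) != OID_SPNEGO:
        raise ValueError("not a SPNEGO InitialContextToken")
    init = dict(children(children(children(gss)[1][1])[0][1]))   # NegTokenInit ::= [0] SEQUENCE {...}
    mechs = [parse_oid(v) for _, v in children(children(init[0xA0])[0][1])]
    mech_token = children(init[0xA2])[0][1] if 0xA2 in init else b""
    chosen, principal = (mechs[0] if mechs else None), None
    if mech_token.startswith(b"NTLMSSP\x00"):       # the NTLM Type 1 signature seen in the local-IE log
        chosen = OID_NTLMSSP
    elif chosen in (OID_KRB5, OID_MSKRB5) and mech_token[:1] == b"\x60":
        principal = ticket_sname(mech_token)
    return NAMES.get(chosen, chosen), mechs, principal

def negotiate_header(mechs, mech_token):
    """NegTokenInit as a Windows client sends it: mechTypes in preference order plus the first mech's token."""
    init = der(0x30, der(0xA0, der(0x30, b"".join(der_oid(m) for m in mechs))) + der(0xA2, der(0x04, mech_token)))
    return "Negotiate " + base64.b64encode(der(0x60, der_oid(OID_SPNEGO) + der(0xA0, init))).decode()

def fake_ap_req(realm, spn):
    """AP-REQ whose ticket names realm/spn in the clear; enc-part and authenticator are dummies (no real key)."""
    ctx = lambda n, body: der(0xA0 + n, body)
    gstr = lambda s: der(0x1B, s.encode())
    enc = der(0x30, ctx(0, der(0x02, b"\x17")) + ctx(2, der(0x04, b"\x00" * 16)))   # etype 23 rc4-hmac, dummy cipher
    pname = der(0x30, ctx(0, der(0x02, b"\x02")) + ctx(1, der(0x30, b"".join(gstr(p) for p in spn.split("/")))))
    ticket = der(0x61, der(0x30, ctx(0, der(0x02, b"\x05")) + ctx(1, gstr(realm)) + ctx(2, pname) + ctx(3, enc)))
    ap_req = der(0x6E, der(0x30, ctx(0, der(0x02, b"\x05")) + ctx(1, der(0x02, b"\x0E"))
                           + ctx(2, der(0x03, b"\x00\x20\x00\x00\x00")) + ctx(3, ticket) + ctx(4, enc)))
    return der(0x60, der_oid(OID_KRB5) + b"\x01\x00" + ap_req)

# Constructed samples mirroring the thread's two cases (not captured from a real server).
SAMPLE_LOCAL = negotiate_header([OID_NTLMSSP, OID_KRB5, OID_MSKRB5], b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28)
SAMPLE_WORKSTATION = negotiate_header([OID_MSKRB5, OID_KRB5, OID_NTLMSSP], fake_ap_req("DOMAIN.AD", "HTTP/srv240.domain.ad"))
```

Paste a real header value into `inspect_negotiate` (CAS logs the decoded bytes, but the browser's developer tools or a proxy show the base64). If the result says NTLMSSP you are not exercising Kerberos at all, and if the ticket's service principal differs from the principal in the keytab (short name versus FQDN, a different case, a different realm) the acceptor has no key for that name and the principal lookup fails whatever the password or enctype is.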

Andrea Prandini

Mar 15, 2016, 6:04:59 AM
to jasig-cas-user, cas-...@apereo.org
RESOLVED

Redoing the whole process from the beginning with some changes:
- disabling DES encryption on the user (AD 2008)
- changing casspnego's password, avoiding special chars
- using -crypto ALL and -mapuser with the fully qualified name in the KTPASS command

I don't know which of these resolved the problem. Every time, this process is a kind of alchemy.
 

“Everything is going to be fine in the end. If it's not fine it's not the end.” [O.Wilde]

  



--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
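Of the three changes in the resolved post, `-crypto ALL` is the one that changes what the keytab contains, and running ktpass with a new password also bumps the account's key version number, so a keytab written earlier stops matching the tickets the KDC issues afterwards. Rather than treat the outcome as alchemy, list what the keytab actually holds. The reader below is an added example, not CAS or Microsoft code: it parses the MIT keytab layout (format 0x0502, which ktpass writes), and the two sample keytabs are constructed in the file with dummy key bytes to mirror the before (`-crypto RC4-HMAC-NT`) and after (`-crypto ALL`, password changed) states; the kvno values 3 and 4 are assumptions.

```python
"""List the principals, enctypes and key version numbers in a keytab written by ktpass.
Added example, not CAS or Microsoft code; the sample keytabs are constructed with dummy keys."""
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
KRB5_NT_PRINCIPAL = 1          # the -ptype used in the thread

def _counted(b):
    return struct.pack(">H", len(b)) + b

def keytab_entry(principal, kvno, enctype, key, timestamp=0):
    """One entry: component count, realm, components, name type, timestamp, vno8, keyblock, 32-bit vno."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def build_keytab(entries):
    return b"\x05\x02" + b"".join(entries)

def read_keytab(data):
    """Parse every live entry; a negative size marks a deleted slot and is skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 2 (0x0502) is handled")
    out, pos = [], 2

    def counted(p):
        (n,) = struct.unpack_from(">H", data, p)
        return data[p + 2:p + 2 + n], p + 2 + n

    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:
            pos -= size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = counted(p + 2)
        comps = []
        for _ in range(ncomp):
            c, p = counted(p)
            comps.append(c)
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, p)
        (etype,) = struct.unpack_from(">H", data, p + 9)
        key, p = counted(p + 11)
        vno = vno8
        if end - p >= 4:                           # trailing 32-bit vno overrides vno8 when non-zero
            (v32,) = struct.unpack_from(">I", data, p)
            vno = v32 or vno8
        out.append({"principal": b"/".join(comps).decode() + "@" + realm.decode(),
                    "name_type": name_type, "kvno": vno, "enctype": etype, "keylen": len(key)})
        pos = end
    return out

def check_keytab(data, spn):
    """Findings for one SPN: enctypes present, whether all entries share one kvno, DES-only or not."""
    mine = [e for e in read_keytab(data) if e["principal"] == spn]
    kvnos = sorted({e["kvno"] for e in mine})
    return {
        "found": bool(mine),
        "enctypes": sorted(ENCTYPES.get(e["enctype"], str(e["enctype"])) for e in mine),
        "kvnos": kvnos,
        "single_kvno": len(kvnos) == 1,
        "des_only": bool(mine) and all(e["enctype"] in (1, 3) for e in mine),
    }

SPN = "HTTP/srv240.domain.ad@DOMAIN.AD"
# Constructed keytabs with dummy key bytes (not real keys): the -crypto RC4-HMAC-NT keytab from the
# first attempt, and the -crypto ALL keytab after the password change (kvno 3 -> 4 is an assumption).
KEYTAB_RC4_ONLY = build_keytab([keytab_entry(SPN, 3, 23, b"\x11" * 16)])
KEYTAB_ALL = build_keytab([
    keytab_entry(SPN, 4, 1, b"\x22" * 8), keytab_entry(SPN, 4, 3, b"\x33" * 8),
    keytab_entry(SPN, 4, 23, b"\x44" * 16), keytab_entry(SPN, 4, 18, b"\x55" * 32),
    keytab_entry(SPN, 4, 17, b"\x66" * 16),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else KEYTAB_ALL
    for e in read_keytab(data):
        print(f'{e["principal"]:40} kvno={e["kvno"]:<3} {ENCTYPES.get(e["enctype"], e["enctype"])}')
    print(check_keytab(data, sys.argv[2] if len(sys.argv) > 2 else SPN))
```

Run it as `python keytab_check.py C:\cas\cas.keytab HTTP/srv240.domain.ad@DOMAIN.AD` (file name and path are assumptions) on the server, or use `klist -k -t` from the JDK's bin directory for the same listing. Three things to compare against the CAS configuration: the principal string must match `jcifsServicePrincipal` byte for byte (Kerberos names are case-sensitive), the keytab must contain the enctype the KDC will pick for this account (a DES-only keytab for an account with DES disabled can never decrypt a ticket), and every entry should carry the current kvno; a stale kvno after a password reset is the classic way to end up with a token that "looks like a Kerberos token" but yields no principal.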

Fredrik Jönsson

Mar 15, 2016, 7:38:43 AM
to Andrea Prandini, jasig-cas-user, cas-...@apereo.org
Hi,

What you want to do for debugging is enable debug=true in the JAAS configuration for the Krb5 authenticators. That gives you a lot of information about what's going on in the Kerberos negotiation itself.

/Fredrik


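What that switch looks like in the file the `loginConf` property points at, as an added example rather than the thread's own (elided) login.conf: the two entry names follow the CAS 3.x SPNEGO documentation, the keytab path is an assumption, and the principal is the one set in `jcifsServicePrincipal`.

```conf
jcifs.spnego.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        useKeyTab=true
        keyTab="C:/cas/cas.keytab"
        principal="HTTP/srv240.domain.ad@DOMAIN.AD"
        debug=true;
};

jcifs.spnego.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        useKeyTab=true
        keyTab="C:/cas/cas.keytab"
        principal="HTTP/srv240.domain.ad@DOMAIN.AD"
        isInitiator=false
        debug=true;
};
```

With `debug=true` the login module prints which keytab entries it loaded (principal, enctype and kvno) at startup, which is the quickest way to see a name or kvno mismatch. Adding `-Dsun.security.krb5.debug=true` to the JVM options shows the KDC exchange and enctype selection as well. Both are verbose and belong on a test instance only.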

Andrea Prandini

Mar 16, 2016, 4:25:10 AM
to Fredrik Jönsson, jasig-cas-user, cas-...@apereo.org
Thanks!

Andrea