[cas-user] CAS 4.1.7 and SPNEGO


Colin Wilkinson

Jul 22, 2016, 12:33:01 AM
to CAS Community
Hi CAS Community,

At my work I have been asked to see if we can configure CAS to authenticate with AD using SPNEGO, but I am getting the exception below. I have tried a variety of things with no success.

I am thinking there may be an issue with regards to how the network is set up.

Basically the network address of the machine is something like devportal.cc.eee.aa, but the domain of the domain controller that I am required to use for dev is domaindc1.devad.cc.eee.aa.

Basically the server is in the cc.eee.aa domain, but the DC is in devad.cc.eee.aa. Will this even work?

2016-07-22 14:22:03,279 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - <Authorization header [NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==], User Agent header [Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36]>
2016-07-22 14:22:03,285 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <SPNEGO Authorization header found with 56 bytes>
2016-07-22 14:22:03,292 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Obtained token: NTLMSSP��>
2016-07-22 14:22:03,726 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <JCIFSSpnegoAuthenticationHandler failed authenticating unknown>
2016-07-22 14:22:03,728 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <JCIFSSpnegoAuthenticationHandler exception details: Error performing NTLM authentication: jcifs.smb.SmbException: Failed to connect: JCIFS192_30_1C<00>/XX.XX.XX.XX
jcifs.util.transport.TransportException
java.net.ConnectException: Connection refused
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
        at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
        at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
        at java.net.Socket.connect(Socket.java:589)
        at jcifs.smb.SmbTransport.ssn139(SmbTransport.java:196)
        at jcifs.smb.SmbTransport.negotiate(SmbTransport.java:249)
        at jcifs.smb.SmbTransport.doConnect(SmbTransport.java:322)
        at jcifs.util.transport.Transport.run(Transport.java:241)
        at java.lang.Thread.run(Thread.java:745)

        at jcifs.util.transport.Transport.run(Transport.java:258)
        at java.lang.Thread.run(Thread.java:745)
>
2016-07-22 14:22:03,742 DEBUG [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver] - <Resolving argument [SpnegoCredential] for audit>

Regards,
Colin

--
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To post to this group, send email to cas-...@apereo.org.
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e44e185f-9852-4245-9a3b-81c50c406407%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
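One thing worth checking before touching the Kerberos side of the configuration: the Authorization header in the first DEBUG line above is "NTLM TlRMTVNTUAAB...", and "TlRMTVNTUAAB" is the base64 of "NTLMSSP\0" followed by message type 1. That is a raw NTLM NEGOTIATE message, not a SPNEGO/Kerberos token, which is why the handler reports "Error performing NTLM authentication" and why the stack trace is in jcifs.smb (NTLM pass-through to a domain controller over SMB, here port 139 via SmbTransport.ssn139) rather than in the Kerberos code. A browser falls back to NTLM when it cannot obtain a service ticket for the SPN it derives from the URL host, so with NTLMallowed="true" CAS ends up validating NTLM against whatever DC JCIFS can find. The decoder below is an added example written for this thread, not code from CAS or JCIFS; the header value is the one from the log, the SPNEGO/Kerberos sample tokens are constructed, and the flag table is the subset of MS-NLMP NEGOTIATE flags needed to read this token.

```python
"""Classify a browser Authorization header and decode an NTLM NEGOTIATE message.

Added example for the thread above; not CAS or JCIFS code. The NTLM header
value is copied from the CAS log; the SPNEGO and Kerberos samples are
constructed to show what the other token kinds look like on the wire.
"""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded OIDs that follow the 0x60 GSS-API InitialContextToken tag.
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"                 # 1.3.6.1.5.5.2
KRB5_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"       # 1.2.840.113554.1.2.2

# Subset of NTLMSSP NEGOTIATE flags (MS-NLMP 2.2.2.5) that appear in this token.
NEGOTIATE_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x80000000: "NEGOTIATE_56",
}
NEGOTIATE_VERSION = 0x02000000

# Header exactly as CAS logged it (scheme "NTLM", 56 base64 characters).
LOGGED_HEADER = "NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="

# Constructed samples: a SPNEGO NegTokenInit prefix and a raw Kerberos AP-REQ prefix.
SAMPLE_SPNEGO = b"\x60\x10" + SPNEGO_OID + b"\xa0\x06\x30\x04\xa0\x02\x30\x00"
SAMPLE_KRB5 = b"\x60\x20" + KRB5_OID + b"\x01\x00" + b"\x6e" + b"\x00" * 18


def classify_token(raw: bytes) -> str:
    """Say whether a decoded token is raw NTLM, SPNEGO, raw Kerberos or unknown."""
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm-raw"
    if raw[:1] == b"\x60":  # [APPLICATION 0] tag of a GSS-API InitialContextToken
        if SPNEGO_OID in raw[:32]:
            return "spnego"
        if KRB5_OID in raw[:32]:
            return "kerberos-raw"
        return "gss-unknown"
    return "unknown"


def parse_ntlm_negotiate(raw: bytes) -> dict:
    """Decode the fixed part of an NTLMSSP NEGOTIATE_MESSAGE (type 1)."""
    if not raw.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    # Offset 8: MessageType (uint32 LE); offset 12: NegotiateFlags (uint32 LE).
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != 1:
        raise ValueError(f"expected NEGOTIATE (type 1), got type {msg_type}")
    info = {
        "type": msg_type,
        "flags": flags,
        "flag_names": sorted(n for bit, n in NEGOTIATE_FLAGS.items() if flags & bit),
    }
    # Offset 32: Version (major, minor, build, reserved, revision) when VERSION is set.
    if flags & NEGOTIATE_VERSION and len(raw) >= 40:
        major, minor, build = struct.unpack_from("<BBH", raw, 32)
        info["version"] = (major, minor, build)
    return info


def inspect_authorization(header: str) -> dict:
    """Split an Authorization header, base64-decode it and classify the token."""
    scheme, _, b64 = header.partition(" ")
    raw = base64.b64decode(b64)
    result = {"scheme": scheme, "token_kind": classify_token(raw), "length": len(raw)}
    if result["token_kind"] == "ntlm-raw":
        result["ntlm"] = parse_ntlm_negotiate(raw)
    return result


if __name__ == "__main__":
    print(inspect_authorization(LOGGED_HEADER))
    print(classify_token(SAMPLE_SPNEGO), classify_token(SAMPLE_KRB5))
```

On the logged header this yields token_kind "ntlm-raw", a 40-byte NEGOTIATE message (the 56 in the CAS log is the base64 text length), flags 0xA2088207 and a version of 6.1 build 7601, which agrees with the "Windows NT 6.1" in the User-Agent line. If you want to confirm the Kerberos path is what fails rather than never being tried, look for a token that classifies as "spnego" in this log line first; until the browser sends one, the SPN registration for the URL host (HTTP/devportal...) and the trust between the host's DNS domain and the AD domain are the things to check, and the jcifsDomain/jcifsDomainController settings only affect the NTLM pass-through that this trace shows.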

Stefan Paetow

Jul 22, 2016, 6:08:48 AM
to CAS Community
> 2016-07-22 14:22:03,728 DEBUG [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <JCIFSSpnegoAuthenticationHandler exception details: Error performing NTLM authentication: jcifs.smb.SmbException: Failed to connect: JCIFS192_30_1C<00>/XX.XX.XX.XX
> jcifs.util.transport.TransportException
> java.net.ConnectException: Connection refused

Well, who does the IP in the above connection failure refer to? domaindc1.devad.cc.ee.aa?

Basically Java is trying to make an SMB connection to the KDC server (the domain controller) that is supposed to provide it with a ticket based on your credential, and it is getting a connection refused.

Stefan Paetow
Moonshot Industry & Research Liaison Coordinator

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: ste...@jabber.dev.ja.net
skype: stefan.paetow.janet

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.


Colin Wilkinson

Jul 24, 2016, 8:13:40 PM
to CAS Community, Stefan...@jisc.ac.uk
Hi,

No, that is the weirdest thing: the IP is the CAS machine's.

The JCIFS config is as follows; I tried kerberosKdc with the IP address, with the same results.

<bean id="jcifsConfig"
      class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig"
      p:jcifsServicePrincipal="HTTP/devportalwe...@DEVAD.VU.EDU.AU"
      p:kerberosDebug="true"
      p:kerberosRealm="DEVAD.VU.EDU.AU"
      p:kerberosConf="/var/lib/tomcat8/webapps/cas/WEB-INF/classes/vuProperties/caskrb5.conf"
      p:kerberosKdc="devaddc1.devad.vu.edu.au"
      p:loginConf="/var/lib/tomcat8/webapps/cas/WEB-INF/classes/vuProperties/login.conf"/>

<bean id="spnegoAuthentication" class="jcifs.spnego.Authentication" />

<bean id="spnegoHandler"
      class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler"
      p:authentication-ref="spnegoAuthentication"
      p:principalWithDomainName="false"
      p:NTLMallowed="true" />

<bean id="spnegoPrincipalResolver"
      class="org.jasig.cas.support.spnego.authentication.principal.SpnegoPrincipalResolver" />

caskrb5.conf is as follows:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = DEVAD.VU.EDU.AU
 default_keytab_name = /usr/share/tomcat8/webapps/cas/WEB-INF/classes/vuProperties/svc_casadsso.keytab
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tkt_enctypes = rc4-hmac
 default_tgs_enctypes = rc4-hmac

[realms]
 }

[domain_realm]

Colin Wilkinson

Jul 24, 2016, 8:16:00 PM
to CAS Community, Stefan...@jisc.ac.uk
Hi,

No, that is the weirdest thing: the IP is the CAS machine's.

CAS Machine ip address is XX.XX.XX.XX
DEVADDC ip address is YY.YY.YY.YY

The JCIFS config is as follows; I tried kerberosKdc with the IP address, with the same results.

<bean id="jcifsConfig"
      class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig"
      p:jcifsServicePrincipal="HTTP/devportalweb1.vu.edu.au@DEVAD.VU.EDU.AU"

Colin Wilkinson

Jul 25, 2016, 12:17:35 AM
to CAS Community, Stefan...@jisc.ac.uk
I have managed to solve that issue by adding the following to the JCIFSConfig:

      p:jcifsDomain="devad.vu.edu.au"
      p:jcifsDomainController="devaddc1.devad.vu.edu.au"

Question: is the problem a domain issue?

As you can see from the above configuration, the domain controller information is:
Domain Controller: devaddc1.devad.vu.edu.au

But the CAS machine configuration is the following:
Domain: vu.edu.au

The machine will need to connect to the devad.vu.edu.au domain, correct?

Stefan Paetow

Jul 25, 2016, 9:21:20 AM
to cas-...@apereo.org
>I have managed to solve that issue by adding the following to the
>JCIFSConfig
>
> p:jcifsDomain="devad.vu.edu.au"
> p:jcifsDomainController="devaddc1.devad.vu.edu.au"

That makes sense.

>The machine will need to connect to the devad.vu.edu.au domain correct?

If that's where you get your Kerberos (SPNEGO) ticket from, yes.

With Regards

Stefan Paetow