Dean,

I am just returning to this now; I'm still seeing the same issues as when
you originally sent this message.  I haven't tried with Firefox (can't
install it on my workstation, since I am in a fairly locked-down
environment), but I have enabled integrated Windows authentication in IE, as
the manual indicates.

I did see in a previous message on the mailing list that the
'servicePrincipalName' attribute of the SPN in AD should be
'HTTP/server.my.dom...@my.domain'.  When I use an LDAP browser to look at
the SPN's entry in my AD, I see two attributes:

userPrincipalName -> HTTP/server.my.dom...@my.domain
servicePrincipalName -> HTTP/server.my.domain

So, assuming Arnaud's comment in that regard is correct, I seem to have the
wrong values there.  Is there any way you could confirm that matches up with
what you have set for your AD SPN user?  I might be grasping at straws...
'klist' and 'kinit' seem to be working fine from the command line; I guess
I'm still a little foggy on what the communication flow is between the three
participating parties (the KDC, my app server running CAS, and the end user)
that determines whether CAS gets a Kerberos token or an NTLM token from the
user's browser... where else might I have screwed this up?

Much appreciated! - Bill

On Mon, Mar 22, 2010 at 11:18 AM, Dean Heisey <deanh...@noa.nintendo.com> wrote:

>  It is the browser that is sending the token.  Have you tried SPNEGO with
> Firefox?
>
> There are three things that are different in your setup:
>
> 1) You are running on Solaris, I am on RedHat Enterprise Linux v5
>
> 2) Your encryption is DES, I am RC4-HMAC... have you checked the AD logs
> to see if any errors are being generated?
>
> 3) I am not using a keytab file.
>
> Every time I ran into these types of issues, it was the AD user.  Once you
> have that communication path working don’t touch it unless you absolutely
> have to.  The AD portion seems to be the most unstable when it comes to
> changing users/SPN combinations.
>
> - What version of AD are you running?
>
> - Also, you only have one SPN associated with this user, correct?
> I noticed that if you add SPNs to the user, only the primary SPN is used.
> By primary, I mean the SPN that shows up in the AD admin console as the
> user's login, i.e. HTTP/<your host here>
>
> *From:* William Markmann [via Jasig]
> *Sent:* Monday, March 22, 2010 7:49 AM
> *To:* Dean Heisey
> *Subject:* Re: Problem with SPNEGO (Getting NTLM token instead of
> Kerberos)
>
> Dean,
>
> Thanks for the guidance.  I talked to the AD admins and they did generate
> the keytab from domain controller (the same machine that is listed as the
> KDC in my kerberos config).  So, still no luck there.  Also, if delegation
> weren't working properly, I wouldn't even be able to authenticate using
> 'kinit', right?  In my (possibly flawed) mental model of how this all works,
> once I have 'kinit' working, everything is good from the Kerberos / AD side
> of the equation, and we just need to focus on getting the app server ->
> browser communication working properly.  Am I thinking about this wrong?
>
> What factors actually affect whether the SPNEGO login action gets NTLM vs
> Kerberos data?  I've read through the source of SpnegoCredentialsAction, and
> it looks like it gets one or the other -- what's actually determining which
> is sent?
>
> Thanks, - Bill
>
> On Fri, Mar 19, 2010 at 7:53 PM, Dean Heisey <[hidden email]> wrote:
>
> I ran into something like this where Kerberos was not working with my AD.
> When you regenerated your keytab for the new AD user/SPN, did you run the
> ktpass on your Active Directory Domain server?  That gives you access to the
> Delegation tab on the AD user and computer administrator tab.  Go check the
> CAS User manual SPNEGO section.  I updated it recently to include my
> experiences.
>
> Dean
> --
> Bill Markmann
>
> Counterpoint Consulting, Inc.
> (p) 571-338-2455
> (f) 202-403-3425
> (e) [hidden email]
>
> (w) http://www.counterpointconsulting.com/
>


-- 
Bill Markmann

Counterpoint Consulting, Inc.
(p) 571-338-2455
(f) 202-403-3425
(e) b...@counterpointconsulting.com
(w) http://www.counterpointconsulting.com/

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
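Background for the flow Bill asks about, and an added example that is not part of the thread or of CAS itself: the browser, not CAS, decides which mechanism goes into the Authorization header. For the Negotiate scheme it asks the KDC for a service ticket for HTTP/<the host name in the URL>; if that request fails (no account holds that servicePrincipalName, or the site is not trusted for integrated authentication, in IE's case not in the Local Intranet zone) it falls back to NTLM, either wrapped in a SPNEGO NegTokenInit or as a raw NTLMSSP blob, and CAS just receives whatever arrived. On the AD side, ktpass writes the full HTTP/host@REALM principal into userPrincipalName and the realm-less HTTP/host into servicePrincipalName; the KDC matches the browser's ticket request against the latter. So the first thing to check is the raw Authorization header. The Python below decodes such a header and reports which mechanism is actually carried and which mechTypes the client offered. The OIDs and token layout are the real ones; the sample headers are constructed stand-ins (the Kerberos one has dummy bytes where the ticket would be), not captured traffic.

```python
import base64

# DER-encoded OID values (tag and length stripped) that appear in GSS-API / SPNEGO tokens.
OID_SPNEGO = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2 (Microsoft variant)
OID_NTLMSSP = bytes.fromhex("2b060104018237020a")   # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_SPNEGO: "SPNEGO", OID_KRB5: "Kerberos V5",
              OID_MS_KRB5: "Kerberos V5 (Microsoft OID)", OID_NTLMSSP: "NTLMSSP"}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

def _read_tlv(buf, pos):
    """Read one DER tag-length-value starting at buf[pos]; return (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _mech_of(token):
    """Name the mechanism of a token that is not SPNEGO-wrapped (bare GSS-API or NTLMSSP)."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return "NTLMSSP"
    if token[:1] == b"\x60":                         # GSS-API InitialContextToken: 60 len 06 <oid> ...
        _, body, _ = _read_tlv(token, 0)
        tag, oid, _ = _read_tlv(body, 0)
        if tag == 0x06:
            return MECH_NAMES.get(oid, "unknown OID " + oid.hex())
    return "unknown"

def classify_negotiate_token(header_value):
    """Classify an 'Authorization: Negotiate <b64>' (or 'NTLM <b64>') value: scheme, mechanism whose
    token is actually carried, and for SPNEGO the mechTypes offered (first = client's preference)."""
    scheme, _, b64 = header_value.strip().partition(" ")
    token = base64.b64decode(b64)
    result = {"scheme": scheme, "carried": None, "mech_types": []}
    if token.startswith(NTLMSSP_SIGNATURE):        # raw NTLMSSP, no SPNEGO: Kerberos was never offered
        result["carried"] = "NTLMSSP"
        result["ntlm_message_type"] = int.from_bytes(token[8:12], "little")   # 1 = NEGOTIATE
        return result
    if token[:1] != b"\x60":
        result["carried"] = "unknown"
        return result
    _, body, _ = _read_tlv(token, 0)
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or oid != OID_SPNEGO:             # bare GSS-API token, e.g. a Kerberos AP-REQ
        result["carried"] = _mech_of(token)
        return result
    # SPNEGO: [0] NegTokenInit ::= SEQUENCE { [0] mechTypes, [1] reqFlags, [2] mechToken, [3] mechListMIC }
    tag, neg_init, _ = _read_tlv(body, pos)
    if tag != 0xA0:
        result["carried"] = "SPNEGO (not a NegTokenInit)"
        return result
    _, seq, _ = _read_tlv(neg_init, 0)
    p = 0
    while p < len(seq):
        tag, val, p = _read_tlv(seq, p)
        if tag == 0xA0:                              # mechTypes: SEQUENCE OF OID
            _, oids, _ = _read_tlv(val, 0)
            q = 0
            while q < len(oids):
                _, mech_oid, q = _read_tlv(oids, q)
                result["mech_types"].append(MECH_NAMES.get(mech_oid, "unknown OID " + mech_oid.hex()))
        elif tag == 0xA2:                            # mechToken: OCTET STRING with the first mechType's token
            _, mech_token, _ = _read_tlv(val, 0)
            result["carried"] = _mech_of(mech_token)
    if result["carried"] is None:
        result["carried"] = "none (mechTypes offered, no mechToken)"
    return result

def _der(tag, payload):
    """Encode one DER TLV (short or long form length); used only to build the constructed samples."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _spnego_sample(mech_oids, inner_token):
    """SPNEGO NegTokenInit offering mech_oids (in order) and carrying inner_token as mechToken."""
    mech_type_list = _der(0x30, b"".join(_der(0x06, o) for o in mech_oids))
    neg_init = _der(0x30, _der(0xA0, mech_type_list) + _der(0xA2, _der(0x04, inner_token)))
    return _der(0x60, _der(0x06, OID_SPNEGO) + _der(0xA0, neg_init))

# Constructed stand-ins, not captured traffic: a real GSS-API Kerberos header (OID + TOK_ID 0x0100 =
# KRB_AP_REQ) with dummy bytes where the ticket would be, and a minimal 32-byte NTLMSSP NEGOTIATE message.
FAKE_KRB5_AP_REQ = _der(0x60, _der(0x06, OID_KRB5) + b"\x01\x00" + bytes(16))
NTLM_NEGOTIATE = NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + bytes.fromhex("97820862") + bytes(16)
SAMPLE_HEADERS = {
    "kerberos_in_spnego": "Negotiate " + base64.b64encode(          # browser got a ticket for HTTP/<host>
        _spnego_sample([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], FAKE_KRB5_AP_REQ)).decode(),
    "ntlm_in_spnego": "Negotiate " + base64.b64encode(              # browser fell back to NTLM
        _spnego_sample([OID_NTLMSSP], NTLM_NEGOTIATE)).decode(),
    "raw_ntlm": "NTLM " + base64.b64encode(NTLM_NEGOTIATE).decode(),
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print(name, classify_negotiate_token(header))
```

A quick eyeball check works without the script: a base64 Negotiate value beginning with "TlRMTVNT" is the NTLMSSP signature, i.e. raw NTLM, while one beginning with "YII" is a DER 0x60 0x82 header and so a SPNEGO or Kerberos token whose mechToken still needs to be inspected, since a SPNEGO wrapper can carry NTLM as well. If the first offered mechType is NTLMSSP, the browser never obtained a ticket for the SPN, and the place to look is the KDC's view of HTTP/<host> and the browser's trust settings for that host, not the CAS side.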
