JMR -- interesting. No obvious differences between the test machine and the non-working one? I think I read somewhere that the Kerberos exchange wouldn't work properly if you were running IE from the same machine as your app server, so that might explain your non-working case... although I can't seem to locate where I'd read that now. :-)
When you do 'klist -k' does your keytab user for that server show up with a fully-qualified domain name (with the .domain.es before the @DOMAIN.ES)? I didn't include that; I wonder if that's the problem.

Thanks,
- Bill

On Thu, Nov 6, 2008 at 12:22 PM, JMRodriguez <[EMAIL PROTECTED]> wrote:
>
> I'm in the same situation. I'm not using JBoss but Tomcat55.
>
> We have a _working_ CAS-SPNEGO on a test machine: W2kServer, AD, Tomcat55.
> Here's the relevant part of our WORKING deployerConfigContext.xml:
> ----------------------
> <!-- SPNEGO -->
> <bean name="jcifsConfig"
>       class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
>     <property name="jcifsServicePrincipal" value="HTTP/[EMAIL PROTECTED]" />
>     <property name="jcifsServicePassword" value="*****" />
>     <property name="kerberosDebug" value="true" />
>     <property name="kerberosRealm" value="DOMAIN.ES" />
>     <property name="kerberosKdc" value="192.168.1.1" />
>     <property name="loginConf" value="C:/Archivos de programa/Apache Software Foundation/Tomcat 5.5/webapps/cas/WEB-INF/login.conf" />
> </bean>
> -----------------------
> Note the FQDN server.domain.es (not only server, but server.domain.es).
>
> But our production environment doesn't work. We have there two W2003Server
> (PDC and SDC), AD and a W2003Server Tomcat55. If we open IExplore from the
> Tomcat machine, we obtain an NTLM token; from other machine we reach a
> Kerberos token, but it fails with: Unable to obtain the output token
> required.
>
> That's all info I can give you. I hope someone can help us.
>
> JMRodriguez
>
> --
> View this message in context:
> http://www.nabble.com/SPNEGO-fails-back-to-NTLM-%28won%27t-do-Kerberos%29-tp20365070p20365611.html
> Sent from the CAS Users mailing list archive at Nabble.com.
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
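The quoted message describes two client behaviours: an NTLM token when the browser runs on the Tomcat machine, and a Kerberos token from other machines. The following Python code is an added example, not part of the original thread or of CAS, that classifies a captured `Authorization: Negotiate` header value so the two cases can be told apart while debugging; the function names `read_tlv` and `classify_negotiate` are hypothetical.

```python
import base64

MECHS = {  # DER-encoded OID bodies of the mechanisms seen in Negotiate tokens
    bytes.fromhex("2b0601050502"): "SPNEGO",
    bytes.fromhex("2a864886f712010202"): "Kerberos V5",
    bytes.fromhex("2a864882f712010202"): "Kerberos V5 (legacy Microsoft OID)",
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def classify_negotiate(header_value):
    """Classify the token of an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return {"kind": "not-negotiate", "mechs": []}
    try:
        tok = base64.b64decode(b64)
        if tok.startswith(b"NTLMSSP\x00"):  # raw NTLM, no GSS-API wrapper
            return {"kind": "raw NTLM", "mechs": ["NTLMSSP"]}
        tag, pos, _ = read_tlv(tok, 0)
        if tag != 0x60:  # [APPLICATION 0] GSS-API InitialContextToken
            raise ValueError("not a GSS-API token")
        _, s, e = read_tlv(tok, pos)  # outer mechanism OID
        outer = MECHS.get(tok[s:e], tok[s:e].hex())
        if outer != "SPNEGO":
            return {"kind": outer, "mechs": [outer]}
        # NegTokenInit: [0] { SEQUENCE { mechTypes [0] { SEQUENCE OF OID }}}
        pos = e
        for expected in (0xA0, 0x30, 0xA0, 0x30):
            tag, pos, end = read_tlv(tok, pos)
            if tag != expected:
                raise ValueError("unexpected NegTokenInit layout")
        mechs = []
        while pos < end:  # mechanisms in the client's order of preference
            _, s, e = read_tlv(tok, pos)
            mechs.append(MECHS.get(tok[s:e], tok[s:e].hex()))
            pos = e
        return {"kind": "SPNEGO", "mechs": mechs}
    except (ValueError, IndexError) as exc:
        return {"kind": "malformed", "mechs": [], "error": str(exc)}
```

A result of `raw NTLM` means the client never attempted Kerberos, while `SPNEGO` with a Kerberos mechanism listed first means the client did obtain a ticket and any failure is on the accepting side.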
