Hello,

Can anyone help me with SPNEGO authentication? I've been trying to get it working for some time, but with no success. I've read many posts about putting CAS together with AD, but I feel like I'm missing some little detail.

I'm trying to use CAS with Liferay 5.1.2 on Tomcat 6.0.18. All that on Linux.

As you can see in the attached configuration, I tried both Kerberos and NTLM. I would prefer the former, but that's not a hard requirement. Either way I end up with this in the CAS logs:

2009-01-28 12:48:04,820 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Action 'SpnegoCredentialsAction' beginning execution>
2009-01-28 12:48:04,820 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <SPNEGO Authorization header found with 56 bytes>
2009-01-28 12:48:04,822 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Obtained token: NTLMSSP�� >
2009-01-28 12:48:04,826 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Attempting to create TicketGrantingTicket for Principal is null>
2009-01-28 12:48:04,906 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Unable to obtain the output token required.>
2009-01-28 12:48:04,906 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Setting HTTP Status to 401>
2009-01-28 12:48:04,906 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction] - <Action 'SpnegoCredentialsAction' completed execution; result is 'error'>

I tried sniffing the wire to see what's going on between the client (IE) and CAS. When using Kerberos on the CAS side, IE doesn't seem to use Kerberos and sends NTLM (as in the logs above). When trying NTLM, everything seems to go much further and ends with an SMB message from AD:

"NT Status: STATUS_LOGON_FAILURE (0xc000006d)"

Has anyone any clues or hints for me? Any help is much appreciated.

Regards

Jacek Bilski

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
	   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	   xmlns:p="http://www.springframework.org/schema/p"
	   xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
	<bean id="authenticationManager"
		class="org.jasig.cas.authentication.AuthenticationManagerImpl">
		<property name="credentialsToPrincipalResolvers">
			<list>
				<bean class="org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver" />
				<bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
				<bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
			</list>
		</property>
		<property name="authenticationHandlers">
			<list>
				<bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler">
					<property name="authentication">
						<bean class="jcifs.spnego.Authentication" />
					</property>
					<property name="principalWithDomainName" value="false" />
					<property name="NTLMallowed" value="true"/>
				</bean>
				<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
					p:httpClient-ref="httpClient" />
				<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
					<property name="filter" value="sAMAccountName=%u" />
					<property name="searchBase" value="***" />
					<property name="contextSource" ref="contextSource" />
					<property name="ignorePartialResultException" value="yes" />
				</bean>
			</list>
		</property>
	</bean>

	<bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
		<property name="pooled" value="true"/>
		<property name="urls">
			<list>
				<value>***</value>
			</list>
		</property>
		<property name="userName" value="***"/>
		<property name="password" value="***"/>
		<property name="baseEnvironmentProperties">
			<map>
				<entry>
					<key>
						<value>java.naming.security.authentication</value>
					</key>
					<value>simple</value>
				</entry>
			</map>
		</property>
	</bean>
	<bean id="userDetailsService" class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
		<property name="userMap">
			<value>
			
			</value>
		</property>
	</bean>
	<bean id="attributeRepository"
		class="org.jasig.services.persondir.support.StubPersonAttributeDao">
		<property name="backingMap">
			<map>
				<entry key="uid" value="uid" />
				<entry key="eduPersonAffiliation" value="eduPersonAffiliation" /> 
				<entry key="groupMembership" value="groupMembership" />
			</map>
		</property>
	</bean>
	
	<bean name="jcifsConfig" class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
		<property name="jcifsDomain" value="KGHM" />
		<property name="jcifsDomainController" value="ad.kghm.stermedia.pl" />
		<!--property name="jcifsServicePrincipal" value="HTTP/***" />
		<property name="jcifsServicePassword" value="liferay" />
		<property name="kerberosDebug" value="true" />
		<property name="kerberosRealm" value="***" />
		<property name="kerberosKdc" value="***" /-->
		<property name="loginConf" value="/WEB-INF/login.conf" />
	</bean>
	<bean
		id="serviceRegistryDao"
		class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />
</beans>

jcifs.spnego.initiate {
    com.sun.security.auth.module.Krb5LoginModule optional storeKey=true
        useKeyTab=true keyTab=/home/dino/CAS/liferay.keytab;
    com.sun.security.auth.module.NTLoginModule required;
};
jcifs.spnego.accept {
    com.sun.security.auth.module.Krb5LoginModule optional storeKey=true
        useKeyTab=true keyTab=/home/dino/CAS/liferay.keytab;
    com.sun.security.auth.module.NTLoginModule required;
};

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
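Added example, not code from the original post or from CAS/JCIFS: a small Python helper that classifies what a browser actually put in the Authorization: Negotiate header, distinguishing a bare NTLMSSP message (what the log above shows as "Obtained token: NTLMSSP") from a GSS-API/SPNEGO token and listing the mechanism OIDs it offers. The sample headers are constructed; the 56-character NTLM one is the standard NEGOTIATE message a browser sends once it has fallen back to NTLM, and the Kerberos one is built by the helper itself with a placeholder mechToken.

```python
import base64

SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"                     # 1.3.6.1.5.5.2
KRB5_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"           # 1.2.840.113554.1.2.2
MS_KRB5_OID = b"\x06\x09\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"        # 1.2.840.48018.1.2.2
NTLMSSP_OID = b"\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"    # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {KRB5_OID: "krb5", MS_KRB5_OID: "ms-krb5", NTLMSSP_OID: "ntlmssp"}

def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, offset where the content starts)."""
    n = 0 if buf[pos] < 0x80 else buf[pos] & 0x7F
    return (buf[pos] if n == 0 else int.from_bytes(buf[pos + 1:pos + 1 + n], "big")), pos + 1 + n

def classify_negotiate_token(header_value):
    """Classify an 'Authorization: Negotiate <base64>' value: kind is 'ntlm-raw' (bare NTLMSSP
    message, no SPNEGO wrapper), 'spnego' or 'unknown'; mechs lists mechanism OIDs in wire order."""
    scheme, _, b64 = header_value.strip().partition(" ")
    try:
        tok = base64.b64decode(b64, validate=True) if scheme.lower() == "negotiate" else b""
    except ValueError:
        return {"kind": "unknown", "mechs": []}
    if tok.startswith(b"NTLMSSP\x00"):
        # Bytes 8..12 hold the NTLM message type: 1 = NEGOTIATE, 3 = AUTHENTICATE.
        return {"kind": "ntlm-raw", "mechs": ["ntlmssp"], "ntlm_message_type": int.from_bytes(tok[8:12], "little")}
    if tok[:1] == b"\x60":  # [APPLICATION 0] GSS-API InitialContextToken; must carry the SPNEGO OID
        _, start = _der_len(tok, 1)
        if tok[start:start + len(SPNEGO_OID)] != SPNEGO_OID:
            return {"kind": "unknown", "mechs": []}
        rest = tok[start + len(SPNEGO_OID):]
        # Scan the NegTokenInit for known mechanism OIDs (mechTypes list and any embedded mechToken).
        hits = sorted((rest.find(oid), name) for oid, name in MECH_NAMES.items() if oid in rest)
        return {"kind": "spnego", "mechs": [name for _, name in hits]}
    return {"kind": "unknown", "mechs": []}

def _der(tag, body):
    """Minimal DER TLV encoder (short form and 2-byte long form); used only to build samples."""
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body

def build_neg_token_init(mech_oids, mech_token=b""):
    """Constructed sample: base64 SPNEGO NegTokenInit (RFC 4178) offering mech_oids."""
    fields = _der(0xA0, _der(0x30, b"".join(mech_oids)))        # mechTypes [0]
    if mech_token:
        fields += _der(0xA2, _der(0x04, mech_token))           # mechToken [2]
    return base64.b64encode(_der(0x60, SPNEGO_OID + _der(0xA0, _der(0x30, fields)))).decode()

# Constructed samples: a 56-character NTLM NEGOTIATE header (browser already fell back to NTLM)
# and a SPNEGO token offering Kerberos first with NTLMSSP as fallback; the mechToken is a placeholder.
IE_NTLM_HEADER = "Negotiate TlRMTVNTUAABAAAAB7IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="
KERBEROS_HEADER = "Negotiate " + build_neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"constructed-ap-req")
```

A bare NTLMSSP token arriving at CAS means the browser never attempted Kerberos for that URL, so the Krb5LoginModule and keytab are not even exercised; a SPNEGO token that lists only ntlmssp means Kerberos was attempted but no service ticket could be obtained for the host's SPN.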
