Sunday, 15 June 2014

java - CAS SSO with AD (SPNEGO) -

I'm trying to create a deployment with automatic login using SPNEGO, based on this tutorial: http://jasig.github.io/cas/development/installation/spnego-authentication.html

I want to utilize our AD Key Distribution Center so that our domain users are automatically logged in to our application via CAS.

We have a user in our domain that has an SPN set.

A keytab file has been generated for that user, and I have set it in the login.conf file.

Here is the relevant section of the CAS config:

    <bean id="jcifsConfig" class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
        <property name="jcifsServicePrincipal" value="***spn***" />
        <property name="kerberosDebug" value="true" />
        <property name="kerberosRealm" value="***realm/domain***" />
        <property name="kerberosKdc" value="***active directory ip***" />
        <property name="loginConf" value="***path to login.conf***" />
    </bean>

The login.conf is:

    jcifs.spnego.initiate {
        com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="***path to keytab***";
    };
    jcifs.spnego.accept {
        com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="***path to keytab***";
    };

The problem is that I get an NTLMSSP token from the client browser. I can see that some kind of negotiation has been started, but authentication fails.

The tutorial/howto references a Kerberos configuration in the "Test SPN Account" section. I do not understand this. Should I install a Kerberos server on the machine that hosts CAS (I would not prefer that)? It does not seem logical to me, as I want AD to provide the Kerberos tickets.

any help appreciated!

Thanks, Mark.

Edit:

This question bothers me: the tutorial/howto references a Kerberos configuration in the "Test SPN Account" section. I do not understand this. Should I install a Kerberos server on the machine that hosts CAS (I would not prefer that)? It does not seem logical to me, as I want AD to provide the Kerberos tickets.

You have to configure the browser to use SPNEGO for the CAS site.

Doing that can be anywhere from easy (e.g. Safari on OS X, out of the box) to hard (e.g. getting Explorer to trust a website outside of the domain).

Old Explorer version example

If you are getting NTLM packets, it means the browser does not recognize the site as one of the sites for which it can utilize Kerberos credentials.
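The diagnostic in this answer (NTLM packets mean the browser did not treat the site as Kerberos-eligible) can be checked directly on the Authorization header that CAS receives. The following Python example is added here and is not code from the question, the answer or the CAS project: it decodes a Negotiate header and reports whether the browser sent a bare NTLMSSP blob, a SPNEGO NegTokenInit whose preferred mechanism is Kerberos or NTLMSSP, or a raw Kerberos token. The sample tokens it builds are constructed for illustration, not real captures.

```python
import base64
import binascii

SPNEGO_OID = bytes.fromhex("2b0601050502")           # DER body of 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2 (Microsoft)
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {KRB5_OID: "kerberos", MS_KRB5_OID: "kerberos", NTLMSSP_OID: "ntlmssp"}

def _enter(buf, pos, tag):
    # If a DER TLV with this tag starts at pos, return the offset of its content.
    if pos is None or pos + 1 >= len(buf) or buf[pos] != tag:
        return None
    first = buf[pos + 1]                      # short form, or 0x80|n with n length bytes
    return pos + 2 if first < 0x80 else pos + 2 + (first & 0x7F)

def _read_oid(buf, pos):
    # Return the body of the OID (tag 0x06, short-form length) at pos, or None.
    if pos is None or pos + 1 >= len(buf) or buf[pos] != 0x06:
        return None
    return buf[pos + 2:pos + 2 + buf[pos + 1]]

def classify_negotiate(header_value):
    # Classify an Authorization header value sent by a SPNEGO-enabled browser.
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return "malformed"
    if tok.startswith(b"NTLMSSP\x00"):
        return "ntlmssp"                      # bare NTLMSSP blob, as in the question
    pos = _enter(tok, 0, 0x60)                # [APPLICATION 0] InitialContextToken
    mech = _read_oid(tok, pos)
    if mech != SPNEGO_OID:                    # raw Kerberos AP-REQ, or not GSS-API at all
        return MECH_NAMES.get(mech, "unknown")
    pos += 2 + len(mech)
    for tag in (0xA0, 0x30, 0xA0, 0x30):      # [0] NegTokenInit, SEQ, [0] mechTypes, SEQ OF
        pos = _enter(tok, pos, tag)
    preferred = _read_oid(tok, pos)           # first mechType is the browser's preference
    return "spnego-" + MECH_NAMES.get(preferred, "other") if preferred else "spnego-unparsed"

der_tlv = lambda tag, body: bytes([tag, len(body)]) + body   # DER TLV, short-form length

def build_neg_token_init(mechs):
    # Constructed sample NegTokenInit listing mechs in preference order, no mechToken.
    mech_types = der_tlv(0x30, b"".join(der_tlv(0x06, m) for m in mechs))
    return der_tlv(0x60, der_tlv(0x06, SPNEGO_OID) + der_tlv(0xA0, der_tlv(0x30, der_tlv(0xA0, mech_types))))
def negotiate_header(token):
    return "Negotiate " + base64.b64encode(token).decode("ascii")   # as the browser sends it
```

A header that classifies as "ntlmssp" or "spnego-ntlmssp" is the symptom the answer describes: the browser never asked the KDC for a ticket for this site, so the fix is on the browser side, not in CAS.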

java spring-security active-directory kerberos cas
