I'm trying to create a deployment with automatic login using SPNEGO, based on this tutorial: http://jasig.github.io/cas/development/installation/SPNEGO-Authentication.html
I want to use our AD as a Key Distribution Center, so that our domain users are automatically logged in to our application via CAS.
We have a user in our domain; it has an SPN set.
A keytab file has been generated for this user, and I have set it in the login.conf file.
Here is the relevant section of the CAS config:
<bean id="jcifsConfig" class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
    <!-- service principal the keytab was issued for, e.g. HTTP/<cas host fqdn>@<REALM> -->
    <property name="jcifsServicePrincipal" value="***SPN***" />
    <property name="kerberosDebug" value="true" />
    <!-- realm and KDC: the AD domain (upper case) and a domain controller -->
    <property name="kerberosRealm" value="***REALM/DOMAIN***" />
    <property name="kerberosKdc" value="***Active Directory IP***" />
    <!-- JAAS configuration with the jcifs.spnego.initiate / jcifs.spnego.accept entries -->
    <property name="loginConf" value="***Path to login.conf***" />
</bean>
login.conf is:
// both entries use the keytab of the SPN account, so no password prompt is needed
jcifs.spnego.initiate {
    com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="***Path to keytab***";
};
jcifs.spnego.accept {
    com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="***Path to keytab***";
};
The problem is that all I get is an NTLMSSP token from the client browser. So I can see that some kind of negotiation has been started, but the authentication always fails.
The tutorial/howto references a Kerberos configuration in the "Test SPN account" section. This is something I do not understand. Should I install a Kerberos server on the machine which hosts CAS (not something I would prefer)? It does not seem logical to me, as I want AD to provide the Kerberos tickets.
Any help is appreciated!
Thanks, Mark.
Edit:
This is the question that really bothers me: the tutorial/howto references a Kerberos configuration in the "Test SPN account" section. This is something I do not understand. Should I install a Kerberos server on the machine which hosts CAS (not something I would prefer)? It does not seem logical to me, as I want AD to provide the Kerberos tickets.
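The first thing to settle in a case like the one above is what the browser actually sent: a raw NTLM message, a SPNEGO token whose first (optimistic) mechanism is NTLM, or a SPNEGO token carrying a Kerberos AP-REQ. The three look alike in a base64 "Authorization: Negotiate ..." header but point at different faults. The classifier below is an added example written for this page, not code from the CAS project or from the poster; it does a minimal DER walk of the GSS-API InitialContextToken and NegTokenInit (RFC 2743 / RFC 4178) and relies on the rule that the mechToken in a NegTokenInit belongs to the first OID in mechTypes. The sample tokens it builds are constructed test data, not captures from a real browser.

```python
import base64
import struct

# DER TLV encodings (tag 0x06, length, value) of the OIDs seen in SPNEGO mechTypes.
SPNEGO_OID = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                        # header of a raw NTLM message


def _der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _read_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _expect(buf, pos, tag):
    """Require TLV with `tag` at buf[pos]; return (content start, content end)."""
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError("expected tag 0x%02x" % tag)
    length, pos = _read_len(buf, pos + 1)
    if pos + length > len(buf):
        raise ValueError("truncated token")
    return pos, pos + length


def classify_negotiate_token(authorization_header):
    """Classify the token in an Authorization header value sent by a browser.

    Returns one of: "not-negotiate", "malformed", "ntlm-raw", "kerberos-raw",
    "spnego-kerberos", "spnego-ntlm", "spnego-unknown".
    """
    scheme, _, b64 = authorization_header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return "malformed"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm-raw"            # NTLM without any SPNEGO wrapping
    try:
        pos, _ = _expect(token, 0, 0x60)          # GSS-API InitialContextToken
        if token[pos:pos + len(KRB5_OID)] in (KRB5_OID, MS_KRB5_OID):
            return "kerberos-raw"                 # bare Kerberos AP-REQ, no SPNEGO
        if token[pos:pos + len(SPNEGO_OID)] != SPNEGO_OID:
            return "malformed"
        pos += len(SPNEGO_OID)
        pos, _ = _expect(token, pos, 0xA0)        # NegotiationToken CHOICE: negTokenInit
        pos, _ = _expect(token, pos, 0x30)        # NegTokenInit SEQUENCE
        pos, _ = _expect(token, pos, 0xA0)        # [0] mechTypes
        pos, end = _expect(token, pos, 0x30)      # SEQUENCE OF MechType
        mechs = []
        while pos < end:
            start = pos
            pos, oid_end = _expect(token, pos, 0x06)
            mechs.append(token[start:oid_end])    # keep the whole OID TLV
            pos = oid_end
    except ValueError:
        return "malformed"
    # RFC 4178: the optimistic mechToken was produced by the FIRST listed mechanism.
    if mechs and mechs[0] in (KRB5_OID, MS_KRB5_OID):
        return "spnego-kerberos"
    if mechs and mechs[0] == NTLMSSP_OID:
        return "spnego-ntlm"
    return "spnego-unknown"


def build_ntlm_negotiate():
    """Constructed minimal NTLM NEGOTIATE_MESSAGE (type 1): signature, type, flags,
    empty domain/workstation fields. Sample data for testing, not a capture."""
    return NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0x00088207) + b"\x00" * 16


def build_spnego_init(mech_oids, mech_token):
    """Constructed InitialContextToken wrapping a NegTokenInit with the given
    mechTypes (in order) and an optimistic mechToken for the first one."""
    mech_types = _der(0xA0, _der(0x30, b"".join(mech_oids)))
    opt_token = _der(0xA2, _der(0x04, mech_token))
    neg_token_init = _der(0xA0, _der(0x30, mech_types + opt_token))
    return _der(0x60, SPNEGO_OID + neg_token_init)


def header_for(token):
    """Render a token the way it appears on the wire: 'Negotiate <base64>'."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


if __name__ == "__main__":
    fake_apreq = b"\x60constructed-placeholder-not-a-real-AP-REQ"
    for label, tok in (("raw NTLM", build_ntlm_negotiate()),
                       ("SPNEGO/NTLM", build_spnego_init([NTLMSSP_OID], build_ntlm_negotiate())),
                       ("SPNEGO/Kerberos", build_spnego_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], fake_apreq))):
        print(label, "->", classify_negotiate_token(header_for(tok)))
```

Run it against the value CAS logs for the Authorization header (with kerberosDebug=true the raw token is printed). "ntlm-raw" or "spnego-ntlm" means the browser never obtained a Kerberos service ticket, so the fault is before CAS is involved: the SPN on the account does not match the host name the browser used (HTTP/fqdn, not an IP address), the site is not in the browser's intranet/trusted zone, or the client could not reach a domain controller. "spnego-kerberos" with a failing login means the client did get a ticket and the server side cannot validate it, which usually comes down to the keytab (wrong account, stale kvno, or an encryption type the account is not allowed to use). In neither case is a KDC on the CAS host required; the Krb5LoginModule is only a Kerberos client, and the realm/KDC it talks to is whatever the JCIFSConfig properties or the host's krb5.conf point it at, which here is the AD domain controller.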