We are already using CAS in our "internal" network with Kerberos at one site, and it is working without a problem.

We now want to configure a second site on our own, but with a slightly different configuration (DNS names/SPN).

I will try to explain. First the non-working config, and later the working config with some small changes.

We try to run a CAS with SPNEGO.

We can use kinit (Linux command) with cas.keytab and get a valid Kerberos ticket from the KDC of REALM2.DE, but it doesn't work with CAS. CAS always falls back to NTLM. What do we need to do so that it will work? Perhaps it uses the wrong SPN entry from the keytab? I can't figure it out.

  • Ubuntu 16 LTS and Ubuntu 18 LTS
  • CAS: 5.2.7
  • REALM1 = Windows Active Directory (there are the users)
  • REALM2 = MIT Linux Kerberos Realm (there is the CAS server)
  • acme.de = the internet domain for the official SSL certificate
  • Realm trust between REALM1 and REALM2 is working.

Description of the non-working configuration:

The SPN is like HTTP/[email protected]

/etc/krb5.conf:

    [libdefaults]
    default_keytab_name = /etc/cas/cas.keytab
    [realms]
    REALM1.DE = {
            kdc = ad1.realm1.de
            kdc = ad2.realm1.de
            kdc = ad3.realm1.de
    }
    REALM2.DE = {
            kdc = kerberos.realm2.de
            kdc = kerberos-1.realm2.de
            kdc = kerberos-2.realm2.de
            admin_server = kadmin.realm2.de
    }

cas.properties:

    cas.server.name=https://cas.acme.de:8443
    cas.server.prefix=https://cas.acme.de:8443/cas
    cas.authn.attributeRepository.defaultAttributesToRelease=cn,givenName,uid,mail
    # KERBEROS / SPNEGO
    cas.authn.spnego.kerberosConf=/etc/krb5.conf
    # cas.authn.spnego.mixedModeAuthentication=false
    cas.authn.spnego.mixedModeAuthentication=true
    cas.authn.spnego.cachePolicy=600
    cas.authn.spnego.timeout=300000
    cas.authn.spnego.jcifsServicePrincipal=HTTP/[email protected]
    cas.authn.spnego.jcifsNetbiosWins=
    cas.authn.spnego.loginConf=/etc/cas/login.conf
    cas.authn.spnego.ntlmAllowed=true
    cas.authn.spnego.hostNamePatternString=.+
    cas.authn.spnego.jcifsUsername=
    cas.authn.spnego.useSubjectCredsOnly=false
    cas.authn.spnego.supportedBrowsers=MSIE,Trident,Firefox,AppleWebKit
    cas.authn.spnego.jcifsDomainController=
    cas.authn.spnego.dnsTimeout=2000
    cas.authn.spnego.hostNameClientActionStrategy=hostnameSpnegoClientAction
    cas.authn.spnego.kerberosKdc=192.169.1.3
    cas.authn.spnego.alternativeRemoteHostAttribute=alternateRemoteHeader
    cas.authn.spnego.jcifsDomain=
    cas.authn.spnego.ipsToCheckPattern=
    cas.authn.spnego.kerberosDebug=
    cas.authn.spnego.send401OnAuthenticationFailure=true
    cas.authn.spnego.kerberosRealm=REALM2.DE
    cas.authn.spnego.ntlm=false
    cas.authn.spnego.principalWithDomainName=true
    cas.authn.spnego.jcifsServicePassword=
    cas.authn.spnego.jcifsPassword=
    cas.authn.spnego.spnegoAttributeName=userPrincipalName
    cas.authn.spnego.name=

/etc/cas/login.conf:

    jcifs.spnego.initiate {
        com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="/etc/cas/cas.keytab";
    };

    jcifs.spnego.accept {
        com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="/etc/cas/cas.keytab";
    };

cas.keytab:

    root@cas:/etc/cas# klist -k /etc/cas/cas.keytab -e -t
    Keytab name: FILE:/etc/cas/cas.keytab

    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
    2 17.05.2019 11:38:56 HTTP/[email protected] (aes256-cts-hmac-sha1-96)
    2 17.05.2019 11:38:56 HTTP/[email protected] (aes128-cts-hmac-sha1-96)
    2 17.05.2019 11:38:56 HTTP/[email protected] (arcfour-hmac)
    2 17.05.2019 11:39:03 HTTP/[email protected] (aes256-cts-hmac-sha1-96)
    2 17.05.2019 11:39:03 HTTP/[email protected] (aes128-cts-hmac-sha1-96)
    2 17.05.2019 11:39:03 HTTP/[email protected] (arcfour-hmac)

    kinit HTTP/[email protected] -k -t /etc/cas/cas.keytab
    klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: HTTP/[email protected]
    Valid starting       Expires              Service principal
    04.12.2019 12:54:18  05.12.2019 12:54:18  krbtgt/[email protected]

    root@cas:/etc/cas# nslookup cas.acme.d
    Server:         192.169.1.1
    Address:        192.169.1.1#53

    Name:   cas.acme.de
    Address: 192.169.1.140

    root@cas:/etc/cas# nslookup 192.169.1.140
    140.1.169.192.in-addr.arpa      name = cas.realm2.de.

Description of the working configuration:

Only the SPN and the internet DNS name changed.

The SPN is like HTTP/[email protected]

/etc/krb5.conf:

    [libdefaults]
    default_keytab_name = /etc/cas/cast.keytab

    [realms]
    REALM1.DE = {
            kdc = ad1.realm1.de
            kdc = ad2.realm1.de
            kdc = ad3.realm1.de
    }
    REALM2.DE = {
            kdc = kerberos.realm2.de
            kdc = kerberos-1.realm2.de
            kdc = kerberos-2.realm2.de
            admin_server = kadmin.realm2.de
    }

cas.properties:

    cas.server.name=https://cast.realm2.de:8443
    cas.server.prefix=https://cast.realm2.de:8443/cas
    # KERBEROS / SPNEGO
    cas.authn.spnego.kerberosConf=/etc/krb5.conf
    #cas.authn.spnego.mixedModeAuthentication=false
    cas.authn.spnego.mixedModeAuthentication=true
    cas.authn.spnego.cachePolicy=600
    cas.authn.spnego.timeout=300000
    cas.authn.spnego.jcifsServicePrincipal=HTTP/[email protected]
    cas.authn.spnego.jcifsNetbiosWins=
    cas.authn.spnego.loginConf=/etc/cas/login.conf
    cas.authn.spnego.ntlmAllowed=true
    cas.authn.spnego.hostNamePatternString=.+
    cas.authn.spnego.jcifsUsername=
    cas.authn.spnego.useSubjectCredsOnly=false
    cas.authn.spnego.supportedBrowsers=MSIE,Trident,Firefox,AppleWebKit
    cas.authn.spnego.jcifsDomainController=
    cas.authn.spnego.dnsTimeout=2000
    cas.authn.spnego.hostNameClientActionStrategy=hostnameSpnegoClientAction
    cas.authn.spnego.kerberosKdc=192.169.1.3
    cas.authn.spnego.alternativeRemoteHostAttribute=alternateRemoteHeader
    cas.authn.spnego.jcifsDomain=
    cas.authn.spnego.ipsToCheckPattern=
    cas.authn.spnego.kerberosDebug=
    cas.authn.spnego.send401OnAuthenticationFailure=true
    cas.authn.spnego.kerberosRealm=REALM2.DE
    cas.authn.spnego.ntlm=false
    cas.authn.spnego.principalWithDomainName=true
    cas.authn.spnego.jcifsServicePassword=
    cas.authn.spnego.jcifsPassword=
    cas.authn.spnego.spnego

/etc/cas/login.conf:

    jcifs.spnego.initiate {
        com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="/etc/cas/cas-t.keytab";
    };

    jcifs.spnego.accept {
        com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="/etc/cas/cas-t.keytab";
    };

cast.keytab:

    klist -k cas-t.keytab -e -t
    Keytab name: FILE:cas-t.keytab

    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
    2 04.10.2018 11:17:39 HTTP/[email protected] (aes256-cts-hmac-sha1-96)
    2 04.10.2018 11:17:39 HTTP/[email protected] (aes128-cts-hmac-sha1-96)
    2 04.10.2018 11:17:39 HTTP/[email protected] (arcfour-hmac)
    2 04.10.2018 11:17:42 HTTP/[email protected] (aes256-cts-hmac-sha1-96)
    2 04.10.2018 11:17:43 HTTP/[email protected] (aes128-cts-hmac-sha1-96)
    2 04.10.2018 11:17:43 HTTP/[email protected] (arcfour-hmac)

    kinit HTTP/[email protected] -k -t ./cas-t.keytab
    klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: HTTP/[email protected]

    Valid starting       Expires              Service principal
    04.12.2019 12:33:51  05.12.2019 12:33:51  krbtgt/[email protected]

    root@cas:/etc/cas# nslookup cast.realm2.de
    Server:         192.169.1.1
    Address:        192.169.1.1#53

    Name:   cast.realm2.de
    Address: 192.169.1.65

    root@cas:/etc/cas# nslookup 192.169.1.65
    65.1.169.192.in-addr.arpa       name = cast.realm2.de.

We have already tried to debug this on our own, but we can't figure it out.

We hope somebody can help us solve this.

Please let us know if you need any further information.

Thanks!
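A quick consistency check for the "perhaps it uses the wrong SPN entry from the keytab" suspicion, added here as an example and not part of the question or of CAS itself: it parses `klist -k -e -t` output and a cas.properties fragment and reports whether the configured `cas.authn.spnego.jcifsServicePrincipal` is present in the keytab, which enctypes it has, whether its realm matches `cas.authn.spnego.kerberosRealm`, and whether its host part matches the host in `cas.server.name`. The keytab listing and properties below are constructed with placeholder names (cas.example.test, REALM2.TEST), not the values from the page.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample of `klist -k -e -t` output in the same layout as the
# question's listing; host names and realm are placeholders, not page values.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/cas/cas.keytab

KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 17.05.2019 11:38:56 HTTP/cas.example.test@REALM2.TEST (aes256-cts-hmac-sha1-96)
   2 17.05.2019 11:38:56 HTTP/cas.example.test@REALM2.TEST (aes128-cts-hmac-sha1-96)
   2 17.05.2019 11:38:56 HTTP/cas.example.test@REALM2.TEST (arcfour-hmac)
   2 17.05.2019 11:39:03 HTTP/cas.internal.test@REALM2.TEST (aes256-cts-hmac-sha1-96)
"""

# Constructed cas.properties fragment (hypothetical host names).
CAS_PROPERTIES = """\
cas.server.name=https://cas.example.test:8443
cas.server.prefix=https://cas.example.test:8443/cas
# KERBEROS / SPNEGO
cas.authn.spnego.jcifsServicePrincipal=HTTP/cas.example.test@REALM2.TEST
cas.authn.spnego.kerberosRealm=REALM2.TEST
"""

# One keytab entry: KVNO, "dd.mm.yyyy hh:mm:ss", principal, "(enctype)".
_KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist_keytab(text: str) -> Dict[str, List[str]]:
    """Map each principal in `klist -k -e -t` output to its enctypes, in listing order."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = _KEYTAB_LINE.match(line)
        if m:
            entries.setdefault(m.group(3), []).append(m.group(4))
    return entries


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser; ignores blank lines and '#' comments."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_spnego_config(props: Dict[str, str], keytab: Dict[str, List[str]]) -> Dict[str, object]:
    """Cross-check the SPNEGO service principal against the keytab and server name."""
    spn = props.get("cas.authn.spnego.jcifsServicePrincipal", "")
    service, _, spn_realm = spn.partition("@")          # "HTTP/host" and "REALM"
    spn_host = service.split("/", 1)[1] if "/" in service else ""
    server_host = urlparse(props.get("cas.server.name", "")).hostname or ""
    enctypes = keytab.get(spn, [])
    return {
        "spn": spn,
        "in_keytab": spn in keytab,
        "enctypes": enctypes,
        "has_aes_key": any(e.startswith("aes") for e in enctypes),
        "realm_matches": spn_realm == props.get("cas.authn.spnego.kerberosRealm", ""),
        "host_matches_server_name": spn_host.lower() == server_host.lower(),
    }


if __name__ == "__main__":
    report = check_spnego_config(parse_properties(CAS_PROPERTIES),
                                 parse_klist_keytab(KLIST_OUTPUT))
    for key, value in report.items():
        print(f"{key:>26}: {value}")
```

Run it against a real `klist -k -e -t /etc/cas/cas.keytab` capture and the site's cas.properties; an SPN that is absent from the keytab, a realm mismatch, or a host part that differs from `cas.server.name` is a configuration error worth fixing before looking at the KDC side.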

When you say it always falls back to NTLM, in what way is it falling back? Is an initial Kerb ticket included in the SPNEGO token and CAS fails, forcing it to fall back to NTLM, or is it that the SPNEGO token only ever includes an NTLM token? (Steve)

Hello @Steve, sorry for the misunderstanding. The problem is that no Kerb ticket is created on behalf of CAS. CAS should/must do a Kerb auth. (aexlz)

The issue is that the resolved SPN cannot be found in the realm KDC it thinks owns the SPN. I would recommend using something like Wireshark to verify what SPN is actually being sent to the KDC, and make sure either a) that SPN is registered, or b) that it's doing the correct realm transition. (Steve)

1 Answer

After digging deep with Wireshark, we could solve the problem. In fact it was not a CAS issue, but a KDC realm issue.

The client derived the wrong realm when accessing the CAS server. The client's browser tried to ask the Windows KDC and could not retrieve a service ticket for the given SPN.

After using:

    ksetup /AddHostToRealmMap <host name of CAS> <realm>

to force the client to request from the correct Linux KDC, a service ticket was requested successfully and CAS authentication worked out well.

Thanks to @Steve for "b) that it's doing the correct realm transition"...
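The fix in the answer is a host-to-realm mapping: a Kerberos client derives the realm of a service principal from the host name in the SPN, and a host under acme.de carries no hint that its realm is REALM2.DE, so the client asks the wrong KDC. The following is an added example (not from the question, the answer, or the CAS project) that implements the longest-suffix matching rule that a `[domain_realm]` section in krb5.conf expresses on MIT clients and that `ksetup /AddHostToRealmMap` expresses on Windows, and shows which KDC list a client would consult with and without such a mapping. The krb5.conf fragment is constructed: the question's file has no `[domain_realm]` section, and both its entries and the "upper-cased parent domain" fallback used when nothing matches are assumptions made for this example, not CAS or Windows behaviour.

```python
from typing import Dict, List

# Constructed krb5.conf fragment. The [domain_realm] entries are an assumption:
# they are the Linux-side equivalent of the ksetup mapping from the answer.
KRB5_CONF = """\
[libdefaults]
    default_realm = REALM2.DE

[realms]
    REALM1.DE = {
        kdc = ad1.realm1.de
    }
    REALM2.DE = {
        kdc = kerberos.realm2.de
        kdc = kerberos-1.realm2.de
    }

[domain_realm]
    .realm2.de = REALM2.DE
    cas.acme.de = REALM2.DE
"""


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Parse the [section] / key = value / NAME = { ... } subset used above."""
    sections: Dict[str, dict] = {}
    section = None
    block = None                       # realm block currently open inside [realms]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            sections.setdefault(section, {})
            continue
        if section is None:
            continue
        if line.endswith("{"):         # e.g. "REALM2.DE = {"
            block = line[:-1].split("=", 1)[0].strip()
            sections[section][block] = {}
            continue
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower() if section == "domain_realm" else key.strip(), value.strip()
        target = sections[section][block] if block else sections[section]
        if key == "kdc":               # a realm may list several KDCs
            target.setdefault("kdc", []).append(value)
        else:
            target[key] = value
    return sections


def host_to_realm(hostname: str, domain_realm: Dict[str, str]) -> str:
    """Longest-suffix match as [domain_realm] does: an exact host entry wins,
    then '.parent.domain' entries, nearest parent first."""
    host = hostname.rstrip(".").lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    # Assumption for this example: with no mapping (and no DNS realm lookup),
    # guess the upper-cased parent domain. For cas.acme.de that is ACME.DE,
    # a realm no KDC in the configuration serves.
    return ".".join(labels[1:]).upper()


def kdcs_for_host(conf: Dict[str, dict], hostname: str) -> List[str]:
    """KDCs a client would contact for a service on `hostname`; empty means
    the derived realm is unknown and the ticket request cannot succeed."""
    realm = host_to_realm(hostname, conf.get("domain_realm", {}))
    return list(conf.get("realms", {}).get(realm, {}).get("kdc", []))


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    unmapped = parse_krb5_conf(KRB5_CONF.split("[domain_realm]")[0])
    for host in ("cast.realm2.de", "cas.acme.de"):
        print(host, "without mapping ->", host_to_realm(host, {}), kdcs_for_host(unmapped, host))
        print(host, "with mapping    ->", host_to_realm(host, conf["domain_realm"]), kdcs_for_host(conf, host))
```

The output makes the two scenarios from the question visible: cast.realm2.de maps to REALM2.DE even without an entry because its DNS suffix matches the realm name, while cas.acme.de only reaches the REALM2.DE KDCs once an explicit mapping exists. Whatever tool writes that mapping on the client (krb5.conf on Linux, `ksetup` on Windows), the same check applies: every SPN host name that does not share the realm's DNS suffix needs an explicit entry.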