We are already using CAS with Kerberos in our "internal" network at one site, and it works without any problems.
We now want to configure a second site ourselves, but with a slightly different configuration (DNS names/SPN).
Let me explain: first the non-working configuration, then the working configuration, which differs in only a few small details.
We are trying to run CAS with SPNEGO.
We can run kinit (the Linux command) with cas.keytab
and obtain a valid Kerberos ticket from the KDC of REALM2.DE,
but it does not work with CAS: CAS always falls back to NTLM (a fallback that the `ntlmAllowed=true` setting below permits, so the Kerberos failure itself is not reported). What do we need to do to make it work? Perhaps CAS uses the wrong SPN entry from the keytab? I cannot figure it out.
The SPN has the form HTTP/[email protected]
/etc/krb5.conf:
[libdefaults]
default_keytab_name = /etc/cas/cas.keytab
[realms]
REALM1.DE = {
kdc = ad1.realm1.de
kdc = ad2.realm1.de
kdc = ad3.realm1.de
}
REALM2.DE = {
kdc = kerberos.realm2.de
kdc = kerberos-1.realm2.de
kdc = kerberos-2.realm2.de
admin_server = kadmin.realm2.de
}
cas.properties:
cas.server.name=https://cas.acme.de:8443
cas.server.prefix=https://cas.acme.de:8443/cas
cas.authn.attributeRepository.defaultAttributesToRelease=cn,givenName,uid,mail
# KERBEROS / SPNEGO
cas.authn.spnego.kerberosConf=/etc/krb5.conf
# cas.authn.spnego.mixedModeAuthentication=false
cas.authn.spnego.mixedModeAuthentication=true
cas.authn.spnego.cachePolicy=600
cas.authn.spnego.timeout=300000
cas.authn.spnego.jcifsServicePrincipal=HTTP/[email protected]
cas.authn.spnego.jcifsNetbiosWins=
cas.authn.spnego.loginConf=/etc/cas/login.conf
cas.authn.spnego.ntlmAllowed=true
cas.authn.spnego.hostNamePatternString=.+
cas.authn.spnego.jcifsUsername=
cas.authn.spnego.useSubjectCredsOnly=false
cas.authn.spnego.supportedBrowsers=MSIE,Trident,Firefox,AppleWebKit
cas.authn.spnego.jcifsDomainController=
cas.authn.spnego.dnsTimeout=2000
cas.authn.spnego.hostNameClientActionStrategy=hostnameSpnegoClientAction
cas.authn.spnego.kerberosKdc=192.169.1.3
cas.authn.spnego.alternativeRemoteHostAttribute=alternateRemoteHeader
cas.authn.spnego.jcifsDomain=
cas.authn.spnego.ipsToCheckPattern=
cas.authn.spnego.kerberosDebug=
cas.authn.spnego.send401OnAuthenticationFailure=true
cas.authn.spnego.kerberosRealm=REALM2.DE
cas.authn.spnego.ntlm=false
cas.authn.spnego.principalWithDomainName=true
cas.authn.spnego.jcifsServicePassword=
cas.authn.spnego.jcifsPassword=
cas.authn.spnego.spnegoAttributeName=userPrincipalName
cas.authn.spnego.name=
/etc/cas/login.conf:
jcifs.spnego.initiate {
com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="/etc/cas/cas.keytab";
};
jcifs.spnego.accept {
com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="/etc/cas/cas.keytab";
};
cas.keytab:
root@cas:/etc/cas# klist -k /etc/cas/cas.keytab -e -t
Keytab name: FILE:/etc/cas/cas.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 17.05.2019 11:38:56 HTTP/[email protected] (aes256-cts-hmac-sha1-96)
2 17.05.2019 11:38:56 HTTP/[email protected] (aes128-cts-hmac-sha1-96)
2 17.05.2019 11:38:56 HTTP/[email protected] (arcfour-hmac)
2 17.05.2019 11:39:03 HTTP/[email protected] (aes256-cts-hmac-sha1-96)
2 17.05.2019 11:39:03 HTTP/[email protected] (aes128-cts-hmac-sha1-96)
2 17.05.2019 11:39:03 HTTP/[email protected] (arcfour-hmac)
kinit HTTP/[email protected] -k -t /etc/cas/cas.keytab
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/[email protected]
Valid starting Expires Service principal
04.12.2019 12:54:18 05.12.2019 12:54:18 krbtgt/[email protected]
root@cas:/etc/cas# nslookup cas.acme.de
Server: 192.169.1.1
Address: 192.169.1.1#53
Name: cas.acme.de
Address: 192.169.1.140
root@cas:/etc/cas# nslookup 192.169.1.140
140.1.169.192.in-addr.arpa name = cas.realm2.de.
Only the SPN and the public DNS name were changed.
The SPN has the form HTTP/[email protected]
/etc/krb5.conf:
[libdefaults]
default_keytab_name = /etc/cas/cast.keytab
[realms]
REALM1.DE = {
kdc = ad1.realm1.de
kdc = ad2.realm1.de
kdc = ad3.realm1.de
}
REALM2.DE = {
kdc = kerberos.realm2.de
kdc = kerberos-1.realm2.de
kdc = kerberos-2.realm2.de
admin_server = kadmin.realm2.de
}
cas.properties:
cas.server.name=https://cast.realm2.de:8443
cas.server.prefix=https://cast.realm2.de:8443/cas
# KERBEROS / SPNEGO
cas.authn.spnego.kerberosConf=/etc/krb5.conf
#cas.authn.spnego.mixedModeAuthentication=false
cas.authn.spnego.mixedModeAuthentication=true
cas.authn.spnego.cachePolicy=600
cas.authn.spnego.timeout=300000
cas.authn.spnego.jcifsServicePrincipal=HTTP/[email protected]
cas.authn.spnego.jcifsNetbiosWins=
cas.authn.spnego.loginConf=/etc/cas/login.conf
cas.authn.spnego.ntlmAllowed=true
cas.authn.spnego.hostNamePatternString=.+
cas.authn.spnego.jcifsUsername=
cas.authn.spnego.useSubjectCredsOnly=false
cas.authn.spnego.supportedBrowsers=MSIE,Trident,Firefox,AppleWebKit
cas.authn.spnego.jcifsDomainController=
cas.authn.spnego.dnsTimeout=2000
cas.authn.spnego.hostNameClientActionStrategy=hostnameSpnegoClientAction
cas.authn.spnego.kerberosKdc=192.169.1.3
cas.authn.spnego.alternativeRemoteHostAttribute=alternateRemoteHeader
cas.authn.spnego.jcifsDomain=
cas.authn.spnego.ipsToCheckPattern=
cas.authn.spnego.kerberosDebug=
cas.authn.spnego.send401OnAuthenticationFailure=true
cas.authn.spnego.kerberosRealm=REALM2.DE
cas.authn.spnego.ntlm=false
cas.authn.spnego.principalWithDomainName=true
cas.authn.spnego.jcifsServicePassword=
cas.authn.spnego.jcifsPassword=
cas.authn.spnego.spnego
/etc/cas/login.conf:
jcifs.spnego.initiate {
com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="/etc/cas/cas-t.keytab";
};
jcifs.spnego.accept {
com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="/etc/cas/cas-t.keytab";
};
cast.keytab:
klist -k cas-t.keytab -e -t
Keytab name: FILE:cas-t.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 04.10.2018 11:17:39 HTTP/[email protected] (aes256-cts-hmac-sha1-96)
2 04.10.2018 11:17:39 HTTP/[email protected] (aes128-cts-hmac-sha1-96)
2 04.10.2018 11:17:39 HTTP/[email protected] (arcfour-hmac)
2 04.10.2018 11:17:42 HTTP/[email protected] (aes256-cts-hmac-sha1-96)
2 04.10.2018 11:17:43 HTTP/[email protected] (aes128-cts-hmac-sha1-96)
2 04.10.2018 11:17:43 HTTP/[email protected] (arcfour-hmac)
kinit HTTP/[email protected] -k -t ./cas-t.keytab
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/[email protected]
Valid starting Expires Service principal
04.12.2019 12:33:51 05.12.2019 12:33:51 krbtgt/[email protected]
root@cas:/etc/cas# nslookup cast.realm2.de
Server: 192.169.1.1
Address: 192.169.1.1#53
Name: cast.realm2.de
Address: 192.169.1.65
root@cas:/etc/cas# nslookup 192.169.1.65
65.1.169.192.in-addr.arpa name = cast.realm2.de.
We have already tried to debug this on our own, but we cannot figure it out.
We hope somebody can help us solve this.
Please let us know if you need any further information.
Thanks!
After digging deep with Wireshark, we were able to solve the problem. It was not a CAS issue at all, but a KDC realm issue.
The client derived the wrong realm from the CAS server's host name: the client's browser asked the Windows KDC, which could not issue a service ticket for the given SPN. (Without an explicit mapping, the client derives the realm from the host's DNS domain suffix; cas.acme.de is not under REALM2.DE's domain, whereas cast.realm2.de is, which is why the second configuration worked without any extra step.)
After running:
ksetup /AddHostToRealmMap <host name of CAS> <realm>
on the client to force it to request the ticket from the correct Linux KDC, the service ticket was obtained successfully and CAS authentication worked as expected.
Thanks to @Steve for "b) that it's doing the correct realm transition"...