Before getting started it will help to understand the steps involved in SPNEGO authentication. There are three actors involved, the client, the CAS server, and the ActiveDirectory DomainController/KDC.
This only happens for the first request, when there is no CAS ticket associated with the user's session. Once CAS grants a ticket, this will not happen again until the CAS ticket expires.
Including the Handler
In the pom.xml file for your CAS Maven2 WAR Overlay, add the following dependency:
This is the implementation of an AuthenticationHandler for SPNEGO support. This Handler supports both NTLM and Kerberos. NTLM is disabled by default. This class supports the following properties:
This class is the configuration helper for JCIFS and the Spring framework. This class supports the following properties:
First action of a SPNEGO flow: negotiation. The server checks if the negotiation string is in the request header:
Second action of a SPNEGO flow: decode the gssapi-data and build a new SpnegoCredentials.
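The two actions above, as an added illustration in Python (not CAS's own Java code): the first checks for a usable Negotiate/NTLM header, the second base64-decodes the gssapi-data and classifies the token by its NTLMSSP signature or GSS-API mechanism OID, rejecting NTLM unless it has been enabled, as in the handler's default. The sample tokens are constructed, minimal blobs for classification only, not captured from a real exchange.

```python
import base64

# DER-encoded OBJECT IDENTIFIER TLVs (tag 0x06, length, contents).
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
NTLM_SIGNATURE = b"NTLMSSP\x00"

def _der_len(buf, pos):
    """Return (length, position after the length field) for a DER TLV at pos."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_token(token):
    """Classify decoded gssapi-data as 'ntlm', 'spnego', 'kerberos' or 'unknown'."""
    if token.startswith(NTLM_SIGNATURE):
        return "ntlm"
    # GSS-API initial context token: [APPLICATION 0] { mech OID, inner token }
    if token[:1] == b"\x60":
        _, body = _der_len(token, 1)
        if token.startswith(SPNEGO_OID, body):
            return "spnego"
        if token.startswith(KRB5_OID, body):
            return "kerberos"
    return "unknown"

def negotiate(authorization, ntlm_enabled=False):
    """Mirror the two webflow actions: check the header, then decode and classify.

    Returns (status, mechanism). 'challenge' means no usable header was sent and the
    server should answer 401 with 'WWW-Authenticate: Negotiate'.
    """
    if not authorization:
        return "challenge", None
    scheme, _, data = authorization.partition(" ")
    if scheme not in ("Negotiate", "NTLM") or not data:
        return "challenge", None
    try:
        token = base64.b64decode(data, validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return "rejected", None
    mech = classify_token(token)
    if mech == "unknown" or (mech == "ntlm" and not ntlm_enabled):
        return "rejected", mech
    return "credentials", mech

# Constructed sample tokens (hypothetical, minimal; not real captured traffic).
NTLM_TYPE1 = base64.b64encode(NTLM_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 28).decode()
SPNEGO_TOKEN = base64.b64encode(b"\x60\x0c" + SPNEGO_OID + b"\xa0\x02\x30\x00").decode()
KRB5_TOKEN = base64.b64encode(b"\x60\x0d" + KRB5_OID + b"\x01\x00").decode()
```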
Set up the Active Directory
A service account should be created. This account is called a Service Principal Name account (SPN account).
Create the User
Now that the user account has been created and updated, we need to create a service principal setting for the created user account. This is automatically handled by exporting a keytab file for the created account.
Create the Keytab File
The Keytab file enables a trust link between the CAS server and the Key Distribution Center (KDC). This file contains a cryptographic key. The ktpass tool, which comes from the Windows Resource Kit, is used to generate this file. Be sure that you are running the command on your server where your Active Directory is installed and you are logged in as an administrator.
In a console, enter the command:
This command will generate the myspnaccount.keytab file, which has to be copied to the CAS server in order to test Kerberos from a bash shell using MIT Kerberos V. Additionally, when the properties of the SPN account are viewed in Active Directory Users and Computers, a new Delegation tab is displayed.
The syntax can be confusing. Here's an example assuming the samAccountName of the service account is "cassp", the fully qualified domain name of the CAS server is "cas.gasper.local", and a domain name of "gasper.local":
Test the SPN account
First configure MIT Kerberos V on the server. The file is /etc/krb5.conf. Here is an example:
Then verify that you are able to read the keytab file:
Another test is to try the command:
You should not be prompted for a password. Here's the command using the example domain:
Set up Browser
Internet Explorer (min 5.01)
Firefox (min 0.9)
Set Up CAS
Set up the login webflow
The CAS 3 Login Webflow needs to be modified. This webflow is located in /WEB-INF/login-webflow.xml. There are 2 new action states which are placed before the state viewLoginForm.
And 2 existing transitions need to be updated:
diff against version 3.5.2:
Two beans are needed for the login flow. Those beans are:
diff against cas version 3.5.2:
In the bean authenticationManager, add:
There is also the jcifsConfig bean which needs to be added.
diff against cas version 3.5.2:
Copy or create the file /path/to/WEB-INF/login.conf
Changes for JBoss
JBoss has its own security manager so specifying the login.conf file above has no effect. This was solved by amending a section in the login-config.xml file in the /SERVER-ROOT/server/default/conf directory as follows:
This means that JBoss defaults to using the Kerberos login module when no others are specified. This can be extracted to a custom application policy and specified in a jboss-web.xml file so that it can be explicitly selected.
You need the jcifs and jcifs-ext jars in order to make SPNEGO work. They can be downloaded from http://developer.jasig.org/repo/content/groups/m2-legacy/org/samba/jcifs/
If there are any dependency problems, you can run 'mvn compile' in the CAS source. After that, your Maven repository (~/.m2 by default) will contain all the dependency jars, so go cherry-pick!