
CAS Server's Java Version


SPNEGO support is tightly coupled to the version of the JVM running CAS. Full SPNEGO compatibility requires JDK 1.6u19 or later. For the particulars of using an older Java version, see version 21 of this page.

SPNEGO Basics

Before getting started it helps to understand the steps involved in SPNEGO authentication. There are three actors: the client (browser), the CAS server, and the Active Directory domain controller acting as Kerberos KDC.

Assumptions:

  • The client is logged in to a Windows domain.
  • The client is Windows XP Pro SP2 or later running IE 6 or IE 7.
  • CAS runs on a UNIX server configured for Kerberos against the AD domain controller of that Windows domain.

SPNEGO steps:

  1. Client sends CAS: HTTP GET for a CAS-protected page
  2. CAS responds: HTTP 401 Access Denied, WWW-Authenticate: Negotiate
  3. Client sends ticket request: Kerberos KRB_TGS_REQ requesting a service ticket for HTTP/<fully qualified domain name of CAS>@KERBEROS.REALM
  4. KDC responds: Kerberos KRB_TGS_REP granting the ticket for HTTP/<fully qualified domain name of CAS>@KERBEROS.REALM
  5. Client sends CAS: HTTP GET with Authorization: Negotiate <SPNEGO token>
  6. CAS responds: HTTP 200 OK with a WWW-Authenticate header carrying the SPNEGO response, plus the requested page

This exchange only happens on the first request, when there is no CAS ticket associated with the user's session. Once CAS has granted a ticket, it does not recur until that ticket expires.

Including the Handler

In the pom.xml file for your CAS Maven2 WAR Overlay, add the following dependency:

Core Classes

JCIFSSpnegoAuthenticationHandler

This is the implementation of an AuthenticationHandler for SPNEGO support. The handler accepts both Kerberos and NTLM tokens; NTLM is disabled by default. This class supports the following properties:

  • principalWithDomainName - boolean controlling whether the domain (realm) suffix is kept in the returned netid
  • NTLMallowed - boolean allowing authentication with a SPNEGO/NTLM token (false by default)

JCIFSConfig

This class is the configuration helper for JCIFS and the Spring framework. This class supports the following properties:

  • jcifsServicePrincipal - set the Service Principal Name
  • jcifsServicePassword - set the password for the principal name
  • kerberosDebug - boolean to enable or disable the debug mode on Kerberos
  • kerberosRealm - set the Realm
  • kerberosKdc - set the KDC address
  • loginConf - path to the login.conf

SpnegoNegociateCredentialsAction

First action of a SPNEGO flow: negotiation. The server checks whether the Negotiate string is present in the request's Authorization header:

  • If found, do nothing and return success()
  • Otherwise add a WWW-Authenticate: Negotiate response header and a 401 response status, then return success()

SpnegoCredentialsAction

Second action of a SPNEGO flow: decode the gssapi-data from the Authorization header and build a new SpnegoCredentials.
Once AbstractNonInteractiveCredentialsAction has executed the authentication procedure, this action checks whether a principal is present in the credentials and adds the corresponding response headers.
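As an added example (not code from this page, nor from CAS or JCIFS), the following Python models the decisions that the six-step exchange above and the two actions just described boil down to on the server side: challenge with WWW-Authenticate: Negotiate when no gssapi-data is present, decode the base64 token, and tell a raw NTLM message apart from a SPNEGO or bare Kerberos token so that NTLM can be refused when NTLMallowed is false. It classifies tokens by their GSS-API/NTLMSSP header only; validating the Kerberos AP-REQ (what JCIFS does with the keytab) is not modelled. The sample tokens are constructed, header-only values, and every function name is the example's own.

```python
import base64
import binascii

# DER-encoded OIDs that open a GSS-API InitialContextToken (RFC 2743 3.1):
# the SPNEGO pseudo-mechanism (RFC 4178) and the Kerberos V5 mechanism.
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                    # raw NTLM message, no GSS wrapper


def _der_length(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_wrap(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (short and long form lengths), for samples."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def classify_token(token: bytes) -> str:
    """Tell raw NTLM, SPNEGO and bare Kerberos tokens apart by their header."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    if token[:1] != b"\x60":                       # [APPLICATION 0] tag
        return "unknown"
    _, pos = _der_length(token, 1)
    if token[pos:].startswith(SPNEGO_OID):
        return "spnego"
    if token[pos:].startswith(KRB5_OID):
        return "kerberos"
    return "unknown"


def handle_request(headers: dict, ntlm_allowed: bool = False):
    """Model the two CAS actions: challenge, or decode and route the token.

    Returns (status, response_headers, next_step). A status of None means the
    token is handed on to GSS-API validation, which this example does not do.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Negotiate "):
        # Step 2 of the exchange: no gssapi-data yet, so challenge the browser.
        return 401, {"WWW-Authenticate": "Negotiate"}, "challenge"
    try:
        token = base64.b64decode(auth[len("Negotiate "):], validate=True)
    except (binascii.Error, ValueError):
        return 400, {}, "malformed-token"
    kind = classify_token(token)
    if kind == "ntlm":
        # NTLMallowed=false: refuse rather than fall back to the weaker protocol.
        if not ntlm_allowed:
            return 401, {"WWW-Authenticate": "Negotiate"}, "ntlm-rejected"
        return None, {}, "validate-ntlm"
    if kind in ("spnego", "kerberos"):
        return None, {}, "validate-kerberos"
    return 400, {}, "unsupported-token"


def encode_header(token: bytes) -> str:
    """Build the Authorization header value a browser sends in step 5."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed sample tokens. The SPNEGO and Kerberos bodies are placeholders,
# so they are only good for classification, never for real authentication.
SAMPLE_NTLM_TYPE1 = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 16
SAMPLE_SPNEGO = _der_wrap(0x60, SPNEGO_OID + _der_wrap(0xA0, b"\x30\x00"))
SAMPLE_KRB5 = _der_wrap(0x60, KRB5_OID + b"\x01\x00" + b"\x00" * 200)   # TOK_ID 01 00 = AP-REQ

if __name__ == "__main__":
    for name, tok in [("NTLM", SAMPLE_NTLM_TYPE1), ("SPNEGO", SAMPLE_SPNEGO), ("KRB5", SAMPLE_KRB5)]:
        print(name, handle_request({"Authorization": encode_header(tok)}))
    print("no header", handle_request({}))
```

The NTLM branch is the security-relevant one: a browser that cannot get a service ticket (wrong SPN, host not in the intranet zone, clock skew) will silently offer NTLM instead, and with NTLMallowed left at its default the handler must answer that with another challenge, not with a downgraded login.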

Configuration

Set up the Active Directory

A service account must be created in the domain. The HTTP service principal name of the CAS server is mapped to this account, so it is referred to below as the SPN account.

Create the User

  1. Start Active Directory Users and Computers from the Administrative Tools menu.
  2. Right-click the Users container and select New > User.
  3. Enter the user information (for example myspnaccount as the logon name) and click Next.
  4. Enter the password, select Password never expires, click Next and then Finish.

Now that the account exists, the service principal name must be attached to it. The ktpass command below does this with its /mapuser option and exports the keytab file in the same step.

Create the Keytab File

The keytab file establishes the trust between the CAS server and the Key Distribution Center (KDC): it contains the long-term cryptographic key of the SPN account. The ktpass tool, which comes from the Windows Resource Kit (and ships with Windows Server 2008 and later), is used to generate it. Run the command on a server where Active Directory is installed, logged in as an administrator. Because the keytab is equivalent to the account's password, copy it over a secure channel and restrict its file permissions to the user CAS runs as.

In a console, enter the command:

ktpass.exe /out myspnaccount.keytab /princ HTTP/your.server.name.here@YOUR.REALM.HERE /pass * /mapuser myspnaccount@YOUR.REALM.HERE /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT

This command generates the myspnaccount.keytab file, which has to be copied to the CAS server in order to test Kerberos from a shell with MIT Kerberos V. Additionally, when the properties of the SPN account are viewed in Active Directory Users and Computers, a new Delegation tab is displayed.

The syntax can be confusing. Here is an example assuming the sAMAccountName of the service account is "cassp", the fully qualified domain name of the CAS server is "cas.gasper.local", and the domain is "gasper.local":

ktpass.exe /out cassp.keytab /princ HTTP/cas.gasper.local@GASPER.LOCAL /pass * /mapuser cassp@GASPER.LOCAL /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT

Note that /crypto RC4-HMAC-NT writes an RC4 key (Kerberos enctype 23), which is the choice that works with the JDK generations this page targets but is a legacy cipher. Where the JVM and the account's allowed encryption types both support it, prefer an AES key (ktpass /crypto AES256-SHA1) and make sure the account's password is not reset afterwards, since that invalidates the keytab.


Test the SPN account

First configure MIT Kerberos V on the server. The configuration file is /etc/krb5.conf; it must name the realm (YOUR.REALM.HERE) and the KDC used above.

Then verify that you are able to read the keytab file:

klist -k

Then verify that you can obtain a ticket as an ordinary user of the realm:

kinit a_user_in_the_realm@YOUR.REALM.HERE
klist

Another test is to try the command:

kinit -V HTTP/your.server.name.here@YOUR.REALM.HERE -k -t /home/cas/kerberos/myspnaccount.keytab

You should not be prompted for a password: the key comes from the keytab. Here is the command using the example domain:

kinit -V HTTP/cas.gasper.local@GASPER.LOCAL -k -t /home/user/kerberos/cas.keytab
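The klist and kinit checks above need a working Kerberos client on the box. As an added example (not from this page or from CAS), the following Python reads the keytab directly, which also works on a machine without krb5 installed, and performs the checks a deployer wants before pointing CAS at the file: that the HTTP/... principal is present with the expected name type, which kvno it carries, and whether its keys are RC4 or AES. The keytab layout is the MIT format-2 layout that ktpass writes; the sample keytab at the bottom is constructed in the script with dummy keys, and all function names are the example's own.

```python
import struct
from dataclasses import dataclass

# Kerberos enctype numbers: DES from RFC 3961, AES from RFC 3962,
# RC4-HMAC (ktpass /crypto RC4-HMAC-NT) from RFC 4757.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 23, 24}     # single DES and RC4 variants
KRB5_NT_PRINCIPAL = 1              # the /ptype value used with ktpass above


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key_len: int


def _counted(buf: bytes, pos: int):
    """Read a 16-bit length-prefixed byte string (a keytab 'data' field)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def _data(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def parse_keytab(data: bytes) -> list:
    """Parse an MIT format-2 (0x0502) keytab into KeytabEntry records."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _counted(data, pos)
        kvno = vno8
        if end - pos >= 4:                 # optional 32-bit kvno overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, len(key)))
        pos = end
    return entries


def check_service_keytab(entries: list, expected_principal: str) -> dict:
    """Checks worth running before CAS is configured to use the keytab."""
    mine = [e for e in entries if e.principal == expected_principal]
    return {
        "found": bool(mine),
        "other_principals": sorted({e.principal for e in entries} - {expected_principal}),
        "kvnos": sorted({e.kvno for e in mine}),
        "enctypes": sorted(ENCTYPE_NAMES.get(e.enctype, str(e.enctype)) for e in mine),
        "weak_enctypes": sorted(e.enctype for e in mine if e.enctype in WEAK_ENCTYPES),
        "bad_name_type": any(e.name_type != KRB5_NT_PRINCIPAL for e in mine),
    }


def build_entry(principal: str, enctype: int, key: bytes, kvno: int = 2, timestamp: int = 0) -> bytes:
    """Encode one keytab entry; only used to construct the sample file below."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _data(realm.encode())
    for c in comps:
        body += _data(c.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _data(key)
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: the RC4 entry ktpass /crypto RC4-HMAC-NT writes for the
# page's example SPN, plus an AES256 entry for the same principal. Dummy keys.
SPN = "HTTP/cas.gasper.local@GASPER.LOCAL"
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry(SPN, 23, b"\x11" * 16, kvno=3)
                 + build_entry(SPN, 18, b"\x22" * 32, kvno=3))

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    entries = parse_keytab(data)
    for e in entries:
        print(f"{e.kvno:>3} {ENCTYPE_NAMES.get(e.enctype, e.enctype):<24} {e.principal}")
    print(check_service_keytab(entries, sys.argv[2] if len(sys.argv) > 2 else SPN))
```

Run it as `python keytab_check.py /home/user/kerberos/cas.keytab HTTP/cas.gasper.local@GASPER.LOCAL` against the real file. A principal that is absent, a kvno that no longer matches what the KDC holds (typically after the account password was reset), or a name type other than KRB5_NT_PRINCIPAL explains most "kinit -k -t works but the browser gets a login form" reports before any CAS configuration is touched.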

Set up Browser

Internet Explorer (min 5.01)

  1. In Internet Explorer, click Internet Options on the Tools menu.
  2. On the Advanced tab, select the Enable Integrated Windows Authentication (requires restart) check box in the Security section, then click OK.
  3. On the Security tab, select Local Intranet, click Sites, then click Advanced.
  4. Enter https://your.server.name.here and confirm by clicking Add and then OK.
  5. Restart Internet Explorer.

Firefox (min 0.9)

  1. In Firefox, enter about:config as the URL and press Go.
  2. On the line network.negotiate-auth.trusted-uris, right-click, choose Modify and enter https://your.server.name.here

Kerberos authentication does not work from a browser running on the CAS SSO server itself. See this CAS Users thread.

Set Up CAS

Set up the login webflow

The CAS 3 login webflow needs to be modified. This webflow is located in /WEB-INF/login-webflow.xml. Two new action states are placed before the state viewLoginForm.

And two existing transitions need to be updated:

  • In the decision-state gatewayRequestCheck, replace reference to viewLoginForm by startAuthenticate
  • In the decision-state renewRequestCheck, replace reference to viewLoginForm by startAuthenticate

diff against version 3.5.2:


/WEB-INF/cas-servlet.xml

Two beans are needed for the login flow. Those beans are:

diff against cas version 3.5.2:


/WEB-INF/deployerConfigContext.xml

In the bean authenticationManager, add:

  • org.jasig.cas.adaptors.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver to credentialsToPrincipalResolvers
  • org.jasig.cas.adaptors.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler to authenticationHandlers

The jcifsConfig bean (the JCIFSConfig helper described above) also needs to be added.

diff against cas version 3.5.2:


/WEB-INF/login.conf

Copy or create the file /path/to/WEB-INF/login.conf

Changes for JBoss

JBoss has its own security manager, so specifying the login.conf file above has no effect. This was solved by amending a section of the login-config.xml file in the /SERVER-ROOT/server/default/conf directory as follows:

This means that JBoss defaults to the Kerberos login module when no other is specified. The entry can be extracted into a custom application policy and referenced from a jboss-web.xml file so that it is selected explicitly.

 

ClassNotFound jcifs/spnego/AuthenticationException

You need the jcifs and jcifs-ext jars to make SPNEGO work. They can be downloaded from http://developer.jasig.org/repo/content/groups/m2-legacy/org/samba/jcifs/

If there are any dependency problems, you can run 'mvn compile' in the CAS source tree. After that, your Maven repository (~/.m2 by default) will contain all the dependency jars; go cherry-pick!

 
