
CAS SSO with AD (SPNEGO)

I'm trying to create a deployment with automatic login by using SPNEGO, based on this tutorial: http://jasig.github.io/cas/development/installation/SPNEGO-Authentication.html

I want to use our AD as a Key Distribution Center, so that our domain users are automatically logged in to our application via CAS.

We have a user in our domain; it has an SPN set.

A keytab file has been generated for this user, and I have set it in the login.conf file.

Here is the relevant section of the CAS config:

<bean id="jcifsConfig" class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
    <property name="jcifsServicePrincipal" value="***SPN***" />
    <property name="kerberosDebug" value="true" />
    <property name="kerberosRealm" value="***REALM/DOMAIN***" />
    <property name="kerberosKdc" value="***Active Directory IP***" />
    <property name="loginConf" value="***Path to login.conf***" />
</bean>

login.conf is:

jcifs.spnego.initiate {
   com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="***Path to keytab***";
};
jcifs.spnego.accept {
   com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="***Path to keytab***";
};

The problem is that all I get is an NTLMSSP token from the client browser. So I can see that some kind of negotiation has been started, but the authentication always fails.

The tutorial/howto references a Kerberos configuration in the "Test SPN account" section. This is something I do not understand. Should I install a Kerberos server on the machine which hosts CAS (it is not something I would prefer)? It does not seem logical to me, as I want AD to provide the Kerberos tickets?

Any help is appreciated!

Thanks, Mark.

Edit:

This is the question that really bothers me: the tutorial/howto references a Kerberos configuration in the "Test SPN account" section. This is something I do not understand. Should I install a Kerberos server on the machine which hosts CAS (it is not something I would prefer)? It does not seem logical to me, as I want AD to provide the Kerberos tickets?

You have to configure the browser to do SPNEGO with your CAS site.

Doing this can be anywhere from easy (Safari on OS X does it out of the box) to very difficult (getting Explorer to trust a website outside your domain).

Old Explorer Version Example

If you are getting NTLM-like packets, that means the browser does not recognize your site as one of the sites it can use Kerberos credentials to access.
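A quick way to confirm which mechanism the browser actually sent, as an added example that is not from the original post or the CAS project: decode the Authorization header value and check whether it is a bare NTLM scheme, an NTLMSSP blob wrapped in Negotiate (the symptom in the question), a SPNEGO NegTokenInit, or a raw Kerberos token. The sample header values below are constructed; the OIDs are the standard SPNEGO (1.3.6.1.5.5.2) and Kerberos V5 (1.2.840.113554.1.2.2) mechanism OIDs.

```python
import base64

# Standard GSS-API mechanism OIDs, DER-encoded (tag 0x06 + length + value).
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2

def _der_length(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _skip_der_length(buf: bytes, pos: int) -> int:
    """Return the index just past the DER length field that starts at pos."""
    first = buf[pos]
    return pos + 1 if first < 0x80 else pos + 1 + (first & 0x7F)

def build_gss_token(mech_oid: bytes, inner: bytes) -> str:
    """Wrap inner in a GSS-API InitialContextToken ([APPLICATION 0] OID inner)."""
    body = mech_oid + inner
    return base64.b64encode(b"\x60" + _der_length(len(body)) + body).decode()

def classify_authorization(header_value: str) -> str:
    """Classify what the browser sent in an Authorization header value."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() == "ntlm":
        return "ntlm"                   # browser never tried Negotiate at all
    if scheme.lower() != "negotiate" or not token:
        return "unknown"
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:                  # binascii.Error is a ValueError
        return "unknown"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm-in-negotiate"      # NTLMSSP inside Negotiate: no Kerberos
    if len(raw) < 2 or raw[:1] != b"\x60":
        return "unknown"
    pos = _skip_der_length(raw, 1)      # the mechanism OID follows the length
    if raw.startswith(SPNEGO_OID, pos):
        return "spnego"                 # NegTokenInit, usually carrying Kerberos
    if raw.startswith(KRB5_OID, pos):
        return "kerberos"               # bare Kerberos AP-REQ without SPNEGO
    return "unknown"

# Constructed sample header values (not captured from a real session).
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
SAMPLE_SPNEGO = "Negotiate " + build_gss_token(SPNEGO_OID, b"\xa0\x03\x0a\x01\x00")
SAMPLE_KRB5 = "Negotiate " + build_gss_token(KRB5_OID, b"\x01\x00")
```

The header value can be copied from the browser's developer tools or from the CAS debug log; a result of `ntlm-in-negotiate` means the browser fell back to NTLM exactly as the answer describes, so the fix is on the browser's trusted-site side, not in the keytab.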
