
CAS SSO with AD (SPNEGO)

I'm trying to create a deployment with automatic login by using SPNEGO; based on this tutorial: http://jasig.github.io/cas/development/installation/SPNEGO-Authentication.html

I want to use our AD as a Key Distribution Center, so that our domain users are automatically logged in to our application via CAS.

We have a user in our domain; it has an SPN set.

A keytab file has been generated for this user, and I have set it in the login.conf file.

Here is the relevant section of cas config:

<bean id="jcifsConfig" class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
    <property name="jcifsServicePrincipal" value="***SPN***" />
    <property name="kerberosDebug" value="true" />
    <property name="kerberosRealm" value="***REALM/DOMAIN***" />
    <property name="kerberosKdc" value="***Active Directory IP***" />
    <property name="loginConf" value="***Path to login.conf***" />
</bean>

Login conf is

jcifs.spnego.initiate {
   com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="***Path to keytab***";
};
jcifs.spnego.accept {
   com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true keyTab="***Path to keytab***";
};

The problem is that all I get is an NTLMSSP token from the client browser. So I can see that some kind of negotiation has been started, but the authentication always fails.

The tutorial/howto references a Kerberos configuration in the "Test SPN account" section. This is something I do not understand. Should I install a Kerberos server on the machine which hosts CAS (it is not something I would prefer)? It does not seem logical to me as I want AD to provide the Kerberos tickets?

Any help is appreciated!

Thanks, Mark.

Edit:

This is the question that really bothers me: The tutorial/howto references a Kerberos configuration in the "Test SPN account" section. This is something I do not understand. Should I install a Kerberos server on the machine which hosts CAS (it is not something I would prefer)? It does not seem logical to me as I want AD to provide the Kerberos tickets?

You have to configure the browser to do SPNEGO with your CAS site.

Doing this can be anywhere from easy (Safari on OS X does it out of the box) to very difficult (getting Explorer to trust a website outside of your domain).

Old Explorer Version Example

If you are getting NTLM-like packets, that means the browser does not recognize your site as one of the sites that it can use Kerberos credentials to access.
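A quick way to confirm what the answer describes (the browser falling back to NTLM instead of presenting a Kerberos ticket) is to classify the token carried in the incoming Authorization header, for example from the servlet request or a proxy log. This added example is not part of the question, the answer or CAS itself: it decodes the header, checks for a raw NTLMSSP blob, and otherwise parses the GSS-API/SPNEGO wrapper to see which mechanism the browser listed first; all sample tokens are constructed inline and are not real captures.

```python
import base64
import binascii

# DER-encoded OID bodies (without the 0x06 tag and length byte)
SPNEGO_OID = bytes.fromhex("2b0601050502")               # 1.3.6.1.5.5.2
MECH_OIDS = {
    "krb5":    bytes.fromhex("2a864886f712010202"),      # 1.2.840.113554.1.2.2
    "ms-krb5": bytes.fromhex("2a864882f712010202"),      # 1.2.840.48018.1.2.2
    "ntlmssp": bytes.fromhex("2b06010401823702020a"),    # 1.3.6.1.4.1.311.2.2.10
}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder; bodies up to 255 bytes are enough for these samples."""
    n = len(body)
    return bytes([tag, n]) + body if n < 128 else bytes([tag, 0x81, n]) + body

def _tlv(buf: bytes, off: int):
    """Return (tag, body_start, body_end) for the DER TLV that starts at buf[off]."""
    tag, n = buf[off], buf[off + 1]
    if n & 0x80:                      # long-form length
        k = n & 0x7F
        n, off = int.from_bytes(buf[off + 2:off + 2 + k], "big"), off + k
    return tag, off + 2, off + 2 + n

def classify_negotiate_token(header_value: str) -> str:
    """Classify an 'Authorization: Negotiate <base64>' (or 'NTLM <base64>') header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except (ValueError, binascii.Error):
        return "undecodable"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "raw-ntlm"             # bare NTLMSSP, no SPNEGO wrapper at all
    if len(token) < 4 or token[0] != 0x60:
        return "unknown"
    _, start, _ = _tlv(token, 0)      # GSS-API InitialContextToken
    tag, ostart, oend = _tlv(token, start)
    mech = token[ostart:oend] if tag == 0x06 else b""
    if mech != SPNEGO_OID:            # a bare Kerberos/other mechanism token
        return next(("raw-" + k for k, v in MECH_OIDS.items() if v == mech), "unknown")
    # Inside NegTokenInit the first OID in mechTypes is the one the mechToken was built for
    body = token[oend:]
    hits = {k: body.find(_der(0x06, v)) for k, v in MECH_OIDS.items()}
    hits = {k: i for k, i in hits.items() if i >= 0}
    return "spnego-" + min(hits, key=hits.get) if hits else "spnego-unknown-mech"

def build_spnego_init(mech_names, mech_token: bytes) -> bytes:
    """Build a minimal SPNEGO NegTokenInit (constructed sample, not a real capture)."""
    mech_types = _der(0x30, b"".join(_der(0x06, MECH_OIDS[m]) for m in mech_names))
    init = _der(0x30, _der(0xA0, mech_types) + _der(0xA2, _der(0x04, mech_token)))
    return _der(0x60, _der(0x06, SPNEGO_OID) + _der(0xA0, init))

def negotiate_header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode()

# Constructed stand-ins: an NTLM NEGOTIATE_MESSAGE-like blob and an opaque Kerberos blob
NTLM_BLOB = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x97\x82\x08\xe2" + b"\x00" * 24
KRB_BLOB = b"\x6e\x82\x04\x00" + b"\x00" * 16
```

A result of `raw-ntlm` or `spnego-ntlmssp` is the symptom in the question; a working SPNEGO setup against AD yields `spnego-ms-krb5` or `spnego-krb5`.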
