官方文档:https://wiki.jasig.org/display/CASUM/SPNEGO
The advantage of configuring SPNEGO is that users that are logged in to the AD domain will be logged in automatically at CAS, without any interaction asking for the password yet again. Note that this may not be desirable.
登录域后就可以直接登录cas了
参考 http://jcbay.iteye.com/blog/708020
apache集成 http://edu.codepub.com/2011/0225/29644.php
16 楼
zdx3578 刚刚
引用
C:\Users\Administrator>ktpass.exe /out spn.keytab /princ HTTP/test.zdxcas.com@BQ
.TEST /pass * /mapuser [email protected] /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
--
这样的命令手动输入密码就24 错误
--
C:\Users\Administrator>ktpass.exe /out spn.keytab /princ HTTP/test.zdxcas.com@BQ
.TEST /pass 123qweGHJOII /mapuser [email protected] /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
密码在命令里写好不手动输入后生产的keytab文件就ok,使用这样的文件就完成ok,一起顺利,域用户打开firefox后ie后cas server 自动登录完成。
问题原因应该是
Cause 2: If you are using the keytab to get the key (e.g., by setting the useKeyTab option to true in the Krb5LoginModule entry in the JAAS login configuration file), then the key might have changed since you updated the keytab.
Solution 2: Consult your Kerberos documentation to generate a new keytab and use that keytab.
Cause 4: The Kerberos realm name is not all uppercase.
Solution 4: Make the Kerberos realm name all uppercase. Note: It is recommended to have all uppercase realm names. For details, refer to the Naming Conventions for the Realm Names and Hostnames section of this tutorial.
.TEST /pass * /mapuser [email protected] /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
--
这样的命令手动输入密码就24 错误
--
C:\Users\Administrator>ktpass.exe /out spn.keytab /princ HTTP/test.zdxcas.com@BQ
.TEST /pass 123qweGHJOII /mapuser [email protected] /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
密码在命令里写好不手动输入后生产的keytab文件就ok,使用这样的文件就完成ok,一起顺利,域用户打开firefox后ie后cas server 自动登录完成。
zdx3578 写道
KRB Error: error code is 24 error Message is Pre-authentication information was invalid ?
问题原因应该是
Cause 2: If you are using the keytab to get the key (e.g., by setting the useKeyTab option to true in the Krb5LoginModule entry in the JAAS login configuration file), then the key might have changed since you updated the keytab.
Solution 2: Consult your Kerberos documentation to generate a new keytab and use that keytab.
Cause 4: The Kerberos realm name is not all uppercase.
Solution 4: Make the Kerberos realm name all uppercase. Note: It is recommended to have all uppercase realm names. For details, refer to the Naming Conventions for the Realm Names and Hostnames section of this tutorial.
http://www.xioxu.com/?p=325006
# javax.security.auth.login.LoginException: KrbException: Pre-authentication information was invalid (24) - Preauthentication failed
Cause 1: The password entered is incorrect.
Solution 1: Verify the password.
Cause 2: If you are using the keytab to get the key (e.g., by setting the useKeyTab option to true in the Krb5LoginModule entry in the JAAS login configuration file), then the key might have changed since you updated the keytab.
Solution 2: Consult your Kerberos documentation to generate a new keytab and use that keytab.
Cause 3: Clock skew - If the time on the KDC and on the client differ significanlty (typically 5 minutes), this error can be returned.
Solution 3: Synchronize the clocks (or have a system administrator do so).
Cause 4: The Kerberos realm name is not all uppercase.
Solution 4: Make the Kerberos realm name all uppercase. Note: It is recommended to have all uppercase realm names. For details, refer to the Naming Conventions for the Realm Names and Hostnames section of this tutorial.
还是没解决掉!
# javax.security.auth.login.LoginException: KrbException: Pre-authentication information was invalid (24) - Preauthentication failed
Cause 1: The password entered is incorrect.
Solution 1: Verify the password.
Cause 2: If you are using the keytab to get the key (e.g., by setting the useKeyTab option to true in the Krb5LoginModule entry in the JAAS login configuration file), then the key might have changed since you updated the keytab.
Solution 2: Consult your Kerberos documentation to generate a new keytab and use that keytab.
Cause 3: Clock skew - If the time on the KDC and on the client differ significanlty (typically 5 minutes), this error can be returned.
Solution 3: Synchronize the clocks (or have a system administrator do so).
Cause 4: The Kerberos realm name is not all uppercase.
Solution 4: Make the Kerberos realm name all uppercase. Note: It is recommended to have all uppercase realm names. For details, refer to the Naming Conventions for the Realm Names and Hostnames section of this tutorial.
还是没解决掉!
KRB Error: error code is 24 error Message is Pre-authentication information was invalid ?
官方例子:
https://wiki.jasig.org/display/CASC/Saml11TicketValidationFilter+Example
https://wiki.jasig.org/display/CASC/JA-SIG+Java+Client+Simple+WebApp+Sample
https://wiki.jasig.org/display/CASC/Saml11TicketValidationFilter+Example
https://wiki.jasig.org/display/CASC/JA-SIG+Java+Client+Simple+WebApp+Sample
-rwxr-xr-x 1 zdx zdx 86635 2011-03-05 03:10 cas-client-core-3.2.0.jar*
-rwxr-xr-x 1 zdx zdx 12160 2011-03-05 03:10 cas-client-integration-tomcat-common-3.2.0.jar*
-rwxr-xr-x 1 zdx zdx 20191 2011-03-05 03:10 cas-client-integration-tomcat-v6-3.2.0.jar*
-rwxr-xr-x 1 zdx zdx 52915 2011-03-05 03:10 commons-logging-1.1.jar*
-rwxr-xr-x 1 zdx zdx 12160 2011-03-05 03:10 cas-client-integration-tomcat-common-3.2.0.jar*
-rwxr-xr-x 1 zdx zdx 20191 2011-03-05 03:10 cas-client-integration-tomcat-v6-3.2.0.jar*
-rwxr-xr-x 1 zdx zdx 52915 2011-03-05 03:10 commons-logging-1.1.jar*
http://www.howtoforge.com/how-to-set-up-apache-tomcat-mod_jk-sso-cas-mod_auth_cas