
Nifford
Jul 19, 2016

APM Kerberos/SPNEGO to Tomcat (CAS)

We are working on setting up SPNEGO authentication with Apereo CAS (https://apereo.github.io/cas/4.2.x/index.html) running on Linux, and I have a few things I would like clarification on.


We need APM to present a logon page to a user, and then use Kerberos to authenticate them to the CAS server.


It looks like a user account is required for the CAS service, and that ktpass.exe must be used to export the keytab file for that user.


Here are the questions I have:


  1. How many Active Directory user accounts are needed for this? I assume we need a delegation account for the F5s, and we also need a service account for CAS. Or do we need to use the same delegation account for the CAS service as well?

  2. If two accounts are needed, what do the corresponding SPNs need to be? Here is the hostname information:

     castst.company.com - URL of the application that users will be accessing. Points to an F5 VIP.

     castst01.company.local - Hostname of CAS server. Refuses any traffic not for castst.company.com, forcing users to go through the F5.

     For the delegation account, would I set the SPN to be HTTP/castst.company.com@COMPANY.LOCAL? And then for the service account set it to be HOST/castst01.company.local@COMPANY.LOCAL?


Thanks in advance.


P.S. Specific documentation regarding the CAS configuration can be found here:


https://wiki.jasig.org/display/CASUM/SPNEGO


https://apereo.github.io/cas/4.2.x/installation/SPNEGO-Authentication.html


  • APM Kerberos does protocol transition, so it doesn't really matter what the external URL is. You can use a single internal account, but it's recommended to have two separate accounts - one for the service itself and one for the delegation account to access the service. The delegation account is used by APM to request an S4U ticket to the service and its name is arbitrary (but unique). So for example,

    Your delegation account might be HOST/krb.company.local@COMPANY.LOCAL

    Your service account would be HTTP/castst.company.com@COMPANY.LOCAL

    And the delegation account would be configured to delegate to the service account (with the "any protocol" option to enable S4U).
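As an added illustration of the two-account layout the reply describes (this is not code from the thread, from F5 or from Apereo), the PowerShell below creates the service and delegation accounts, assigns the SPNs named above, enables constrained delegation with the "any protocol" (protocol transition) setting, and then reads the result back for verification. The account names, OU and keytab filename are placeholders; the SPNs and realm are the ones from the thread.

```powershell
# Added example, not from the original thread. Account names, OU and keytab
# file name are placeholders; SPNs and realm come from the discussion above.
Import-Module ActiveDirectory

$Ou          = 'OU=ServiceAccounts,DC=company,DC=local'   # placeholder OU
$ServiceAcct = 'svc_castst'        # hypothetical name: CAS service account
$DelegAcct   = 'svc_apm_krb'       # hypothetical name: APM delegation account
$ServiceSpn  = 'HTTP/castst.company.com'   # external URL users hit via the VIP
$DelegSpn    = 'HOST/krb.company.local'    # arbitrary but unique, per the reply

# 1. Service account: owns the HTTP SPN that CAS accepts tickets for.
New-ADUser -Name $ServiceAcct -SamAccountName $ServiceAcct -Path $Ou `
    -AccountPassword (Read-Host -AsSecureString "Password for $ServiceAcct") `
    -Enabled $true -PasswordNeverExpires $true -KerberosEncryptionType AES256
setspn -S $ServiceSpn "COMPANY\$ServiceAcct"   # -S refuses duplicate SPNs

# 2. Delegation account: APM binds as this account and requests
#    S4U2Self/S4U2Proxy tickets on the logged-on user's behalf.
New-ADUser -Name $DelegAcct -SamAccountName $DelegAcct -Path $Ou `
    -AccountPassword (Read-Host -AsSecureString "Password for $DelegAcct") `
    -Enabled $true -PasswordNeverExpires $true -KerberosEncryptionType AES256
setspn -S $DelegSpn "COMPANY\$DelegAcct"

# 3. Constrained delegation to the CAS SPN only (msDS-AllowedToDelegateTo),
#    plus "Use any authentication protocol" (TrustedToAuthForDelegation) so
#    APM can turn its forms logon into a Kerberos ticket via S4U.
Set-ADUser -Identity $DelegAcct -Add @{'msDS-AllowedToDelegateTo' = $ServiceSpn}
Set-ADAccountControl -Identity $DelegAcct -TrustedToAuthForDelegation $true

# 4. Keytab for CAS on Linux (the ktpass step from the question). Note that
#    /pass resets the service account's password; run it on a domain member.
# ktpass /princ HTTP/castst.company.com@COMPANY.LOCAL /mapuser COMPANY\svc_castst `
#        /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass * /out castst.keytab

# 5. Verify: the delegation account should list only the CAS SPN and carry the
#    protocol-transition flag; the service account should own exactly its SPN.
Get-ADUser $DelegAcct -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object SamAccountName, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo
Get-ADUser $ServiceAcct -Properties servicePrincipalName |
    Select-Object SamAccountName, servicePrincipalName
```

Users whose accounts are marked "sensitive and cannot be delegated" or who sit in the Protected Users group will not get a service ticket through this path; that is the directory enforcing its delegation policy, not a misconfiguration of the two accounts.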