APM Kerberos/SPNEGO to Tomcat (CAS)
We are working on setting up SPNEGO authentication with Apereo CAS (https://apereo.github.io/cas/4.2.x/index.html) running on Linux, and I have a few things I would like clarification on. We need APM to present a logon page to a user, and then use Kerberos to authenticate them to the CAS server. It looks like a user account is required for the CAS service, and that ktpass.exe must be used to export the keytab file for that user. Here are the questions I have: How many Active Directory user accounts are needed for this? I assume we need a delegation account for the F5s, and we also need a service account for CAS. Or do we need to use the same delegation account for the CAS service as well? If two accounts are needed, what do the corresponding SPNs need to be? Here is the hostname information: castst.company.com - URL of the application that users will be accessing. Points to an F5 VIP. castst01.company.local - Hostname of CAS server. Refuses any traffic not for castst.company.com, forcing users to go through the F5. For the delegation account, would I set the SPN to be HTTP/castst.company.com@COMPANY.LOCAL? And then for the service account set it to be HOST/castst01.company.local@COMPANY.LOCAL? Thanks in advance. P.S. Specific documentation regarding the CAS configuration can be found here: https://wiki.jasig.org/display/CASUM/SPNEGO https://apereo.github.io/cas/4.2.x/installation/SPNEGO-Authentication.html496Views0likes2Comments