CAS: Password is not transmitted to LDAP - ldap

I have an OpenLDAP server and I am very sure that the users themselves are valid, since I can log in with them with JXplorer. But when I go to CAS and type in username and password, I just see the username in "Supplied credentials" and not the password too. This problem appeared when I changed my deployerConfigContext.xml for a "newer" one.
2016-09-15 11:45:33,747 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler failed authenticating anon>
2016-09-15 11:45:33,747 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: anon
WHAT: Supplied credentials: [anon]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Thu Sep 15 11:45:33 CEST 2016
CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
=============================================================

I just see the username in "Supplied credentials" and not the password too
You will never ever see the password.
Up your logs to DEBUG and that should tell you more.

Related

LDAP Authentication using CAS

I'm trying to get LDAP to work via CAS 4.0.
When I log in, I get the following in my catalina.out log:
2018-07-03 13:25:01,426 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <AcceptUsersAuthenticationHandler failed authenticating administrator+password>
2018-07-03 13:25:01,448 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: supplied credentials: [administrator+password]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Tue Jul 03 13:25:01 UTC 2018
CLIENT IP ADDRESS: 10.1.1.8
SERVER IP ADDRESS: 10.1.1.69
=============================================================
2018-07-03 13:25:01,450 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: 1 errors, 0 successes
ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Tue Jul 03 13:25:01 UTC 2018
CLIENT IP ADDRESS: 10.1.1.8
SERVER IP ADDRESS: 10.1.1.69
=============================================================
My deployerConfigContext.xml is at https://pastebin.com/mR1NvNWx
My cas.properties is at https://pastebin.com/YSyUcVtL
I've tried to set it up using instructions at https://apereo.github.io/cas/4.0.x/installation/LDAP-Authentication.html
As far as I can tell, I've followed the instructions correctly. At this point, I'm not sure where I should be looking, as the log isn't really descriptive as to the cause of the problem (it looks like a bad username/password, but they're definitely correct). I also note that the log doesn't seem to mention LDAP at all:
https://pastebin.com/A0U16YqG
Does anyone have any ideas, or is anyone able to point me in the right direction?
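Both CAS threads above turn on reading the inspektr audit trail correctly: the record carries only the principal id in "Supplied credentials" (the answer's point that the password is never written), and the preceding PolicyBasedAuthenticationManager line names the handler that actually processed the credential. The following script is an added example, not code from either post or from CAS; it parses the audit records from a constructed log assembled from the excerpts above into dicts, extracts the handler name and credential id, and counts failures per client IP, which is the usual starting point for an authentication-failure detection rule.

```python
import re
from collections import Counter

# Constructed sample built from the catalina.out excerpts quoted in the two CAS
# posts above (the 2016 LdapAuthenticationHandler failure and the 2018
# AcceptUsersAuthenticationHandler failure with its follow-up TGT record).
SAMPLE_LOG = """\
2016-09-15 11:45:33,747 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler failed authenticating anon>
2016-09-15 11:45:33,747 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: anon
WHAT: Supplied credentials: [anon]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Thu Sep 15 11:45:33 CEST 2016
CLIENT IP ADDRESS: 0:0:0:0:0:0:0:1
SERVER IP ADDRESS: 0:0:0:0:0:0:0:1
=============================================================
2018-07-03 13:25:01,426 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <AcceptUsersAuthenticationHandler failed authenticating administrator+password>
2018-07-03 13:25:01,448 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: supplied credentials: [administrator+password]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Tue Jul 03 13:25:01 UTC 2018
CLIENT IP ADDRESS: 10.1.1.8
SERVER IP ADDRESS: 10.1.1.69
=============================================================
2018-07-03 13:25:01,450 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: 1 errors, 0 successes
ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Tue Jul 03 13:25:01 UTC 2018
CLIENT IP ADDRESS: 10.1.1.8
SERVER IP ADDRESS: 10.1.1.69
=============================================================
"""

HANDLER_RE = re.compile(r"<(\w+AuthenticationHandler) failed authenticating (.+?)>")
CREDS_RE = re.compile(r"[Ss]upplied credentials: \[(.*)\]")


def parse_audit_records(text):
    """Split inspektr audit trail records out of a CAS log into dicts.

    A record is the 'Audit trail record BEGIN' line, a separator line,
    KEY: VALUE lines, and a closing separator line."""
    records, current = [], None
    for line in text.splitlines():
        if "Audit trail record BEGIN" in line:
            current = {}
        elif current is None:
            continue                       # ordinary log line outside a record
        elif line.startswith("====="):
            if current:                    # second separator: record complete
                records.append(current)
                current = None
        else:                              # first ':' separates key from value,
            key, _, value = line.partition(":")   # so IPv6 values stay intact
            current[key.strip()] = value.strip()
    return records


def supplied_credentials(record):
    """The credential id inspektr logged, or None for non-credential records.
    This is only the principal id: CAS never writes the password."""
    match = CREDS_RE.search(record.get("WHAT", ""))
    return match.group(1) if match else None


def failed_handlers(text):
    """(handler, principal) pairs from the PolicyBasedAuthenticationManager
    lines; the handler name shows which authentication handler actually ran."""
    return HANDLER_RE.findall(text)


def failures_by_client(records):
    """AUTHENTICATION_FAILED records per client IP: a basic brute-force signal."""
    counts = Counter(r["CLIENT IP ADDRESS"] for r in records
                     if r.get("ACTION") == "AUTHENTICATION_FAILED")
    return dict(counts)


if __name__ == "__main__":
    recs = parse_audit_records(SAMPLE_LOG)
    for r in recs:
        print(r["ACTION"], r["CLIENT IP ADDRESS"], supplied_credentials(r))
    print(failed_handlers(SAMPLE_LOG))
    print(failures_by_client(recs))
```

The handler list is the first thing to check when an LDAP setup "never talks to LDAP": if the only handler named in the failure line is not the LDAP one, the audit record alone will not tell you why, and the DEBUG level the first answer recommends is the next step.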

Need meaning of below debug message while authenticating via LDAP

Got Ldap context on server
This is a part of the debug message. Was the first bind successful?
2X Mar 201X 15:36:36,880 DEBUG [ambari-client-thread-37] FilterBasedLdapUserSearch:115 - Searching for user 'XXXX', with user search [ searchFilter: '(&(sAMAccountName={0})(objectClass=posixAccount))', searchBase: '', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2X Mar 201X 15:36:36,917 DEBUG [ambari-client-thread-37] AbstractContextSource:349 - Got Ldap context on server 'ldap://rXXX92.corp.XXX.com:389/DC=corp,DC=XXX,DC=com'
2X Mar 201X 15:36:36,929 DEBUG [ambari-client-thread-37] DefaultAuthenticationEventPublisher:94 - No event was found for the exception org.apache.ambari.server.security.authorization.InvalidUsernamePasswordCombinationException
2X Mar 201X 15:36:36,929 DEBUG [ambari-client-thread-37] AmbariBasicAuthenticationFilter:185 - Authentication request for failed: org.apache.ambari.server.security.authorization.InvalidUsernamePasswordCombinationException: Unable to sign in. Invalid username/password combination.
No.
Looks like LDAP credentials are wrong: "Unable to sign in. Invalid username/password combination"

Kerberos Authentication for SQL Server

I am still seeing the following exception while trying to access SQL Server using Kerberos. What am I missing?
Connecting to jdbc:sqlserver://SERVER:PORT;databaseName=DB_NAME;integratedSecurity=true;authenticationScheme=JavaKerberos;applicationName=GAA-MFI-Switches; using com.microsoft.sqlserver.jdbc.SQLServerDriver = USER
Integrated authentication failed. ClientConnectionId:4d83d195-c50c-404e-8bb0-39d90d1b9fda
Some notes:
I created my keytab file KEY_TAB.keytab
Confirmed that my user has permission to access the database through SSMS
Initialized the krb cache like this:
kinit -k -t KEY_TAB.keytab USER@DOMAIN.COM
Ran 'klist' and verified that I can see my principal there:
>klist
Ticket cache: FILE:/tmp/krb5cc_cdc104145_9Z6n4S
Default principal: USER@DOMAIN.COM
Valid starting Expires Service principal
12/01/2017 14:19:10 12/02/2017 00:19:10 krbtgt/COMAIN.COM@DOMAIN.COM
renew until 12/08/2017 14:19:10
12/01/2017 14:19:38 12/02/2017 00:19:10 MSSQLSvc/[PLACEHOLDER].com:1433@DOMAIN.COM
renew until 12/08/2017 14:19:10
12/01/2017 14:19:48 12/02/2017 00:19:10 HTTP/[PLACEHOLDER].com@DOMAIN.COM
renew until 12/08/2017 14:19:10
What am I missing?
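The klist output above is the evidence the question relies on, and the thing to verify in it is that the cache holds an unexpired ticket for exactly the service principal the Microsoft JDBC driver will ask for, which by default is MSSQLSvc/<fqdn>:<port> in the user's realm; a ticket for a different host name or port is not usable. The script below is an added example, not from the question or from Microsoft's driver; it parses a constructed klist listing (sqlhost.example.com, DOMAIN.COM and the cache path are placeholders) and answers that question for a given host, port and time.

```python
import re
from datetime import datetime

# Constructed sample modelled on the klist output in the question above; the
# host name, realm and cache path are placeholders.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_example
Default principal: USER@DOMAIN.COM

Valid starting       Expires              Service principal
12/01/2017 14:19:10  12/02/2017 00:19:10  krbtgt/DOMAIN.COM@DOMAIN.COM
\trenew until 12/08/2017 14:19:10
12/01/2017 14:19:38  12/02/2017 00:19:10  MSSQLSvc/sqlhost.example.com:1433@DOMAIN.COM
\trenew until 12/08/2017 14:19:10
"""

TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)$")
TIME_FMT = "%m/%d/%Y %H:%M:%S"   # klist's default timestamp layout


def parse_time(text):
    """Parse a klist timestamp such as '12/01/2017 14:19:10'."""
    return datetime.strptime(text, TIME_FMT)


def parse_klist(text):
    """Return (default_principal, tickets); each ticket is a dict with
    'service', 'start' and 'expires'. 'renew until' lines are skipped."""
    principal, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        match = TICKET_RE.match(line.strip())
        if match:
            tickets.append({"start": parse_time(match.group(1)),
                            "expires": parse_time(match.group(2)),
                            "service": match.group(3)})
    return principal, tickets


def sql_server_spn(host, port, realm):
    """The SPN the Microsoft JDBC driver requests by default for a Kerberos
    login: MSSQLSvc/<fqdn>:<port>@REALM."""
    return "MSSQLSvc/%s:%d@%s" % (host, port, realm)


def usable_ticket(tickets, service, now):
    """The cached ticket for `service` if it is valid at `now`, else None."""
    for ticket in tickets:
        if ticket["service"] == service and ticket["start"] <= now < ticket["expires"]:
            return ticket
    return None


def realm_of(principal):
    """Realm part of 'user@REALM' (used to build the SPN in the same realm)."""
    return principal.rsplit("@", 1)[1]


if __name__ == "__main__":
    who, cached = parse_klist(KLIST_OUTPUT)
    spn = sql_server_spn("sqlhost.example.com", 1433, realm_of(who))
    print(spn, "usable:", usable_ticket(cached, spn, parse_time("12/01/2017 15:00:00")) is not None)
```

Run against real output with `klist | python3 check.py`-style piping once the sample constant is replaced by `sys.stdin.read()`; the check is only as good as the host name you pass, so use the fully qualified name the JDBC URL resolves to, not a CNAME or short name.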

Devise with LDAP auth problems

I'm currently trying to implement Devise with LDAP authentication on Rails 3. I've got it set up and it appears to connect and try to auth, but appears to fail. I don't seem to get any sort of real error messages to work with, so it's very difficult to take it any further.
Log of login session:
Started POST "/users/sign_in" for 192.168.160.1 at Tue Dec 06 05:20:16 +0000 2011
Processing by Devise::SessionsController#create as HTML
Parameters: {"commit"=>"Sign in", "authenticity_token"=>"G2tEq9gPpJiN0RhanTd8HMWno62F+1oLWbU4xdX78bg=", "utf8"=>"\342\234\223", "user"=>{"remember_me"=>"0", "password"=>"[FILTERED]", "login"=>"richmond@email.com"}}
User Load (0.1ms) SELECT `users`.* FROM `users` WHERE `users`.`login` = 'richmond@email.com' LIMIT 1
LDAP: LDAP dn lookup: mail=richmond@email.com
LDAP: LDAP search for login: mail=richmond@email.com
LDAP: Authorizing user mail=richmond@email.com,ou=groupxx,o=company.com
LDAP: LDAP dn lookup: mail=richmond@email.com
LDAP: LDAP search for login: mail=richmond@email.com
Completed 401 Unauthorized in 7147ms
Processing by Devise::SessionsController#new as HTML
Parameters: {"commit"=>"Sign in", "authenticity_token"=>"G2tEq9gPpJiN0RhanTd8HMWno62F+1oLWbU4xdX78bg=", "utf8"=>"\342\234\223", "user"=>{"remember_me"=>"0", "password"=>"[FILTERED]", "login"=>"richmond@email.com"}}
Rendered devise/shared/_links.erb (0.1ms)
Rendered devise/sessions/new.html.erb within layouts/application (5.0ms)
Completed 200 OK in 23ms (Views: 21.4ms | ActiveRecord: 0.0ms)
Started GET "/assets/defaults.js" for 192.168.160.1 at Tue Dec 06 05:20:23 +0000 2011
Served asset /defaults.js - 404 Not Found (3ms)
ActionController::RoutingError (No route matches [GET] "/assets/defaults.js"):
Rendered /usr/local/lib/ruby/gems/1.8/gems/actionpack-3.1.0/lib/action_dispatch/middleware/templates/rescues/routing_error.erb within rescues/layout (0.5ms)
ldap config:
development:
  host: ldap.company.com
  port: 636
  attribute: mail
  base: ou=groupxx,o=company.com
  #admin_user: cn=admin,dc=test,dc=com
  #admin_password: admin_password
  ssl: true
  # <<: *AUTHORIZATIONS
I don't have access to the LDAP server so I cannot confirm anything from that end. The main issue I have is that I cannot get any error messages out of the login process - Is it not able to find the user? Does it find the user but fail login? Why does it do 2 LDAP searches?
Same issue here. Did an ldapsearch, which works, however. Company is running an Active Directory server here:
ldapsearch -Z -h ldap.company.com -p 389 -s sub -D "cn=somebody,ou=my_ou,dc=ldap,dc=company,dc=com" -W -b "dc=ldap,dc=company,dc=com" "(&(cn=somebody))" mail
Solution:
I have found the solution: in config/initializers/devise.rb I forgot to activate config.ldap_use_admin_to_bind = true. Only with this flag does devise_ldap_authenticatable really use the BindDN (i.e. admin_user and admin_password, which both have to be uncommented) defined in config/ldap.yml.
I found out the problem I had was that the LDAP server my company (IBM) uses was using a different protocol standard to the ones officially supported by NET-LDAP.
You simply need to change the PagedResults Control Type to a slightly different standard:
#PagedResults = "1.2.840.113556.1.4.319" # Microsoft evil from RFC 2696
PagedResults = "2.16.840.1.113730.3.4.2" # IBM Bluepages compatible ControlType
Full code change details here.
I forked it and fixed it over here on GitHub.
I did encounter the same problem on my Active Directory. I tried using the bind user but it didn't help either. I changed Devise according to screencast 210 to use the username field. Here's my ldap.yml:
development:
  host: dcburda0
  port: 636
  attribute: cn
  base: OU=Organisation,DC=mydomain,DC=com
  admin_user: CN=username,OU=Support Center Muenchen,OU=name GmbH,OU=Organisation,DC=mydomain,DC=com
  admin_password: password
  ssl: true
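Two of the threads above show the same LDAP operation from the application's side: Ambari's FilterBasedLdapUserSearch substitutes the login into the template `(&(sAMAccountName={0})(objectClass=posixAccount))`, and the Devise log records a `mail=<login>` lookup before the bind. Whatever the library, the value dropped into that filter comes from the login form, so the search filter must be built with RFC 4515 escaping or a login containing `*`, `(` or `)` changes the shape of the query. The script below is an added example, not code from Ambari, Spring Security or devise_ldap_authenticatable; it renders both kinds of filter with escaping and keeps the unescaped rendering beside it so the difference is visible.

```python
# Added example: building LDAP search filters with RFC 4515 escaping.
# AMBARI_TEMPLATE is the template quoted in the Ambari debug log above.
AMBARI_TEMPLATE = "(&(sAMAccountName={0})(objectClass=posixAccount))"


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 section 3: '*', '(', ')', '\\'
    and NUL become \\XX hex escapes, as does every byte of a non-ASCII
    character (the filter is UTF-8 on the wire)."""
    escaped = []
    for byte in value.encode("utf-8"):
        if byte in b"\\*()\x00" or byte > 0x7F:
            escaped.append("\\%02x" % byte)
        else:
            escaped.append(chr(byte))
    return "".join(escaped)


def render_user_search(template, login):
    """Fill the {0} placeholder of a Spring-style user-search template safely."""
    return template.replace("{0}", escape_filter_value(login))


def unescaped_user_search(template, login):
    """The naive substitution, kept only to show what escaping prevents."""
    return template.replace("{0}", login)


def dn_lookup_filter(attribute, login):
    """Single-attribute lookup of the kind the Devise log shows as
    'LDAP dn lookup: mail=<login>' (the attribute comes from ldap.yml)."""
    return "(%s=%s)" % (attribute, escape_filter_value(login))


if __name__ == "__main__":
    for login in ("jdoe", "*", "richmond@email.com"):
        print("escaped:  ", render_user_search(AMBARI_TEMPLATE, login))
        print("unescaped:", unescaped_user_search(AMBARI_TEMPLATE, login))
    print(dn_lookup_filter("mail", "richmond@email.com"))
```

With `*` as the login the escaped filter asserts `sAMAccountName=\2a`, i.e. an account literally named "*", while the unescaped one asserts `sAMAccountName=*`, which matches every account in the base; an `@` in a mail-style login needs no escaping, so the Devise lookup comes out exactly as the log shows it.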

gss_acquire_cred returning Key table entry not found error

I have been trying to follow the guidelines in this Microsoft article to authenticate against Apache with Kerberos and AD. I have successfully tested the communication between the Apache server and the AD server with kinit. However, when I attempt to access a restricted page on the server with IE I get an Internal Server Error and the following appears in the Apache error log.
[Wed Sep 24 14:18:15 2008] [debug] src/mod_auth_kerb.c(1483): [client 172.31.37.38] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Sep 24 14:18:15 2008] [debug] src/mod_auth_kerb.c(1174): [client 172.31.37.38] Acquiring creds for HTTP/srvnfssol1.dev.local@DEV.LOCAL
[Wed Sep 24 14:18:15 2008] [error] [client 172.31.37.38] gss_acquire_cred() failed: Miscellaneous failure (see text) (Key table entry not found)
I have run a truss on the apache process and confirmed that it is in fact loading up the keytab file ok. I am wondering if there is something wrong with the format of the keytab file...
HTTP/srvnfssol1.dev.local@DEV.LOCAL
I am not sure what I am missing though. Or what other things to check.
Any suggestions?
Thanks
Peter
Ok. Keytabs are supposed to contain the service principal name, in this case "HTTP/srvnfssol1.dev.local@DEV.LOCAL", and the encryption key. I see where the MS docs say just to echo that to a file, but I don't think that's right.
You'll need to use the ktpass utility to create the keytab. The MS docs are here.
In particular, you'll need to specify KRB5_NT_SRV_HST, and most of the rest of the options can be default.
Sample of it on my machine:
C:\>ktpass /out test.keytab /princ HTTP/srvnfssol1.dev.local@DEV.LOCAL /ptype KRB5_NT_SRV_HST /pass *
Type the password for HTTP/srvnfssol1.dev.local:
Key created.
Output keytab to test.keytab:
Keytab version: 0x502
keysize 62 HTTP/srvnfssol1.dev.local@DEV.LOCAL
ptype 3 (KRB5_NT_SRV_HST) vno 1 etype 0x1 (DES-CBC-CRC)
keylength 8 (0xa7f1fb38041c199e)
If the active directory server is the KDC, you'll need to use the /map <name> argument, where <name> is the computer account in active directory representing the server.
Some details on how all this works. When you browse to the website it should respond with a WWW-Authenticate: Negotiate header, and your browser will send a request to the KDC (active directory server) to get a kerberos ticket for the service. The AD server will look up the encryption key for the ticket using the service principal name, and send an encrypted service ticket back to the browser. Once the browser has the service ticket, it'll reissue the HTTP request with an authenticate header containing the ticket. The apache server will look up its key in the keytab, decrypt the ticket, and grant access.
The "key table entry not found" error happens because apache isn't finding itself in the keytab. Can also happen if the name resolution/realms aren't set up right.
You should be able to see all the kerberos requests AP-REQ/AP-REP/TGS-REQ/TGS-REP using wireshark on the client, tcp or udp port 88.
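The answer's diagnosis is that "key table entry not found" means the service principal is not in the keytab as a real keytab entry (a text file produced by echoing the name is not one). The "Keytab version: 0x502" that ktpass prints identifies the binary layout, and that layout is simple enough to inspect directly. The script below is an added example, not from the answer or from ktpass/mod_auth_kerb; it writes a version 0x502 keytab for a placeholder principal (HTTP/web01.example.test@EXAMPLE.TEST, constructed key bytes), reads it back, reports principal, name type, kvno and enctype the way the ktpass output above does, and checks whether a given service principal is present, which is the lookup Apache performs at request time.

```python
import struct

# Added example: write and inspect a version 0x502 keytab (the layout ktpass,
# kadmin ktadd and ktutil produce). Principal and key bytes are constructed.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 2, 3}      # single DES; current KDCs refuse it by default
KRB5_NT_SRV_HST = 3            # the /ptype the sample ktpass output prints as "ptype 3"


def _counted(data):
    """Keytab 'counted octet string': 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries, timestamp=0):
    """Serialise (principal, name_type, kvno, enctype, key) tuples as a 0x502 keytab."""
    out = bytearray(b"\x05\x02")
    for principal, name_type, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")              # e.g. ["HTTP", "web01.example.test"]
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)           # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


class _Reader:
    def __init__(self, data, pos):
        self.data, self.pos = data, pos

    def take(self, fmt):
        values = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return values[0] if len(values) == 1 else values

    def counted(self):
        length = self.take(">H")
        chunk = self.data[self.pos:self.pos + length]
        self.pos += length
        return chunk


def parse_keytab(blob):
    """One dict per entry: principal, name_type, kvno, enctype, key_length.
    Anything that does not start with the 0x0502 header is not a keytab."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab (header %r)" % blob[:2])
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                              # negative size marks a deleted slot
            pos += -size
            continue
        reader = _Reader(blob, pos)
        ncomp = reader.take(">H")
        realm = reader.counted().decode()
        comps = [reader.counted().decode() for _ in range(ncomp)]
        name_type, _stamp, vno8 = reader.take(">IIB")
        enctype = reader.take(">H")
        key = reader.counted()
        kvno = vno8
        if pos + size - reader.pos >= 4:         # 32-bit kvno present and non-zero wins
            kvno = reader.take(">I") or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "name_type": name_type, "kvno": kvno,
                        "enctype": enctype, "key_length": len(key)})
        pos += size
    return entries


def has_service_key(entries, principal):
    """The check that fails with 'Key table entry not found' when false."""
    return any(e["principal"] == principal for e in entries)


def weak_entries(entries):
    """Principals whose only listed key here uses a single-DES enctype."""
    return [e["principal"] for e in entries if e["enctype"] in WEAK_ENCTYPES]


if __name__ == "__main__":
    blob = build_keytab([("HTTP/web01.example.test@EXAMPLE.TEST", KRB5_NT_SRV_HST, 1, 1, b"\x11" * 8)])
    for e in parse_keytab(blob):
        print(e["principal"], "ptype", e["name_type"], "vno", e["kvno"],
              "etype", ENCTYPE_NAMES.get(e["enctype"], e["enctype"]), "keylength", e["key_length"])
    print("present:", has_service_key(parse_keytab(blob), "HTTP/web01.example.test@EXAMPLE.TEST"))
```

Point `parse_keytab(open(path, "rb").read())` at the file Apache loads and compare the principal it prints, character for character including the realm, with the "Acquiring creds for" line in the error log. The sample ktpass run above produced etype 0x1 (DES-CBC-CRC); Windows Server 2008 R2 and later and MIT Kerberos with allow_weak_crypto off reject single DES, so `weak_entries` flags such keys and a keytab generated today should carry AES enctypes (17 or 18).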