SPNEGO is a way to carry the GSSAPI initialization dialog over HTTP through the use of HTTP headers and the bin64 character encoding of the GSSAPI binary data.
At each end (the browser and the CAS server) GSSAPI creates an initialization object with current state about the initialization dialog. Then the two sides exchange blobs of binary bytes that represent an initialization dialog. One side proposes a list of authentication protocols (Kerberos 5, NTLMv2, ...). The other side accepts the subset it can support. Then, starting with the first protocol, there is an exchange of data. In practice the first attempt should be to do a Kerberos 5 authentication, with the browser obtaining a Service Ticket for the host name in the URL and transmitting it to CAS to be validated.

Now, the exchanges back and forth consist of a GET and a response, and a GET and a response, and so on until the response code is 200. However, if you put this behind a load balancer that does not recognize the integrity of the SPNEGO negotiation sequence, and at some point it switches from one CAS server to another in the middle of the dialog, then the second CAS server will not have the GSSAPI initialization object with the correct state and it will fail. You cannot solve this problem by replicating Session data across machines, since the GSSAPI initialization is not part of Session data. Once you start the SPNEGO negotiation, all subsequent traffic until the end of the sequence has to go to the same CAS server. However, if you have a session in place and the load balancer can be configured to route traffic to a server based on JSESSIONID, then you might achieve what you want, even though it is a secondary effect of having a Session and not a consequence of Session replication within the cluster.

From: Barbosa, Bernard [mailto:bernard.barb...@music-group.com]
Sent: Thursday, October 28, 2010 1:17 AM
To: cas-dev@lists.jasig.org
Subject: [cas-dev] CAS-SPNEGO under Load Balancer Issue

Hi,

I just found an issue with the CAS-SPNEGO configuration in our environment, with the following details: our current environment has 2 load balancers running with keepalived and 2 CAS servers running in failover. Our applications that are publicly accessible, like Confluence and Jira, are using these CAS servers for authentication. So the configuration is this: a public DNS name (sso.dns.com) for CAS is called whenever there is a request from our applications inside or outside our network; it points to the load balancer, and the load balancer will redirect the requests to any of the CAS servers.

So I first tried to configure CAS2 to have SPNEGO in, and it works with this URL: https://local-server-name/cas/login. My question is: I tried to access our application inside our network, for example http://uat-kb.dns.com, and it redirects me to https://sso.dns.com/cas/login?service=http://uat-kb.dns.com, which is correct, but SPNEGO doesn't work. How can I make this work?
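The failure mode described in the reply above, as an added simulation that is not part of this thread and not CAS or JGSS code: two hypothetical backends (cas1, cas2) each keep their SPNEGO negotiation state in a node-local table that stands in for the per-JVM GSSContext, and the same browser-side GET/401/GET loop is run once through a round-robin balancer and once through a balancer that routes on a Tomcat-style `JSESSIONID=<id>.<jvmRoute>` cookie (the way mod_proxy_balancer's stickysession does). The token contents, the two-leg handshake and the HTTP 500 returned when a node has no context for the client are constructed for the simulation, not real SPNEGO or Kerberos tokens.

```python
"""Constructed simulation: SPNEGO negotiation state is per node, not per Session."""
import base64
import itertools
from dataclasses import dataclass, field


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def unb64(text: str) -> bytes:
    return base64.b64decode(text)


@dataclass
class Backend:
    """One hypothetical CAS node. `contexts` models the GSS initialization objects,
    which live in this JVM only and are never part of replicated Session data."""
    name: str
    contexts: dict = field(default_factory=dict)  # client -> legs accepted so far
    issued: int = 0                               # session ids handed out

    def handle(self, headers: dict) -> tuple:
        resp = {}
        if "Cookie" not in headers:
            # Tomcat appends the jvmRoute after a dot so a sticky balancer can route on it
            self.issued += 1
            resp["Set-Cookie"] = f"JSESSIONID=S{self.issued:04d}.{self.name}"
        auth = headers.get("Authorization", "")
        if not auth.startswith("Negotiate "):
            resp["WWW-Authenticate"] = "Negotiate"  # initial challenge to the browser
            return 401, resp
        # constructed token format "<client>:<leg>", base64 as in a real Negotiate header
        client, leg = unb64(auth.split(" ", 1)[1]).decode("ascii").split(":")
        if leg == "C1":
            self.contexts[client] = 1  # context created on THIS node only
            resp["WWW-Authenticate"] = "Negotiate " + b64(b"S1")
            return 401, resp
        if leg == "C2" and self.contexts.pop(client, None) == 1:
            return 200, resp  # handshake completed on the node that started it
        # leg 2 reached a node that never saw leg 1: no context, cannot continue
        resp["X-Error"] = f"no GSS context for {client} on {self.name}"
        return 500, resp


class RoundRobin:
    """Balancer with no awareness of the negotiation: alternates nodes per request."""
    def __init__(self, backends):
        self._cycle = itertools.cycle(list(backends))

    def route(self, headers: dict) -> tuple:
        node = next(self._cycle)
        status, resp = node.handle(headers)
        return status, resp, node.name


class StickyOnJSESSIONID:
    """Balancer that pins a client to the node named in the JSESSIONID route suffix."""
    def __init__(self, backends):
        self.by_route = {b.name: b for b in backends}
        self._cycle = itertools.cycle(list(backends))

    def route(self, headers: dict) -> tuple:
        node = None
        cookie = headers.get("Cookie", "")
        if cookie.startswith("JSESSIONID="):
            node = self.by_route.get(cookie.partition(".")[2])
        if node is None:
            node = next(self._cycle)  # first request: no session yet
        status, resp = node.handle(headers)
        return status, resp, node.name


def negotiate(balancer, client: str = "alice", max_requests: int = 6) -> tuple:
    """Browser side: repeat GET until a non-401 answer. Returns (status, nodes hit)."""
    headers, trace = {}, []
    for _ in range(max_requests):
        status, resp, node = balancer.route(dict(headers))
        trace.append(node)
        if "Set-Cookie" in resp:
            headers["Cookie"] = resp["Set-Cookie"]  # browser keeps the session cookie
        if status != 401:
            return status, trace
        challenge = resp.get("WWW-Authenticate", "")
        if challenge == "Negotiate":
            headers["Authorization"] = "Negotiate " + b64(f"{client}:C1".encode())
        elif challenge.startswith("Negotiate "):
            unb64(challenge.split(" ", 1)[1])  # server token; a real initiator feeds it back in
            headers["Authorization"] = "Negotiate " + b64(f"{client}:C2".encode())
        else:
            return status, trace
    return 0, trace


if __name__ == "__main__":
    for lb_cls in (RoundRobin, StickyOnJSESSIONID):
        status, nodes = negotiate(lb_cls([Backend("cas1"), Backend("cas2")]))
        print(f"{lb_cls.__name__:20s} -> HTTP {status} via {' -> '.join(nodes)}")
```

The round-robin run sends leg 1 to cas2 and leg 2 to cas1, which has no context for the client and fails; the sticky run keeps every request on cas1 and completes with 200. Replicating `Backend.contexts` is what session replication cannot do, because that table is not Session data; what makes the sticky run work is only that the balancer reads the JSESSIONID route suffix.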