Hello,

I modified the login-webflow.xml as described in the documentation mentioned. Please see the attached file from the last post.

The problem is that I'm not getting a 401 response to the browser - it only loops until a stack overflow and then sends an HTTP 500 response with the Negotiate header. The browser doesn't reply to this HTTP 500 response, as is expected.

My setup is Debian 8 with tomcat8 installed via apt. In front of the Tomcat is an haproxy to handle SSL. I have also tried bypassing the haproxy - also no success.

Kerberos auth is working on other services with my browser.

Hope that helps - if more information is needed I will kindly provide it.

Greetings
Florian

On Monday, 11 July 2016 18:49:16 UTC+2, Misagh Moayyed wrote:
>
> I am not sure I follow. With your changes SPNEGO works, is what you’re
> saying?
>
> If so, review:
> https://apereo.github.io/cas/4.2.x/installation/SPNEGO-Authentication.html#webflow-configuration
>
> --
> Misagh
>
> From: itshorty AT <[email protected]>
> Reply: itshorty AT <[email protected]>
> Date: July 11, 2016 at 9:39:19 AM
> To: CAS Community <[email protected]>
> Cc: [email protected] <[email protected]>
> Subject: [cas-user] Re: CAS 4.2.3 + SPNEGO setup
>
> I think there is maybe an error in the changed login-webflow.xml.
>
> I changed 2 occurrences of viewLoginForm with startSpnegoAuthenticate.
> File is attached.
>
> On Monday, 11 July 2016 10:28:29 UTC+2, itshorty AT wrote:
>>
>> Hi again,
>>
>> missed that a request returns HTTP500 instead of HTTP401 Auth. Required.
>> But the HTTP500 response contains the WWW-Authenticate: Negotiate header.
>>
>> Greetings Florian
>>
>> On Monday, 11 July 2016 10:26:13 UTC+2, itshorty AT wrote:
>>>
>>> Hi,
>>>
>>> I'm also trying to set up CAS 4.2.3 + SPNEGO + LDAP against Microsoft AD.
>>>
>>> I have the same problem - seems like it's looping in the webflow as it
>>> dies in a StackOverflowException:
>>>
>>> 2016-07-11 10:20:33,845 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'startSpnegoAuthenticate' of flow 'login'>
>>> 2016-07-11 10:20:33,845 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing [EvaluateAction@33ddde4 expression = negociateSpnego, resultExpression = [null]]>
>>> 2016-07-11 10:20:33,845 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction@127a33d7>
>>> 2016-07-11 10:20:33,845 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - <Authorization header [null], User Agent header [Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 OWASMIME/4.0500]>
>>> 2016-07-11 10:20:33,847 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - <Authorization header not found or does not match the message prefix [Negotiate ]. Sending [WWW-Authenticate] header [Negotiate]>
>>> 2016-07-11 10:20:33,848 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - <Mixed-mode authentication is disabled. Executing completion of response>
>>> 2016-07-11 10:20:33,849 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction@127a33d7; result = success>
>>> 2016-07-11 10:20:33,849 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@33ddde4 expression = negociateSpnego, resultExpression = [null]]; result = success>
>>> 2016-07-11 10:20:33,849 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@5cf1b6b2 on = success, to = spnego]>
>>> 2016-07-11 10:20:33,849 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'startSpnegoAuthenticate'>
>>> 2016-07-11 10:20:33,849 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'spnego' of flow 'login'>
>>> 2016-07-11 10:20:33,849 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing [EvaluateAction@7b568a3c expression = spnego, resultExpression = [null]]>
>>> 2016-07-11 10:20:33,849 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction@37510309>
>>> 2016-07-11 10:20:33,849 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction@37510309; result = error>
>>> 2016-07-11 10:20:33,849 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@7b568a3c expression = spnego, resultExpression = [null]]; result = error>
>>> 2016-07-11 10:20:33,849 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@1118fca on = error, to = ticketGrantingTicketCheck]>
>>> 2016-07-11 10:20:33,849 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'spnego'>
>>> 2016-07-11 10:20:33,849 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'ticketGrantingTicketCheck' of flow 'login'>
>>> 2016-07-11 10:20:33,849 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing [EvaluateAction@28c02a7d expression = ticketGrantingTicketCheckAction, resultExpression = [null]]>
>>> 2016-07-11 10:20:33,849 DEBUG [org.springframework.webflow.execution.AnnotatedAction] - <Putting action execution attributes map[[empty]]>
>>> 2016-07-11 10:20:33,849 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.jasig.cas.web.flow.TicketGrantingTicketCheckAction@16c24b14>
>>> 2016-07-11 10:20:33,849 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.jasig.cas.web.flow.TicketGrantingTicketCheckAction@16c24b14; result = notExists>
>>> 2016-07-11 10:20:33,849 DEBUG [org.springframework.webflow.execution.AnnotatedAction] - <Clearing action execution attributes map[[empty]]>
>>> 2016-07-11 10:20:33,849 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@28c02a7d expression = ticketGrantingTicketCheckAction, resultExpression = [null]]; result = notExists>
>>> 2016-07-11 10:20:33,849 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@60258971 on = notExists, to = gatewayRequestCheck]>
>>> 2016-07-11 10:20:33,849 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'ticketGrantingTicketCheck'>
>>> 2016-07-11 10:20:33,849 DEBUG [org.springframework.webflow.engine.DecisionState] - <Entering state 'gatewayRequestCheck' of flow 'login'>
>>> 2016-07-11 10:20:33,850 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@2f02c45 on = *, to = serviceAuthorizationCheck]>
>>> 2016-07-11 10:20:33,850 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'gatewayRequestCheck'>
>>> 2016-07-11 10:20:33,850 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'serviceAuthorizationCheck' of flow 'login'>
>>> 2016-07-11 10:20:33,850 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing [EvaluateAction@65ea6784 expression = serviceAuthorizationCheck, resultExpression = [null]]>
>>> 2016-07-11 10:20:33,850 DEBUG [org.springframework.webflow.execution.AnnotatedAction] - <Putting action execution attributes map[[empty]]>
>>> 2016-07-11 10:20:33,850 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.jasig.cas.web.flow.ServiceAuthorizationCheck@62b99ff8>
>>> 2016-07-11 10:20:33,850 DEBUG [org.springframework.webflow.execution.AnnotatedAction] - <Clearing action execution attributes map[[empty]]>
>>> 2016-07-11 10:20:33,852 DEBUG [org.springframework.web.servlet.DispatcherServlet] - <Could not complete request>
>>> org.springframework.web.util.NestedServletException: Handler processing failed; nested exception is java.lang.StackOverflowError
>>>     at org.springframework.web.servlet.DispatcherServlet.triggerAfterCompletionWithError(DispatcherServlet.java:1303) ~[DispatcherServlet.class:4.2.3.RELEASE]
>>>     at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:977) ~[DispatcherServlet.class:4.2.3.RELEASE]
>>>     at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893) ~[DispatcherServlet.class:4.2.3.RELEASE]
>>>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970) ~[FrameworkServlet.class:4.2.3.RELEASE]
>>>     at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861) ~[FrameworkServlet.class:4.2.3.RELEASE]
>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:618) ~[tomcat8-servlet-api-8.0.14.jar:?]
>>>     at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846) ~[FrameworkServlet.class:4.2.3.RELEASE]
>>>
>>> Greetings Florian
>>>
>>> On Monday, 11 July 2016 09:20:31 UTC+2, Antti Sirviö wrote:
>>>>
>>>> Hello,
>>>>
>>>> I'm currently experimenting with CAS 4.2.3 + SPNEGO setup, and have run into
>>>> some problems. I followed the wiki instructions of setting up SPNEGO,
>>>> but it seems that I've missed something or didn't understand something
>>>> correctly.
>>>>
>>>> Currently, I have working kerberos setup with AD (keytab is ok, and
>>>> kinit is working as it should), and login.conf located in /etc/cas/
>>>> (the location is specified inside the cas.properties file).
>>>> Also modifications to the login-webflow.xml are done (replaced
>>>> to=viewLoginForm actions with to=startSpnegoAuthenticate)
>>>>
>>>> Now, when I try to authenticate, I get a 500 internal server error. Logs
>>>> show the following behaviour:
>>>>
>>>> 2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'ticketGrantingTicketCheck' of flow 'login'>
>>>> 2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing [EvaluateAction@3bf69b2b expression = ticketGrantingTicketCheckAction, resultExpression = [null]]>
>>>> 2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.AnnotatedAction] - <Putting action execution attributes map[[empty]]>
>>>> 2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.jasig.cas.web.flow.TicketGrantingTicketCheckAction@26573ce1>
>>>> 2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.jasig.cas.web.flow.TicketGrantingTicketCheckAction@26573ce1; result = notExists>
>>>> 2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.AnnotatedAction] - <Clearing action execution attributes map[[empty]]>
>>>> 2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@3bf69b2b expression = ticketGrantingTicketCheckAction, resultExpression = [null]]; result = notExists>
>>>> 2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@7ae23c26 on = notExists, to = gatewayRequestCheck]>
>>>> 2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'ticketGrantingTicketCheck'>
>>>> 2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.engine.DecisionState] - <Entering state 'gatewayRequestCheck' of flow 'login'>
>>>> 2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@43fd721f on = *, to = serviceAuthorizationCheck]>
>>>> 2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'gatewayRequestCheck'>
>>>> 2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'serviceAuthorizationCheck' of flow 'login'>
>>>> 2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing [EvaluateAction@20aff67 expression = serviceAuthorizationCheck, resultExpression = [null]]>
>>>> 2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.AnnotatedAction] - <Putting action execution attributes map[[empty]]>
>>>> 2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.jasig.cas.web.flow.ServiceAuthorizationCheck@7b8ba682>
>>>> 2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.jasig.cas.web.flow.ServiceAuthorizationCheck@7b8ba682; result = success>
>>>> 2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.AnnotatedAction] - <Clearing action execution attributes map[[empty]]>
>>>> 2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@20aff67 expression = serviceAuthorizationCheck, resultExpression = [null]]; result = success>
>>>> 2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@78e25983 on = *, to = generateLoginTicket]>
>>>> 2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'serviceAuthorizationCheck'>
>>>> 2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'generateLoginTicket' of flow 'login'>
>>>> 2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing [EvaluateAction@a6fdfbc expression = generateLoginTicketAction.generate(flowRequestContext), resultExpression = [null]]>
>>>> 2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.AnnotatedAction] - <Putting action execution attributes map[[empty]]>
>>>> 2016-07-11 10:06:54,755 DEBUG [org.jasig.cas.web.flow.GenerateLoginTicketAction] - <Generated login ticket LT-346-BXiKx6UYxpODpnR5Pcey-xxxxxxxxxxx>
>>>> 2016-07-11 10:06:54,756 DEBUG [org.springframework.webflow.execution.AnnotatedAction] - <Clearing action execution attributes map[[empty]]>
>>>> 2016-07-11 10:06:54,756 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@a6fdfbc expression = generateLoginTicketAction.generate(flowRequestContext), resultExpression = [null]]; result = generated>
>>>> 2016-07-11 10:06:54,756 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@692cd498 on = generated, to = startSpnegoAuthenticate]>
>>>> 2016-07-11 10:06:54,756 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'generateLoginTicket'>
>>>> 2016-07-11 10:06:54,756 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'startSpnegoAuthenticate' of flow 'login'>
>>>> 2016-07-11 10:06:54,756 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing [EvaluateAction@142933c8 expression = negociateSpnego, resultExpression = [null]]>
>>>> 2016-07-11 10:06:54,756 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction@1abe21d0>
>>>> 2016-07-11 10:06:54,756 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - <Authorization header [null], User Agent header [Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko]>
>>>> 2016-07-11 10:06:54,757 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - <Authorization header not found or does not match the message prefix [Negotiate ]. Sending [WWW-Authenticate] header [Negotiate]>
>>>> 2016-07-11 10:06:54,758 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction@1abe21d0; result = success>
>>>> 2016-07-11 10:06:54,758 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@142933c8 expression = negociateSpnego, resultExpression = [null]]; result = success>
>>>> 2016-07-11 10:06:54,758 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@1d6b7385 on = success, to = spnego]>
>>>> 2016-07-11 10:06:54,758 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'startSpnegoAuthenticate'>
>>>> 2016-07-11 10:06:54,758 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'spnego' of flow 'login'>
>>>> 2016-07-11 10:06:54,758 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing [EvaluateAction@2c49b6e2 expression = spnego, resultExpression = [null]]>
>>>> 2016-07-11 10:06:54,758 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction@31c7f7c5>
>>>> 2016-07-11 10:06:54,758 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction@31c7f7c5; result = error>
>>>> 2016-07-11 10:06:54,758 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@2c49b6e2 expression = spnego, resultExpression = [null]]; result = error>
>>>> 2016-07-11 10:06:54,758 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@53ba1570 on = error, to = ticketGrantingTicketCheck]>
>>>> 2016-07-11 10:06:54,758 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'spnego'>
>>>>
>>>> This is repeated about a hundred times, and finally the client sees an
>>>> error message from the cas server. So does anyone have an idea what's
>>>> wrong with the configuration?
>>>>
>>>> And one other question, how to configure ldap fallback for SPNEGO?
>>>>
>>>> --
>>>> Antti Sirviö
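Added example (not part of the original thread, and not CAS or Spring Web Flow code): a small Python check that rebuilds the state transitions from DEBUG lines like those quoted above and reports the first closed loop of states. It assumes the input is the log of a single request; `SAMPLE` is abridged from the transitions quoted in the thread, and the function names are made up for this example.

```python
import re

# Spring Web Flow logs the transition first and the state it leaves second:
#   <Executing [Transition@1d6b7385 on = success, to = spnego]>
#   <Exiting state 'startSpnegoAuthenticate'>
TRANSITION = re.compile(r"\[Transition@\w+ on = (\S+), to = (\w+)\s*\]")
EXITING = re.compile(r"<Exiting state '(\w+)'>")

# Abridged from the log lines quoted in the thread (timestamps and loggers dropped).
SAMPLE = [
    "<Executing [Transition@7ae23c26 on = notExists, to = gatewayRequestCheck]>",
    "<Exiting state 'ticketGrantingTicketCheck'>",
    "<Executing [Transition@43fd721f on = *, to = serviceAuthorizationCheck]>",
    "<Exiting state 'gatewayRequestCheck'>",
    "<Executing [Transition@78e25983 on = *, to = generateLoginTicket]>",
    "<Exiting state 'serviceAuthorizationCheck'>",
    "<Executing [Transition@692cd498 on = generated, to = startSpnegoAuthenticate]>",
    "<Exiting state 'generateLoginTicket'>",
    "<Executing [Transition@1d6b7385 on = success, to = spnego]>",
    "<Exiting state 'startSpnegoAuthenticate'>",
    "<Executing [Transition@53ba1570 on = error, to = ticketGrantingTicketCheck]>",
    "<Exiting state 'spnego'>",
]


def parse_edges(lines):
    """Return [(from_state, event, to_state), ...] in log order."""
    edges, pending = [], None
    for line in lines:
        m = TRANSITION.search(line)
        if m:
            pending = m.groups()              # (event, to_state)
            continue
        m = EXITING.search(line)
        if m and pending:
            edges.append((m.group(1), pending[0], pending[1]))
            pending = None
    return edges


def find_cycle(edges):
    """Return the edges of the first closed loop, or [] if no state is revisited."""
    path, left_at = [], {}                    # left_at: state -> index of the edge leaving it
    for edge in edges:
        src, _event, dst = edge
        left_at.setdefault(src, len(path))
        path.append(edge)
        if dst in left_at:                    # transition leads back to a state already left
            return path[left_at[dst]:]
    return []


def describe(cycle):
    """Render a cycle as 'state -[event]-> state ...' for a ticket or log note."""
    if not cycle:
        return "no loop"
    return cycle[0][0] + "".join(f" -[{e}]-> {d}" for _s, e, d in cycle)


if __name__ == "__main__":
    print(describe(find_cycle(parse_edges(SAMPLE))))
```

On the sample, the loop is closed by the `error` result of the `spnego` state leading back to `ticketGrantingTicketCheck`, which is the transition to inspect in the modified login-webflow.xml.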
