Today, it works a little better: I get a 401, my browser sends its
ticket... but no authentication:

Caused by: KrbException: Invalid argument (400) - Cannot find key of
appropriate type to decrypt AP REP - RC4 with HMAC

I have to declare my keytab as the default keytab in /etc/krb5.conf to get
authenticated (the keytab is read *before* login.conf)! It was not
necessary with CASv3.5.

If my keytab is not declared in /etc/krb5.conf, login.conf is not read
either, why?

Last test, with only a few parameters:

cas.authn.spnego.kerberosConf=/etc/krb5.conf
cas.authn.spnego.mixedModeAuthentication=false
cas.authn.spnego.jcifsServicePrincipal=HTTP/[email protected]
cas.authn.spnego.ntlmAllowed=false
cas.authn.spnego.hostNamePatternString=.+
cas.authn.spnego.supportedBrowsers=MSIE,Firefox,AppleWebKit
cas.authn.spnego.hostNameClientActionStrategy=hostnameSpnegoClientAction
cas.authn.spnego.ipsToCheckPattern=172.+
cas.authn.spnego.send401OnAuthenticationFailure=false
cas.authn.spnego.principalWithDomainName=false

It works...

Does the documentation need an update?

Regards.

On 10/08/2016 at 17:42, Philippe MARASSE wrote:
> Folks,
>
> I'm testing my freshly installed cas 5.0.0RC1-SNAPSHOT with SPNEGO,
> following instructions at
> https://apereo.github.io/cas/development/installation/SPNEGO-Authentication.html
>
> Everything looks right at tomcat startup (krb5 principal (fixed @, kdc,
> etc.)). My browser gets a 401 with WWW-Authenticate: Negotiate as
> expected. So it sends its Authorization: Negotiate header, but CAS does
> not seem to catch the header (see attached catalina.out log file) and
> throws a NullPointerException.
>
> Tomcat is behind Apache + mod_jk, packetSize has been increased to 16k.
>
> Am I missing something?
>
> Regards.
>

-- 
Philippe MARASSE

Head of Infrastructure Unit - DSIO
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur 
86021 Poitiers Cedex
Tel : 05.49.44.57.19
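
The KrbException quoted above is raised when the acceptor finds no key of the ticket's encryption type (here RC4-HMAC, enctype 23) among the keys it loaded for the service principal. As an added example, not part of the original message or of CAS: a minimal parser for the keytab file format (version 0x0502) that lists which enctypes a keytab holds per principal, run on a constructed keytab; the SPN, realm and all-zero keys are made up for illustration.

```python
import io
import struct
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def counted(buf):
    (n,) = struct.unpack(">H", buf.read(2))  # uint16 length prefix
    return buf.read(n)

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from version 0x0502 keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    buf, entries = io.BytesIO(data[2:]), []
    while len(head := buf.read(4)) == 4:
        (size,) = struct.unpack(">i", head)
        if size <= 0:  # deleted entry ("hole"): skip its bytes
            buf.seek(-size, io.SEEK_CUR)
            continue
        rec = io.BytesIO(buf.read(size))
        (ncomp,) = struct.unpack(">H", rec.read(2))
        realm = counted(rec).decode()
        name = "/".join(counted(rec).decode() for _ in range(ncomp))
        _name_type, _timestamp, kvno, etype = struct.unpack(">IIBH", rec.read(11))
        counted(rec)  # key bytes: skipped, never printed
        tail = rec.read(4)  # optional 32-bit kvno overrides the 8-bit one
        if len(tail) == 4 and any(tail):
            (kvno,) = struct.unpack(">I", tail)
        entries.append((f"{name}@{realm}", kvno, etype))
    return entries

def has_enctype(entries, principal, etype):
    return any(p == principal and e == etype for p, _, e in entries)

def build_entry(principal, kvno, etype, key):
    """Serialize one entry (used only to construct the sample below)."""
    name, realm = principal.split("@")
    body = struct.pack(">H", name.count("/") + 1)
    for s in [realm] + name.split("/"):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: hypothetical SPN, all-zero keys, AES entries only.
SPN = "HTTP/cas.example.org@EXAMPLE.ORG"
SAMPLE = b"\x05\x02" + build_entry(SPN, 3, 18, bytes(32)) + build_entry(SPN, 3, 17, bytes(16))
if __name__ == "__main__":
    for princ, kvno, etype in parse_keytab(SAMPLE):
        print(princ, "kvno", kvno, ENCTYPES.get(etype, etype))
    print("rc4-hmac key present:", has_enctype(parse_keytab(SAMPLE), SPN, 23))
```

To inspect a real file, pass `open(path, "rb").read()` to `parse_keytab`; an empty result for the service principal, or no entry with the enctype named in the exception, matches the failure above.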
