Hi,
I still have that *annoying login dialog* that I don't want to see.
[image: Inline image 1]
How do I get rid of it? SPNEGO is working OK in the domain; I see the dialog only
OUTSIDE of the AD domain.

I mean: if SPNEGO fails, show LoginView

*My configuration (details obfuscated):*

*cas.properties:*
## SPNEGO kerberos
cas.authn.spnego.kerberosConf=/etc/krb5.conf
cas.authn.spnego.jcifsServicePrincipal=HTTP/kdcserver.example.com@VAD1
cas.authn.spnego.kerberosRealm=VAD1
cas.authn.spnego.kerberosKdc=10.123.45.67
cas.authn.spnego.kerberosDebug=true
cas.authn.spnego.mixedModeAuthentication=true
cas.authn.spnego.ntlmAllowed=false
cas.authn.spnego.ntlm=false
cas.authn.spnego.send401OnAuthenticationFailure=false


krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = VAD1
 default_keytab_name = /etc/krb5.keytab
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tkt_enctypes = rc4-hmac
 default_tgs_enctypes = bc4-hmac
 kdc_timesync = 1
 ccache_type = 4
 forwardable = true
 proxiable = true

[realms]
 VAD1 = {
 kdc = ad1v.vad1.example.com
 kdc = ad2v.vad1.example.com
 kdc = ad4v.vad1.example.com
 admin_server = ad2v.vad1.example.com
 }

[domain_realm]
 .vad1.example.com = VAD1
 vad1.example.com = VAD1

[login]
 krb4_convert = false
 krb4_get_tickets = false

[am1v-as1@am1v-as1 etc]




--

Best regards

Petr Gašparík
solution architect

gsm: [+420] 603 523 860
e-mail: [email protected]


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz




2017-04-06 12:06 GMT+02:00 Pascal Rigaux <[email protected]>:

> On 06/04/2017 10:46, Petr Gašparík - AMI Praha a.s. wrote:
>
>>  1. Try SPNEGO auth
>>  2. If it fails, show browser dialog for Kerberos login (L/P from AD)
>>  3. If it fails, show login page for LDAP auth
>>
>> Now, how to get rid of step 2?
>>
>
> You can't do it for Internet Explorer or Chrome on Windows.
> That's why we only allow SPNEGO on Firefox!
>
> If you can modify the user-agent when you are sure SPNEGO will work,
> for example by adding "Kerberos", you can add it to the "supportedBrowser"
> whitelist.
>
> cu
>
> --
> - CAS gitter chatroom: https://gitter.im/apereo/cas
> - CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
> - CAS documentation website: https://apereo.github.io/cas
> - CAS project website: https://github.com/apereo/cas
> ---
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/31dbb5c4-f8b2-7fc9-35a4-efe35c096da2%40univ-paris1.fr.
>
