Hi,
If you enable SPNEGO on MSIE, if outside AD, it will always prompt.
It may be the same on Chrome, I can't remember exactly.
The solution we used here is to enable SPNEGO on Firefox only, and we
advise users to use Firefox.
cu
"Petr Gašparík - AMI Praha a.s." <[email protected]> wrote:
Hi,
I still have that *annoying login dialog* that I don't want to see.
How to get rid of it? SPNEGO is working in domain ok, I see dialog only
OUTSIDE of AD domain.
I mean: if SPNEGO fails, show LoginView
*My configuration (details obfuscated):*
*cas.properties:*
## SPNEGO kerberos
cas.authn.spnego.kerberosConf=/etc/krb5.conf
cas.authn.spnego.jcifsServicePrincipal=HTTP/kdcserver.example.com@VAD1
cas.authn.spnego.kerberosRealm=VAD1
cas.authn.spnego.kerberosKdc=10.123.45.67
cas.authn.spnego.kerberosDebug=true
cas.authn.spnego.mixedModeAuthentication=true
cas.authn.spnego.ntlmAllowed=false
cas.authn.spnego.ntlm=false
cas.authn.spnego.send401OnAuthenticationFailure=false
krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = VAD1
default_keytab_name = /etc/krb5.keytab
dns_lookup_realm = false
dns_lookup_kdc = false
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
[realms]
VAD1 = {
kdc = ad1v.vad1.example.com
kdc = ad2v.vad1.example.com
kdc = ad4v.vad1.example.com
admin_server = ad2v.vad1.example.com
}
[domain_realm]
.vad1.example.com = VAD1
vad1.example.com = VAD1
[login]
krb4_convert = false
krb4_get_tickets = false
[am1v-as1@am1v-as1 etc]
--
Regards,
Petr Gašparík
solution architect
gsm: [+420] 603 523 860
e-mail: [email protected]
AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz
By the text of this e-mail, the signatory neither promises to conclude nor
concludes any contract on behalf of AMI Praha a.s. Any contract, if
concluded, must be exclusively in written form.
2017-04-06 12:06 GMT+02:00 Pascal Rigaux <[email protected]>:
On 06/04/2017 10:46, Petr Gašparík - AMI Praha a.s. wrote:
1. Try SPNEGO auth
2. If it fails, show browser dialog for Kerberos login (L/P from AD)
3. If it fails, show login page for LDAP auth
Now, how to get rid of step 2?
You can't do it for Internet Explorer or Chrome on Windows.
That's why we only allow SPNEGO on Firefox!
If you can modify the user-agent when you are sure SPNEGO will work,
for example by adding "Kerberos", you can add it to the "supportedBrowser"
whitelist.
cu
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
--- You received this message because you are subscribed to the Google
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/31dbb5c4-f8b2-7fc9-35a4-efe35c096da2%40univ-paris1.fr.
--
Pascal Rigaux
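
Added example, not part of the original thread and not CAS source code: a model of the "supportedBrowser" whitelist discussed above, showing why restricting it to Firefox (plus a custom "Kerberos" User-Agent token) keeps IE and Chrome from ever receiving the Negotiate challenge that triggers the browser dialog. The function names, whitelist contents and User-Agent strings are constructed for illustration, and substring matching of whitelist tokens is an assumption.

```python
# Added illustration (not CAS source): a substring User-Agent whitelist that
# decides whether the server sends the SPNEGO challenge at all.

# Constructed sample User-Agent strings.
FIREFOX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0"
IE11 = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36")
# IE on a domain-joined machine, carrying the custom token suggested in the thread.
IE11_TAGGED = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Kerberos; rv:11.0) like Gecko"

# Constructed whitelists (hypothetical values).
FIREFOX_ONLY = ["Firefox"]
FIREFOX_OR_TAGGED = ["Firefox", "Kerberos"]
BROAD = ["MSIE", "Trident", "Firefox", "AppleWebKit"]


def is_supported_browser(user_agent, supported):
    """True if any whitelist token occurs in the User-Agent header."""
    if not user_agent:
        return False
    return any(token and token in user_agent for token in supported)


def next_step(user_agent, authorization, supported):
    """Return (step, response_headers) for a request to the login URL."""
    if not is_supported_browser(user_agent, supported):
        # No challenge is sent, so the browser never shows its own dialog.
        return ("login-form", {})
    if authorization and authorization.startswith("Negotiate "):
        # Validating the ticket is the authentication step; the User-Agent is
        # client-controlled and only selects who receives the challenge.
        return ("validate-ticket", {})
    # A 401 with this header is what makes IE/Chrome prompt outside the domain.
    return ("challenge", {"WWW-Authenticate": "Negotiate"})


if __name__ == "__main__":
    agents = [("firefox", FIREFOX), ("ie11", IE11),
              ("chrome", CHROME), ("ie11+token", IE11_TAGGED)]
    for name, ua in agents:
        for label, wl in [("broad", BROAD), ("firefox+token", FIREFOX_OR_TAGGED)]:
            print(f"{name:11} {label:14} -> {next_step(ua, None, wl)[0]}")
```

Because the User-Agent header is set by the client, the whitelist only controls who is offered SPNEGO; a client that spoofs a whitelisted token still has to present a valid Kerberos ticket.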