Hi Nicholas,

It seems to me that the Kerberos / SPNEGO client selection strategy has been 
broken since Alfresco 5.0.x.

Indeed, there are several other messages in this discussion list referring 
to this problem: here 
<https://groups.google.com/a/apereo.org/d/topic/cas-user/4V8fiuPARI0/discussion>, 
here 
<https://groups.google.com/a/apereo.org/d/topic/cas-user/HZCbd9ghOM4/discussion> 
and here 
<https://groups.google.com/a/apereo.org/d/topic/cas-user/PPIe-SPPCtg/discussion>, 
and I didn't manage to make it work (IP based) in the CAS 5.1.7 release.

SPNEGO Client Selection strategy setup is done in the 
SpengoWebflowConfigurer 
<https://github.com/apereo/cas/blob/2606c6908a6740cdf91dfd950ea3a6e2d95731c5/support/cas-server-support-spnego-webflow/src/main/java/org/apereo/cas/web/flow/SpengoWebflowConfigurer.java#L71> 
class, using the "cas.authn.spnego.hostNameClientActionStrategy" parameter 
value to set the strategy (defaults to "hostnameSpnegoClientAction"). You 
can use the "ldapSpnegoClientAction" value to use an LDAP Client Selection 
Strategy.

The problem is that the Spring MVC Web Flow is configured to use the 
"START_SPNEGO_AUTHENTICATE" action state by default 
<https://github.com/apereo/cas/blob/2606c6908a6740cdf91dfd950ea3a6e2d95731c5/support/cas-server-support-spnego-webflow/src/main/java/org/apereo/cas/web/flow/SpengoWebflowConfigurer.java#L51>, 
instead of the "EVALUATE_SPNEGO_CLIENT" action state (evaluateClientRequest) 
<https://github.com/apereo/cas/blob/2606c6908a6740cdf91dfd950ea3a6e2d95731c5/support/cas-server-support-spnego-webflow/src/main/java/org/apereo/cas/web/flow/SpengoWebflowConfigurer.java#L71>.

Therefore, the Client Selection Strategy is never applied. I didn't find 
any way to use CAS configuration properties to add the 
*evaluateClientRequest* action state before the *startSpnegoAuthenticate* 
state.

The only way to do this may be to override the 
CasWebflowConstants.STATE_ID_INIT_LOGIN_FORM 
state (as done here 
<https://github.com/apereo/cas/blob/2606c6908a6740cdf91dfd950ea3a6e2d95731c5/support/cas-server-support-spnego-webflow/src/main/java/org/apereo/cas/web/flow/SpengoWebflowConfigurer.java#L51>) 
in a custom bean and configure it to transition to the 
evaluateClientRequest state.

I may have missed something, and I hope a CAS Developer can clarify it.

Regards,

Charles






On Thursday, 17 May 2018 at 07:47:54 UTC+2, Nicholas Wylie wrote:
>
> Hi CAS Community,
>
> I've successfully configured CAS 5.2 with LDAP/SPNEGO authentication 
> against our Active Directory.
>
> What we have noticed though is that non-domain joined computers see a 
> pop-up prompt for credentials when they visit the CAS login page. From my 
> reading, I believe we can fix this by configuring the LDAP Client Selection 
> Strategy for SPNEGO, but the documentation for which properties need to be 
> configured seems to be a bit scarce.
>
> Can someone offer any guidance (or a link to some documentation) as to 
> which properties I need to configure to use the LDAP Client Selection 
> Strategy?
>
> Thanks,
> Nicholas
>
