Hi Nicholas,

It's seems to me that Kerberos / SPNEGO client selection strategy is broken 
since Alfresco 5.0.x.

Indeed, there are several other messages in this discussion list referring 
to this problem : here 
and here 
and I didn't achieved to make it work (IP based) in CAS 5.1.7 release.

SPNEGO Client Selection strategy setup is done in the 
class, using the "cas.authn.spnego.hostNameClientActionStrategy" parameter 
value to set the strategy (default to "hostnameSpnegoClientAction"). You 
can use the "ldapSpnegoClientAction" value to use a LDAP Client Selection 

The problem is the Spring MVC Web Flow is configured for using the 
action state by default 
instead of the "EVALUATE_SPNEGO_CLIENT" action state (evaluateClientRequest) 

Therefore, the Client Selection Strategy is never applied. I didn't found 
any way to use CAS configuration properties to add the 
*evaluateClientRequest* action state before the *startSpnegoAuthenticate* 

The only way to do this may be to overidde the 
state (as done here 
in a custom bean and configure it to transition to the 
evaluateClientRequest state.

I may have missed something, and I hope a CAS Developer can clarify it.



Le jeudi 17 mai 2018 07:47:54 UTC+2, Nicholas Wylie a écrit :
> Hi CAS Community,
> I've successfully configured CAS 5.2 with LDAP/SPNEGO authentication 
> against our Active Directory.
> What we have noticed though is that non-domain joined computers see a 
> pop-up prompt for credentials when they visit the CAS login page. From my 
> reading, I believe we can fix this by configuring the LDAP Client Selection 
> Strategy for SPNEGO, but the documentation for which properties need to be 
> configured seems to be a bit scarce.
> Can someone offer any guidance (or a link to some documentation) as to 
> which properties I need to configure to use the LDAP Client Selection 
> Strategy?
> Thanks,
> Nicholas

- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 

Reply via email to