Hello everybody,

Here is my problem:

Our information system relies upon CAS 5.2.3 to enable SSO. We have webapps that communicate with SOAP WS and REST APIs. SSO is configured to perform username+password authentication via a REST API, and every application uses the CAS 2.0 protocol. So far everything works fine: TGT and PGT are granted, ST and PT are validated, no problem.

Now we want to use SPNEGO/Kerberos authentication on one of our webapps instead of the classic form/username+password auth. We managed to configure CAS to perform SPNEGO authentication on this webapp. The user types the URL of the webapp, negotiation occurs and the user is connected to the application. The logs show that TGT and PGT are being granted for the webapp.

The problem is when the application tries to get a proxy ticket for another backend CAS-protected application (SOAP WS or REST API). We made a TCP dump to monitor the exchange between CAS and the webapp, and we noticed that everything worked fine until the webapp uses its PGT to get a PT for the SOAP WS. The CAS rejects the request, stating that the service is not allowed. Without SPNEGO everything works fine; the SOAP WS is allowed.

From here we tried tinkering with CAS and service configuration without success. In the end we were wondering if what we are trying to do is possible? Mix SPNEGO auth with username+password auth? Has anyone here done that, using which CAS configuration?

As far as I understand the CAS protocol, once TGT and PGT are granted, the auth method is irrelevant, only the tickets are used to delegate authority...

Any help would be greatly appreciated.

Regards
Arnaud.