Arnaud,
Is the service URL changing in any way when spnego is used?
Before a PT is issued, CAS contacts the proxy callback. Is this prevented in
any way with spnego?
I have not used SPNEGO, so I am just making some guesses.
Here is the log config:
<!-- DEBUG Response code from server matched [###] may be useful for
debugging proxy
Created HTTP post message payload [POST URL] on logout -->
<AsyncLogger name="org.apereo.cas.util.http.SimpleHttpClient"
level="error" />
Ray
On Wed, 2018-09-12 at 14:30 -0700, Arnaud N. wrote:
Hello everybody,
Here is my problem:
Our information system relies upon CAS 5.2.3 to enable SSO. We have webapps that
communicate with SOAP WS and REST APIs.
SSO is configured to perform username+password authentication via a REST API,
and every application uses the CAS 2.0 protocol.
So far everything works fine: TGT and PGT are granted, ST and PT are validated,
no problem.
Now we want to use SPNEGO/Kerberos authentication on one of our webapps instead
of the classic form username+password auth. We managed to configure CAS to
perform SPNEGO authentication on this webapp. The user types the URL of the
webapp, negotiation occurs and the user is connected to the application. The
logs show that TGT and PGT are being granted for the webapp. The problem is
when the application tries to get a proxy ticket for another backend
CAS-protected application (SOAP WS or REST API). We made a TCP dump to monitor
the exchange between CAS and the webapp, and we noticed that everything worked
fine until the webapp used its PGT to get a PT for the SOAP WS: CAS rejects
the request, stating that the service is not allowed. Without SPNEGO everything
works fine, the SOAP WS is allowed. From here we tried tinkering with CAS and
service configuration without success.
In the end we were wondering if what we are trying to do is possible. Mix
SPNEGO auth with username+password auth? Has anyone here done that, and using
which CAS configuration? As far as I understand the CAS protocol, once TGT and
PGT are granted, the auth method is irrelevant; only the tickets are used to
delegate authority...
Any help would be greatly appreciated.
Regards
Arnaud.
--
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]
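The exchange both messages above refer to (the proxy callback CAS makes before it answers /serviceValidate, the PGTIOU-to-PGT mapping, the /proxy call for the back-end target service, and the proxy-chain check the back end should do on /proxyValidate) is walked through below as an added example. It is not code from the thread or from the CAS project; the host names, ticket values and XML messages are constructed samples in the shapes defined by the CAS 2.0 protocol, and the error code in the denied response is a spec-defined code, not the one the poster's CAS returned (the thread does not show it).

```python
"""Offline walk-through of the CAS 2.0 proxy flow with constructed messages."""
from urllib.parse import urlencode, urlparse, parse_qs
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
CAS_BASE = "https://cas.example.org/cas"                  # assumed CAS server
WEBAPP = "https://webapp.example.org/app/"                # assumed front-end app
PGT_URL = "https://webapp.example.org/app/pgtCallback"    # assumed proxy callback
SOAP_WS = "https://soap.example.org/ws/"                  # assumed back-end target


def service_validate_url(st, service, pgt_url=None):
    """Step 1: the webapp validates its ST; sending pgtUrl asks CAS for a PGT.
    CAS calls pgtUrl back (over HTTPS) before it answers this request."""
    params = {"service": service, "ticket": st}
    if pgt_url:
        params["pgtUrl"] = pgt_url
    return f"{CAS_BASE}/serviceValidate?{urlencode(params)}"


def parse_proxy_callback(callback_request_url):
    """Step 2 (CAS -> webapp): CAS hits pgtUrl with pgtIou and pgtId.
    The webapp stores the pair keyed by the IOU."""
    qs = parse_qs(urlparse(callback_request_url).query)
    return qs["pgtIou"][0], qs["pgtId"][0]


def parse_service_validate(xml_text):
    """Step 3: the /serviceValidate response carries only the PGTIOU, never the
    PGT itself; the webapp resolves it against what the callback delivered."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is None:
        fail = root.find("cas:authenticationFailure", CAS_NS)
        return {"ok": False, "code": fail.get("code"), "message": (fail.text or "").strip()}
    return {"ok": True,
            "user": ok.findtext("cas:user", namespaces=CAS_NS),
            "pgt_iou": ok.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS)}


def proxy_url(pgt, target_service):
    """Step 4: exchange the PGT for a PT scoped to targetService. This is the
    request the thread says CAS rejects when the target is not allowed."""
    return f"{CAS_BASE}/proxy?{urlencode({'pgt': pgt, 'targetService': target_service})}"


def parse_proxy_response(xml_text):
    root = ET.fromstring(xml_text)
    ok = root.find("cas:proxySuccess", CAS_NS)
    if ok is not None:
        return {"ok": True, "pt": ok.findtext("cas:proxyTicket", namespaces=CAS_NS)}
    fail = root.find("cas:proxyFailure", CAS_NS)
    return {"ok": False, "code": fail.get("code"), "message": (fail.text or "").strip()}


def check_proxy_chain(proxy_validate_xml, allowed_proxies):
    """Step 5: the back end validates the PT via /proxyValidate and must check
    the <cas:proxies> chain (the pgtUrl values of every hop) against an
    allowlist; otherwise any service holding a PGT can reach it."""
    root = ET.fromstring(proxy_validate_xml)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is None:
        return {"ok": False, "chain": []}
    chain = [p.text.strip() for p in ok.findall("cas:proxies/cas:proxy", CAS_NS)]
    return {"ok": bool(chain) and all(p in allowed_proxies for p in chain),
            "user": ok.findtext("cas:user", namespaces=CAS_NS), "chain": chain}


# Constructed sample messages (not captures from any real CAS deployment).
SAMPLE_VALIDATE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-sample-1</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_CALLBACK = PGT_URL + "?pgtIou=PGTIOU-sample-1&pgtId=PGT-sample-1"
SAMPLE_PROXY_OK = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:proxySuccess><cas:proxyTicket>PT-sample-1</cas:proxyTicket></cas:proxySuccess>
</cas:serviceResponse>"""
SAMPLE_PROXY_DENIED = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:proxyFailure code="UNAUTHORIZED_SERVICE">target service not allowed to be proxied</cas:proxyFailure>
</cas:serviceResponse>"""
SAMPLE_PROXY_VALIDATE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:proxies><cas:proxy>https://webapp.example.org/app/pgtCallback</cas:proxy></cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""


def run_flow():
    """Drive the whole exchange with the samples and return what each side learned."""
    v = parse_service_validate(SAMPLE_VALIDATE)
    iou, pgt = parse_proxy_callback(SAMPLE_CALLBACK)
    if v["pgt_iou"] != iou:
        raise ValueError("PGTIOU in validate response does not match the callback")
    granted = parse_proxy_response(SAMPLE_PROXY_OK)
    denied = parse_proxy_response(SAMPLE_PROXY_DENIED)
    backend = check_proxy_chain(SAMPLE_PROXY_VALIDATE, allowed_proxies={PGT_URL})
    return {"user": v["user"], "pgt": pgt, "pt": granted["pt"],
            "denied_code": denied["code"], "backend_ok": backend["ok"],
            "chain": backend["chain"], "proxy_request": proxy_url(pgt, SOAP_WS)}


if __name__ == "__main__":
    print(run_flow())
```

The /proxy request in step 4 is the only step where the target service matters, which is why a target-not-allowed error there points at the service registry entry for the back end (or at the URL the webapp sends as targetService) rather than at how the TGT was obtained.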
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1536789665.2860.19.camel%40uvic.ca.