Hi,

I tried to follow the instructions on this page https://apereo.github.io/cas/6.4.x/authentication/SPNEGO-Authentication.html#spnego-authentication and managed to go a bit further. Then I installed an empty WordPress site, using CAS authentication through the "Authorizer" extension. I can see some SPNEGO dialog in the CAS logfile, and it seems it considers a Kerberos token. Good starting point! But in the end, the SPNEGO authentication fails and it falls back to the login form (which works). "klist" on the client shows a ticket for the CAS HTTP principal.

Here is what I managed to track during the different steps. It seems my CAS server is not able to handle the provided information (an LDAP handler trying to process a token?), but I don't know what to do at that level. I have tried numerous configuration properties I have found here and there, but many seem deprecated or have changed.

Can someone help me guess where the problem is?

Thanks

W11 login (KRB server)
---------------------------------
2022-02-15T17:10:44 AS-REQ USER_ID@MY_REALM from IPv4:CLIENT_IP for krbtgt/MY_REALM@MY_REALM
2022-02-15T17:10:44 Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
2022-02-15T17:10:44 sending 281 bytes to IPv4:CLIENT_IP
2022-02-15T17:10:44 AS-REQ USER_ID@MY_REALM from IPv4:CLIENT_IP for krbtgt/MY_REALM@MY_REALM
2022-02-15T17:10:44 Client sent patypes: ENC-TS
2022-02-15T17:10:44 Looking for PK-INIT(ietf) pa-data -- USER_ID@MY_REALM
2022-02-15T17:10:44 Looking for PK-INIT(win2k) pa-data -- USER_ID@MY_REALM
2022-02-15T17:10:44 Looking for ENC-TS pa-data -- USER_ID@MY_REALM
2022-02-15T17:10:44 ENC-TS Pre-authentication succeeded -- USER_ID@MY_REALM using aes256-cts-hmac-sha1-96
2022-02-15T17:10:44 ENC-TS pre-authentication succeeded -- USER_ID@MY_REALM
2022-02-15T17:10:44 AS-REQ authtime: 2022-02-15T17:10:44 starttime: unset endtime: 2022-02-16T17:10:44 renew till: 2022-02-22T17:10:44
2022-02-15T17:10:44 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, des-cbc-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2022-02-15T17:10:44 Requested flags: renewable-ok, renewable, forwardable
2022-02-15T17:10:44 sending 645 bytes to IPv4:CLIENT_IP
2022-02-15T17:10:44 TGS-REQ USER_ID@MY_REALM from IPv4:CLIENT_IP for krbtgt/MY_AD_REALM@MY_REALM [renewable, forwardable]
2022-02-15T17:10:44 TGS-REQ authtime: 2022-02-15T17:10:44 starttime: 2022-02-15T17:10:44 endtime: 2022-02-16T17:10:44 renew till: 2022-02-22T17:10:44
2022-02-15T17:10:44 sending 598 bytes to IPv4:CLIENT_IP
2022-02-15T17:10:45 TGS-REQ USER_ID@MY_REALM from IPv4:CLIENT_IP for cifs/dataserver1@MY_REALM [renewable, forwardable]
2022-02-15T17:10:45 Searching referral for dataserver1
2022-02-15T17:10:45 Server not found in database: cifs/dataserver1@MY_REALM: Unknown code hdb 3
2022-02-15T17:10:45 Failed building TGS-REP to IPv4:CLIENT_IP
2022-02-15T17:10:45 tgs-req: sending error: -1765328377 to client
2022-02-15T17:10:45 sending 105 bytes to IPv4:CLIENT_IP
2022-02-15T17:10:45 TGS-REQ USER_ID@MY_REALM from IPv4:CLIENT_IP for krbtgt/MY_REALM@MY_REALM [renewable-ok, renewable, forwarded, forwardable]
2022-02-15T17:10:45 TGS-REQ authtime: 2022-02-15T17:10:44 starttime: 2022-02-15T17:10:45 endtime: 2022-02-16T17:10:44 renew till: 2022-02-22T17:10:44
2022-02-15T17:10:45 sending 652 bytes to IPv4:CLIENT_IP
2022-02-15T17:10:45 TGS-REQ USER_ID@MY_REALM from IPv4:CLIENT_IP for ldap/AD_SRV.my-ad.domain@MY_REALM [renewable, forwardable]
2022-02-15T17:10:45 Searching referral for AD_SRV.my-ad.domain
2022-02-15T17:10:45 Returning a referral to realm MY_AD_REALM for server ldap/AD_SRV.my-ad.domain@MY_REALM that was not found
2022-02-15T17:10:45 Adding server referral to MY_AD_REALM
2022-02-15T17:10:45 TGS-REQ authtime: 2022-02-15T17:10:44 starttime: 2022-02-15T17:10:45 endtime: 2022-02-16T17:10:44 renew till: 2022-02-22T17:10:44
2022-02-15T17:10:45 sending 821 bytes to IPv4:CLIENT_IP

Click on CAS auth link, W11 client (KRB server)
-------------------------------------------------------------------------
2022-02-15T17:11:23 TGS-REQ USER_ID@MY_REALM from IPv4:CLIENT_IP for HTTP/testlogin.my.domain@MY_REALM [renewable, forwardable]
2022-02-15T17:11:23 TGS-REQ authtime: 2022-02-15T17:10:44 starttime: 2022-02-15T17:11:23 endtime: 2022-02-16T17:10:44 renew till: 2022-02-22T17:10:44
2022-02-15T17:11:23 sending 810 bytes to IPv4:CLIENT_IP

CAS server
----------------
=============================================================
WHO: audit:unknown
WHAT: {result=Service Access Granted, requiredAttributes={}}
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Tue Feb 15 17:17:19 CET 2022
CLIENT IP ADDRESS: CLIENT_IP
SERVER IP ADDRESS: CAS_SRV_EXTERNAL_IP
=============================================================

2022-02-15 17:17:19,524 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] -
2022-02-15 17:17:19,526 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] -
2022-02-15 17:17:19,527 DEBUG [org.apereo.cas.web.flow.authentication.RegisteredServiceAuthenticationPolicySingleSignOnParticipationStrategy] -
2022-02-15 17:17:19,528 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] -
2022-02-15 17:17:19,530 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
2022-02-15 17:17:19,535 DEBUG [org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] -
2022-02-15 17:17:19,535 DEBUG [org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] -
2022-02-15 17:17:19,536 WARN [org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] -
2022-02-15 17:17:19,536 DEBUG [org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] -
2022-02-15 17:17:19,538 DEBUG [org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] -
2022-02-15 17:17:19,542 DEBUG [org.apereo.cas.support.spnego.util.ReverseDNSRunnable] -
2022-02-15 17:17:19,545 DEBUG [org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] -
2022-02-15 17:17:19,545 DEBUG [org.apereo.cas.web.flow.client.HostNameSpnegoKnownClientSystemsFilterAction] -
2022-02-15 17:17:19,545 INFO [org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] -
2022-02-15 17:17:19,545 DEBUG [org.apereo.cas.web.flow.SpnegoNegotiateCredentialsAction] -
2022-02-15 17:17:19,545 DEBUG [org.apereo.cas.web.flow.SpnegoNegotiateCredentialsAction] -
2022-02-15 17:17:19,545 DEBUG [org.apereo.cas.web.flow.SpnegoNegotiateCredentialsAction] -
2022-02-15 17:17:19,546 DEBUG [org.apereo.cas.web.flow.SpnegoCredentialsAction] -
2022-02-15 17:17:19,546 DEBUG [org.apereo.cas.web.flow.SpnegoCredentialsAction] -
2022-02-15 17:17:19,546 WARN [org.apereo.cas.web.flow.SpnegoCredentialsAction] -
2022-02-15 17:17:19,546 INFO [org.apereo.cas.web.flow.actions.AbstractNonInteractiveCredentialsAction] -
2022-02-15 17:17:19,546 INFO [org.apereo.cas.web.flow.SpnegoCredentialsAction] -
2022-02-15 17:17:19,599 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] -
2022-02-15 17:17:19,601 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] -
2022-02-15 17:17:19,608 DEBUG [org.apereo.cas.web.view.CasReloadableMessageBundle] -
2022-02-15 17:17:19,713 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
2022-02-15 17:17:19,717 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] -
2022-02-15 17:17:19,726 DEBUG [org.apereo.cas.web.flow.login.InitialFlowSetupAction] -
2022-02-15 17:17:19,727 DEBUG [org.apereo.cas.web.flow.authentication.RegisteredServiceAuthenticationPolicySingleSignOnParticipationStrategy] -
2022-02-15 17:17:19,728 DEBUG [org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] -
2022-02-15 17:17:19,729 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -
2022-02-15 17:17:19,730 DEBUG [org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] -
2022-02-15 17:17:19,731 DEBUG [org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] -
2022-02-15 17:17:19,731 WARN [org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] -
2022-02-15 17:17:19,731 DEBUG [org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] -
2022-02-15 17:17:19,731 DEBUG [org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] -
2022-02-15 17:17:19,733 DEBUG [org.apereo.cas.support.spnego.util.ReverseDNSRunnable] -
2022-02-15 17:17:19,734 DEBUG [org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] -
2022-02-15 17:17:19,734 DEBUG [org.apereo.cas.web.flow.client.HostNameSpnegoKnownClientSystemsFilterAction] -
2022-02-15 17:17:19,734 INFO [org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] -
2022-02-15 17:17:19,734 DEBUG [org.apereo.cas.web.flow.SpnegoNegotiateCredentialsAction] -
2022-02-15 17:17:19,735 DEBUG [org.apereo.cas.web.flow.SpnegoCredentialsAction] -
2022-02-15 17:17:19,735 DEBUG [org.apereo.cas.web.flow.SpnegoCredentialsAction] -
2022-02-15 17:17:19,735 DEBUG [org.apereo.cas.web.flow.SpnegoCredentialsAction] -
2022-02-15 17:17:19,735 DEBUG [org.apereo.cas.web.flow.SpnegoCredentialsAction] -
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20220215164930.B5096C00A1%40smtp04.mail.de.
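One check worth making before digging into the CAS handler itself is to decode the `Authorization: Negotiate` header the browser actually sends and confirm it is a SPNEGO-wrapped Kerberos token, not NTLM (a Windows client can hold a valid HTTP/ service ticket in klist and still send NTLM if the CAS host is not trusted for integrated auth). The helper below is an added example, not code from this thread or from CAS; the mechanism list and the sample token it builds are constructed, and the CAS log messages in the post are not parsed by it.

```python
import base64

MECH = {  # DER-encoded mechanism OIDs seen in browser Negotiate tokens (dotted form in comments)
    "SPNEGO": bytes.fromhex("2b0601050502"),                 # 1.3.6.1.5.5.2
    "Kerberos V5": bytes.fromhex("2a864886f712010202"),      # 1.2.840.113554.1.2.2
    "MS Kerberos V5": bytes.fromhex("2a864882f712010202"),   # 1.2.840.48018.1.2.2
    "NTLMSSP": bytes.fromhex("2b06010401823702020a"),        # 1.3.6.1.4.1.311.2.2.10
}
NAME = {oid: name for name, oid in MECH.items()}

def der_len(buf, i):
    """DER length at buf[i] -> (length, offset of first content byte); long form handled too."""
    n = buf[i] & 0x7F
    return (buf[i], i + 1) if buf[i] < 0x80 else (int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n)

def enter(buf, i, tag):
    """Require `tag` at buf[i] and step into its contents; raises if the structure is not as expected."""
    if buf[i] != tag:
        raise ValueError(f"expected tag {tag:#04x} at offset {i}, found {buf[i]:#04x}")
    return der_len(buf, i + 1)

def classify_negotiate(header_value):
    """Return (kind, mech names) for an 'Authorization: Negotiate <base64>' header value."""
    token = base64.b64decode(header_value.split(None, 1)[1])
    if token.startswith(b"NTLMSSP\x00"):
        return "raw NTLM", []                 # no Kerberos at all; a Kerberos-only handler cannot use it
    _, i = enter(token, 0, 0x60)              # GSS-API InitialContextToken [APPLICATION 0]
    n, i = enter(token, i, 0x06)              # thisMech OID
    mech, i = token[i:i + n], i + n
    if mech != MECH["SPNEGO"]:
        return NAME.get(mech, mech.hex()), [] # bare mechanism token, no SPNEGO wrapper
    _, i = enter(token, i, 0xA0)              # [0] NegTokenInit
    _, i = enter(token, i, 0x30)              # SEQUENCE
    _, i = enter(token, i, 0xA0)              # [0] mechTypes
    n, i = enter(token, i, 0x30)              # SEQUENCE OF MechType
    mechs, end = [], i + n
    while i < end:
        n, i = enter(token, i, 0x06)
        mechs.append(NAME.get(token[i:i + n], token[i:i + n].hex()))
        i += n
    return "SPNEGO", mechs                    # mechs[0] is the mechanism the client's mechToken uses

def der(tag, body):
    return bytes([tag, len(body)]) + body     # short-form length only: enough for the sample token

def sample_neg_token_init(names):
    """Constructed NegTokenInit advertising `names` (mechToken omitted), as a Windows browser would send."""
    mech_list = der(0x30, b"".join(der(0x06, MECH[n]) for n in names))
    return der(0x60, der(0x06, MECH["SPNEGO"]) + der(0xA0, der(0x30, der(0xA0, mech_list))))

def sample_header(names):
    return "Negotiate " + base64.b64encode(sample_neg_token_init(names)).decode()
```

Feed `classify_negotiate` the header value captured from the browser (developer tools or a TLS-terminating proxy); if the first advertised mechanism is NTLMSSP, or the token is raw NTLM, the client never presented the Kerberos ticket that klist shows, and the fix is on the client's zone or SPN configuration rather than in the CAS handler chain.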
