Hi,

I tried to follow the instructions on this page
https://apereo.github.io/cas/6.4.x/authentication/SPNEGO-Authentication.html#spnego-authentication
and managed to go a bit further.

Then I installed an empty WordPress site, using CAS authentication through the "Authorizer" extension.

I can see some SPNEGO dialog in the CAS logfile, and it seems it considers a Kerberos token. Good starting point!

But in the end, the SPNEGO authentication fails and it falls back to the login form (which works).

"klist" on the client shows a ticket for the CAS HTTP principal.

Here is what I managed to track during the different steps. It seems my CAS server is not able to handle the provided information (an LDAP handler trying to process a token?), but I don't know what to do at that level. I have tried numerous configuration properties I have found here and there, but many seem deprecated or have changed.

Can someone help me guess where the problem is?

Thanks

W11 login (KRB server)
---------------------------------
2022-02-15T17:10:44 AS-REQ USER_ID@MY_REALM from IPv4:CLIENT_IP for 
krbtgt/MY_REALM@MY_REALM
2022-02-15T17:10:44 Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
2022-02-15T17:10:44 sending 281 bytes to IPv4:CLIENT_IP
2022-02-15T17:10:44 AS-REQ USER_ID@MY_REALM from IPv4:CLIENT_IP for 
krbtgt/MY_REALM@MY_REALM
2022-02-15T17:10:44 Client sent patypes: ENC-TS
2022-02-15T17:10:44 Looking for PK-INIT(ietf) pa-data -- USER_ID@MY_REALM
2022-02-15T17:10:44 Looking for PK-INIT(win2k) pa-data -- USER_ID@MY_REALM
2022-02-15T17:10:44 Looking for ENC-TS pa-data -- USER_ID@MY_REALM
2022-02-15T17:10:44 ENC-TS Pre-authentication succeeded -- USER_ID@MY_REALM 
using aes256-cts-hmac-sha1-96
2022-02-15T17:10:44 ENC-TS pre-authentication succeeded -- USER_ID@MY_REALM
2022-02-15T17:10:44 AS-REQ authtime: 2022-02-15T17:10:44 starttime: unset 
endtime: 2022-02-16T17:10:44 renew till: 2022-02-22T17:10:44
2022-02-15T17:10:44 Client supported enctypes: aes256-cts-hmac-sha1-96, 
aes128-cts-hmac-sha1-96, arcfour-hmac-md5, 24, -135, des-cbc-md5, using 
aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2022-02-15T17:10:44 Requested flags: renewable-ok, renewable, forwardable
2022-02-15T17:10:44 sending 645 bytes to IPv4:CLIENT_IP
2022-02-15T17:10:44 TGS-REQ USER_ID@MY_REALM from IPv4:CLIENT_IP for 
krbtgt/MY_AD_REALM@MY_REALM [renewable, forwardable]
2022-02-15T17:10:44 TGS-REQ authtime: 2022-02-15T17:10:44 starttime: 
2022-02-15T17:10:44 endtime: 2022-02-16T17:10:44 renew till: 2022-02-22T17:10:44
2022-02-15T17:10:44 sending 598 bytes to IPv4:CLIENT_IP
2022-02-15T17:10:45 TGS-REQ USER_ID@MY_REALM from IPv4:CLIENT_IP for 
cifs/dataserver1@MY_REALM [renewable, forwardable]
2022-02-15T17:10:45 Searching referral for dataserver1
2022-02-15T17:10:45 Server not found in database: cifs/dataserver1@MY_REALM: 
Unknown code hdb 3
2022-02-15T17:10:45 Failed building TGS-REP to IPv4:CLIENT_IP
2022-02-15T17:10:45 tgs-req: sending error: -1765328377 to client
2022-02-15T17:10:45 sending 105 bytes to IPv4:CLIENT_IP
2022-02-15T17:10:45 TGS-REQ USER_ID@MY_REALM from IPv4:CLIENT_IP for 
krbtgt/MY_REALM@MY_REALM [renewable-ok, renewable, forwarded, forwardable]
2022-02-15T17:10:45 TGS-REQ authtime: 2022-02-15T17:10:44 starttime: 
2022-02-15T17:10:45 endtime: 2022-02-16T17:10:44 renew till: 2022-02-22T17:10:44
2022-02-15T17:10:45 sending 652 bytes to IPv4:CLIENT_IP
2022-02-15T17:10:45 TGS-REQ USER_ID@MY_REALM from IPv4:CLIENT_IP for 
ldap/AD_SRV.my-ad.domain@MY_REALM [renewable, forwardable]
2022-02-15T17:10:45 Searching referral for AD_SRV.my-ad.domain
2022-02-15T17:10:45 Returning a referral to realm MY_AD_REALM for server 
ldap/AD_SRV.my-ad.domain@MY_REALM that was not found
2022-02-15T17:10:45 Adding server referral to MY_AD_REALM
2022-02-15T17:10:45 TGS-REQ authtime: 2022-02-15T17:10:44 starttime: 
2022-02-15T17:10:45 endtime: 2022-02-16T17:10:44 renew till: 2022-02-22T17:10:44
2022-02-15T17:10:45 sending 821 bytes to IPv4:CLIENT_IP

Click on CAS auth link W11 client (KRB SERVER)
-------------------------------------------------------------------------
2022-02-15T17:11:23 TGS-REQ USER_ID@MY_REALM from IPv4:CLIENT_IP for 
HTTP/testlogin.my.domain@MY_REALM [renewable, forwardable]
2022-02-15T17:11:23 TGS-REQ authtime: 2022-02-15T17:10:44 starttime: 
2022-02-15T17:11:23 endtime: 2022-02-16T17:10:44 renew till: 2022-02-22T17:10:44
2022-02-15T17:11:23 sending 810 bytes to IPv4:CLIENT_IP

CAS server
----------------
=============================================================
WHO: audit:unknown
WHAT: {result=Service Access Granted, requiredAttributes={}}
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Tue Feb 15 17:17:19 CET 2022
CLIENT IP ADDRESS: CLIENT_IP
SERVER IP ADDRESS: CAS_SRV_EXTERNAL_IP
============================================================= >
2022-02-15 17:17:19,524 DEBUG 
[org.apereo.cas.web.flow.login.InitialFlowSetupAction] - 
2022-02-15 17:17:19,526 DEBUG 
[org.apereo.cas.web.flow.login.InitialFlowSetupAction] - 
2022-02-15 17:17:19,527 DEBUG 
[org.apereo.cas.web.flow.authentication.RegisteredServiceAuthenticationPolicySingleSignOnParticipationStrategy]
 - 
2022-02-15 17:17:19,528 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
2022-02-15 17:17:19,530 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
2022-02-15 17:17:19,535 DEBUG 
[org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] - 
2022-02-15 17:17:19,535 DEBUG 
[org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] - 
2022-02-15 17:17:19,536 WARN 
[org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] - 
2022-02-15 17:17:19,536 DEBUG 
[org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] - 
2022-02-15 17:17:19,538 DEBUG 
[org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] - 
2022-02-15 17:17:19,542 DEBUG 
[org.apereo.cas.support.spnego.util.ReverseDNSRunnable] - 
2022-02-15 17:17:19,545 DEBUG 
[org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] - 
2022-02-15 17:17:19,545 DEBUG 
[org.apereo.cas.web.flow.client.HostNameSpnegoKnownClientSystemsFilterAction] - 
2022-02-15 17:17:19,545 INFO 
[org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] - 
2022-02-15 17:17:19,545 DEBUG 
[org.apereo.cas.web.flow.SpnegoNegotiateCredentialsAction] - 
2022-02-15 17:17:19,545 DEBUG 
[org.apereo.cas.web.flow.SpnegoNegotiateCredentialsAction] - 
2022-02-15 17:17:19,545 DEBUG 
[org.apereo.cas.web.flow.SpnegoNegotiateCredentialsAction] - 
2022-02-15 17:17:19,546 DEBUG [org.apereo.cas.web.flow.SpnegoCredentialsAction] 
- 
2022-02-15 17:17:19,546 DEBUG [org.apereo.cas.web.flow.SpnegoCredentialsAction] 
- 
2022-02-15 17:17:19,546 WARN [org.apereo.cas.web.flow.SpnegoCredentialsAction] 
- 
2022-02-15 17:17:19,546 INFO 
[org.apereo.cas.web.flow.actions.AbstractNonInteractiveCredentialsAction] - 
2022-02-15 17:17:19,546 INFO [org.apereo.cas.web.flow.SpnegoCredentialsAction] 
- 
2022-02-15 17:17:19,599 DEBUG 
[org.apereo.cas.web.view.CasReloadableMessageBundle] - 
2022-02-15 17:17:19,601 DEBUG 
[org.apereo.cas.web.view.CasReloadableMessageBundle] - 
2022-02-15 17:17:19,608 DEBUG 
[org.apereo.cas.web.view.CasReloadableMessageBundle] - 
2022-02-15 17:17:19,713 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
2022-02-15 17:17:19,717 DEBUG 
[org.apereo.cas.web.flow.login.InitialFlowSetupAction] - 
2022-02-15 17:17:19,726 DEBUG 
[org.apereo.cas.web.flow.login.InitialFlowSetupAction] - 
2022-02-15 17:17:19,727 DEBUG 
[org.apereo.cas.web.flow.authentication.RegisteredServiceAuthenticationPolicySingleSignOnParticipationStrategy]
 - 
2022-02-15 17:17:19,728 DEBUG 
[org.apereo.cas.web.flow.resolver.impl.AbstractCasWebflowEventResolver] - 
2022-02-15 17:17:19,729 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - 
2022-02-15 17:17:19,730 DEBUG 
[org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] - 
2022-02-15 17:17:19,731 DEBUG 
[org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] - 
2022-02-15 17:17:19,731 WARN 
[org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] - 
2022-02-15 17:17:19,731 DEBUG 
[org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] - 
2022-02-15 17:17:19,731 DEBUG 
[org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] - 
2022-02-15 17:17:19,733 DEBUG 
[org.apereo.cas.support.spnego.util.ReverseDNSRunnable] - 
2022-02-15 17:17:19,734 DEBUG 
[org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] - 
2022-02-15 17:17:19,734 DEBUG 
[org.apereo.cas.web.flow.client.HostNameSpnegoKnownClientSystemsFilterAction] - 
2022-02-15 17:17:19,734 INFO 
[org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] - 
2022-02-15 17:17:19,734 DEBUG 
[org.apereo.cas.web.flow.SpnegoNegotiateCredentialsAction] - 
2022-02-15 17:17:19,735 DEBUG [org.apereo.cas.web.flow.SpnegoCredentialsAction] 
- 
2022-02-15 17:17:19,735 DEBUG [org.apereo.cas.web.flow.SpnegoCredentialsAction] 
- 
2022-02-15 17:17:19,735 DEBUG [org.apereo.cas.web.flow.SpnegoCredentialsAction] 
- 
2022-02-15 17:17:19,735 DEBUG [org.apereo.cas.web.flow.SpnegoCredentialsAction] 
-
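
Added example, not part of the original post and not CAS or KDC project code: a small Python triage of the KDC log above that pairs each TGS-REQ with its outcome, to confirm the HTTP/ service ticket was issued while the cifs/ request was refused. The sample lines are constructed from the post's entries, unwrapped to one entry per line; the function and field names are hypothetical.

```python
import re

# Constructed sample: entries taken from the KDC log in the post, unwrapped
# to one entry per line (the e-mail wrapped them at ~80 columns).
SAMPLE = """\
2022-02-15T17:10:45 TGS-REQ USER_ID@MY_REALM from IPv4:CLIENT_IP for cifs/dataserver1@MY_REALM [renewable, forwardable]
2022-02-15T17:10:45 Searching referral for dataserver1
2022-02-15T17:10:45 Server not found in database: cifs/dataserver1@MY_REALM: Unknown code hdb 3
2022-02-15T17:10:45 Failed building TGS-REP to IPv4:CLIENT_IP
2022-02-15T17:10:45 tgs-req: sending error: -1765328377 to client
2022-02-15T17:10:45 sending 105 bytes to IPv4:CLIENT_IP
2022-02-15T17:10:45 TGS-REQ USER_ID@MY_REALM from IPv4:CLIENT_IP for ldap/AD_SRV.my-ad.domain@MY_REALM [renewable, forwardable]
2022-02-15T17:10:45 Returning a referral to realm MY_AD_REALM for server ldap/AD_SRV.my-ad.domain@MY_REALM that was not found
2022-02-15T17:10:45 TGS-REQ authtime: 2022-02-15T17:10:44 starttime: 2022-02-15T17:10:45 endtime: 2022-02-16T17:10:44 renew till: 2022-02-22T17:10:44
2022-02-15T17:10:45 sending 821 bytes to IPv4:CLIENT_IP
2022-02-15T17:11:23 TGS-REQ USER_ID@MY_REALM from IPv4:CLIENT_IP for HTTP/testlogin.my.domain@MY_REALM [renewable, forwardable]
2022-02-15T17:11:23 sending 810 bytes to IPv4:CLIENT_IP
"""

KRB5_BASE = -1765328384  # krb5 com_err table base; logged value minus base = protocol error code
REQ = re.compile(r"^(\S+) TGS-REQ (\S+) from \S+ for (\S+)")  # skips "TGS-REQ authtime:" lines
ERR = re.compile(r"tgs-req: sending error: (-?\d+) to client")
REFERRAL = re.compile(r"Returning a referral to realm (\S+) for server")
SENT = re.compile(r" sending \d+ bytes to ")

def tgs_outcomes(log_text):
    """Return one dict per TGS-REQ: time, client, service and what the KDC did."""
    results, cur = [], None
    for line in log_text.splitlines():
        m = REQ.match(line)
        if m:
            cur = {"time": m[1], "client": m[2], "service": m[3], "outcome": "issued"}
        elif cur is None:
            continue
        elif (e := ERR.search(line)):
            cur["outcome"] = "refused"
            cur["krb_error"] = int(e[1]) - KRB5_BASE  # 7 = KDC_ERR_S_PRINCIPAL_UNKNOWN
        elif (r := REFERRAL.search(line)):
            cur["outcome"] = "referral to " + r[1]
        elif SENT.search(line):  # the reply leaving the KDC closes the request
            results.append(cur)
            cur = None
    return results

if __name__ == "__main__":
    for row in tgs_outcomes(SAMPLE):
        print(row["time"], row["service"], "->", row["outcome"], row.get("krb_error", ""))
```

An `issued` outcome for the `HTTP/` principal means the KDC side of the exchange completed, so the remaining checks belong on the service side.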
