On Wed, Feb 11, 2009 at 4:17 PM, sol myr <[email protected]> wrote:

> Thanks very much for replying.
>
> Sorry for being vague - we'd like the client to obtain a Kerberos ticket,
> use it to log into the SSO server, which would validate the Kerberos ticket
> and then allow the client to access the business application.
>
> When the SSO server is specifically CAS, it feels like lots of indirection
> and round-trips (involving both Kerberos ticket *and* CAS TGC)...

Actually, you'll present your Kerberos ticket to CAS, which will validate it and generate its own internal session identifier, which is the TGC. From that point forward whenever a service uses CAS, it will be issued a one time Service Ticket. No further Kerberos or Ticket Granting Tickets are created.

> So I wondered whether it's really what people do (assuming they want
> Kerberos)?

I'm not sure I follow your question. You either need to configure all of your applications to utilize Kerberos authentication, or to use CAS for authentication.

> Or is there some magical "trick" to issue only one ticket (Kerberos) and
> skip the extra TGC? If nothing else, maybe configure CAS to work like
> ticket-less SSO servers (say, josso)...?

If you only want a Kerberos ticket, then why aren't you just using Kerberos? The TGC isn't extra. It's the internal CAS identifier for your session.

> Thanks again.
>
> --- On *Wed, 2/11/09, Scott Battaglia <[email protected]>* wrote:
>
> From: Scott Battaglia <[email protected]>
> Subject: Re: [cas-user] CAS + Kerberos integration ?
> To: [email protected]
> Date: Wednesday, February 11, 2009, 6:59 AM
>
> You'll need clarification from your security people on what Kerberos
> authentication actually means.
>
> If you need each application to speak to Kerberos directly, then CAS won't
> help you. If you need CAS to speak to Kerberos, you can either use SPNEGO
> (if you use a Windows system) or the JAAS module to speak to Kerberos and
> then all of your applications would just speak to CAS.
>
> -Scott
>
> On Wed, Feb 11, 2009 at 8:30 AM, sol myr <[email protected]> wrote:
>
>> Hi,
>>
>> We are evaluating CAS.
>> Our security guys require Kerberos authentication (note: all our machines
>> are Windows, servers and clients alike). Now we were wondering: how does
>> CAS support Kerberos, exactly? In particular:
>>
>> Is it possible/customary to configure CAS to use Kerberos tickets
>> *instead* of CAS tickets?
>> Or is it Kerberos tickets *in addition* to CAS
>> tickets (so that the client first obtains a Kerberos ticket, which
>> CAS-server validates and then issues a CAS TGC)?
>>
>> Thanks very much.

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
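
A small model of the ticket flow described in the reply above (Kerberos validated once, a TGC for the CAS session, then one-time service tickets), added here as an illustration; it is not CAS code and not part of the original thread. `CasServerModel`, the `validate_kerberos` callback, the ticket prefixes and the 10-second lifetime are assumptions made for the example.

```python
import secrets
import time

ST_LIFETIME_SECONDS = 10  # assumed value for this model


class CasServerModel:
    """Model of the ticket flow described in the thread; not CAS's own code."""

    def __init__(self, validate_kerberos):
        # validate_kerberos: hypothetical callback standing in for the
        # SPNEGO/JAAS check; returns a principal name or None.
        self._validate_kerberos = validate_kerberos
        self._sessions = {}  # TGC value -> principal
        self._service_tickets = {}  # ST -> (principal, service, expiry)

    def login(self, kerberos_token):
        """Validate the Kerberos credential once, then issue the TGC."""
        principal = self._validate_kerberos(kerberos_token)
        if principal is None:
            raise PermissionError("Kerberos validation failed")
        tgc = "TGC-" + secrets.token_urlsafe(32)  # prefix is only a label here
        self._sessions[tgc] = principal
        return tgc

    def grant_service_ticket(self, tgc, service):
        """Issue a one-time ST bound to one service; Kerberos is not involved."""
        principal = self._sessions.get(tgc)
        if principal is None:
            raise PermissionError("no CAS session for this TGC")
        st = "ST-" + secrets.token_urlsafe(32)
        expiry = time.monotonic() + ST_LIFETIME_SECONDS
        self._service_tickets[st] = (principal, service, expiry)
        return st

    def validate_service_ticket(self, st, service):
        """Called by the application; the ST is consumed on first use."""
        entry = self._service_tickets.pop(st, None)
        if entry is None:
            return None
        principal, issued_for, expiry = entry
        if issued_for != service or time.monotonic() > expiry:
            return None
        return principal


if __name__ == "__main__":  # constructed sample token and service URL
    cas = CasServerModel(lambda tok: "alice" if tok == "sample-token" else None)
    st = cas.grant_service_ticket(cas.login("sample-token"), "https://app.example/")
    print(cas.validate_service_ticket(st, "https://app.example/"))
```

The applications only ever see service tickets, which is why the TGC is the session state that makes single sign-on possible rather than an extra credential.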
