Thanks very-very much (saved me hours of banging my head against the wall).
--- On Wed, 2/11/09, Scott Battaglia <[email protected]> wrote:

From: Scott Battaglia <[email protected]>
Subject: Re: [cas-user] CAS + Kerberos integration ?
To: [email protected]
Date: Wednesday, February 11, 2009, 1:28 PM

On Wed, Feb 11, 2009 at 4:17 PM, sol myr <[email protected]> wrote:

> Thanks very much for replying.
> Sorry for being vague - we'd like the client to obtain a Kerberos ticket, use it to log into the SSO server, which would validate the Kerberos ticket and then allow the client to access the business application.
> When the SSO server is specifically CAS, it feels like lots of indirection and round-trips (involving both Kerberos ticket *and* CAS TGC)...

Actually, you'll present your Kerberos ticket to CAS, which will validate it and generate its own internal session identifier, which is the TGC. From that point forward whenever a service uses CAS, it will be issued a one-time Service Ticket. No further Kerberos or Ticket Granting Tickets are created.

> So I wondered whether it's really what people do (assuming they want Kerberos)?

I'm not sure I follow your question. You either need to configure all of your applications to utilize Kerberos authentication, or to use CAS for authentication.

> Or is there some magical "trick" to issue only one ticket (kerberos) and skip the extra TGC?
> If nothing else, maybe configure CAS to work like ticket-less SSO servers (say, josso)...?

If you only want a Kerberos ticket, then why aren't you just using Kerberos? The TGC isn't extra. It's the internal CAS identifier for your session.

> Thanks again.
>
> --- On Wed, 2/11/09, Scott Battaglia <[email protected]> wrote:
>
> From: Scott Battaglia <[email protected]>
> Subject: Re: [cas-user] CAS + Kerberos integration ?
> To: [email protected]
> Date: Wednesday, February 11, 2009, 6:59 AM
>
> You'll need clarification from your security people on what Kerberos authentication actually means. If you need each application to speak to Kerberos directly, then CAS won't help you.
>
> If you need CAS to speak to Kerberos, you can either use SPNEGO (if you use a Windows system) or the JAAS module to speak to Kerberos and then all of your applications would just speak to CAS.
>
> -Scott
>
> On Wed, Feb 11, 2009 at 8:30 AM, sol myr <[email protected]> wrote:
>
> > Hi,
> > We are evaluating CAS.
> > Our security guys require Kerberos authentication (note: all our machines are Windows, servers and clients alike).
> > Now we were wondering: how does CAS support Kerberos, exactly?
> > In particular: Is it possible/customary to configure CAS to use Kerberos tickets *instead* of CAS tickets?
> > Or is it Kerberos tickets *in addition* to CAS tickets (so that the client first obtains a kerberos ticket, which CAS-server validates and then issues a CAS TGC)?
> > Thanks very much.

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
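
The flow Scott Battaglia describes in this thread (Kerberos ticket validated once by CAS, then a TGC session, then one-time Service Tickets per application) as an added toy model in Python. It is not CAS code and not part of the original messages; the class and method names, the validator callback, the URLs and the sample ticket string are all constructed for illustration, and the check that a Service Ticket matches the requesting service follows the CAS protocol's `service` parameter.

```python
import secrets

class ToyCasServer:
    """Toy model of the ticket flow in the thread; names are hypothetical."""

    def __init__(self, kerberos_validator):
        # Assumed callback standing in for SPNEGO/JAAS: token -> principal or None
        self._validate_kerberos = kerberos_validator
        self._sessions = {}         # TGC value -> principal
        self._service_tickets = {}  # ST value -> (principal, service URL)

    def login_with_kerberos(self, spnego_token):
        """Validate the Kerberos ticket once and open a CAS session (the TGC)."""
        principal = self._validate_kerberos(spnego_token)
        if principal is None:
            raise PermissionError("Kerberos ticket rejected")
        tgc = "TGC-" + secrets.token_urlsafe(32)
        self._sessions[tgc] = principal
        return tgc

    def grant_service_ticket(self, tgc, service):
        """Issue a Service Ticket from the CAS session; Kerberos is not consulted."""
        principal = self._sessions.get(tgc)
        if principal is None:
            raise PermissionError("no CAS session for this TGC")
        st = "ST-" + secrets.token_urlsafe(32)
        self._service_tickets[st] = (principal, service)
        return st

    def validate_service_ticket(self, st, service):
        """Called by the application; pop() consumes the ticket on first use."""
        entry = self._service_tickets.pop(st, None)
        if entry is None or entry[1] != service:
            return None
        return entry[0]

def fake_kerberos_validator(token):
    # Constructed stand-in for real Kerberos validation.
    return {"constructed-ticket-for-alice": "alice@EXAMPLE.ORG"}.get(token)

def demo():
    cas = ToyCasServer(fake_kerberos_validator)
    tgc = cas.login_with_kerberos("constructed-ticket-for-alice")
    app_a, app_b = "https://app-a.example.org/", "https://app-b.example.org/"
    st_a = cas.grant_service_ticket(tgc, app_a)
    st_b = cas.grant_service_ticket(tgc, app_b)
    return {
        "first_use": cas.validate_service_ticket(st_a, app_a),
        "replay": cas.validate_service_ticket(st_a, app_a),
        "wrong_service": cas.validate_service_ticket(st_b, app_a),
    }
```

The applications in this model only ever see Service Tickets; the Kerberos ticket is checked once at login and the TGC never leaves the exchange between the client and the CAS server.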
