On Wed, Feb 11, 2009 at 4:57 PM, sol myr <[email protected]> wrote:

> Thanks very-very much
> (saved me hours of banging my head against the wall).

So does that mean you need CAS or no? ;-)

>
> --- On *Wed, 2/11/09, Scott Battaglia <[email protected]>* wrote:
>
> From: Scott Battaglia <[email protected]>
> Subject: Re: [cas-user] CAS + Kerberos integration ?
> To: [email protected]
> Date: Wednesday, February 11, 2009, 1:28 PM
>
> On Wed, Feb 11, 2009 at 4:17 PM, sol myr <[email protected]> wrote:
>
>> Thanks very much for replying.
>>
>> Sorry for being vague - we'd like the client to obtain a Kerberos ticket,
>> use it to log into the SSO server, which would validate the Kerberos ticket
>> and then allow the client to access the business application.
>>
>> When the SSO server is specifically CAS, it feels like lots of indirection
>> and round-trips (involving both Kerberos ticket *and* CAS TGC)...
>
> Actually, you'll present your Kerberos ticket to CAS, which will validate
> it and generate its own internal session identifier, which is the TGC. From
> that point forward whenever a service uses CAS, it will be issued a one time
> Service Ticket. No further Kerberos or Ticket Granting Tickets are created.
>
>>
>> So I wondered whether it's really what people do (assuming they want
>> Kerberos)?
>
> I'm not sure I follow your question. You either need to configure all of
> your applications to utilize Kerberos authentication, or to use CAS for
> authentication.
>
>>
>> Or is there some magical "trick" to issue only one ticket (kerberos) and
>> skip the extra TGC? If nothing else, maybe configure CAS to work like
>> ticket-less SSO servers (say, josso)...?
>
> If you only want a Kerberos ticket, then why aren't you just using
> Kerberos? The TGC isn't extra. It's the internal CAS identifier for your
> session.
>
>>
>> Thanks again.
>>
>> --- On *Wed, 2/11/09, Scott Battaglia <[email protected]>* wrote:
>>
>> From: Scott Battaglia <[email protected]>
>> Subject: Re: [cas-user] CAS + Kerberos integration ?
>> To: [email protected]
>> Date: Wednesday, February 11, 2009, 6:59 AM
>>
>> You'll need clarification from your security people on what Kerberos
>> authentication actually means.
>>
>> If you need each application to speak to Kerberos directly, then CAS won't
>> help you. If you need CAS to speak to Kerberos, you can either use SPNEGO
>> (if you use a Windows system) or the JAAS module to speak to Kerberos and
>> then all of your applications would just speak to CAS.
>>
>> -Scott
>>
>> On Wed, Feb 11, 2009 at 8:30 AM, sol myr <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> We are evaluating CAS.
>>> Our security guys require Kerberos authentication (note: all our machines
>>> are Windows, servers and clients alike). Now we were wondering: how does
>>> CAS support Kerberos, exactly? In particular:
>>>
>>> Is it possible/customary to configure CAS to use Kerberos tickets
>>> *instead* of CAS tickets? Or is it Kerberos tickets *in addition* to CAS
>>> tickets (so that the client first obtains a kerberos ticket, which
>>> CAS-server validates and then issues a CAS TGC)?
>>>
>>> Thanks very much.
>>>
>>> --
>>> You are currently subscribed to [email protected] as:
>>> [email protected]
>>>
>>> To unsubscribe, change settings or access archives, see
>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
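
Added example (not part of the original thread and not CAS project code): a small Python model of the flow described in the replies above, where Kerberos is validated once at login, CAS issues its own session identifier (the TGC), and each service then gets a one-time Service Ticket. The class and function names, ticket prefixes, lifetime value and sample token are assumptions made for illustration.

```python
import secrets
import time

ST_LIFETIME = 10  # seconds; assumed value for this sketch, not a CAS default


class CasServerModel:
    """Toy model of the ticket flow described in the thread (not CAS source code)."""

    def __init__(self, verify_kerberos):
        # verify_kerberos: callable(token) -> principal or None. It stands in for
        # the SPNEGO/JAAS handler; real GSS-API validation is outside this sketch.
        self.verify_kerberos = verify_kerberos
        self.sessions = {}         # TGC value -> principal
        self.service_tickets = {}  # ST value -> (principal, service, expires_at)

    def login(self, kerberos_token):
        """Kerberos is checked once, here; the result is CAS's own session id (TGC)."""
        principal = self.verify_kerberos(kerberos_token)
        if principal is None:
            return None
        tgc = "TGC-" + secrets.token_urlsafe(32)  # prefix is illustrative
        self.sessions[tgc] = principal
        return tgc

    def grant_service_ticket(self, tgc, service):
        """A valid TGC yields a fresh ST bound to one service; Kerberos is not consulted."""
        principal = self.sessions.get(tgc)
        if principal is None:
            return None
        st = "ST-" + secrets.token_urlsafe(24)
        self.service_tickets[st] = (principal, service, time.monotonic() + ST_LIFETIME)
        return st

    def validate(self, st, service):
        """Back-channel check made by the application; the ST is consumed on first use."""
        entry = self.service_tickets.pop(st, None)  # pop enforces one-time use
        if entry is None:
            return None
        principal, bound_service, expires_at = entry
        if bound_service != service or time.monotonic() > expires_at:
            return None
        return principal


def demo_verifier(token):
    # Constructed sample data: maps one fake token to a principal.
    return {"constructed-spnego-token": "alice@EXAMPLE.ORG"}.get(token)
```

The applications in this model only ever see Service Tickets, which is why they need no Kerberos configuration of their own.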
