Arnaud,

You could try this addition to your login-webflow.xml, so that users who are in 
offshore offices can use the URL:
https://<yourcasserver>/login?bypassSPNEGO=true&service=<your service name>

Also you can ask them to put the casserver (https://<yourcasserver>) in their 
INTERNET zone as a trusted server as at least one of our users has done with 
some success.

Hope this helps.
Tom


        <!-- An existing ticket-granting ticket skips the bypass check -->
        <decision-state id="ticketGrantingTicketExistsCheck">
                <if test="${flowScope.ticketGrantingTicketId != null}" then="hasServiceCheck" else="bypassSPNEGO" />
        </decision-state>

        <!-- bypassSPNEGO present and non-empty (the parameter from the URL above): show the login form -->
        <decision-state id="bypassSPNEGO">
                <if test="${externalContext.requestParameterMap['bypassSPNEGO'] != '' &amp;&amp; externalContext.requestParameterMap['bypassSPNEGO'] != null}" then="viewLoginForm" else="gatewayRequestCheck" />
        </decision-state>

        <!-- gateway present and a service known: redirect, otherwise start authentication -->
        <decision-state id="gatewayRequestCheck">
                <if test="${externalContext.requestParameterMap['gateway'] != '' &amp;&amp; externalContext.requestParameterMap['gateway'] != null &amp;&amp; flowScope.service != null}" then="redirect" else="startAuthenticate" />
        </decision-state>

        <!-- renew present: authenticate again, otherwise issue a service ticket -->
        <decision-state id="renewRequestCheck">
                <if test="${externalContext.requestParameterMap['renew'] != '' &amp;&amp; externalContext.requestParameterMap['renew'] != null}" then="startAuthenticate" else="generateServiceTicket" />
        </decision-state>

> -----Original Message-----
> From: Arnaud Claden [mailto:[email protected]]
> Sent: Thursday, July 30, 2009 2:17 AM
> To: [email protected]
> Subject: RE : [cas-user] Multi-mode CAS
> 
> Hello Heinz,
> 
> Unfortunately, this is not possible as the URL of the casified web
> applications is the same for everyone, either from our internal network
> or from foreign offices, and we can't change it as it would mean
> changing all links on all workstations worldwide.
> 
> @Michael:
> We can't do that either, as we don't have access to browsers'
> configuration.
> 
> ________________________________________
> From: Heinz Drews [[email protected]]
> Sent: Wednesday, July 29, 2009 13:13
> To: [email protected]
> Subject: Re: [cas-user] Multi-mode CAS
> 
> Hello Arnaud,
> 
> IE only uses the SPNEGO/NTLM handshake to servers which are in the
> intranet zone.
> 
> You could specify a DNS name which is seen as "foreign".
> 
> Regards,
> Heinz
> 
> On Wed, Jul 29, 2009 at 11:51, Arnaud Claden<[email protected]> wrote:
> > Hello everyone,
> >
> > I have a little problem with my implementation of CAS.
> >
> > I have tested the Active Directory SSO with SPNEGO : it works like a charm.
> > I have tested the fallback to LDAP : it works like a charm.
> >
> > The problem I have is the following :
> >
> > Some workstations are in offshore offices, which means they are not connected to the Active Directory. For them, the LDAP fallback is the solution. However, when Internet Explorer browses to a site with SSO, it displays a domain logon window.
> > This is natural as these workstations have no security option configured (and they are not intended to have these modifications).
> >
> > Is there a way to prevent this from happening ?
> >
> > If there is none, we are implementing another CAS server for these cases (a server only validating on LDAP), but how can I have it work right, as the web applications are only configured for one CAS server, and not two. Is there a way to check the browser's IP address and, depending on it, sending auth to SPNEGO or to LDAP ?
> >
> > Thanks in advance for your answers.
> >
> > A. Claden
> > --
> > You are currently subscribed to [email protected] as:
> [email protected]
> > To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
> >
> 
> 
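
The routing these decision-states produce for a few requests, modelled in Python as an added example (not part of Tom's message or of CAS itself). It assumes both bypass tests read the bypassSPNEGO parameter used in the URL above and treats target states not defined in the fragment as terminal; the service URL and TGT id are constructed sample values.

```python
# Added illustration: models only the four decision-states quoted in this message.
# Target states that the fragment does not define are treated as terminal.

def present(params, name):
    """Mirror of the EL test: parameter != '' && parameter != null."""
    return params.get(name) not in (None, "")

# state id -> function(request_params, flow_scope) returning the next state id
DECISIONS = {
    "ticketGrantingTicketExistsCheck": lambda p, f: (
        "hasServiceCheck" if f.get("ticketGrantingTicketId") is not None
        else "bypassSPNEGO"),
    # Assumption: both tests read 'bypassSPNEGO', the parameter in the URL.
    "bypassSPNEGO": lambda p, f: (
        "viewLoginForm" if present(p, "bypassSPNEGO")
        else "gatewayRequestCheck"),
    "gatewayRequestCheck": lambda p, f: (
        "redirect" if present(p, "gateway") and f.get("service") is not None
        else "startAuthenticate"),
    "renewRequestCheck": lambda p, f: (
        "startAuthenticate" if present(p, "renew")
        else "generateServiceTicket"),
}

def route(params, flow_scope, start="ticketGrantingTicketExistsCheck"):
    """Follow decision-states until a state outside the fragment is reached."""
    path = [start]
    while path[-1] in DECISIONS:
        path.append(DECISIONS[path[-1]](params, flow_scope))
    return path

if __name__ == "__main__":
    svc = {"service": "https://app.example.org/"}      # constructed sample
    with_tgt = dict(svc, ticketGrantingTicketId="TGT-constructed")
    cases = [
        ("plain request", {}, svc),
        ("bypassSPNEGO=true", {"bypassSPNEGO": "true"}, svc),
        ("bypassSPNEGO=false", {"bypassSPNEGO": "false"}, svc),
        ("bypassSPNEGO= (empty)", {"bypassSPNEGO": ""}, svc),
        ("gateway=true", {"gateway": "true"}, svc),
        ("bypass with existing TGT", {"bypassSPNEGO": "true"}, with_tgt),
    ]
    for label, params, scope in cases:
        print(f"{label:26} -> {' -> '.join(route(params, scope))}")
```

The test is a presence check only, so bypassSPNEGO=false reaches viewLoginForm just as bypassSPNEGO=true does, and a request that already has a ticket-granting ticket never reaches the bypass state.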

