Hi Andy,

From what you described of your problem, you have multiple KDCs that correspond to your Domains and you want to be able to do SPNEGO; however, if user A is in Domain A and the application you want access to is deployed in Domain B, user A will not be able to automatically log in?

And what you want is to be able to have CAS attempt to negotiate SPNEGO with all specified domains until a match for the user is found? I spent some time looking through the CAS 3.3.5 codebase and unfortunately, I did not see any container that would take a list or array of domains to attempt SPNEGO. Can you guarantee that there are not duplicate users across domains? How would you choose which one is correct if there were duplicates?

I would suggest that you attempt SPNEGO with your most complete AD Domain and then use multiple LDAP Bind authentication handlers as a fallback. Yes, some users might have to enter their credentials again, but once they do, they are authenticated for the duration of the TGT.

We have two Directory Trees, one AD and one Novell; most users are in the AD tree but many of our subsidiaries are not. So we attempt SPNEGO with AD; if that fails, the user is presented with a login screen and we step through our Bind LDAP auth handlers.

Hope this helps,

Dean

--
View this message in context: http://jasig.275507.n4.nabble.com/CAS-with-SPNEGO-supporting-multiple-realms-tp2263888p2264091.html
Sent from the CAS Users mailing list archive at Nabble.com.
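As a constructed illustration of the layout Dean describes (not configuration from this thread or from the CAS project), a deployerConfigContext.xml fragment for CAS 3.x with one SPNEGO handler for the most complete AD realm followed by two LDAP bind handlers that are tried in list order when the login form is used. Hostnames, DNs, bean ids and the service credentials are placeholders, the Spring `p:` namespace is assumed to be declared, and the class names are the CAS 3.x spnego and ldap module classes as I recall them, so check them against the 3.3.5 jars before use.

```xml
<!-- Constructed example for CAS 3.x deployerConfigContext.xml; all hosts, DNs and secrets are placeholders. -->
<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
  <property name="authenticationHandlers">
    <list>
      <!-- 1. SPNEGO against the single AD realm that holds most users (only handles SpnegoCredentials). -->
      <bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler"
            p:authentication-ref="jcifsAuthentication"
            p:principalWithDomainName="false" />
      <!-- 2. Fallback for the login form: bind handlers are walked in this order, first successful bind wins. -->
      <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
            p:filter="sAMAccountName=%u"
            p:searchBase="ou=people,dc=corp,dc=example"
            p:contextSource-ref="adContextSource" />
      <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
            p:filter="cn=%u"
            p:searchBase="o=subsidiary"
            p:contextSource-ref="edirContextSource" />
    </list>
  </property>
  <property name="credentialsToPrincipalResolvers">
    <list>
      <bean class="org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver" />
      <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
    </list>
  </property>
</bean>

<!-- JCIFS SPNEGO plumbing: the keytab-backed service principal CAS presents to the AD KDC. -->
<bean id="jcifsAuthentication" class="jcifs.spnego.Authentication" scope="prototype" />
<bean id="jcifsConfig" class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig"
      p:jcifsServicePrincipal="HTTP/[email protected]"
      p:jcifsServicePassword="PLACEHOLDER-service-password"
      p:kerberosRealm="CORP.EXAMPLE"
      p:kerberosKdc="kdc.corp.example" />

<!-- One context source per directory tree; use ldaps so the fallback bind does not send passwords in clear. -->
<bean id="adContextSource" class="org.springframework.ldap.core.support.LdapContextSource"
      p:urls="ldaps://ad.corp.example/"
      p:userDn="cn=cas-bind,ou=service,dc=corp,dc=example"
      p:password="PLACEHOLDER-bind-password" />
<bean id="edirContextSource" class="org.springframework.ldap.core.support.LdapContextSource"
      p:urls="ldaps://edir.subsidiary.example/"
      p:userDn="cn=cas-bind,o=subsidiary"
      p:password="PLACEHOLDER-bind-password" />
```

Because the first bind handler that accepts the submitted username and password decides the principal, the order of the list is the tie-breaker for an account that exists in both trees, which is why Dean's question about duplicate users across domains has to be answered before this fallback is safe.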
