Hi, I've managed to find the solution for the AD 2008 related issue. After all the checks this came down to the solution described here: http://www.mail-archive.com/[email protected]/msg04376.html So, Dean, thanks a lot again :)
In case this can help someone, I'll mention here the other workarounds we've found:
- Setting the MTU value on the CAS server machine (in our case it was Linux Red Hat 5; we've set it to 1500).
- Alternatively, we've forced the user created by ktpass to respond with a "big enough" packet, so that the AD switches to TCP during the preauthentication. In order to do that we've just made the user a member of a fairly large number of groups. Regardless of the MTU, this can also solve the problem, although it seems to be an ugly solution :)

Also, if someone faces this problem, I suggest using a sniffer to analyze the traffic over the network. In general the issue looks like this:
- The CAS server wants to contact AD.
- AD replies with a "Preauthentication required" message.
- The CAS sends the corresponding message (via UDP).
- The AD responds, but the CAS somehow didn't get the UDP packet (all the communication has been done via UDP).

I hope someone will find this information helpful.

Now the last question I have is regarding the parameter udp_preference_limit = 1. I would like to test this configuration as well and force the CAS to communicate via TCP instead of UDP. I've put this parameter into my /etc/krb5.conf; however, it didn't work. And then I've tried to remove the krb5.conf altogether (after all, all the relevant information is inside the CAS configuration files). I've restarted the CAS server and this still worked! This makes me a little bit confused. I've come to the conclusion that the CAS doesn't need the krb5.conf, but in this case how can I configure the udp_preference_limit = 1 parameter?

Thanks a lot in advance,
Mark Bramnik

--
View this message in context: http://jasig.275507.n4.nabble.com/SPNEGO-and-Windows-AD-2008-server-tp2274241p2279937.html
Sent from the CAS Users mailing list archive at Nabble.com.
-- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
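Added worked example (editor's addition, not code from Mark's post or from CAS): it models the two technical points in the message above. First, how udp_preference_limit in the [libdefaults] section of krb5.conf decides whether a Kerberos client sends a KDC request over UDP or TCP (MIT krb5 and the JDK client both switch to TCP once the request is larger than the limit, with 1465 bytes as the built-in default, so udp_preference_limit = 1 means TCP for every exchange). Second, the sniffer analysis the post recommends: given the packets of one AS exchange, tell apart the broken case (second AS-REQ over UDP, no AS-REP), the group-membership workaround (KDC answers KRB_ERR_RESPONSE_TOO_BIG and the client retries over TCP) and the forced-TCP case. Message types and error codes are from RFC 4120; the hostnames, realm, krb5.conf snippets and packet traces are constructed for illustration. One practical note for the JDK, which is what CAS runs on: the client reads krb5.conf from the path in the java.security.krb5.conf system property (or the platform default such as /etc/krb5.conf), so that property is the place to check if the setting seems to be ignored.

```python
"""Added example, not from the original post or from CAS: udp_preference_limit
and a classifier for the AS exchange Mark describes. Hosts, realm and traces
are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Message types and error codes from RFC 4120.
AS_REQ, AS_REP, KRB_ERROR = 10, 11, 30
KDC_ERR_PREAUTH_REQUIRED = 25
KRB_ERR_RESPONSE_TOO_BIG = 52

# Value MIT krb5 and the JDK Kerberos client use when the option is not set.
DEFAULT_UDP_PREFERENCE_LIMIT = 1465


def udp_preference_limit(krb5_conf: str) -> int:
    """Read udp_preference_limit from [libdefaults]; fall back to the default."""
    section = None
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comment lines and blanks
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults":
            key, _, value = line.partition("=")
            if key.strip() == "udp_preference_limit":
                return int(value.strip())
    return DEFAULT_UDP_PREFERENCE_LIMIT


def first_transport(krb5_conf: str, request_len: int) -> str:
    """Transport tried first: TCP once the request is larger than the limit.
    With udp_preference_limit = 1 every real request qualifies, so always TCP."""
    return "tcp" if request_len > udp_preference_limit(krb5_conf) else "udp"


@dataclass(frozen=True)
class Packet:
    proto: str                        # "udp" or "tcp"
    src: str
    dst: str
    msg_type: int                     # AS_REQ, AS_REP or KRB_ERROR
    error_code: Optional[int] = None  # only meaningful for KRB_ERROR


def diagnose(trace: List[Packet], client: str, kdc: str) -> str:
    """Classify one AS exchange between client and kdc from captured packets."""
    preauth_demanded = False
    last_req = None  # the AS-REQ that carries pre-authentication data
    for p in trace:
        if p.src == client and p.dst == kdc and p.msg_type == AS_REQ:
            if preauth_demanded:
                last_req = p
        elif p.src == kdc and p.dst == client:
            if p.msg_type == KRB_ERROR and p.error_code == KDC_ERR_PREAUTH_REQUIRED:
                preauth_demanded = True
            elif p.msg_type == KRB_ERROR and p.error_code == KRB_ERR_RESPONSE_TOO_BIG:
                continue  # KDC is telling the client to retry over TCP
            elif p.msg_type == AS_REP and last_req is not None:
                return "as-rep-over-" + last_req.proto
    if last_req is not None:
        return "no-as-rep-over-" + last_req.proto  # the post's symptom when udp
    return "incomplete"


# Constructed krb5.conf fragments: the default, and the one that forces TCP.
KRB5_CONF_DEFAULT = """\
[libdefaults]
    default_realm = EXAMPLE.COM
"""
KRB5_CONF_FORCE_TCP = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    # 1 makes every request "larger than the limit", so TCP is used throughout
    udp_preference_limit = 1
"""

CLIENT, KDC = "cas.example.com", "dc.example.com"  # constructed hosts


def _exchange(proto: str, tail: List[Packet]) -> List[Packet]:
    """AS-REQ, KDC demands pre-authentication, AS-REQ with padata, then tail."""
    return [Packet(proto, CLIENT, KDC, AS_REQ),
            Packet(proto, KDC, CLIENT, KRB_ERROR, KDC_ERR_PREAUTH_REQUIRED),
            Packet(proto, CLIENT, KDC, AS_REQ)] + tail


# What the post describes: all UDP, and the final reply never arrives.
TRACE_LOST = _exchange("udp", [])
# Group-membership workaround: reply too big for UDP, client retries over TCP.
TRACE_TOO_BIG = _exchange("udp", [
    Packet("udp", KDC, CLIENT, KRB_ERROR, KRB_ERR_RESPONSE_TOO_BIG),
    Packet("tcp", CLIENT, KDC, AS_REQ),
    Packet("tcp", KDC, CLIENT, AS_REP)])
# udp_preference_limit = 1: the whole exchange runs over TCP from the start.
TRACE_TCP = _exchange("tcp", [Packet("tcp", KDC, CLIENT, AS_REP)])

if __name__ == "__main__":
    for name, conf in (("default", KRB5_CONF_DEFAULT), ("force-tcp", KRB5_CONF_FORCE_TCP)):
        print(name, first_transport(conf, 300), first_transport(conf, 1500))
    for name, trace in (("lost", TRACE_LOST), ("too-big", TRACE_TOO_BIG), ("tcp", TRACE_TCP)):
        print(name, diagnose(trace, CLIENT, KDC))
```

On a real capture the same classification comes from the Kerberos dissector in Wireshark (message type and error code are decoded for you); the point of the script is the decision logic, not the parsing. A "no-as-rep-over-udp" result with the KDC visibly answering on the wire is the fragmentation symptom the post describes, and the MTU and udp_preference_limit fixes are the two places to look.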
