Hi,

We now have a working solution. For browsers on AD domain computers everything works fine when the configuration is done as Odilo says in his last post.

Our problem appears when we attempt to use our CAS server from a computer which is not part of the AD domain. In this case we want to "fall back" to the traditional login form. The problem for us is: by default the CAS server attempts to play SPNEGO with browsers. But by default:

* Firefox doesn't play SPNEGO with an unknown party.
* Internet Explorer falls back to NTLM authentication when it detects an SPNEGO negotiation attempt from a server outside the computer's current AD domain.

So for the clients outside our AD domain, which is the most important part, we got a 401 error.

To resolve this issue we use the following:

* We configure our CAS server to only attempt SPNEGO negotiation with specific browsers (in fact browsers from computers in our AD domain) using the user-agent parameter. We manage the browser configuration of our domain computers, so we force an extra user-agent tag, Kerb-XXX, on Firefox and IE.
* If the CAS server sees this tag, it starts an SPNEGO negotiation, because it's an AD domain computer and it should have a Kerberos ticket which can be validated.
* If the CAS server doesn't see the tag, which is the case for all clients outside the domain, the CAS server presents the login form directly.

The use of the user-agent is not a good solution, but we didn't find a better way to resolve our problem.

Hope it can help.

Regards

2012/6/14, Odilo Oehmichen <[email protected]>:
> hi,
> does the authentication via spnego always fail?
> if not, for those users with failing spnego authentication, is their
> browser set up correctly? (see [1])
>
> if the browser is not set up correctly (or these users are not part of the
> domain), the browser does not know how to handle the NEGOTIATE request
> (401) sent by the cas-server (see step 2 in [2]) and hence displays the 401
> response.
>
> [1] https://wiki.jasig.org/display/CASUM/SPNEGO#SPNEGO-SetupBrowser
> [2] https://wiki.jasig.org/display/CASUM/SPNEGO#SPNEGO-SPNEGOBasics
>
> On Mon, Jun 4, 2012 at 12:09 PM, lozair <[email protected]> wrote:
>
>> Hi all,
>> Following the jasig documentation
>> (https://wiki.jasig.org/display/CASUM/SPNEGO), I attempted to link my cas
>> server to our Active Directory kerberos server.
>> I have read some threads on the list about the change since version 3.4.9 in
>> the webflow with the generateLoginTicket.
>>
>> After modifying the login-webflow.xml file to integrate spnego, I always
>> get an unauthorized 401 tomcat page and never the casLoginView when
>> spnego fails.
>>
>> The login-webflow.xml file is attached.
>>
>> Setting the webflow logging to TRACE I can see the following:
>>
>> 2012-06-04 11:44:37,742 TRACE [org.jasig.cas.web.flow.GenerateLoginTicketAction] - Entering method [generate with arguments [[[RequestControlContextImpl@1105276c externalContext = org.springframework.webflow.mvc.servlet.MvcExternalContext@695f2c2e, currentEvent = error, requestScope = map[[empty]], attributes = map[[empty]], messageContext = [DefaultMessageContext@674db60d sourceMessages = map[[null] -> list[[empty]]]], flowExecution = [FlowExecutionImpl@1eeb4477 flow = 'login', flowSessions = list[[FlowSessionImpl@67dbf07c flow = 'login', state = 'generateLoginTicket', scope = map['service' -> [null], 'credentials' -> [username: null], 'warnCookieValue' -> false, 'ticketGrantingTicketId' -> [null]]]]]]]]
>> 2012-06-04 11:44:37,742 DEBUG [org.jasig.cas.web.flow.GenerateLoginTicketAction] - Generated login ticket LT-7-pz9CgCCUwvIAM72dsC2aFfL2zrexHd
>> 2012-06-04 11:44:37,743 TRACE [org.jasig.cas.web.flow.GenerateLoginTicketAction] - Leaving method [generate] with return value [generated].
>>
>> It seems the webflow is correct, since the GenerateLoginTicketAction
>> starts, generates a ticket and returns with the value "generated".
>>
>> But the login screen does not appear as described in the
>> webflow...
>>
>> I always obtain a 401 unauthorized page
>>
>> Thanks for your help/advice
>>
>> --
>> You are currently subscribed to [email protected] as:
>> [email protected]
>> To unsubscribe, change settings or access archives, see
>> http://www.ja-sig.org/wiki/display/JSG/cas-user
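The gating logic lozair describes, as an added example that is not code from the thread or from the CAS project: a request is challenged with `WWW-Authenticate: Negotiate` only when its User-Agent carries the tag pushed to managed domain browsers; every other client goes straight to the login form, and a tagged browser that answers the challenge with an NTLM token (the IE fallback the post mentions) is also sent to the form rather than looped through 401s. The tag value `Kerb-XXX`, the sample requests and the truncated token bytes are constructed placeholders; the function and class names are mine, and a real deployment would plug this decision into the login webflow action and hand the `validate` token to the Kerberos validator.

```python
import base64
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed placeholder for the extra tag the thread pushes into the
# User-Agent of managed domain browsers ("Kerb-XXX" in the post).
REQUIRED_UA_TAG = "Kerb-XXX"

# A decoded NTLMSSP message starts with this signature. A browser that has
# fallen back to NTLM still wraps it in "Authorization: Negotiate <base64>",
# so the scheme alone cannot tell Kerberos from NTLM.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


@dataclass
class Decision:
    """What the login step should do with the request."""
    action: str                                     # "login_form", "challenge" or "validate"
    status: int = 200
    headers: Dict[str, str] = field(default_factory=dict)
    token: Optional[bytes] = None                   # raw token for the Kerberos validator


def negotiate_header(raw_token: bytes) -> str:
    """Build the Authorization header value a browser sends back to a challenge."""
    return "Negotiate " + base64.b64encode(raw_token).decode("ascii")


def parse_negotiate(authorization: Optional[str]) -> Optional[bytes]:
    """Decode 'Negotiate <base64>'; None if the header is absent or malformed."""
    if not authorization:
        return None
    scheme, _, b64 = authorization.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return None
    try:
        # validate=True rejects stray characters instead of silently dropping them.
        return base64.b64decode(b64.strip(), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None


def spnego_gate(headers: Dict[str, str], required_tag: str = REQUIRED_UA_TAG) -> Decision:
    """Decide whether to challenge, validate, or fall through to the login form."""
    h = {k.lower(): v for k, v in headers.items()}
    user_agent = h.get("user-agent", "")

    # Untagged client (not a managed domain machine): never issue the 401,
    # show the form directly. This is the fallback the thread needed.
    if required_tag not in user_agent:
        return Decision(action="login_form")

    token = parse_negotiate(h.get("authorization"))
    if token is None:
        # Tagged browser with no ticket presented yet: start the negotiation.
        return Decision(action="challenge", status=401,
                        headers={"WWW-Authenticate": "Negotiate"})

    if token.startswith(NTLMSSP_SIGNATURE):
        # IE fell back to NTLM, so it has no usable Kerberos ticket for us;
        # challenging again would only loop. Show the form instead.
        return Decision(action="login_form")

    # Anything else is handed to the Kerberos/SPNEGO validator.
    return Decision(action="validate", token=token)


# Constructed sample requests. The "kerberos" token is only the start of a
# GSS-API InitialContextToken (APPLICATION 0 tag + SPNEGO OID), truncated.
SAMPLE_REQUESTS = {
    "off_domain_firefox": {"User-Agent": "Mozilla/5.0 (X11; Linux) Firefox/13.0"},
    "domain_firefox_first_hit": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/13.0 Kerb-XXX"},
    "domain_ie_ntlm_fallback": {
        "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1) Kerb-XXX",
        "Authorization": negotiate_header(b"NTLMSSP\x00\x01\x00\x00\x00"),
    },
    "domain_ie_kerberos": {
        "User-Agent": "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1) Kerb-XXX",
        "Authorization": negotiate_header(b"\x60\x08\x06\x06\x2b\x06\x01\x05\x05\x02"),
    },
    "tagged_but_garbage_header": {
        "User-Agent": "Firefox/13.0 Kerb-XXX",
        "Authorization": "Negotiate not*base64*",
    },
}


def run_samples() -> Dict[str, str]:
    """Map each constructed request to the action the gate picks for it."""
    return {name: spnego_gate(req).action for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{name:28s} -> {action}")
```

Matching a substring of the User-Agent is exactly as weak as the post admits: the tag is not a secret, and anyone can send it. That is acceptable here only because sending the tag gains nothing beyond receiving a Negotiate challenge, which the client still has to answer with a ticket the KDC actually issued; the form remains available to everyone else.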
