I have been viewing the posts associated with the X509 resolvers and have not been able to figure out why I am having issues trying to get CAS to authenticate users via client certs from a CAC. Should I be able to authenticate directly to CAS and get the "Log In Successful" page? Apache Tomcat 7 has been modified to request client certs. I think I have followed the URL https://wiki.jasig.org/display/CASUM/X.509+Certificates fully, except for using a different Credentials to Principal Resolver (X509CertificateCredentialsToSubjectPrinciplalResolver). Here are the config files I have modified per the URL:

*login-webflow.xml*
<flow xmlns="http://www.springframework.org/schema/webflow"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">

    <var name="credentials" class="org.jasig.cas.authentication.principal.UsernamePasswordCredentials" />

    <on-start>
        <evaluate expression="initialFlowSetupAction" />
    </on-start>

    <decision-state id="ticketGrantingTicketExistsCheck">
        <if test="flowScope.ticketGrantingTicketId != null" then="hasServiceCheck" else="gatewayRequestCheck" />
    </decision-state>

    <decision-state id="gatewayRequestCheck">
        <if test="requestParameters.gateway != '' and requestParameters.gateway != null and flowScope.service != null" then="gatewayServicesManagementCheck" else="generateLoginTicket" />
    </decision-state>

    <decision-state id="hasServiceCheck">
        <if test="flowScope.service != null" then="renewRequestCheck" else="viewGenericLoginSuccess" />
    </decision-state>

    <decision-state id="renewRequestCheck">
        <if test="requestParameters.renew != '' and requestParameters.renew != null" then="startAuthenticate" else="generateServiceTicket" />
    </decision-state>

    <decision-state id="warn">
        <if test="flowScope.warnCookieValue" then="showWarningView" else="redirect" />
    </decision-state>

    <action-state id="startAuthenticate">
        <evaluate expression="x509Check" />
        <transition on="success" to="sendTicketGrantingTicket" />
        <transition on="warn" to="warn" />
        <transition on="error" to="generateLoginTicket" />
    </action-state>

    ......
</flow>

*deployerConfigContext.xml*

Credentials to Principal Resolver:

<bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
    <property name="credentialsToPrincipalResolver">
        <bean class="org.jasig.cas.adaptors.x509.authentication.principal.X509CertificateCredentialsToDistinguishedNamePrincipalResolver" />
    </property>
    <property name="filter" value="distinguishedName=%u" />
    <property name="principalAttributeName" value="sAMAccountName" />
    <property name="searchBase" value="${cas.ldap.authenticationHandler.searchBase}" />
    <property name="contextSource" ref="contextSource" />
</bean>

Does the X509CertificateCredentialsToDistinguishedNamePrincipalResolver return the DN that is passed into the filter property, setting the %u to the DN?

*AuthenticationHandler*

<bean class="org.jasig.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler">
    <property name="trustedIssuerDnPattern" value="OU = something,OU = something,O = something,C =something.+" />
</bean>

*cas-servlet.xml*

Added this:

<bean id="x509Check"
      p:centralAuthenticationService-ref="centralAuthenticationService"
      class="org.jasig.cas.adaptors.x509.web.flow.X509CertificateCredentialsNonInteractiveAction">
    <property name="centralAuthenticationService" ref="centralAuthenticationService"/>
</bean>

I have made modifications to the cas-server-support-ldap code to see if I can get some print statements out of the resolver; however, it appears I am not even getting into the CredentialsToLDAPAttributePrincipalResolver. I am just not sure where I am going wrong. Maybe I have something misconfigured. Can someone point me in the correct direction? Thanks

--
View this message in context: http://jasig.275507.n4.nabble.com/CAS-3-5-X509CertificateCredentialsToSubjectPrinciplalResolver-not-resolving-Certificate-tp4657101.html
Sent from the CAS Users mailing list archive at Nabble.com.
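As an added example (not from the original post and not CAS code), here is a small Python model of the chain the configuration above wires together, so it is clear what each bean contributes and in what order: the X509CredentialsAuthenticationHandler vets the issuer DN against trustedIssuerDnPattern first, the X509CertificateCredentialsToDistinguishedNamePrincipalResolver hands back the subject DN as the principal id, and CredentialsToLDAPAttributePrincipalResolver substitutes that id for %u in its filter. The sample DNs and pattern strings are constructed for this example; the DN strings follow the form Java's cert.getIssuerDN().getName() / getSubjectDN().getName() produce (no spaces around "=", RDNs separated by commas only), the issuer check is modelled as a full-string regex match in the way Java's Pattern.matcher(dn).matches() behaves, and the RFC 4515 escaping before substitution is a hardening step of this example rather than something the post shows CAS doing.

```python
import re

# Constructed sample DNs (not from the post), written the way Java renders
# cert.getIssuerDN().getName() / getSubjectDN().getName(): no spaces around
# '=', RDNs separated by ',' only.
ISSUER_DN = "CN=EXAMPLE CA-1,OU=PKI,OU=DoD,O=U.S. Government,C=US"
SUBJECT_DN = "CN=DOE.JOHN.1234567890,OU=USA,OU=PKI,OU=DoD,O=U.S. Government,C=US"


def issuer_is_trusted(issuer_dn: str, trusted_issuer_dn_pattern: str) -> bool:
    """Model of the handler's trustedIssuerDnPattern check: a full-string
    regex match, which is what Java's Pattern.matcher(dn).matches() does
    (assumption of this example)."""
    return re.fullmatch(trusted_issuer_dn_pattern, issuer_dn) is not None


def resolve_dn_principal(subject_dn: str) -> str:
    """Model of X509CertificateCredentialsToDistinguishedNamePrincipalResolver:
    the principal id is the certificate subject DN string, unchanged."""
    return subject_dn


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping of an assertion value, so a DN taken from a client
    certificate cannot change the structure of the LDAP filter it is put into."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_ldap_filter(filter_template: str, principal_id: str) -> str:
    """Fill the %u placeholder of the CredentialsToLDAPAttributePrincipalResolver
    filter with the (escaped) principal id returned by the inner resolver."""
    return filter_template.replace("%u", ldap_filter_escape(principal_id))


def x509_login(issuer_dn: str, subject_dn: str,
               trusted_issuer_dn_pattern: str, filter_template: str):
    """Run the chain in the order CAS applies it: the authentication handler
    vets the issuer; only if that passes is the principal resolved and the
    LDAP filter built.  Returns (accepted, ldap_filter_or_None)."""
    if not issuer_is_trusted(issuer_dn, trusted_issuer_dn_pattern):
        return (False, None)          # handler rejects: resolver never runs
    principal_id = resolve_dn_principal(subject_dn)
    return (True, build_ldap_filter(filter_template, principal_id))


if __name__ == "__main__":
    # Spaces around '=' in the pattern never match a Java-formatted DN, so the
    # request stops at the handler and the LDAP resolver is never reached.
    print(x509_login(ISSUER_DN, SUBJECT_DN,
                     r"OU = PKI,OU = DoD,O = U.S. Government,C = US.+",
                     "distinguishedName=%u"))
    # A pattern written against the string Java actually produces passes the
    # handler, and the subject DN lands in the filter in place of %u.
    print(x509_login(ISSUER_DN, SUBJECT_DN,
                     r".*OU=PKI,OU=DoD,O=U\.S\. Government,C=US",
                     "distinguishedName=%u"))
    # A crafted subject CN is neutralised by the escaping step.
    print(build_ldap_filter("distinguishedName=%u", "CN=*)(cn=*"))
```

The first call fails at the issuer check, so nothing downstream executes, which is the same symptom as never entering the LDAP resolver; before debugging further down the chain, compare the pattern with the exact issuer string Java produces for the CA certificate (for example by logging cert.getIssuerDN().getName() from a scratch class), since spacing, RDN order and a trailing `.+` all matter for a full-string match.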
