On Jun 14, 2006, at 1:38 PM, Scott Battaglia wrote:

> Thanks for those detailed instructions! Just a note that as of CAS
> 3.0.5 RC1, the jar file for the adaptor-trusted should be included in
> the Maven repository.
>
> CAS 3.0.6 will also include SPNEGO support (it was contributed by
> someone who modified the code I had). As soon as 3.0.5 is out the door,
> I'll start working on supporting SPNEGO natively.

During some further testing, there is at least one major problem with the setup I described. The mod_auth_kerb module won't allow a browser without a kerberos ticket to proceed to CAS to use PKI or the web form. Without going into all the details, the problem is that apache (and browsers) don't support any kind of optional authentication method. So when apache tells the browser it supports Negotiate, if the browser doesn't have a kerberos ticket, it won't try and connect again, so the server can't do anything else.

Tomorrow I'm going to try and see if I can hack a separate URL for kerberos auth and redirects, assuming the REMOTE_USER var will move with the redirect. By using a special error page reference I can also pass failed browsers to the direct cas/login page.

Looks like the spnego code inside CAS is going to be the only way to go for right now.

Steve Cochran
Dartmouth College

PS. Thinking about it some more, we might run into the same problem with using SPNEGO inside CAS. The only auth method that supports an "optional" quality is certs using an SSL connection, but the optional works only because there is a connection negotiation process where it can figure that out. With the rejection/try again model of spnego, how would CAS recognize a new browser from one that is attempting again but doesn't support spnego? And for that matter, how would the browser know to try again when the server asks for Negotiate and it knows it can't provide a kerberos ticket?

_______________________________________________
Yale CAS mailing list
http://tp.its.yale.edu/mailman/listinfo/cas
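
The separate-URL arrangement proposed in the message above, sketched as an Apache configuration. This is an added example, not configuration from the original post or from the CAS project; the `/cas/kerberos` path, the error-page path, the realm and the keytab location are assumed placeholders.

```apache
# Added example. The paths, realm and keytab below are assumed placeholders.

# Kerberos-only entry point. Only this URL answers with
# "401 WWW-Authenticate: Negotiate", so the ordinary login URL never
# challenges a browser that holds no ticket.
<Location "/cas/kerberos">
    AuthType Kerberos
    AuthName "Kerberos single sign-on"

    # Offer Negotiate (SPNEGO) only. With the password fallback off,
    # mod_auth_kerb does not also offer Basic auth on this URL.
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off

    KrbAuthRealms EXAMPLE.EDU
    Krb5KeyTab /etc/httpd/conf/http.keytab
    Require valid-user

    # Body returned together with the 401 challenge. A browser that
    # cannot answer Negotiate displays this body instead of retrying.
    # The target has to be a local path: Apache cannot send an external
    # redirect as a 401 error document. The page itself (hypothetical
    # file) is a static HTML document that links or meta-refreshes to
    # /cas/login, the form/PKI login named in the message, and it must
    # be served from outside this protected location.
    ErrorDocument 401 /errors/no-negotiate.html
</Location>

# /cas/login carries no AuthType or Require directive, so ticketless
# browsers reach the web form directly.
```

A browser that does hold a ticket repeats the request to `/cas/kerberos` with an `Authorization: Negotiate` header, and mod_auth_kerb sets `REMOTE_USER` for that request.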
