Céline AUSSOURD wrote:

>>>>>> What's your setting of principalWithDomainName (property of
>>>>>> JCIFSSpnegoAuthenticationHandler)?
>>>>>
>>>> It's "true". That's why "MC\" appears in the user name.
>>>>> What's your setting of NTLMallowed (property of
>>>>> JCIFSSpnegoAuthenticationHandler)?
>>>>>
>>>> It's "true". If I set it to "false", the authentication doesn't work.
>>> Then you don't authenticate with Kerberos. NTLM is used. That leads to
>>> the name form NETBIOSDOMAIN/sAMAccountName.
>>
>> How can I authenticate with Kerberos? It seems that my client only sends
>> NTLM tokens.
>
> Did you follow all the Kerberos-related instructions on
> http://www.ja-sig.org/wiki/display/CASUM/SPNEGO ?

Yep

> Are you using MS AD? Which version?

Yes, I am. MS AD is running on Windows Server 2003 and the forest/domain functional level is: Windows Server 2003 interim.

>>>>> If you want to allow SPNEGO with NTLM you could try to map the principal
>>>>> name to userPrincipalName like described here:
>>>>> http://www.ja-sig.org/wiki/display/CASUM/Attributes
>>>>>
>>>> Thanks for the idea. I'm trying.
>>> Maybe set principalWithDomainName to false and search via LDAP for
>>> (sAMAccountName=%u).
>>> [...]
>>> You have to add the CredentialsToLDAPAttributePrincipalResolver.
>>> [...]
>>> Why do you want to change the login flow?
>>
>> I followed your advice (I modified /WEB-INF/deployerConfigContext.xml) but
>> it seems that the CredentialsToLDAPAttributePrincipalResolver isn't used.
>
> What does your configuration look like? (excerpts of
> deployerConfigContext.xml without real passwords!)

Did I already send any password?

Excerpts of deployerConfigContext.xml:

<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
  <property name="credentialsToPrincipalResolvers">
    <list>
      <bean class="org.jasig.cas.support.spnego.authentication.principal.SpnegoCredentialsToPrincipalResolver" />
      <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
        <property name="credentialsToPrincipalResolver">
          <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
        </property>
        <!-- The query made to find the Principal ID.
             "%u" will be replaced by the resolved Principal -->
        <property name="filter" value="(sAMAccountName=%u)" />
        <!-- The attribute used to define the new Principal ID -->
        <property name="principalAttributeName" value="sAMAccountName" />
        <property name="searchBase" value="CN=Users,DC=ville-chateauroux,DC=fr" />
        <property name="contextSource" ref="contextSource" />
        <property name="attributeRepository">
          <ref bean="attribRepository" />
        </property>
      </bean>
    </list>
  </property>
  <property name="authenticationHandlers">
    <list>
      <bean class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler">
        <property name="authentication">
          <bean class="jcifs.spnego.Authentication" />
        </property>
        <property name="principalWithDomainName" value="false" />
        <property name="NTLMallowed" value="true"/>
      </bean>
    </list>
  </property>
</bean>

<bean name="jcifsConfig" class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
  <property name="jcifsServicePrincipal" value="HTTP/[EMAIL PROTECTED]" />
  <property name="jcifsServicePassword" value="XXXX" />
  <property name="jcifsDomain" value="VILLE-CHATEAUROUX.FR"/>
  <property name="jcifsDomainController" value="CETYUNIX.VILLE-CHATEAUROUX.FR"/>
  <property name="kerberosDebug" value="true" />
  <property name="kerberosRealm" value="VILLE-CHATEAUROUX.FR" />
  <property name="kerberosKdc" value="172.16.11.0" />
  <property name="loginConf" value="/usr/local/liferay/webapps/cas/WEB-INF/login.conf" />
</bean>

<bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
  <property name="userMap">
    <value>
    </value>
  </property>
</bean>

<bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
  <property name="urls">
    <list>
      <value>ldaps://cetyunix:389/</value>
    </list>
  </property>
  <property name="userName" value="CN=Administrateur,CN=Users,DC=ville-chateauroux,DC=fr" />
  <property name="password" value="XXXX" />
</bean>

<bean id="attribRepository" class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
  <property name="baseDN" value="CN=Users,DC=ville-chateauroux,DC=fr" />
  <property name="query" value="(sAMAccountName={0})" />
  <property name="contextSource" ref="contextSource" />
  <property name="ldapAttributesToPortalAttributes">
    <map>
      <entry key="userPrincipalName" value="Name"/>
    </map>
  </property>
</bean>

<bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl" />

> Ciao, Michael.

Ciao!
Céline

-- 
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
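The thread turns on two details of the resolver chain: the SPNEGO handler hands CAS a principal whose form depends on the mechanism that actually ran (NTLM gives NETBIOSDOMAIN\sAMAccountName, which is where the "MC\" prefix comes from; Kerberos gives a user@REALM name), and CredentialsToLDAPAttributePrincipalResolver then pastes that principal into the "(sAMAccountName=%u)" filter in place of %u. The following is an added example, written for this page and not part of the thread or of the CAS/JCIFS code: it reduces either name form to the bare account name (the job principalWithDomainName=false is meant to do), reports which form was seen so an administrator can tell from the principal alone whether NTLM or Kerberos was negotiated, and escapes the value per RFC 4515 before substitution, because the resolved name originates from the client and must not be able to alter the filter structure. The principal values and the domain "MC" used in the demonstration are constructed or taken from the thread; the function names are this example's own.

```python
from typing import Optional, Tuple

# RFC 4515 escapes for characters that are significant inside an LDAP filter value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a string so it is embedded as a literal inside an LDAP search filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def classify_principal(principal: str) -> str:
    """Return the name form of a SPNEGO-resolved principal.

    'netbios'  -> NETBIOSDOMAIN\\sAMAccountName (the form NTLM produces)
    'upn'      -> user@REALM (the form a Kerberos principal takes)
    'bare'     -> no domain qualifier at all
    """
    if "\\" in principal:
        return "netbios"
    if "@" in principal:
        return "upn"
    return "bare"


def strip_domain(principal: str) -> Tuple[str, Optional[str]]:
    """Reduce the principal to (account, domain_or_realm), realm upper-cased.

    This mirrors what principalWithDomainName=false is meant to achieve:
    the LDAP lookup keys on the bare sAMAccountName, not on the qualified name.
    """
    form = classify_principal(principal)
    if form == "netbios":
        domain, _, account = principal.partition("\\")
        return account, domain.upper()
    if form == "upn":
        account, _, realm = principal.rpartition("@")
        return account, realm.upper()
    return principal, None


def build_filter(template: str, principal: str) -> str:
    """Substitute %u in a CAS-style filter template with the escaped account name."""
    account, _ = strip_domain(principal)
    return template.replace("%u", escape_ldap_filter_value(account))


if __name__ == "__main__":
    # Constructed sample principals: the NTLM form from the thread, a Kerberos form,
    # and one carrying filter metacharacters to show the escaping at work.
    template = "(sAMAccountName=%u)"
    for sample in ("MC\\celine", "celine@VILLE-CHATEAUROUX.FR", "MC\\a*)(cn="):
        print(f"{sample!r:32} form={classify_principal(sample):8} "
              f"filter={build_filter(template, sample)}")
```

Run as a script it prints one line per sample; the third line shows that the parentheses and wildcard survive only as escaped hex sequences, so the filter still matches exactly one attribute value. If the principal CAS logs for a SPNEGO login comes out in the netbios form, the client negotiated NTLM rather than Kerberos, which is the situation Michael describes in the thread.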
