Greetings:
A couple of weeks ago I posted a question about problems we are having using
CAS in an AD environment. Our system works fine most of the time but
randomly fails with an AD error message that means bad credentials ('52e
vece'). Once it fails the only way to get it working is to recycle CAS on
tomcat6. Some folks responded with ideas but none panned out.
I've since been able to turn on some debug on the client's production
system and from looking at the logs, it appears that CAS fails when it
starts using a user's credentials to connect to AD instead of the AD
service account. So instead of seeing 'Principal:
'cn=svcacct,cn=Users,...' in the log we start to see 'cn=Doe, John
N,cn=Users,...' in the log, which corresponds to the time that CAS errors
out. So it would appear that the contextSource credentials being used to
connect to AD are somehow being overwritten by a user's credentials? I
haven't figured out the pattern of when it happens yet. I'm hoping someone
else has seen this? Thanks so much for any ideas!
John S.
P.S. I'm unable to include my Spring context in the e-mail; our system is
airgapped so it's not available.
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
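
One way to pin down when the bind principal changes is to scan the debug log for the first `Principal:` entry that is not the service account and keep the lines just before it. This is an added example, not part of the original message or of CAS; the timestamp layout, the `dc=example,dc=org` suffix, the search lines and the function names are constructed, and it assumes every logged `Principal:` line is a contextSource bind that should use the service account.

```python
import re
from collections import deque

# Matches the "Principal: '<DN>'" fragment quoted in the message; the rest of
# the log line layout is an assumption.
PRINCIPAL_RE = re.compile(r"Principal:\s*'([^']*)'")

def norm(dn):
    """Comparison key for a DN: case-insensitive, ignores spaces around , and =."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).casefold()

def find_principal_switches(lines, service_dn, context=3):
    """Return one record per transition from the service DN to another bind DN.

    Each record has the 1-based line number, the unexpected principal and the
    `context` log lines before it, where the trigger is most likely visible.
    """
    expected = norm(service_dn)
    recent = deque(maxlen=context)
    switches = []
    last_ok = True  # did the previous bind use the service account?
    for lineno, line in enumerate(lines, 1):
        m = PRINCIPAL_RE.search(line)
        if m:
            ok = norm(m.group(1)) == expected
            if last_ok and not ok:  # report the transition, not every repeat
                switches.append({"line": lineno,
                                 "principal": m.group(1),
                                 "before": list(recent)})
            last_ok = ok
        recent.append(line.rstrip("\n"))
    return switches

# Constructed sample log (not real CAS output).
SAMPLE_LOG = """\
2011-01-10 09:00:01 DEBUG Principal: 'cn=svcacct,cn=Users,dc=example,dc=org'
2011-01-10 09:00:01 DEBUG search for sAMAccountName=jdoe
2011-01-10 09:00:02 DEBUG Principal: 'CN=svcacct, CN=Users, DC=example, DC=org'
2011-01-10 09:14:40 DEBUG search for sAMAccountName=jdoe
2011-01-10 09:14:41 DEBUG Principal: 'cn=Doe, John N,cn=Users,dc=example,dc=org'
2011-01-10 09:14:55 DEBUG Principal: 'cn=Doe, John N,cn=Users,dc=example,dc=org'
""".splitlines()

if __name__ == "__main__":
    svc = "cn=svcacct,cn=Users,dc=example,dc=org"
    for s in find_principal_switches(SAMPLE_LOG, svc):
        print(f"line {s['line']}: bind as {s['principal']!r}")
        for prev in s["before"]:
            print("    before:", prev)
```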