Question on SpNego

Arnaud Lesueur arnaud.lesueur at gmail.com
Sat Feb 9 03:53:40 EST 2008


Thomas,

In the end, are you using the NTLM Handler or the SPNEGO Handler with the NTLM
feature active?
Since there is no documentation on the NTLM handler in the wiki, you will have
to dig in the mailing lists and in the source code to get more information.

For the spnego handler, here are a few clues:

In IE, if you're getting a prompt, this means that the provided credentials
have not been validated (this also corresponds to the error state on the spnego
action). You will get more information with a debug level on
org.jasig.cas.support.spnego. This will let you know whether your browser is
sending an NTLM token or a Kerberos token as a response to the HTTP 401 with
the www-authenticate header.

You might also need to turn on debug mode on the jcifsconfig bean
(kerberosDebug parameter).

I would also recommend that you not use the same box for the CAS server and
the user client browser.

Regards,

-Arnaud


On Feb 5, 2008 5:32 PM, Healey, Thomas <HealeyT at darden.virginia.edu> wrote:

> All,
> I changed my config to use NTLM and got a little farther I think.
> I am succeeding in the following state:
> 2008-02-05 11:17:03,709 DEBUG
> [org.springframework.webflow.engine.impl.RequestControlContextImpl] -
> <Signaling event 'success' in state 'startAuthenticate' of flow
> 'login-webflow'>
>
>        <action-state id="startAuthenticate">
>          <action bean="negociateSpnego" />
>          <transition on="success" to="spnego" />
>        </action-state>
>
> But failing in this state:
> 2008-02-05 11:17:03,709 DEBUG
> [org.springframework.webflow.engine.Transition] - <Executing
> [Transition at 5a8a7e on = [eventId = 'error'], to = viewLoginForm] out of
> state 'spnego'>
>        <action-state id="spnego">
>          <action bean="spnego" />
>          <transition on="success" to="sendTicketGrantingTicket" />
>          <transition on="error" to="viewLoginForm" />
>        </action-state>
>
> Does anyone have any clue what could be happening?
> Thanks in advance,
> Tom
>
> From previous post:
> ****************************************************************************
> Date: Fri, 1 Feb 2008 14:27:29 -0500
> From: "Healey, Thomas" <HealeyT at darden.virginia.edu>
> Subject: Questions on Spnego
> To: <cas at tp.its.yale.edu>
> Message-ID:
>
> <36E21C9E1EA9D844A3369632BE0EDDD2014800FB at MAIL02.darden.virginia.edu>
> Content-Type: text/plain; charset="us-ascii"
>
> All,
>
> I followed the instructions @
> http://www.ja-sig.org/wiki/display/CASUM/SPNEGO for the config of
> Spnego.
>
> My test CAS server is a Windows XP box and the box that runs the AD is
> obviously a Windows (2003 in this case) box. My question is where do I
> put the keytab and krb5.conf files created in the instructions? On my
> local XP box (the CAS server)? If so, where on that box would I put them?
> On the KDC (which is the AD server)? If so, where on that box would I put
> them?
>
> Right now my current behavior for the CAS client is that they are seeing
> the CAS login page. Since I am logged into the domain this is not the
> expected behavior. Also as another data point I can successfully be
> authed against this very same AD server when using the LDAP
> authentication handler. So I believe I am able to talk to the AD server
> successfully. I am getting no errors when I boot CAS but I am getting to
> the login screen which as I said is unexpected.
>
> Tom
> ****************************************************************************



-- 
Arnaud Lesueur

LinkedIn: http://www.linkedin.com/in/lesueur
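
To check outside the CAS debug log which kind of token the browser sent after the 401 challenge (the NTLM versus Kerberos distinction described in the reply above), the following added example, which is not part of the original message or of the CAS code base, classifies the base64 value of an Authorization: Negotiate header. The function names and the sample tokens are constructed for illustration.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"                      # signature that opens every raw NTLM message
OID_SPNEGO = bytes.fromhex("2b0601050502")    # 1.3.6.1.5.5.2
MECHS = {bytes.fromhex("2a864886f712010202"): "kerberos",    # 1.2.840.113554.1.2.2
         bytes.fromhex("2a864882f712010202"): "kerberos",    # 1.2.840.48018.1.2.2 (MS)
         bytes.fromhex("2b06010401823702020a"): "ntlm"}      # 1.3.6.1.4.1.311.2.2.10

def read_tlv(buf, pos):
    """Read one DER header at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def classify(header_value):
    """Classify the token carried in an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
        if tok.startswith(NTLMSSP):           # NTLM sent without a GSS-API wrapper
            return "raw-ntlm"
        tag, pos, _ = read_tlv(tok, 0)        # 0x60: GSS-API InitialContextToken
        oid_tag, start, end = read_tlv(tok, pos)   # thisMech OID
        if tag != 0x60 or oid_tag != 0x06:
            return "unknown"
        if tok[start:end] != OID_SPNEGO:      # mechanism used directly, no SPNEGO
            return MECHS.get(tok[start:end], "unknown")
        pos = end                             # descend NegTokenInit to mechTypes
        for expected in (0xA0, 0x30, 0xA0, 0x30):
            tag, pos, _ = read_tlv(tok, pos)
            if tag != expected:
                return "unknown"
        _, start, end = read_tlv(tok, pos)    # first (preferred) mechanism OID
        return "spnego-" + MECHS.get(tok[start:end], "other")
    except (ValueError, IndexError):          # bad base64 or truncated DER
        return "malformed"

# Constructed sample tokens (hex), truncated after the fields the classifier reads.
SAMPLES = {"spnego_krb": "601b06062b0601050502a011300fa00d300b06092a864886f712010202",
           "spnego_ntlm": "601c06062b0601050502a0123010a00e300c060a2b06010401823702020a",
           "raw_ntlm": NTLMSSP.hex() + "01000000"}

def header_for(name):
    return "Negotiate " + base64.b64encode(bytes.fromhex(SAMPLES[name])).decode()
```

A result of raw-ntlm or spnego-ntlm means the browser did not offer Kerberos as its preferred mechanism.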