CAS, Spnego and the "pre Windows 2000 logon name"
Michael Ströder
michael at stroeder.com
Thu Jun 5 07:21:19 EDT 2008
Céline AUSSOURD wrote:
>>>>> What's your setting of principalWithDomainName (property of
>>>>> JCIFSSpnegoAuthenticationHandler)?
>>>>
>>> It's "true". That's why "MC\" appears in the user name.
>>>> What's your setting of NTLMallowed (property of
>>>> JCIFSSpnegoAuthenticationHandler)?
>>>>
>>> It's "true". If I set to "false", the authentication doesn't work.
>> Then you don't authenticate with Kerberos. NTLM is used. That leads to
>> the name form NETBIOSDOMAIN/sAMAccountName.
>
> How can I authenticate with Kerberos? It seems that my client only sends NTLM tokens.
Did you follow all the Kerberos-related instructions on
http://www.ja-sig.org/wiki/display/CASUM/SPNEGO ?
Are you using MS AD? Which version?
>>>> If you want to allow SPNEGO with NTLM you could try to map the principal
>>>> name to userPrincipalName as described here:
>>>> http://www.ja-sig.org/wiki/display/CASUM/Attributes
>>>>
>>> Thanks for the idea. I'm trying.
>> Maybe set principalWithDomainName to false and search via LDAP for
>> (sAMAccountName=%u).
>> [...]
>> You have to add the CredentialsToLDAPAttributePrincipalResolver.
>> [...]
>> Why do you want to change the login flow?
>
> I followed your advice (I modified /WEB-INF/deployerConfigContext.xml) but it seems that the CredentialsToLDAPAttributePrincipalResolver isn't used.
What does your configuration look like? (excerpts of
deployerConfigContext.xml without real passwords!)
Ciao, Michael.
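
The name handling discussed in this thread, as an added example that is not part of the original message or of CAS: it strips the domain part from an NTLM-style name (NETBIOSDOMAIN\sAMAccountName or NETBIOSDOMAIN/sAMAccountName) and substitutes the RFC 4515-escaped account into the (sAMAccountName=%u) filter. The function names and the sample account "jdoe" are hypothetical, and treating account@REALM as a Kerberos form whose account part equals sAMAccountName is an assumption.

```python
import re

# RFC 4515 section 3: characters that must be escaped in a filter value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def split_principal(principal):
    """Return (kind, domain_or_realm, account) for a principal name.

    kind is "ntlm" for DOMAIN\\account or DOMAIN/account,
    "kerberos" for account@REALM (assumed form), "bare" otherwise.
    """
    m = re.fullmatch(r"([^\\/@]+)[\\/]([^\\/@]+)", principal)
    if m:
        return "ntlm", m.group(1), m.group(2)
    m = re.fullmatch(r"([^\\/@]+)@([^\\/@]+)", principal)
    if m:
        return "kerberos", m.group(2), m.group(1)
    if principal and not re.search(r"[\\/@]", principal):
        return "bare", None, principal
    # More than one separator, or an empty part: refuse rather than guess.
    raise ValueError("unrecognised principal form: %r" % principal)


def build_filter(principal, template="(sAMAccountName=%u)"):
    """Drop the domain part and substitute the escaped account for %u."""
    _kind, _domain, account = split_principal(principal)
    return template.replace("%u", escape_filter_value(account))


if __name__ == "__main__":
    # Constructed sample names; "MC" is the NetBIOS domain seen in the thread.
    for name in ("MC\\jdoe", "MC/jdoe", "jdoe@MC.EXAMPLE.ORG", "jdoe", "MC\\j*doe"):
        print("%-22s -> %s" % (name, build_filter(name)))
```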