[CAS5.3.10] How to use SPNEGO authentication with login form as fallback


Kevin Imbrechts

Oct 8, 2019, 10:49:53 AM
to CAS Community
Hello,

With my CAS 5.3.10, I want to authenticate with SPNEGO when possible. But it can happen that some users can't use SPNEGO. I want to use the login form as a fallback when SPNEGO authentication fails.
I see the login form, but when I submit the form, I get the error "bad login/password".
Any idea? What have I misconfigured?

Thanks.
Attachments: cas.log, cas.properties, pom.xml

Kevin Imbrechts

Oct 9, 2019, 5:11:19 AM
to CAS Community
I have a JAAS config file using Kerberos and I changed my cas.properties file like this:
cas.authn.jaas[0].realm=MY.DOMAIN
cas.authn.jaas[0].kerberosKdcSystemProperty=ad.MY.DOMAIN
cas.authn.jaas[0].kerberosRealmSystemProperty=MY.DOMAIN
cas.authn.jaas[0].loginConfigurationFile=/etc/cas/config/login.conf
cas.authn.jaas[0].principal.principalAttribute="uid=usr-docker,dc=my,dc=domain"

Still doesn't work.
Attachment: login.conf

vallee.romain

Oct 9, 2019, 7:22:21 AM
to CAS Community
What is JAAS?

Ray Bon

Oct 9, 2019, 12:33:22 PM
to cas-...@apereo.org
Java Authentication and Authorization Service
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Kevin Imbrechts

Oct 9, 2019, 1:10:43 PM
to CAS Community
JAAS is a Java standard authentication and authorization API. JAAS is configured via an externalized plain-text configuration file.

https://apereo.github.io/cas/5.3.x/installation/JAAS-Authentication.html

I think CAS attempts to use another authentication support but I don't know why...

Kevin Imbrechts

Oct 10, 2019, 9:37:25 AM
to CAS Community
I tried, but I can't do it. Can nobody help me? :(

Kevin Imbrechts

Oct 10, 2019, 10:03:51 AM
to CAS Community
Ok, I think I found the error:
2019-10-10 15:56:38,737 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[JaasAuthenticationHandler] exception details: [No LoginModules configured for MY.REALM].>
2019-10-10 15:56:38,737 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[JaasAuthenticationHandler] exception details: [No LoginModules configured for MY.REALM].>
2019-10-10 15:56:38,738 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationBuilder] - <Recording authentication handler failure under key [JaasAuthenticationHandler]>

How do I configure a LoginModule?

Kevin Imbrechts

Oct 10, 2019, 10:12:36 AM
to CAS Community
In my /etc/cas/config/jaas.config file, I have this config:
MY.DOMAIN {
  com.sun.security.auth.module.Krb5LoginModule sufficient
    refreshKrb5Config=TRUE
    useTicketCache=TRUE
    renewTGT=TRUE
    useKeyTab=TRUE
    doNotPrompt=FALSE
    keyTab=/etc/cas/config/cas.HTTP.keytab
    storeKey=FALSE
    principal="uid=usr-docker,dc=my,dc=domain"
    debug=TRUE;
};


My run-cas.sh script executes cas.war like this:
exec java -Djava.security.auth.login.config=/etc/cas/config/jaas.config -jar /cas-overlay/target/cas.war

And my JAAS config from /etc/cas/config/cas.properties:
# JAAS Config
cas.authn.jaas[0].realm=MY.REALM
cas.authn.jaas[0].kerberosKdcSystemProperty=ad1.my.domain
cas.authn.jaas[0].kerberosRealmSystemProperty=MY.REALM
cas.authn.jaas[0].loginConfigurationFile=/etc/cas/config/jaas.config


Thanks
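The "No LoginModules configured for MY.REALM" message above is what the JDK reports when the name CAS passes to JAAS (cas.authn.jaas[n].realm) has no matching entry in the login configuration file. The following checker, an added example that is not part of this thread or of CAS itself, parses both files and reports every CAS realm the JAAS file cannot serve; the two inline inputs are constructed from the values quoted in this thread.

```python
import re

# Constructed sample inputs modelled on the thread above: the JAAS login
# configuration names its entry MY.DOMAIN, while cas.properties points the
# JAAS handler at realm MY.REALM, which is what CAS looks up at login time.
JAAS_CONFIG = """
MY.DOMAIN {
  com.sun.security.auth.module.Krb5LoginModule sufficient
    useKeyTab=TRUE
    keyTab=/etc/cas/config/cas.HTTP.keytab
    debug=TRUE;
};
"""
CAS_PROPERTIES = """
cas.authn.jaas[0].realm=MY.REALM
"""

# One JAAS application entry: Name { ... };  and one module line inside it:
# <class> <control flag> [options];
ENTRY_RE = re.compile(r"(\S+)\s*\{(.*?)\}\s*;", re.DOTALL)
MODULE_RE = re.compile(r"^\s*([\w.$]+)\s+(required|requisite|sufficient|optional)\b",
                       re.IGNORECASE | re.MULTILINE)
REALM_RE = re.compile(r"^cas\.authn\.jaas\[(\d+)\]\.realm\s*=\s*(\S+)", re.MULTILINE)


def parse_jaas_entries(text):
    """Map each JAAS application name to the login-module classes it lists."""
    return {name: [m.group(1) for m in MODULE_RE.finditer(body)]
            for name, body in ENTRY_RE.findall(text)}


def cas_jaas_realms(text):
    """Return {index: realm} for every cas.authn.jaas[n].realm property."""
    return {int(i): r.strip().strip('"') for i, r in REALM_RE.findall(text)}


def check_jaas_realms(jaas_text, properties_text):
    """List the realms CAS will ask JAAS for that the login config cannot serve."""
    entries = parse_jaas_entries(jaas_text)
    problems = []
    for index, realm in cas_jaas_realms(properties_text).items():
        modules = entries.get(realm)
        if modules is None:
            problems.append(f"cas.authn.jaas[{index}].realm={realm} has no JAAS entry "
                            f"(entries found: {', '.join(entries) or 'none'})")
        elif not modules:
            problems.append(f"JAAS entry {realm} declares no login modules")
    return problems


if __name__ == "__main__":
    print("\n".join(check_jaas_realms(JAAS_CONFIG, CAS_PROPERTIES)) or "JAAS realms OK")
```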

Kevin Imbrechts

Oct 11, 2019, 10:38:53 AM
to CAS Community
I have deleted the JAAS config and put in the LDAP config.
My pom.xml
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>

My cas.properties
cas.authn.ldap[0].name=LDAP
cas.authn.ldap[0].order=0
cas.authn.ldap[0].ldapUrl=ldap://ad1.my.domain ldap://ad2.my.domain
cas.authn.ldap[0].bindDn="cn=user-apereo-cas"
cas.authn.ldap[0].baseDn="ou=application,dc=my,dc=domain"
cas.authn.ldap[0].searchFilter="sAMAccountName={user}"
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].dnFormat="%s...@MY.DOMAIN"
cas.authn.ldap[0].principalAttributeList="sAMAccountName"
cas.authn.ldap[0].useSsl=false

I have this error:
2019-10-11 16:22:04,823 DEBUG [org.apereo.cas.authentication.support.DefaultLdapAccountStateHandler] - <Attempting to handle LDAP account state for [[org.ldaptive.auth.AuthenticationResponse@690116111::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, resolvedDn="kevinim...@MY.DOMAIN", ldapEntry=[dn="kevinim...@MY.DOMAIN"[]], accountState=null, result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580], controls=null]]>

Very strange...
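The useful part of the log line above is the "data 52e" Active Directory appends to LDAP result 49: AD uses that sub-code to say why the bind was rejected (wrong password versus a disabled, expired or locked account), which decides whether to look at the password or at the account. This decoder is an added example, not code from this thread or from CAS; the inline log line is constructed in the shape of the one quoted above, with placeholder DN and DSID values.

```python
import re

# Constructed log line in the shape of the one quoted above; DN, DSID and
# timestamp are placeholders, not values from a real directory.
SAMPLE_LOG = (
    "2019-10-11 16:22:04,823 DEBUG [org.apereo.cas.authentication.support."
    "DefaultLdapAccountStateHandler] - <Attempting to handle LDAP account state "
    "for [[... resultCode=INVALID_CREDENTIALS, message=javax.naming."
    "AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: "
    "DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580], "
    "controls=null]]>"
)

# Sub-codes Active Directory appends ("data NNN") to LDAP result 49.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password, or bind DN/UPN not accepted)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

AD_ERR_RE = re.compile(
    r"LDAP: error code (\d+) - [0-9A-Fa-f]+: LdapErr: (DSID-[0-9A-Fa-f]+), "
    r"comment: ([^,]+), data ([0-9A-Fa-f]+)")


def decode_ad_bind_error(log_line):
    """Return the parsed AD bind failure in a log line, or None if it has none."""
    m = AD_ERR_RE.search(log_line)
    if not m:
        return None
    code, dsid, comment, data = m.groups()
    return {
        "ldap_result_code": int(code),
        "dsid": dsid,
        "comment": comment.strip(),
        "data": data.lower(),
        "meaning": AD_BIND_SUBCODES.get(data.lower(), "unknown AD sub-code"),
    }


if __name__ == "__main__":
    print(decode_ad_bind_error(SAMPLE_LOG))
```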

Kevin Imbrechts

Oct 14, 2019, 10:19:16 AM
to CAS Community
It's OK, it works with this cas.properties config:

cas.authn.ldap[0].name=LDAP
cas.authn.ldap[0].order=0
cas.authn.ldap[0].ldapUrl=ldap://ad1.my.domain ldap://ad2.my.domain
cas.authn.ldap[0].bindDn=cn=users,ou=application,dc=my,dc=domain
cas.authn.ldap[0].baseDn="ou=application,dc=my,dc=domain"
cas.authn.ldap[0].searchFilter="sAMAccountName={user}"
cas.authn.ldap[0].type=AD
cas.authn.ldap[0].dnFormat="%s...@MY.DOMAIN"
cas.authn.ldap[0].principalAttributeList="sAMAccountName"
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].subtreeSearch=true
