CAS 5 - SPNEGO with LDAP fallback


Petr Gašparík - AMI Praha a.s.

Apr 6, 2017, 4:46:04 AM
to CAS Community
Hi,
we integrated Apereo CAS with AD via SPNEGO, with fallback to LDAP.

It works like this:
  1. Try SPNEGO auth
  2. If it fails, show browser dialog for Kerberos login (L/P from AD)
  3. If it fails, show login page for LDAP auth

Now, how to get rid of step 2?

Use case:
  1. Try SPNEGO auth
  2. If it fails, show login page for LDAP auth
Thanks!
Petr Gašparík

Philippe MARASSE

Apr 6, 2017, 5:49:56 AM
to cas-...@apereo.org
Hello,

What does the step 2 dialog box look like? I suspect it could be the NTLM dialog box shown by the browser. Have you disabled NTLM?

If you need login/passwd fallback, enable MixedMode Authentication.

Regards.
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c9b1459f-54ca-48a5-9b0f-868dadaf0b17%40apereo.org.

-- 
Philippe MARASSE

Head of the Infrastructures division - DSIO
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Cœur 
86021 Poitiers Cedex
Tel : 05.49.44.57.19

Petr Gašparík - AMI Praha a.s.

Apr 6, 2017, 5:57:18 AM
to CAS Community
Hi, it is a browser dialog:
[Embedded image 1]

We are trying to turn off NTLM, so I think it is in cas.properties:
 cas.spnego.ntlm.allowed=false

--

Best regards

Petr Gašparík
solution architect

gsm: [+420] 603 523 860
e-mail: petr.g...@ami.cz

AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz

By the text of this e-mail the signatory neither promises to conclude nor concludes any contract on behalf of AMI Praha a.s. Any contract, if concluded, must be exclusively in written form.



Pascal Rigaux

Apr 6, 2017, 6:07:23 AM
to cas-...@apereo.org
On 06/04/2017 10:46, Petr Gašparík - AMI Praha a.s. wrote:
> 1. Try SPNEGO auth
> 2. If it fails, show browser dialog for Kerberos login (L/P from AD)
> 3. If it fails, show login page for LDAP auth
>
> Now, how to get rid of step 2?

You can't do it for Internet Explorer or Chrome on Windows.
That's why we only allow SPNEGO on Firefox!

If you can modify the user-agent when you are sure SPNEGO will work,
for example by adding "Kerberos", you can add it to the "supportedBrowser" whitelist.

cu

Petr Gašparík - AMI Praha a.s.

Jun 2, 2017, 8:35:34 AM
to CAS Community
Hi,
I still have that annoying login dialog, which I don't want to see.
[Embedded image 1]
How to get rid of it? SPNEGO is working fine inside the domain; I see the dialog only OUTSIDE the AD domain.

I mean: if SPNEGO fails, show LoginView

My configuration (details obfuscated):

cas.properties:
## SPNEGO kerberos
cas.authn.spnego.kerberosConf=/etc/krb5.conf
cas.authn.spnego.jcifsServicePrincipal=HTTP/kdcserver.example.com@VAD1
cas.authn.spnego.kerberosRealm=VAD1
cas.authn.spnego.kerberosKdc=10.123.45.67
cas.authn.spnego.kerberosDebug=true
cas.authn.spnego.mixedModeAuthentication=true
cas.authn.spnego.ntlmAllowed=false
cas.authn.spnego.ntlm=false
cas.authn.spnego.send401OnAuthenticationFailure=false


krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = VAD1
 default_keytab_name = /etc/krb5.keytab
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tkt_enctypes = rc4-hmac
 # "bc4-hmac" is not a valid enctype name; the intended value is rc4-hmac
 default_tgs_enctypes = rc4-hmac
 kdc_timesync = 1
 ccache_type = 4
 forwardable = true
 proxiable = true

[realms]
 VAD1 = {
 admin_server = ad2v.vad1.example.com
 }

[domain_realm]

[login]
 krb4_convert = false
 krb4_get_tickets = false

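As an added illustration (not code from this thread or from CAS itself), the Python below models the server-side gate that the settings in the configuration above and the "supportedBrowser" whitelist Pascal mentions control: which browsers get a Negotiate challenge at all, and what happens when the browser answers with NTLM while ntlmAllowed=false. The token classification is real (NTLM messages carry the NTLMSSP header; GSS-API/SPNEGO tokens start with the 0x60 tag and the OID 1.3.6.1.5.5.2), but the decision rules are a simplified model of CAS behaviour, the default whitelist is assumed, and the sample headers are constructed, not captured tickets.

```python
import base64
import binascii

# Byte signatures used to tell the two token families apart.
NTLM_SIG = b"NTLMSSP\x00"                          # NTLMSSP header of an NTLM message
SPNEGO_OID = bytes.fromhex("06062b0601050502")     # DER OID 1.3.6.1.5.5.2 (SPNEGO)

# Constructed sample headers (not real tickets): an NTLM Type 1 message and a
# minimal GSS-API InitialContextToken wrapping an empty SPNEGO negTokenInit.
NTLM_SAMPLE = "Negotiate " + base64.b64encode(
    NTLM_SIG + b"\x01\x00\x00\x00\x07\x82\x08\xa2").decode()
KRB_SAMPLE = "Negotiate " + base64.b64encode(
    b"\x60\x10" + SPNEGO_OID + b"\xa0\x06\x30\x04\xa0\x02\x30\x00").decode()


def classify_negotiate(auth_header):
    """Classify an Authorization header: 'none', 'ntlm', 'kerberos' or 'malformed'."""
    if not auth_header or not auth_header.startswith("Negotiate "):
        return "none"
    try:
        token = base64.b64decode(auth_header[len("Negotiate "):], validate=True)
    except (ValueError, binascii.Error):
        return "malformed"
    if token.startswith(NTLM_SIG):
        return "ntlm"
    # GSS-API tokens start with the APPLICATION 0 tag (0x60) followed by the mech OID.
    if token[:1] == b"\x60" and SPNEGO_OID in token[:16]:
        return "kerberos"
    return "malformed"


def spnego_decision(user_agent, auth_header,
                    supported_browsers=("MSIE", "Trident", "Firefox", "AppleWebKit"),
                    ntlm_allowed=False, mixed_mode=True, send_401_on_failure=False):
    """Simplified model (assumption, not CAS code) of what the login flow does next."""
    # Browsers outside the supportedBrowsers whitelist never get a Negotiate challenge.
    if not any(marker in user_agent for marker in supported_browsers):
        return "login_page"
    kind = classify_negotiate(auth_header)
    if kind == "none":
        return "challenge"             # 401 with WWW-Authenticate: Negotiate
    if kind == "kerberos" or (kind == "ntlm" and ntlm_allowed):
        return "authenticate_" + kind  # hand the token to the SPNEGO/NTLM handler
    # NTLM with ntlmAllowed=false, or an unparseable token: SPNEGO has failed.
    if send_401_on_failure:
        return "challenge"
    return "login_page" if mixed_mode else "error"
```

A client that answers with NTLM is the situation Philippe suspected in step 2: with ntlmAllowed=false and mixed mode on, the model falls through to the login page rather than re-challenging, whereas send401OnAuthenticationFailure=true would keep the browser in the challenge loop that shows the dialog.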

Pascal Rigaux

Jun 3, 2017, 12:51:11 PM
to cas-...@apereo.org
Hi,

If you enable SPNEGO on MSIE and you are outside AD, it will always prompt.
It may be the same on Chrome, I can't remember exactly.

The solution we used here is to enable SPNEGO on Firefox only, and we
advise users to use Firefox.

cu


"Petr Gašparík - AMI Praha a.s." <petr.g...@ami.cz> wrote:

> Hi,
> I still have that *annoying login dialog, *which I don't want to see.
> [image: Embedded image 1]
> How to get rid of it? SPNEGO is working fine inside the domain; I see the dialog only
> OUTSIDE the AD domain.
>
> I mean: if SPNEGO fails, show LoginView
>
> *My configuration (details obfuscated):*
>
> *cas.properties:*


--
Pascal Rigaux


Colin Wilkinson

Jun 3, 2017, 9:32:51 PM
to CAS Community
What we found is that Chrome does not have its own settings; it relies on the Internet Explorer settings.

Internet Explorer, unlike Firefox, has three settings.

Internet Explorer settings:
1. On and CAS server allowed.
2. On and CAS server not allowed. Note: this is the default setting.
3. Turned off.

The issue is with 2: rather than going to the login page, it brings up that box. If configured properly to be on or off, Internet Explorer works fine and so does Chrome.

The only way we were able to overcome this problem was to have the main button go to the login page and have a link below the button that enables SPNEGO.

Petr Gašparík - AMI Praha a.s.

Jun 20, 2017, 6:32:25 AM
to CAS Community
Solved. It was on the client side.

So, if you want to skip the login dialog, do this in every related zone (or all: Internet, Intranet, Trusted):

Custom level: User Authentication -> Logon -> Automatic logon with current user name and password

[Embedded image 1]
