CAS flow configuration

Luis Antonio Garcia

Feb 5, 2021, 2:30:49 PM
to CAS Community

Hi everyone

My ideal scenario is the following:

  • The user tries the page with CAS security
  • CAS uses SPNEGO for authentication
  • If there is an authentication error, try LDAP with user/password

But now I get the following:

  • The user tries the page with CAS security
  • CAS uses SPNEGO for authentication
  • If there is an error (for example, an external user without a Windows user), it fails.

Could you help me?

CAS. Properties

cas.webflow.autoconfigure=true

cas.authn.spnego.order=0
# cas.authn.spnego.mixed-mode-authentication=false
# cas.authn.spnego.supported-browsers=MSIE,Trident,Firefox,AppleWebKit
# cas.authn.spnego.send401-on-authentication-failure=true
# cas.authn.spnego.ntlm-allowed=true
# cas.authn.spnego.principal-with-domain-name=false
# cas.authn.spnego.name=
# cas.authn.spnego.ntlm=false

cas.authn.spnego.mixed-mode-authentication=false
cas.authn.spnego.ntlm-allowed=true
cas.authn.spnego.ntlm=false
cas.authn.spnego.send401-on-authentication-failure=true

cas.authn.spnego.system.login-conf=./etc/cas/config/login.conf
cas.authn.spnego.system.kerberos-conf=./etc/cas/config/krb5.conf
cas.authn.spnego.system.kerberos-realm=estepario-win.net
cas.authn.spnego.system.kerberos-debug=true
cas.authn.spnego.system.use-subject-creds-only=false
cas.authn.spnego.system.kerberos-kdc=xxx.xx.xx.xx

# cas.authn.spnego.properties[0].cache-policy=600
cas.authn.spnego.properties[0].jcifs-domain-controller=ESTEPARIO-WIN.NET
cas.authn.spnego.properties[0].jcifs-domain=estepario-win.net
cas.authn.spnego.properties[0].jcifs-password=xxxxxxxxxx
cas.authn.spnego.properties[0].jcifs-username=administrator
cas.authn.spnego.properties[0].jcifs-service-password=Pass001.
cas.authn.spnego.properties[0].timeout=300000
cas.authn.spnego.properties[0].jcifs-service-principal=HTTP/cas.estepar...@ESTEPARIO-WIN.NET
# cas.authn.spnego.properties[0].jcifs-netbios-wins=

cas.authn.spnego.host-name-client-action-strategy=hostnameSpnegoClientAction

#cas.authn.spnego.mixed-mode-authentication=true
# cas.authn.spnego.alternative-remote-host-attribute=alternateRemoteHeader
# cas.authn.spnego.ips-to-check-pattern=127.+
# cas.authn.spnego.dns-timeout=2000
# cas.authn.spnego.host-name-pattern-string=.+

cas.authn.spnego.spnego-attribute-name=sAMAccountName

cas.authn.spnego.ldap.ldapUrl=ldap://estepario-win01.estepario-win.net
cas.authn.spnego.ldap.baseDn=DC=estepario-win,DC=net
cas.authn.spnego.ldap.bindDn=CN=Administrator,CN=Users,DC=estepario-win,DC=net
cas.authn.spnego.ldap.bindCredential=xxxxxxxxxxxxxxxxxx
cas.authn.spnego.ldap.providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.spnego.ldap.userFilter= sAMAccountName={user}

cas.authn.ldap[0].enabled=false
cas.authn.ldap[0].order=1
cas.authn.ldap[0].name= Active Directory
cas.authn.ldap[0].type= AD
cas.authn.ldap[0].ldapUrl= ldap://estepario-win01.estepario-win.net
cas.authn.ldap[0].validatePeriod= 270
cas.authn.ldap[0].poolPassivator= NONE
cas.authn.ldap[0].userFilter= sAMAccountName={user}
cas.authn.ldap[0].baseDn= DC=estepario-win,DC=net
cas.authn.ldap[0].dnFormat= cn=%s,CN=Users,DC=estepario-win,DC=net
cas.authn.ldap[0].principalAttributeList=memberOf,cn,givenName,mail,sAMAccountName
cas.authn.ldap[0].bindDn=CN=Administrator,CN=Users,DC=estepario-win,DC=net
cas.authn.ldap[0].bindCredential=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Log

2021-02-05 20:01:32.686  WARN 128780 --- [nio-8080-exec-1] o.a.c.w.f.SpnegoCredentialsAction        : SPNEGO Authorization header is not found under [Authorization]
2021-02-05 20:01:32.688  INFO 128780 --- [nio-8080-exec-1] .AbstractNonInteractiveCredentialsAction : No credentials could be extracted/detected from the current request
2021-02-05 20:01:32.689  INFO 128780 --- [nio-8080-exec-1] o.a.c.w.f.SpnegoCredentialsAction        : Action execution disallowed; pre-execution result is 'error'
2021-02-05 20:01:46.510  INFO 128780 --- [nio-8080-exec-2] o.a.i.a.s.Slf4jLoggingAuditTrailManager  : Audit trail record BEGIN


Thanks in advance

If you help me, I will send you beer, wine or milk, as you prefer

Misagh Moayyed

Feb 5, 2021, 3:03:15 PM
to CAS Community
On Friday, February 5, 2021 at 11:30:49 PM UTC+4 Luis Antonio Garcia wrote:

> My ideal scenario is the following:
>
>   • The user tries the page with CAS security
>   • CAS uses SPNEGO for authentication
>   • If there is an authentication error, try LDAP with user/password
>
> But now I get the following:
>
>   • The user tries the page with CAS security
>   • CAS uses SPNEGO for authentication
>   • If there is an error (for example, an external user without a Windows user), it fails.

Have you tried:
cas.authn.spnego.mixed-mode-authentication=true

> "If true, does not terminate authentication and allows CAS to resume and fallback to normal authentication means such as uid/psw via the login page. If disallowed, considers spnego authentication to be final in the event of failures."

> If you help me, I will send you beer, wine or milk, as you prefer

Not necessary, but I do appreciate the offer :)
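
A check for the setting suggested in this reply, as an added example that is not part of the thread or of CAS: it reads cas.properties text and reports which value of mixed-mode-authentication actually takes effect, since the posted file carries an active `=false` and a commented-out `=true`. The function names, the last-definition-wins rule and the relaxed key matching are assumptions of this example.

```python
import re

# Constructed sample: SPNEGO lines taken from the configuration posted above,
# including the commented-out override that sits lower in the file.
SAMPLE = """\
cas.authn.spnego.order=0
# cas.authn.spnego.mixed-mode-authentication=false
cas.authn.spnego.mixed-mode-authentication=false
cas.authn.spnego.send401-on-authentication-failure=true
#cas.authn.spnego.mixed-mode-authentication=true
cas.authn.ldap[0].order=1
"""

MIXED_MODE = "cas.authn.spnego.mixed-mode-authentication"
SETTING = re.compile(r"^\s*(#\s*)?([A-Za-z][\w.\-\[\]]*)\s*=\s*(.*?)\s*$")

def norm(key):
    # Assumption: keys compare as in Spring Boot relaxed binding (case and
    # dashes ignored), so mixedModeAuthentication names the same setting.
    return key.replace("-", "").lower()

def parse(text):
    """Yield (line_no, key, value, active) for live and commented-out settings."""
    for no, raw in enumerate(text.splitlines(), 1):
        m = SETTING.match(raw)
        if m:
            yield no, norm(m.group(2)), m.group(3), m.group(1) is None

def effective(text, key):
    """Value that wins for key (assumption: last live definition wins)."""
    hits = [(no, val, on) for no, k, val, on in parse(text) if k == norm(key)]
    live = [(no, val) for no, val, on in hits if on]
    line, value = live[-1] if live else (None, None)
    return {
        "value": value,
        "line": line,
        "shadowed": live[:-1],  # earlier live definitions that lose
        "commented_out": [(no, val) for no, val, on in hits
                          if not on and val != value],  # inert "overrides"
    }

def spnego_failure_mode(text):
    """Per the thread: mixed mode defaults to false, which makes SPNEGO final."""
    eff = effective(text, MIXED_MODE)
    enabled = (eff["value"] or "false").lower() == "true"
    return ("fallback-to-login-form" if enabled else "spnego-is-final"), eff

if __name__ == "__main__":
    print(spnego_failure_mode(SAMPLE))
```

A non-empty `commented_out` list means the file contains a line that looks like the fix but has no effect until the `#` is removed and the earlier definition is dropped or overridden.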

luis

Feb 5, 2021, 5:22:25 PM
to cas-...@apereo.org
Hi. I tried it, but I get the following:
- Windows basic authentication form
If OK, CAS web form, same credentials.

Is there a way to get only the web form?

Thanks in advance




Ritesh Tripathi

Apr 18, 2021, 8:21:07 AM
to CAS Community, Luis Antonio Garcia
Hi Luis

Please advise me if you were able to successfully configure the SPNEGO authentication in CAS. I am also stuck at a weird problem - where the negotiate token is being sent by the browser however the CAS server is not identifying the same.
I need guidance from people who have done this earlier.
Best Regards
Ritesh

Tomislav Obad

Apr 28, 2023, 9:42:34 AM
to CAS Community, lu...@estepario.net
Dear Luis,

I'm having a similar issue with SPNEGO authentication with mixed-mode-authentication not set (defaults to false):
1. When I'm not on the domain I get 2 login windows: one from Windows/browser and the other from CAS after the login in the first window. If I enter my credentials in both login windows, the application that is integrated with CAS successfully opens.
2. When I'm on the domain everything works as it should, i.e. I'm automatically logged in to the system.

When I enable an option mixed-model-authentication: true, I don't get Windows/browser login, only CAS login, but then SPNEGO stopped working, i.e. I always have to enter username and password whether I'm on the domain or not.

Were you able to solve your issue?

Best regards,
Tomislav
