SPNEGO / login prompt / fallback to classic login


Louis Chanouha

Feb 15, 2022, 7:37:58 AM2/15/22
to CAS Community
Hello,
Actually CAS displays a login prompt (Chrome, Edge, not Firefox) when SPNEGO fails (even with ntlm=false & ntlm-allowed=false). I thought this was a browser limitation, but the Microsoft Azure AD login service handles the SPNEGO to password authentication fallback very well, with an integrated picture.

When I debug auth in CAS, I see a failed HTTP request with the corresponding logs:

2022-02-15 10:14:24,605 INFO [org.apereo.cas.web.flow.client.BaseSpnegoKnownClientSystemsFilterAction] - <Spnego should be activated for [10.29.20.2]>
2022-02-15 10:14:24,605 DEBUG [org.apereo.cas.web.flow.SpnegoNegotiateCredentialsAction] - <Authorization header [null], User Agent header [Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36]>
2022-02-15 10:14:24,605 DEBUG [org.apereo.cas.web.flow.SpnegoNegotiateCredentialsAction] - <Authorization header not found or does not match the message prefix [Negotiate ]. Sending [WWW-Authenticate] header [Negotiate]>
2022-02-15 10:14:24,605 DEBUG [org.apereo.cas.web.flow.SpnegoNegotiateCredentialsAction] - <Mixed-mode authentication is enabled>
2022-02-15 10:14:24,605 DEBUG [org.apereo.cas.web.flow.SpnegoCredentialsAction] - <Available request headers are [[host, cache-control, sec-ch-ua, sec-ch-ua-mobile, sec-ch-ua-platform, upgrade-insecure-requests, user-agent, accept, sec-fetch-site, sec-fetch-mode, sec-fetch-user, sec-fetch-dest, accept-encoding, accept-language, cookie]]>
2022-02-15 10:14:24,605 DEBUG [org.apereo.cas.web.flow.SpnegoCredentialsAction] - <SPNEGO Authorization header located as [null]>
2022-02-15 10:14:24,605 WARN [org.apereo.cas.web.flow.SpnegoCredentialsAction] - <SPNEGO Authorization header is not found under [Authorization]>
2022-02-15 10:14:24,605 INFO [org.apereo.cas.web.flow.actions.AbstractNonInteractiveCredentialsAction] - <No credentials could be extracted/detected from the current request>
2022-02-15 10:14:24,605 INFO [org.apereo.cas.web.flow.SpnegoCredentialsAction] - <Action execution disallowed; pre-execution result is 'error'>


Behavior on https://login.microsoftonline.com/ is not the same, but they seem to have a workaround by calling SPNEGO via an image, with no failed request.


[Request]
GET /insa-toulouse.fr/winauth/ssoprobe?client-request-id=xxx&_=yyy HTTP/1.1
Host: autologon.microsoftazuread-sso.com
Connection: keep-alive
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="98", "Google Chrome";v="98"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://login.microsoftonline.com/

[Response]
HTTP/1.1 401 Unauthorized
Cache-Control: no-store, no-cache
Pragma: no-cache
Content-Type: image/png; charset=utf-8
Expires: -1
Vary: Origin
X-Content-Type-Options: nosniff
Access-Control-Allow-Origin: https://login.microsoftonline.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, OPTIONS
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
x-ms-request-id: xxx
x-ms-ests-server: 2.1.12470.11 - WEULR1 ProdSlices
Referrer-Policy: strict-origin-when-cross-origin
WWW-Authenticate: Negotiate
Set-Cookie: fpc=eee; expires=Thu, 17-Mar-2022 10:16:10 GMT; path=/; secure; HttpOnly; SameSite=None
Set-Cookie: x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly
Set-Cookie: stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
Date: Tue, 15 Feb 2022 10:16:09 GMT
Content-Length: 12

Maybe SPNEGO failure is not handled properly in CAS?
Did anyone successfully get a working seamless SPNEGO probe?
I already extended my CAS to add opt-in SPNEGO, but I'm not fluent with the workflow and how to add a public SPNEGO endpoint for the picture.

Louis
