Hello,
I'm currently experimenting with a CAS 4.2.3 + SPNEGO setup, and have run into
some problems. I followed the wiki instructions for setting up SPNEGO,
but it seems that I've missed something or didn't understand something
correctly.
Currently, I have a working Kerberos setup with AD (keytab is ok, and
kinit is working as it should), and login.conf located in /etc/cas/
(the location is specified inside the cas.properties file). Also,
modifications to the login-webflow.xml are done (replaced
to=viewLoginForm actions with to=startSpnegoAuthenticate).
Now, when I try to authenticate, I get a 500 internal server error. The logs
show the following behaviour:
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'ticketGrantingTicketCheck' of flow 'login'>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing [EvaluateAction@3bf69b2b expression = ticketGrantingTicketCheckAction, resultExpression = [null]]>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.AnnotatedAction] - <Putting action execution attributes map[[empty]]>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.jasig.cas.web.flow.TicketGrantingTicketCheckAction@26573ce1>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.jasig.cas.web.flow.TicketGrantingTicketCheckAction@26573ce1; result = notExists>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.AnnotatedAction] - <Clearing action execution attributes map[[empty]]>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@3bf69b2b expression = ticketGrantingTicketCheckAction, resultExpression = [null]]; result = notExists>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@7ae23c26 on = notExists, to = gatewayRequestCheck]>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'ticketGrantingTicketCheck'>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.engine.DecisionState] - <Entering state 'gatewayRequestCheck' of flow 'login'>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@43fd721f on = *, to = serviceAuthorizationCheck]>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'gatewayRequestCheck'>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'serviceAuthorizationCheck' of flow 'login'>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing [EvaluateAction@20aff67 expression = serviceAuthorizationCheck, resultExpression = [null]]>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.AnnotatedAction] - <Putting action execution attributes map[[empty]]>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.jasig.cas.web.flow.ServiceAuthorizationCheck@7b8ba682>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.jasig.cas.web.flow.ServiceAuthorizationCheck@7b8ba682; result = success>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.AnnotatedAction] - <Clearing action execution attributes map[[empty]]>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@20aff67 expression = serviceAuthorizationCheck, resultExpression = [null]]; result = success>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@78e25983 on = *, to = generateLoginTicket]>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'serviceAuthorizationCheck'>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'generateLoginTicket' of flow 'login'>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing [EvaluateAction@a6fdfbc expression = generateLoginTicketAction.generate(flowRequestContext), resultExpression = [null]]>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.execution.AnnotatedAction] - <Putting action execution attributes map[[empty]]>
2016-07-11 10:06:54,755 DEBUG [org.jasig.cas.web.flow.GenerateLoginTicketAction] - <Generated login ticket LT-346-BXiKx6UYxpODpnR5Pcey-xxxxxxxxxxx>
2016-07-11 10:06:54,756 DEBUG [org.springframework.webflow.execution.AnnotatedAction] - <Clearing action execution attributes map[[empty]]>
2016-07-11 10:06:54,756 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@a6fdfbc expression = generateLoginTicketAction.generate(flowRequestContext), resultExpression = [null]]; result = generated>
2016-07-11 10:06:54,756 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@692cd498 on = generated, to = startSpnegoAuthenticate]>
2016-07-11 10:06:54,756 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'generateLoginTicket'>
2016-07-11 10:06:54,756 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'startSpnegoAuthenticate' of flow 'login'>
2016-07-11 10:06:54,756 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing [EvaluateAction@142933c8 expression = negociateSpnego, resultExpression = [null]]>
2016-07-11 10:06:54,756 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction@1abe21d0>
2016-07-11 10:06:54,756 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - <Authorization header [null], User Agent header [Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko]>
2016-07-11 10:06:54,757 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - <Authorization header not found or does not match the message prefix [Negotiate ]. Sending [WWW-Authenticate] header [Negotiate]>
2016-07-11 10:06:54,758 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction@1abe21d0; result = success>
2016-07-11 10:06:54,758 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@142933c8 expression = negociateSpnego, resultExpression = [null]]; result = success>
2016-07-11 10:06:54,758 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@1d6b7385 on = success, to = spnego]>
2016-07-11 10:06:54,758 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'startSpnegoAuthenticate'>
2016-07-11 10:06:54,758 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'spnego' of flow 'login'>
2016-07-11 10:06:54,758 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing [EvaluateAction@2c49b6e2 expression = spnego, resultExpression = [null]]>
2016-07-11 10:06:54,758 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Executing org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction@31c7f7c5>
2016-07-11 10:06:54,758 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing org.jasig.cas.support.spnego.web.flow.SpnegoCredentialsAction@31c7f7c5; result = error>
2016-07-11 10:06:54,758 DEBUG [org.springframework.webflow.execution.ActionExecutor] - <Finished executing [EvaluateAction@2c49b6e2 expression = spnego, resultExpression = [null]]; result = error>
2016-07-11 10:06:54,758 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@53ba1570 on = error, to = ticketGrantingTicketCheck]>
2016-07-11 10:06:54,758 DEBUG [org.springframework.webflow.engine.Transition] - <Exiting state 'spnego'>
This is repeated about a hundred times, and finally the client sees an
error message from the CAS server. So does anyone have an idea what's
wrong with the configuration?
And one other question: how do I configure LDAP fallback for SPNEGO?
--
Antti Sirviö
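
An added example, not part of the original message or of CAS: a small Python script that rebuilds the webflow state path from DEBUG lines like those in the log above and reports the transition that closes the loop, how often it fired, and the Authorization header value CAS logged. The function name `analyze` and the embedded sample (one pass abbreviated from the log above, repeated three times) are constructed for illustration.

```python
import re
from collections import Counter

ENTER = re.compile(r"<Entering state '([^']+)' of flow '[^']+'>")
TRANS = re.compile(r"<Executing \[Transition@\w+ on = ([^,]+), to = ([^\]]+)\]>")
AUTHZ = re.compile(r"<Authorization header \[([^\]]*)\]")

def analyze(log_text):
    """Rebuild the webflow state path and report the first transition that loops back."""
    current, path, edges, back_edge, headers = None, [], Counter(), None, set()
    for line in log_text.splitlines():
        if m := ENTER.search(line):
            current = m.group(1)
            path.append(current)
        elif (m := TRANS.search(line)) and current is not None:
            edge = (current, m.group(1).strip(), m.group(2).strip())
            edges[edge] += 1
            # A transition into a state that was already entered closes a cycle.
            if back_edge is None and edge[2] in path:
                back_edge = edge
        elif m := AUTHZ.search(line):
            headers.add(m.group(1))  # value CAS logged for the request header
    cycle = []
    if back_edge:
        start = path.index(back_edge[2])
        cycle = path[start:path.index(back_edge[0], start) + 1]
    return {"back_edge": back_edge, "repeats": edges[back_edge] if back_edge else 0,
            "cycle": cycle, "authorization_headers": headers}

# Constructed sample: one pass through the flow, abbreviated from the log above.
ONE_PASS = """\
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'ticketGrantingTicketCheck' of flow 'login'>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@7ae23c26 on = notExists, to = gatewayRequestCheck]>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.engine.DecisionState] - <Entering state 'gatewayRequestCheck' of flow 'login'>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@43fd721f on = *, to = serviceAuthorizationCheck]>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'serviceAuthorizationCheck' of flow 'login'>
2016-07-11 10:06:54,755 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@78e25983 on = *, to = startSpnegoAuthenticate]>
2016-07-11 10:06:54,756 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'startSpnegoAuthenticate' of flow 'login'>
2016-07-11 10:06:54,756 DEBUG [org.jasig.cas.support.spnego.web.flow.SpnegoNegociateCredentialsAction] - <Authorization header [null], User Agent header [Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko]>
2016-07-11 10:06:54,758 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@1d6b7385 on = success, to = spnego]>
2016-07-11 10:06:54,758 DEBUG [org.springframework.webflow.engine.ActionState] - <Entering state 'spnego' of flow 'login'>
2016-07-11 10:06:54,758 DEBUG [org.springframework.webflow.engine.Transition] - <Executing [Transition@53ba1570 on = error, to = ticketGrantingTicketCheck]>
"""

if __name__ == "__main__":
    print(analyze(ONE_PASS * 3))
```

Run against a full cas.log, the `repeats` count shows how many passes the flow made before the server gave up, and `authorization_headers` shows whether the browser ever answered the Negotiate challenge.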