[cas-dev] SPNEGO authentication and NTLM

Thu, 27 May 2010 02:11:44 -0700 

Hi,
I'm using CAS for two years and now I'm trying to make automatic login working. So I configured Spnego module. CAS is running on tomcat on a windows server. I follow the instruction from this page : http://www.ja-sig.org/wiki/display/CASUM/SPNEGO 

Kerberos authentication is working.


So, when a user is logged on a PC with a domain account, when using 
Internet Explorer, kerberos authentication is working if Internet 
Explorer is configured as it must be configured (automatic login must be 
configured for the zone where CAS is, for me intranet zone) - tools > 
options > security > intranet > params > user authentication > connexion 
(my IE is french, maybe my translation of button is not good).



Now, the problem : when a user is logged on a PC without a domain 
account, when using Internet Explorer, kerberos is not working. It is 
normal. But Internet Explorer show a basic authentication popup which is 
the NTLM authentication popup. I'm not sure we can disable it, 
otherwise, even it is possible, it will be hard to change it on all 
personnal computer of user. So if user enter login and password in this 
popup, authentication failed and redirection to login form based page do 
not work (if you hit escape when this popup appears, you will be able to 
see the login form based page).



My problem is I am not able to make NTLM working in CAS. The 
documentation explain Kerberos configuration, but not NTLM.


I try to add the following parameters :

<property name="JcifsDomainController" 
value="an_active_directory_ip_address"

<property name="JcifsDomain" value="DOMAIN" />
<property name="jcifsUsername" value="a_user" />
<property name="jcifsPassword" value="the_password" />
<property name="jcifsNetbiosWins" value="a_wins_server_ip_address" />

The user is entering identifier like : DOMAIN\user in Internet Explorer.

With wireshark, I see that the client is sending NTLMSSP_NEGOTIATE state 
1 and a NTLMSSP_CHALLENGE (state 2) is returned, but not state 3 from 
client is sending, connection is stopped by the client.



Can someone help me to make NTML working in order to have Internet 
Explorer working when user is not using a domain account on his computer 
(home computer for example).


Thanks

Matthieu MARC


--
Matthieu MARC
matthieu.m...@ensam.eu


--
You are currently subscribed to cas-dev@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-dev






















					Reply via email to