Today, it works a little better : I get 401, my browser send its ticket... but no authentication :
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC I have to declare my keytab as default keytab in /etc/krb5.conf to get authenticated (keytab is read *before* login.conf) ! It was not necessary with CASv3.5. If my keytab is not declared in /etc/krb5.conf, login.conf is not read either, why ?? Last test, with only a few parameters : cas.authn.spnego.kerberosConf=/etc/krb5.conf cas.authn.spnego.mixedModeAuthentication=false cas.authn.spnego.jcifsServicePrincipal=HTTP/php-dev.mydomain....@mydomain.com cas.authn.spnego.ntlmAllowed=false cas.authn.spnego.hostNamePatternString=.+ cas.authn.spnego.supportedBrowsers=MSIE,Firefox,AppleWebKit cas.authn.spnego.hostNameClientActionStrategy=hostnameSpnegoClientAction cas.authn.spnego.ipsToCheckPattern=172.+ cas.authn.spnego.send401OnAuthenticationFailure=false cas.authn.spnego.principalWithDomainName=false it works... Is the documentation needing update ? Regards. Le 10/08/2016 à 17:42, Philippe MARASSE a écrit : > Folks, > > I'm testing my freshly installed cas 5.0.0RC1-SNAPSHOT with SPNEGO, > following instructions at > https://apereo.github.io/cas/development/installation/SPNEGO-Authentication.html > > Everything looks right at tomcat startup (krb5 princpal (fixed @, kdc, > etc.), My browser get a 401 with WWW-Authenticate: Negotiate as > expected. So it sends its Authorization: Negotiate header, but CAS does > not seem to catch the header (see attached catalina.out log file) and > throws a NullPointerException. > > Tomcat is behind Apache + mod_jk, packetSize has been increased to 16k. > > Am I missing something ? > > Regards. > -- Philippe MARASSE Responsable pôle Infrastructures - DSIO Centre Hospitalier Henri Laborit CS 10587 - 370 avenue Jacques Cœur 86021 Poitiers Cedex Tel : 05.49.44.57.19 -- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To post to this group, send email to cas-user@apereo.org. Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/e1b3772b-8210-abf7-5151-3b85dd10e5ef%40ch-poitiers.fr. For more options, visit https://groups.google.com/a/apereo.org/d/optout.