On 09/09/2013 19:27, Tom Mendenhall wrote:
> I am not able to utilize SPNEGO with CAS (3.4.n/3.5.n). Computers/mobile devices not configured for SPNEGO or outside AD are not redirected to the fallback login form page. I get a 401 error page instead.
>
> I have been able to make it work in a dev cluster by creating a custom user-agent string and adding the string to SpnegoNegociateCredentialsAction.java.
>
>     public void afterPropertiesSet() throws Exception {
>         if (this.supportedBrowser == null) {
>             this.supportedBrowser = new ArrayList<String>();
>             this.supportedBrowser.add("my-custom-string");
>         }
>     }
>
> Desktop support does not want to modify the user-agent string in GPO because of the multiple browsers on each computer. Also, every browser update resets the user-agent string.
>
> List of related SPNEGO problems: https://issues.jasig.org/browse/CAS/component/10340
>
> Questions.
>
> Is there anyone using SPNEGO in a production environment?
Yes, for a year now, two nodes clustered behind Apache + mod_jk.
> Did you make any modifications to the CAS source code?

Yes, as stated in my comment on https://issues.jasig.org/browse/CAS-1166: I've modified SpnegoNegociateCredentialsAction.java to return a new transition "negotiate" when 401 status is sent back to the browser.
But our use case is different: SPNEGO is only used inside our hospital; access from outside is done via the standard login page. I've identified three use cases of SPNEGO:
- Kerberized computer with properly configured browser: works out of the box with directions from the CASUM page.
- Non-kerberized computer with properly configured browser: triggers SPNEGO each time although the first "blank ticket" has been sent by the browser, a little annoyance that can be easily mitigated with a modification of login-webflow.
- Any computer with a misconfigured browser: show a customized error page, not the login/password page. Achieved with a modification of the SpnegoNegociateCredentialsAction class and a modification of login-webflow.
> If so, could you share your documentation?
>
> I am wondering if adding a cas entry to the local /etc/hosts file on AD computers that would redirect the browsers to a SPNEGO-only host(s) in a cluster would work, using maybe a LB rewrite rule?
>
> Thanks,
> Tom
Rgds.

--
Philippe MARASSE
Pôle Infrastructures - Direction du Systèmes d'Informations et de l'Organisation
Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Coeur
86021 Poitiers Cedex
Tel : 05.49.44.57.19
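
The gating decision discussed in this thread, as an added example that is not part of either message and is not CAS code: the names `SpnegoGateDemo`, `Step`, `decide` and `describe` are hypothetical, and the sample requests and the "Firefox" list entry are constructed. It shows why a client missing from the supported list goes straight to the form, while a listed client that cannot negotiate sees whatever body the 401 carries.

```java
import java.util.Arrays;
import java.util.List;
// Added illustration only: class, enum and method names are hypothetical, not CAS APIs.
public class SpnegoGateDemo {
    enum Step { FORM_LOGIN, CHALLENGE_WITH_BODY, VALIDATE_TOKEN }

    // Substrings matched against User-Agent, in the spirit of the supportedBrowser
    // list quoted in the thread. "Firefox" is a constructed sample value.
    static final List<String> SUPPORTED = Arrays.asList("my-custom-string", "Firefox");
    static final String SCHEME = "Negotiate ";

    static Step decide(String userAgent, String authorization) {
        boolean supported = userAgent != null
                && SUPPORTED.stream().anyMatch(userAgent::contains);
        // The User-Agent is client-controlled: it only decides who is offered SPNEGO.
        // Authentication still rests entirely on validating the token.
        if (!supported) return Step.FORM_LOGIN;
        if (authorization != null && authorization.length() > SCHEME.length()
                && authorization.regionMatches(true, 0, SCHEME, 0, SCHEME.length())) {
            return Step.VALIDATE_TOKEN;
        }
        return Step.CHALLENGE_WITH_BODY;
    }

    static String describe(Step step) {
        switch (step) {
            case FORM_LOGIN: return "200, login form (no 401 is ever sent)";
            case VALIDATE_TOKEN: return "pass the token to the Kerberos/SPNEGO validator";
            default:
                // A browser that does not answer the challenge renders this body,
                // so it must be a usable page rather than the container's default 401.
                return "401, WWW-Authenticate: Negotiate, body = error page or login link";
        }
    }

    public static void main(String[] args) {
        // Constructed requests: {User-Agent, Authorization}
        String[][] requests = {
            {"Mozilla/5.0 (Mobile) ExampleBrowser/1.0", null},
            {"Mozilla/5.0 Firefox/23.0", null},
            {"Mozilla/5.0 Firefox/23.0", "Negotiate Y29uc3RydWN0ZWQ="},
        };
        for (String[] r : requests) {
            System.out.println(r[0] + " -> " + describe(decide(r[0], r[1])));
        }
    }
}
```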