Hi Nicholas,

It seems to me that the Kerberos / SPNEGO client selection strategy has been broken since Alfresco 5.0.x.
Indeed, there are several other messages in this discussion list referring to this problem: here <https://groups.google.com/a/apereo.org/d/topic/cas-user/4V8fiuPARI0/discussion>, here <https://groups.google.com/a/apereo.org/d/topic/cas-user/HZCbd9ghOM4/discussion> and here <https://groups.google.com/a/apereo.org/d/topic/cas-user/PPIe-SPPCtg/discussion>, and I didn't manage to make it work (IP based) in the CAS 5.1.7 release.

SPNEGO Client Selection strategy setup is done in the SpengoWebflowConfigurer <https://github.com/apereo/cas/blob/2606c6908a6740cdf91dfd950ea3a6e2d95731c5/support/cas-server-support-spnego-webflow/src/main/java/org/apereo/cas/web/flow/SpengoWebflowConfigurer.java#L71> class, using the "cas.authn.spnego.hostNameClientActionStrategy" parameter value to set the strategy (defaults to "hostnameSpnegoClientAction"). You can use the "ldapSpnegoClientAction" value to use an LDAP Client Selection Strategy.

The problem is that the Spring MVC Web Flow is configured to use the "START_SPNEGO_AUTHENTICATE" action state by default <https://github.com/apereo/cas/blob/2606c6908a6740cdf91dfd950ea3a6e2d95731c5/support/cas-server-support-spnego-webflow/src/main/java/org/apereo/cas/web/flow/SpengoWebflowConfigurer.java#L51>, instead of the "EVALUATE_SPNEGO_CLIENT" action state (evaluateClientRequest) <https://github.com/apereo/cas/blob/2606c6908a6740cdf91dfd950ea3a6e2d95731c5/support/cas-server-support-spnego-webflow/src/main/java/org/apereo/cas/web/flow/SpengoWebflowConfigurer.java#L71>. Therefore, the Client Selection Strategy is never applied. I didn't find any way to use CAS configuration properties to add the *evaluateClientRequest* action state before the *startSpnegoAuthenticate* state.
The only way to do this may be to override the CasWebflowConstants.STATE_ID_INIT_LOGIN_FORM state (as done here <https://github.com/apereo/cas/blob/2606c6908a6740cdf91dfd950ea3a6e2d95731c5/support/cas-server-support-spnego-webflow/src/main/java/org/apereo/cas/web/flow/SpengoWebflowConfigurer.java#L51>) in a custom bean and configure it to transition to the evaluateClientRequest state.

I may have missed something, and I hope a CAS Developer can clarify it.

Regards,
Charles

On Thursday, 17 May 2018 07:47:54 UTC+2, Nicholas Wylie wrote:
>
> Hi CAS Community,
>
> I've successfully configured CAS 5.2 with LDAP/SPNEGO authentication
> against our Active Directory.
>
> What we have noticed though is that non-domain joined computers see a
> pop-up prompt for credentials when they visit the CAS login page. From my
> reading, I believe we can fix this by configuring the LDAP Client Selection
> Strategy for SPNEGO, but the documentation for which properties need to be
> configured seems to be a bit scarce.
>
> Can someone offer any guidance (or a link to some documentation) as to
> which properties I need to configure to use the LDAP Client Selection
> Strategy?
>
> Thanks,
> Nicholas
>
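Added illustration, not part of either message and not CAS code: a simplified Python model of the login flow wiring discussed in this thread, comparing the default transition straight to startSpnegoAuthenticate with a flow that passes through evaluateClientRequest first. The state labels come from the reply above; the `loginFormView` label, the IP-based check and the sample network are assumptions made for the example.

```python
import ipaddress

# State labels taken from the thread. This is a model of the transitions,
# not the Spring Web Flow definitions that CAS builds.
INIT_LOGIN_FORM = "STATE_ID_INIT_LOGIN_FORM"
EVALUATE = "evaluateClientRequest"
START_SPNEGO = "startSpnegoAuthenticate"
LOGIN_FORM = "loginFormView"  # hypothetical label for the plain login form

# Constructed sample: network where domain-joined machines are expected.
KNOWN_CLIENT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]


def is_known_client(remote_ip):
    """IP-based client selection: True only for addresses in a known network."""
    addr = ipaddress.ip_address(remote_ip)
    return any(addr in net for net in KNOWN_CLIENT_NETWORKS)


def build_flow(gated):
    """Return a transition table: state -> function(remote_ip) -> next state."""
    flow = {
        # Selection strategy: only known clients proceed to the SPNEGO challenge.
        EVALUATE: lambda ip: START_SPNEGO if is_known_client(ip) else LOGIN_FORM,
        START_SPNEGO: lambda ip: None,  # terminal in this model
        LOGIN_FORM: lambda ip: None,    # terminal in this model
    }
    if gated:
        # Wiring proposed in the reply: evaluate the client before SPNEGO.
        flow[INIT_LOGIN_FORM] = lambda ip: EVALUATE
    else:
        # Wiring described as the default: go straight to the SPNEGO challenge.
        flow[INIT_LOGIN_FORM] = lambda ip: START_SPNEGO
    return flow


def run(flow, remote_ip):
    """Walk the flow from the init state; return (visited states, headers sent)."""
    state, path = INIT_LOGIN_FORM, []
    while state is not None:
        path.append(state)
        state = flow[state](remote_ip)
    # Reaching the SPNEGO state means the client is sent a Negotiate challenge,
    # which a machine without a Kerberos ticket answers with a credentials prompt.
    headers = {"WWW-Authenticate": "Negotiate"} if START_SPNEGO in path else {}
    return path, headers
```

With `gated=False` every address, including one outside the known network, receives the Negotiate challenge; with `gated=True` only addresses inside the known network do.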
