I followed this guide to integrate my system with Windows AD, so that when someone logs on as a Windows domain user, he can log in to CAS automatically. If the user doesn't use a domain user, I want the system to return the normal HTML login page.
Now I have a problem: when I use a domain user, it works fine. But when I use a non-domain user, Chrome returns an ERR_UNEXPECTED error page to me. You can see in the TCP dump that the system already returns 401 and the login page HTML, but Chrome shows an error.
Can anyone give me some suggestions?
JVM: 1.8.0_111
cas-server-core: 3.3
cas-server-support-spnego: 3.3
Chrome: 55
TCP dump stream from Wireshark (non-domain user)
GET /cas/login?service=http%3A%2F%2Fserver.ictsm.com%3A8080%2Fapp%2F&_validateRequest_=7RBrB6AIqjijhw5c4LjTBvc1vjpHJHWafif1MXGmMr8ZyI22thbzCtqTYkCUfKOn HTTP/1.1
Host: server.ictsm.com:8080
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=3A632B243F57094E9468F972D2BE2E04A48835CCEE575DC9F8B2527FA81E23AD6D48BBF69A6D35623080096949F1FB8092F4
HTTP/1.1 401 Unauthorized
Server: nginx
Date: Mon, 16 Jan 2017 07:19:00 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
WWW-Authenticate: NTLM
WWW-Authenticate: Negotiate
Content-Language: zh-CN
my login page html
GET /cas/login?service=http%3A%2F%2Fserver.ictsm.com%3A8080%2Fapp%2F&_validateRequest_=7RBrB6AIqjijhw5c4LjTBvc1vjpHJHWafif1MXGmMr8ZyI22thbzCtqTYkCUfKOn HTTP/1.1
Host: server.ictsm.com:8080
Connection: keep-alive
Cache-Control: max-age=0
Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=3A632B243F57094E9468F972D2BE2E04A48835CCEE575DC9F8B2527FA81E23AD6D48BBF69A6D35623080096949F1FB8092F4
HTTP/1.1 401 Unauthorized
Server: nginx
Date: Mon, 16 Jan 2017 07:19:00 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAAEgASADAAAAAFAoEAAAAAAAAAAAAAAAAAAAAAADoAOgBCAAAAaQBjAHQAcwBtAC4AYwBvAG0AAgASAGkAYwB0AHMAbQAuAGMAbwBtAAEAHABKAEMASQBGAFMAMQAzAF8AMQA3ADQAXwA2AEMAAAAAAA==
Content-Language: zh-CN
my login page html
Get rid of WWW-Authenticate: NTLM
and only use WWW-Authenticate: Negotiate
in the HTTP header. NTLM was deprecated by Microsoft many years ago in favor of Kerberos. Really, nobody should be using NTLM anymore, and it is doubtful that any of your clients are. This line in your network trace meant that the Chrome client was using NTLM:
Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
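The check the answer makes by eye on that Authorization header, as an added example that is not part of the original post: decoding the token after the scheme shows whether it carries a raw NTLMSSP message or a GSS-API/SPNEGO token. The function name `classify_negotiate` is hypothetical; the sample header values are the ones in the trace above.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"  # every NTLM message starts with this
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_negotiate(header_value):
    """Classify the value of an Authorization or WWW-Authenticate header."""
    parts = header_value.strip().split(None, 1)
    if not parts:
        return "empty header"
    scheme = parts[0]
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other scheme"
    if len(parts) == 1:
        return scheme + " offer without token"
    try:
        raw = base64.b64decode(parts[1].strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid base64 token"
    if raw.startswith(NTLM_SIGNATURE):
        if len(raw) < 12:
            return "truncated NTLM message"
        (msg_type,) = struct.unpack_from("<I", raw, 8)  # little-endian type
        name = NTLM_TYPES.get(msg_type, "UNKNOWN")
        return "NTLM %s (type %d) carried in %s" % (name, msg_type, scheme)
    if raw[:1] == b"\x60":  # ASN.1 [APPLICATION 0]: GSS-API initial token
        return "GSS-API/SPNEGO initial token"
    if raw[:1] == b"\xa1":  # ASN.1 [1]: SPNEGO negTokenResp
        return "SPNEGO response token"
    return "unrecognized token"


if __name__ == "__main__":
    # Header values taken from the trace on this page.
    for value in (
        "NTLM",
        "Negotiate",
        "Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==",
    ):
        print(classify_negotiate(value))
```

Run against a capture, this separates the two cases quickly: a token that decodes to `NTLMSSP` means the client fell back to NTLM inside Negotiate, while one starting with byte 0x60 is a GSS-API token whose mechanism list decides between Kerberos and NTLM.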