Is non mixed environment setup still working by using Challenge in PAS?

[fredvd]

Last year @datakurre started development and added support for mixed environment where the SSO challenge is controlled by a javascript file sent to the client (& controlled from the js resource registry). This was included in version 2.1.

But does the 'old' style challenge by using the Challenge Plugin in PAS still work? I got a request on a setup to turn on authentication on all urls because there is no mixed mode, but I cannot really retrace how this should work/be set up.

My theory is that I should not run the setup profile which add the javascript for login_form/require_login urls, but adding the SPNEO challenge plugin and moving it to the top in PAS should be enough, right? Is anybody else using this setup?

[datakurre]

@fredvd I recall trying that, and after reading my own comments from #1, it might be that you have to also remove CookieAuthPlugin challenge. (It might be that challenge does not stop after the first fired plugin and later CookieAuthPlugin challenge messes up the response.)

[fredvd]

@datakurre In the meantime I thought I had the negotiation running using the javascript file. However i'm running there into another issue where the netsight-windowsauthplugin-SPNEGO-challenge.js is only meant to be attached to a require_login/login form to which is a user is redirected after hitting a private page with a came_from. This requires setting the whole site on private so that SSO is triggered.

I thought to be clever and add the SPNEGO-challenge.js to normal pages with a condition to only do this for anonymous users and this seems to work until people have deeplinks to subpages in the site. The challenge is done, the user is logged in, but the came_from is empty because there never was a private page from which the user was redirected away to the page with the plugin.

So I'll either have to adapt the javavscript or try again to get the PAS Challenge working again.

[datakurre]

@fredvd I believe that you are correct. Login form was enough for us, because for us it was better to keep users anonymous as long as they need permissions brought with login.