1) This doesn't seem to be the issue because I went to the server using IE 
and Chrome and I didn't receive a certificate error.

2) Removing the path didn't stop the loop when using credentials without 
the attributes, but logging in with credentials with the attributes worked fine.

3) As soon as I removed the serviceTicketManager and singleSignout="true", 
.NET threw up an error saying that was a required attribute for single signout. 
So instead I set singleSignout="false" and removed serviceTicketManager, and the 
redirect still occurs when using credentials that don't have the attribute 
assigned but works fine for credentials that do have the attribute.

Anything else I should try?

Thanks for the help.



From: Scott [mailto:scottt...@gmail.com]
Sent: Monday, November 04, 2013 11:44 AM
To: cas-dev@lists.jasig.org
Subject: Re: [cas-dev] CAS .NET Client Redirect Loop and Attributes

Here are a few things to change to see if it eliminates the problem.  All three 
of them can cause redirect loops.  If you end up having to turn off a feature 
that you want to use in order to resolve the problem, post back to the list and 
I'll be happy to help you configure it properly.

1) Verify that the SSL certificate installed on your CAS server is trusted by 
Windows.  If IE or Chrome shows a security warning when you browse to your CAS 
server, the HTTP client connection that happens as part of the service ticket 
validation will also fail.  Similarly, if the CAS server doesn't trust the SSL 
certificate on your web server, proxy ticket support won't be possible.

2) Try removing the following from authentication/forms in web.config: 
path="/iUSF/".  Restricting the cookie path is a good idea when your web server 
is hosting more than 1 application and you want them to be isolated wrt. 
authentication, but if configured incorrectly, it will result in a redirect 
loop as well.

3) Try removing the following from casAuthentication in web.config: 
singleSignout="true", serviceTicketManager="CacheServiceTicketManager".  This 
is particularly important if you have more than one web server in your 
application.  CacheServiceTicketManager isn't suitable for multiple web 
servers.  When it's enabled, it stores information about the outstanding valid 
tickets in memory on the web server.  If the ticket was validated on one server 
but a subsequent request was handled by another, the validation would fail (the 
cookie details won't be in memory on that server and the cookie will be 
ignored).  You could end up in a redirect loop there as well.  To get around 
this, you could implement your own IServiceTicketManager with a 
sql/memcached/redis back-end that all your servers share access to.

-Scott
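
The multi-server failure mode described in point 3, as an added example that is not part of the original thread and is not DotNetCasClient code: a simplified Python model in which each web node accepts a cookie only if its ticket store knows the ticket. The names (`Node`, `browse`), the round-robin balancer without sticky sessions, and a CAS server that re-issues a ticket immediately because the SSO session already exists are all assumptions of the model.

```python
from itertools import count, cycle


class Node:
    """One web server; `tickets` stands in for the service ticket manager's store."""

    def __init__(self, tickets):
        self.tickets = tickets

    def handle(self, ticket_param, cookie):
        if ticket_param is not None:
            # Ticket validated against CAS (assumed to succeed), then recorded locally.
            self.tickets.add(ticket_param)
            return "redirect_app", ticket_param  # set cookie, strip ticket from URL
        if cookie is not None and cookie in self.tickets:
            return "ok", cookie
        # Unknown cookie is ignored, so the request looks unauthenticated.
        return "redirect_cas", None


def browse(nodes, max_requests=20):
    """Follow redirects like a browser; return (outcome, requests sent to web nodes)."""
    issue = count(1)
    balancer = cycle(nodes)  # round-robin, no sticky sessions (assumption)
    ticket, cookie = None, None
    for n in range(1, max_requests + 1):
        action, new_cookie = next(balancer).handle(ticket, cookie)
        if action == "ok":
            return "authenticated", n
        if action == "redirect_app":
            cookie, ticket = new_cookie, None
        else:
            # CAS SSO session exists, so a fresh ticket comes back at once.
            ticket = f"ST-{next(issue)}"  # constructed ticket id
    return "redirect loop", max_requests


def per_node_stores():
    # In-memory store per server: validation and cookie check land on different nodes.
    return browse([Node(set()), Node(set())])


def shared_store():
    # One store all servers can reach (the sql/memcached/redis idea).
    shared = set()
    return browse([Node(shared), Node(shared)])


if __name__ == "__main__":
    print("per-node stores:", per_node_stores())
    print("shared store:   ", shared_store())
```

In an HTTP header trace the per-node case shows up as an alternating pattern of ticket validation followed by another redirect to the CAS login URL, with a new service ticket each round.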

On Mon, Nov 4, 2013 at 10:38 AM, Lehman, Jason <jleh...@usf.edu> wrote:
I have attached the requested files.

-----Original Message-----
From: Marvin Addison [mailto:marvin.addi...@gmail.com]
Sent: Monday, November 04, 2013 9:34 AM
To: cas-dev@lists.jasig.org
Subject: Re: [cas-dev] CAS .NET Client Redirect Loop and Attributes

> If I login with a user that doesn't have an attribute I'm expecting
> using the CAS .NET client I get into a redirect loop.

Please post your config and an HTTP header trace from an authentication 
attempt. That should help clarify whether it's a bug, configuration matter, or 
a mix of bad behavior in the face of configuration for which we might want to 
file an improvement issue.

M

--
You are currently subscribed to 
cas-dev@lists.jasig.org<mailto:cas-dev@lists.jasig.org> as: 
jleh...@usf.edu<mailto:jleh...@usf.edu> To unsubscribe, change settings or 
access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev

