Good afternoon all:
We are having difficulty getting CAS to proxy successfully.
Details for the CAS server and the client application:
CAS server:
Red Hat Enterprise Linux Server 6.8 (Santiago)
JRE 1.8.0_25
Tomcat 7.0.56
CAS 3.5.2.1
CAS client application server:
Red Hat Enterprise Linux Server 7.2 (Maipo)
Apache HTTPD 2.4
Application coded in PHP
User clicks to login to the application, is redirected to the CAS login page,
submits user ID + password.
Authentication succeeds.
The CAS audit log shows:
AUTHENTICATION_SUCCESS
TICKET_GRANTING_TICKET_CREATED
SERVICE_TICKET_CREATED
We then get AUTHENTICATION_FAILED on the proxy callbackUrl:
error.authentication.credentials.bad
PROXY_GRANTING_TICKET_NOT_CREATED
The cas.log shows a couple of Java exception traces at the point of failure.
Not certain if the first one is associated with the problem because there is no
information in the exception trace that ties it to this particular client,
other than the timestamp:
2016-09-26 13:39:36,518 ERROR [org.jasig.cas.util.HttpClient] - connection refused
java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
However, an openssl s_client connection from the CAS server to the application
server on port 443 succeeds and displays the contents of the certificate.
The second exception trace is associated with the client application:
2016-09-26 13:39:36,519 ERROR [org.jasig.cas.web.ServiceValidateController] - TicketException generating ticket for: [callbackUrl: https:/XXXXX]
org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket_aroundBody6(CentralAuthenticationServiceImpl.java:325)
From what we can see CAS wants to validate the application and server
requesting the proxy ticket before it will proceed. It is not getting the
expected response, but we don't know what is causing the failure.
The SSL certificate on the application server is valid and contains the
hostname of that server.
Because both servers are hosted locally the intermediate and CA certificate
bundle on both the CAS server and application server are identical, and the CA
bundle is available to CAS.
As noted above, we can connect on port 443 from the CAS server to the
application server and view its SSL certificate.
What are we missing?
Other than validating the SSL certificate on the application server, exactly
what other criteria must be satisfied when CAS validates the proxy callbackUrl?
Thanks in advance for any help.
David
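The following diagnostic is an added example written for this thread; it is not code from the poster or from the CAS project. It assumes the CAS protocol's proxy callback behaviour: the CAS server makes an HTTPS GET to the callbackUrl carrying pgtIou and pgtId query parameters, verifies the server certificate and hostname against its trust store, and requires a 2xx response. It reports each stage separately, so a TCP-level "connection refused" (which happens before any certificate is looked at) is not confused with a TLS trust failure or a bad HTTP status. The ticket values, the placeholder URL and the ca_bundle path are assumptions, not values from this thread.

```python
"""Stage-by-stage check of a CAS proxy callback URL (pgtUrl).

Added diagnostic example; not code from the CAS project or this thread.
It mirrors the CAS protocol's proxy callback: the CAS server makes an HTTPS
GET to the callbackUrl with pgtIou and pgtId query parameters, verifies the
server certificate against its trust store, and expects a 2xx response.
Each stage is reported separately so that a TCP-level "connection refused"
is not mistaken for a TLS trust failure or a bad HTTP status.
"""
import socket
import ssl
import sys
from urllib.parse import urlencode, urlsplit

# Constructed placeholder ticket values; CAS generates real ones per request.
PLACEHOLDER_PGTIOU = "PGTIOU-placeholder"
PLACEHOLDER_PGTID = "PGT-placeholder"


def check_proxy_callback(callback_url, ca_bundle=None, timeout=5.0):
    """Return {'stage': ..., 'ok': bool, 'detail': str} for the first failing
    stage (url, tcp_connect, tls_handshake, http) or for a completed GET."""
    parts = urlsplit(callback_url)
    if parts.scheme != "https" or not parts.hostname:
        return {"stage": "url", "ok": False,
                "detail": "callback URL must be an absolute https URL"}
    host, port = parts.hostname, parts.port or 443
    path = parts.path or "/"
    query = urlencode({"pgtIou": PLACEHOLDER_PGTIOU, "pgtId": PLACEHOLDER_PGTID})
    if parts.query:
        query = parts.query + "&" + query

    # Stage 1: plain TCP connect to the host and port named in the URL
    # (not necessarily 443, which is what a manual openssl s_client test hits).
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"stage": "tcp_connect", "ok": False,
                "detail": f"{host}:{port}: {exc}"}

    # Stage 2: TLS handshake with chain and hostname verification against
    # ca_bundle (or the platform default trust store when ca_bundle is None).
    ctx = ssl.create_default_context(cafile=ca_bundle)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except OSError as exc:  # ssl.SSLError, timeouts and resets are all OSError
        raw.close()
        return {"stage": "tls_handshake", "ok": False, "detail": str(exc)}

    # Stage 3: the callback GET itself; CAS treats anything outside 2xx as failure.
    try:
        request = (f"GET {path}?{query} HTTP/1.1\r\n"
                   f"Host: {host}\r\nConnection: close\r\n\r\n")
        tls.sendall(request.encode())
        chunks = []
        while True:
            data = tls.recv(4096)
            if not data:
                break
            chunks.append(data)
    except OSError as exc:
        return {"stage": "http", "ok": False, "detail": str(exc)}
    finally:
        tls.close()

    status_line = b"".join(chunks).split(b"\r\n", 1)[0].decode("latin-1", "replace")
    try:
        code = int(status_line.split()[1])
    except (IndexError, ValueError):
        return {"stage": "http", "ok": False,
                "detail": "malformed status line: " + status_line}
    return {"stage": "http", "ok": 200 <= code < 300, "detail": status_line}


if __name__ == "__main__":
    # Placeholder URL; pass the real callbackUrl and, optionally, the CA bundle path.
    url = sys.argv[1] if len(sys.argv) > 1 else "https://app.example.test/cas/proxy-callback"
    bundle = sys.argv[2] if len(sys.argv) > 2 else None
    result = check_proxy_callback(url, ca_bundle=bundle)
    print(f"{result['stage']}: {'ok' if result['ok'] else 'FAILED'} - {result['detail']}")
```

Run it on the CAS server with the exact callbackUrl taken from cas.log and the CA bundle the JVM trusts. A failure at tcp_connect means the host and port in the URL are not reachable from CAS, regardless of what a test against port 443 shows; a failure at tls_handshake points at the chain or hostname; a non-2xx at the http stage means the application answered but not in the way CAS requires.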
--
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/BN6PR05MB302791EED56653220DE3CDA1C7CD0%40BN6PR05MB3027.namprd05.prod.outlook.com.