It looks like you're using a serviceValidate endpoint with SAML validation. Comment out the CASValidateSAML lines and try again.
Alternatively, keep the setting on and use a samlValidate endpoint.

On Fri, Jan 26, 2018 at 6:19 AM, Ramakrishna G <[email protected]> wrote:
> Hi ,
>
> Now I think I resolved certificate issue. But I am getting this error
>
> [Fri Jan 26 16:22:24.270308 2018] [authz_core:debug] [pid 19878]
> mod_authz_core.c(809): [client 192.168.111.118:62974] AH01626: authorization
> result of Require valid-user : denied (no authenticated user yet)
>
> [Fri Jan 26 16:22:24.270359 2018] [authz_core:debug] [pid 19878]
> mod_authz_core.c(809): [client 192.168.111.118:62974] AH01626: authorization
> result of <RequireAny>: denied (no authenticated user yet)
>
> [Fri Jan 26 16:22:24.270390 2018] [auth_cas:debug] [pid 19878]
> mod_auth_cas.c(2076): [client 192.168.111.118:62974] Entering
> cas_authenticate()
>
> [Fri Jan 26 16:22:24.270415 2018] [auth_cas:debug] [pid 19878]
> mod_auth_cas.c(656): [client 192.168.111.118:62974] Modified r->args (now
> 'ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client')
>
> [Fri Jan 26 16:22:24.270486 2018] [auth_cas:debug] [pid 19878]
> mod_auth_cas.c(1779): [client 192.168.111.118:62974] entering
> getResponseFromServer()
>
> [Fri Jan 26 16:22:24.270617 2018] [auth_cas:debug] [pid 19878]
> mod_auth_cas.c(584): [client 192.168.111.118:62974] CAS Service
> 'https%3a%2f%2f192.168.111.118%3a8443%2f%3fticket%3dST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client%26ticket%3dST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client'
>
> [Fri Jan 26 16:22:24.479223 2018] [auth_cas:debug] [pid 19878]
> mod_auth_cas.c(1856): [client 192.168.111.118:62974] Validation response:
> <!doctype html><html lang="en"><head><title>HTTP Status 406 \xe2\x80\x93 Not
> Acceptable</title><style type="text/css">h1
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
> h2
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
> h3
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
> body
> {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
> p
> {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}
> a {color:black;} a.name {color:black;} .line
> {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
> Status 406 \xe2\x80\x93 Not Acceptable</h1><hr class="line" /><p><b>Type</b>
> Status Report</p><p><b>Description</b> The target resource does not have a
> current representation that would be acceptable to the user agent, according
> to the proactive negotiation header fields received in the request, and the
> server is unwilling to supply a default representation.</p><hr class="line"
> /><h3>Apache Tomcat/8.5.24</h3></body></html>
>
> [Fri Jan 26 16:22:24.479448 2018] [auth_cas:debug] [pid 19878]
> mod_auth_cas.c(1440): [client 192.168.111.118:62974] entering
> isValidCASTicket()
>
> [Fri Jan 26 16:22:24.479470 2018] [auth_cas:debug] [pid 19878]
> mod_auth_cas.c(1446): [client 192.168.111.118:62974] MOD_AUTH_CAS: response
> = <!doctype html><html lang="en"><head><title>HTTP Status 406 \xe2\x80\x93
> Not Acceptable</title><style type="text/css">h1
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
> h2
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
> h3
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
> body
> {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
> p
> {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}
> a {color:black;} a.name {color:black;} .line
> {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
> Status 406 \xe2\x80\x93 Not Acceptable</h1><hr class="line" /><p><b>Type</b>
> Status Report</p><p><b>Description</b> The target resource does not have a
> current representation that would be acceptable to the user agent, according
> to the proactive negotiation header fields received in the request, and the
> server is unwilling to supply a default representation.</p><hr class="line"
> /><h3>Apache Tomcat/8.5.24</h3></body></html>
>
> [Fri Jan 26 16:22:24.479581 2018] [auth_cas:error] [pid 19878] [client
> 192.168.111.118:62974] MOD_AUTH_CAS: error parsing CASv2 response: XML
> parser error code: syntax error (2)
>
> [Fri Jan 26 16:22:24.523966 2018] [authz_core:debug] [pid 19205]
> mod_authz_core.c(809): [client 192.168.111.118:62976] AH01626: authorization
> result of Require valid-user : denied (no authenticated user yet), referer:
> https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client
>
> [Fri Jan 26 16:22:24.524008 2018] [authz_core:debug] [pid 19205]
> mod_authz_core.c(809): [client 192.168.111.118:62976] AH01626: authorization
> result of <RequireAny>: denied (no authenticated user yet), referer:
> https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client
>
> [Fri Jan 26 16:22:24.524022 2018] [auth_cas:debug] [pid 19205]
> mod_auth_cas.c(2076): [client 192.168.111.118:62976] Entering
> cas_authenticate(), referer:
> https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client
>
> [Fri Jan 26 16:22:24.524042 2018] [auth_cas:debug] [pid 19205]
> mod_auth_cas.c(584): [client 192.168.111.118:62976] CAS Service
> 'https%3a%2f%2f192.168.111.118%3a8443%2ffavicon.ico', referer:
> https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client
>
> [Fri Jan 26 16:22:24.524049 2018] [auth_cas:debug] [pid 19205]
> mod_auth_cas.c(532): [client 192.168.111.118:62976] entering
> getCASLoginURL(), referer:
> https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client
>
> [Fri Jan 26 16:22:24.524058 2018] [auth_cas:debug] [pid 19205]
> mod_auth_cas.c(509): [client 192.168.111.118:62976] entering
> getCASGateway(), referer:
> https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client
>
> [Fri Jan 26 16:22:24.524065 2018] [auth_cas:debug] [pid 19205]
> mod_auth_cas.c(599): [client 192.168.111.118:62976] entering
> redirectRequest(), referer:
> https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client
>
> [Fri Jan 26 16:22:24.524072 2018] [auth_cas:debug] [pid 19205]
> mod_auth_cas.c(611): [client 192.168.111.118:62976] Adding outgoing header:
> Location:
> https://192.168.111.118:8443/cas/login?service=https%3a%2f%2f192.168.111.118%3a8443%2ffavicon.ico,
> referer:
> https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client
>
> [Fri Jan 26 16:22:24.565945 2018] [authz_core:debug] [pid 19201]
> mod_authz_core.c(809): [client 192.168.111.118:62978] AH01626: authorization
> result of Require valid-user : denied (no authenticated user yet), referer:
> https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client
>
> [Fri Jan 26 16:22:24.565996 2018] [authz_core:debug] [pid 19201]
> mod_authz_core.c(809): [client 192.168.111.118:62978] AH01626: authorization
> result of <RequireAny>: denied (no authenticated user yet), referer:
> https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client
>
> [Fri Jan 26 16:22:24.566012 2018] [auth_cas:debug] [pid 19201]
> mod_auth_cas.c(2076): [client 192.168.111.118:62978] Entering
> cas_authenticate(), referer:
> https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client
>
> [Fri Jan 26 16:22:24.566026 2018] [auth_cas:debug] [pid 19201]
> mod_auth_cas.c(656): [client 192.168.111.118:62978] Modified r->args (now
> ''), referer:
> https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client
>
> [Fri Jan 26 16:22:24.566104 2018] [auth_cas:debug] [pid 19201]
> mod_auth_cas.c(1779): [client 192.168.111.118:62978] entering
> getResponseFromServer(), referer:
> https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client
>
> [Fri Jan 26 16:22:24.566245 2018] [auth_cas:debug] [pid 19201]
> mod_auth_cas.c(584): [client 192.168.111.118:62978] CAS Service
> 'https%3a%2f%2f192.168.111.118%3a8443%2ffavicon.ico', referer:
> https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client
>
> [Fri Jan 26 16:22:24.731155 2018] [auth_cas:debug] [pid 19201]
> mod_auth_cas.c(1856): [client 192.168.111.118:62978] Validation response:
> <!doctype html><html lang="en"><head><title>HTTP Status 406 \xe2\x80\x93 Not
> Acceptable</title><style type="text/css">h1
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
> h2
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
> h3
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
> body
> {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
> p
> {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}
> a {color:black;} a.name {color:black;} .line
> {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
> Status 406 \xe2\x80\x93 Not Acceptable</h1><hr class="line" /><p><b>Type</b>
> Status Report</p><p><b>Description</b> The target resource does not have a
> current representation that would be acceptable to the user agent, according
> to the proactive negotiation header fields received in the request, and the
> server is unwilling to supply a default representation.</p><hr class="line"
> /><h3>Apache Tomcat/8.5.24</h3></body></html>, referer:
> https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client
>
> [Fri Jan 26 16:22:24.731389 2018] [auth_cas:debug] [pid 19201]
> mod_auth_cas.c(1440): [client 192.168.111.118:62978] entering
> isValidCASTicket(), referer:
> https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client
>
> [Fri Jan 26 16:22:24.731411 2018] [auth_cas:debug] [pid 19201]
> mod_auth_cas.c(1446): [client 192.168.111.118:62978] MOD_AUTH_CAS: response
> = <!doctype html><html lang="en"><head><title>HTTP Status 406 \xe2\x80\x93
> Not Acceptable</title><style type="text/css">h1
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
> h2
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
> h3
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
> body
> {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b
> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
> p
> {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}
> a {color:black;} a.name {color:black;} .line
> {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
> Status 406 \xe2\x80\x93 Not Acceptable</h1><hr class="line" /><p><b>Type</b>
> Status Report</p><p><b>Description</b> The target resource does not have a
> current representation that would be acceptable to the user agent, according
> to the proactive negotiation header fields received in the request, and the
> server is unwilling to supply a default representation.</p><hr class="line"
> /><h3>Apache Tomcat/8.5.24</h3></body></html>, referer:
> https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client
>
> [Fri Jan 26 16:22:24.731538 2018] [auth_cas:error] [pid 19201] [client
> 192.168.111.118:62978] MOD_AUTH_CAS: error parsing CASv2 response: XML
> parser error code: syntax error (2), referer:
> https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client
>
> Can you pls help.
>
> On Thu, Jan 25, 2018 at 11:04 PM, Ramakrishna G <[email protected]> wrote:
>>
>> Hi David,
>>
>> As suggested I enabled Debug Mode. Error what I got to..
>>
>> [Thu Jan 25 17:53:01.512443 2018] [ssl:info] [pid 28180] SSL Library
>> Error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request --
>> speaking HTTP to HTTPS port!?
>>
>> [Thu Jan 25 17:53:01.940036 2018] [ssl:info] [pid 28181] [client
>> 192.168.111.84:62057] AH01964: Connection to child 1 established (server
>> 192.168.111.12:443)
>>
>> [Thu Jan 25 17:53:01.940406 2018] [ssl:info] [pid 28181] [client
>> 192.168.111.84:62057] AH01996: SSL handshake failed: HTTP spoken on HTTPS
>> port; trying to send HTML error page
>>
>> [Thu Jan 25 17:53:01.940458 2018] [ssl:info] [pid 28181] SSL Library
>> Error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request --
>> speaking HTTP to HTTPS port!?
>>
>> [Thu Jan 25 17:53:13.796431 2018] [ssl:info] [pid 28182] [client
>> 192.168.111.84:62058] AH01964: Connection to child 2 established (server
>> 192.168.111.12:443)
>>
>> [Thu Jan 25 17:53:13.796782 2018] [ssl:debug] [pid 28182]
>> ssl_engine_io.c(1202): (70014)End of file found: [client
>> 192.168.111.84:62058] AH02007: SSL handshake interrupted by system [Hint:
>> Stop button pressed in browser?!]
>>
>> [Thu Jan 25 17:53:13.796815 2018] [ssl:info] [pid 28182] [client
>> 192.168.111.84:62058] AH01998: Connection closed to child 2 with abortive
>> shutdown (server 192.168.111.12:443)
>>
>> ~
>>
>> LoadModule auth_cas_module modules/mod_auth_cas.so
>> CASCookiePath /var/cache/mod_auth_cas/
>> CASCertificatePath /etc/ssl/certs/
>> CASLoginURL https://192.168.111.12:9443/cas/login
>> CASRootProxiedAs https://192.168.111.12
>> CASValidateURL https://192.168.111.12:9443/cas/serviceValidate
>> #CASProxyValidateURL https://192.168.111.12:9443/cas/proxyValidate
>> CASDebug On
>> LogLevel debug
>> CASValidateSAML On
>> CASVersion 2
>> #CASValidateServer off
>> #CASAllowWildcardCert off
>> CASTimeout 86400
>> CASIdleTimeout 7200
>> CASSSOEnabled On
>> #LogLevel debug
>>
>> <VirtualHost *:80>
>> DocumentRoot "/var/www/html/"
>> ServerName 192.168.111.12
>> CASValidateSAML On
>> LogLevel debug
>> ErrorLog /var/log/cas_error_log
>> CustomLog /var/log/cas_access_log combined
>> # Other directives here
>> #AuthType CAS
>> #require valid-user
>> </VirtualHost>
>>
>> <directory /var/www/html>
>> AllowOverride
>> Order allow,deny
>> Allow from all
>> Authtype CAS
>> require valid-user
>> Allow from env=no_cas_use
>> #Satisfy Any
>> # require cas-attribute edupersonaffiliation:staff
>> </directory>
>>
>> What am I missing?
>>
>> Thankyou
>>
>> Ramakrishna
>>
>> On Thu, Jan 25, 2018 at 10:45 PM, David Hawes <[email protected]> wrote:
>>>
>>> On 23 January 2018 at 08:52, Ramakrishna G <[email protected]>
>>> wrote:
>>> > Unauthorized
>>> >
>>> > This server could not verify that you are authorized to access the
>>> > document
>>> > requested. Either you supplied the wrong credentials (e.g., bad
>>> > password),
>>> > or your browser doesn't understand how to supply the credentials
>>> > required.
>>> >
>>> > Ticket is generated but says the above error. I am using mod_auth_cas
>>> > in
>>> > Apache server.
>>>
>>> Set:
>>>
>>> LogLevel debug
>>> CASDebug On
>>>
>>> and check your error logs. You should have information as to why you
>>> get this error.
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google Groups
>>> "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAgu-wCcoYC-Sg4V3dE6hOxi-0QqiaJWm44xo9PuDhAt%2Br8wxA%40mail.gmail.com.
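
Added example (not part of the original thread and not mod_auth_cas code): a small Python check for the mismatch diagnosed at the top of this message, where CASValidateSAML is On while CASValidateURL points at serviceValidate. The function names and the sample text are constructed for illustration; the sample copies only the validation-related directives from the configuration quoted above, and the whole file is treated as one scope.

```python
import re

# Constructed sample: the validation-related directives from the configuration
# quoted in the thread, reduced to the lines that matter for this check.
SAMPLE_CONF = """\
CASLoginURL https://192.168.111.12:9443/cas/login
CASValidateURL https://192.168.111.12:9443/cas/serviceValidate
#CASProxyValidateURL https://192.168.111.12:9443/cas/proxyValidate
CASValidateSAML On
CASVersion 2
<VirtualHost *:80>
    ServerName 192.168.111.12
    CASValidateSAML On
</VirtualHost>
"""

# Apache directive names are case-insensitive; lines starting with '#' never match.
DIRECTIVE = re.compile(r"^\s*(CASValidateURL|CASValidateSAML)\s+(\S+)", re.IGNORECASE)


def parse_directives(conf_text):
    """Return (line_number, lowercased_name, value) for each active directive."""
    found = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if match:
            value = match.group(2).strip("\"'")
            found.append((lineno, match.group(1).lower(), value))
    return found


def check_validation_mode(conf_text):
    """Report CASValidateURL endpoints that disagree with CASValidateSAML.

    Simplification (assumption): the file is treated as a single scope, so a
    CASValidateSAML On anywhere counts; per-VirtualHost merging is not modelled.
    """
    directives = parse_directives(conf_text)
    saml_lines = [n for n, name, value in directives
                  if name == "casvalidatesaml" and value.lower() == "on"]
    problems = []
    for lineno, name, value in directives:
        if name != "casvalidateurl":
            continue
        endpoint = value.rstrip("/").rsplit("/", 1)[-1]
        is_saml_endpoint = endpoint.lower() == "samlvalidate"
        if saml_lines and not is_saml_endpoint:
            problems.append({"url_line": lineno, "endpoint": endpoint,
                             "saml_lines": saml_lines,
                             "issue": "CASValidateSAML On with a non-SAML endpoint"})
        elif not saml_lines and is_saml_endpoint:
            problems.append({"url_line": lineno, "endpoint": endpoint,
                             "saml_lines": [],
                             "issue": "samlValidate endpoint without CASValidateSAML On"})
    return problems
```

Run against the sample, the check reports the serviceValidate URL together with both CASValidateSAML lines (server scope and VirtualHost), which are the lines the reply says to comment out.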
