I am seeing an issue in CAS version 5.2.4 and above. I was not seeing the 
issue in version 5.0.5 which I upgraded from.
If a user is in bypass on the Duo website, CAS returns an error about 
INVALID_AUTHENTICATION_CONTEXT, but it should just let the user 
through.


CAS Info:

CAS Version: 5.2.4
CAS Commit Id: 67d7e128955437619534b5af4819f2379b934353
CAS Build Date/Time: 2018-04-13T21:46:16Z
Spring Boot Version: 1.5.12.RELEASE
------------------------------------------------------------
Java Home: /usr/lib/jvm/java-8-openjdk-amd64/jre
Java Vendor: Oracle Corporation
Java Version: 1.8.0_181
JVM Free Memory: 95 MB
JVM Maximum Memory: 990 MB
JVM Total Memory: 213 MB
JCE Installed: Yes
------------------------------------------------------------
OS Architecture: amd64
OS Name: Linux
OS Version: 4.4.0-130-generic
OS Date/Time: 2018-08-14T09:22:13.889
OS Temp Directory: /tmp/tomcat8-tomcat8-tmp
------------------------------------------------------------


Here are the logs of a login of a user that is in bypass on the Duo side:

2018-08-14 09:23:09,480 INFO [PolicyBasedAuthenticationManager] - <
Authenticated principal [klintduotest] with attributes [{displayName=[
klintduotest], GOBTPAC_EXTERNAL_USER=[klintduotest], memberOf=[CN=auth_duoOU
=groups,DC=example,DC=com], msDS-UserPasswordExpiryTimeComputed=[
132094270306397245], pwdLastSet=[131778046306397245], sAMAccountName=[
klintduotest]}] via credentials [[klintduotest]].>
2018-08-14 09:23:09,481 INFO [Slf4jLoggingAuditTrailManager] - <Audit trail 
record BEGIN
=============================================================
WHO: klintduotest
WHAT: Supplied credentials: [klintduotest]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Tue Aug 14 09:23:09 MDT 2018
CLIENT IP ADDRESS: 192.168.1.176
SERVER IP ADDRESS: 192.168.1.25
=============================================================

>
2018-08-14 09:23:09,786 INFO [Slf4jLoggingAuditTrailManager] - <Audit trail 
record BEGIN
=============================================================
WHO: klintduotest
WHAT: [event=mfa-duo,timestamp=Tue Aug 14 09:23:09 MDT 2018,source=
RegisteredServicePrincipalAttributeMultifactorAuthenticationPolicyEventResolver
]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Tue Aug 14 09:23:09 MDT 2018
CLIENT IP ADDRESS: 192.168.1.176
SERVER IP ADDRESS: 192.168.1.25
=============================================================

>
2018-08-14 09:23:10,198 INFO [Slf4jLoggingAuditTrailManager] - <Audit trail 
record BEGIN
=============================================================
WHO: klintduotest
WHAT: TGT-1-*********************************************************H4tIURR
-L4-te-casdev1
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Aug 14 09:23:10 MDT 2018
CLIENT IP ADDRESS: 192.168.1.176
SERVER IP ADDRESS: 192.168.1.25
=============================================================

>
2018-08-14 09:23:10,255 INFO [DefaultCentralAuthenticationService] - <
Granted ticket [ST-1-Fetae-ngqx0SA86AFbVFmdkssFM-te-casdev1] for service [
https://hadoopdev1.weber.edu/casdev1/] and principal [klintduotest]>
2018-08-14 09:23:10,256 INFO [Slf4jLoggingAuditTrailManager] - <Audit trail 
record BEGIN
=============================================================
WHO: klintduotest
WHAT: ST-1-Fetae-ngqx0SA86AFbVFmdkssFM-te-casdev1 for 
https://hadoopdev1.weber.edu/casdev1/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Aug 14 09:23:10 MDT 2018
CLIENT IP ADDRESS: 192.168.1.176
SERVER IP ADDRESS: 192.168.1.25
=============================================================

>
2018-08-14 09:23:10,382 INFO [Slf4jLoggingAuditTrailManager] - <Audit trail 
record BEGIN
=============================================================
WHO: klintduotest
WHAT: ST-1-Fetae-ngqx0SA86AFbVFmdkssFM-te-casdev1
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Tue Aug 14 09:23:10 MDT 2018
CLIENT IP ADDRESS: 192.168.1.35
SERVER IP ADDRESS: 192.168.1.25
=============================================================

>
2018-08-14 09:23:10,393 WARN [DefaultAuthenticationContextValidator] - <No 
satisfied multifactor authentication providers are recorded in the current 
authentication context.>


CAS Response:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
   <cas:authenticationFailure code="INVALID_AUTHENTICATION_CONTEXT">The 
validation request for 
[&#39;ST-1-Fetae-ngqx0SA86AFbVFmdkssFM-te-casdev1&#39;] cannot be 
satisfied. The request is either unrecognized or unfulfilled.
</cas:authenticationFailure>
</cas:serviceResponse>

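A log check for the pattern in this report, added here as an example (not part of the original post and not CAS code): it flags service tickets whose validation is followed by the DefaultAuthenticationContextValidator warning, and records which MFA event had been triggered for that user. The function name and sample log are constructed; because the WARN line carries no ticket id, it is attributed to the nearest preceding SERVICE_TICKET_VALIDATED record, which is an assumption that can misattribute under concurrent logins.

```python
import re

# Constructed log modeled on the audit format in the post (unwrapped, fields
# trimmed). "alice" and both ticket ids are made-up sample values.
def _rec(ts, who, what, action):
    return (f"2018-08-14 {ts} INFO [Slf4jLoggingAuditTrailManager] - "
            f"<Audit trail record BEGIN\n=====\nWHO: {who}\nWHAT: {what}\n"
            f"ACTION: {action}\nAPPLICATION: CAS\n=====\n\n>\n")

SAMPLE_LOG = (
    _rec("09:23:09,786", "klintduotest", "[event=mfa-duo]", "AUTHENTICATION_EVENT_TRIGGERED")
    + _rec("09:23:10,382", "klintduotest", "ST-1-SAMPLE-A", "SERVICE_TICKET_VALIDATED")
    + "2018-08-14 09:23:10,393 WARN [DefaultAuthenticationContextValidator] - <No "
      "satisfied multifactor authentication providers are recorded in the current "
      "authentication context.>\n"
    + _rec("09:24:00,100", "alice", "ST-2-SAMPLE-B", "SERVICE_TICKET_VALIDATED")
)

# One audit record; WHAT may wrap over several lines, so it runs up to ACTION.
RECORD = re.compile(
    r"^(?P<ts>\S+ \S+) INFO \[Slf4jLoggingAuditTrailManager\] - <Audit trail record BEGIN\n"
    r".*?^WHO: (?P<who>.*?)\n^WHAT: (?P<what>.*?)\n^ACTION: (?P<action>\w+)\n",
    re.S | re.M)
WARNING = re.compile(
    r"^(?P<ts>\S+ \S+) WARN \[DefaultAuthenticationContextValidator\] - "
    r"<No\s+satisfied\s+multifactor", re.M)

def find_mfa_context_failures(log_text):
    """Return validated tickets that were followed by the MFA-context warning."""
    events = [(m.start(), "audit", m) for m in RECORD.finditer(log_text)]
    events += [(m.start(), "warn", m) for m in WARNING.finditer(log_text)]
    triggered, last_validated, findings = {}, None, []
    for _, kind, m in sorted(events, key=lambda e: e[0]):
        if kind == "warn":
            if last_validated:  # heuristic: blame the nearest earlier validation
                who, ticket = last_validated
                findings.append({"who": who, "ticket": ticket,
                                 "mfa_event": triggered.get(who),
                                 "warned_at": m["ts"]})
            last_validated = None
        elif m["action"] == "AUTHENTICATION_EVENT_TRIGGERED":
            ev = re.search(r"event=([\w-]+)", m["what"])
            triggered[m["who"]] = ev.group(1) if ev else None
        elif m["action"] == "SERVICE_TICKET_VALIDATED":
            last_validated = (m["who"], m["what"].strip())
    return findings

if __name__ == "__main__":
    for hit in find_mfa_context_failures(SAMPLE_LOG):
        print(hit)
```

A finding with `mfa_event` set means the MFA flow was triggered but no provider was recorded as satisfied, which is the bypass case described above.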