I am seeing an issue in CAS version 5.2.4 and above. I was not seeing the 
issue in version 5.0.5, which I upgraded from.
If a user is in bypass on the Duo website, CAS returns an error about 
INVALID_AUTHENTICATION_CONTEXT, but it should just let the user 
through.


CAS Info:

CAS Version: 5.2.4
CAS Commit Id: 67d7e128955437619534b5af4819f2379b934353
CAS Build Date/Time: 2018-04-13T21:46:16Z
Spring Boot Version: 1.5.12.RELEASE
------------------------------------------------------------
Java Home: /usr/lib/jvm/java-8-openjdk-amd64/jre
Java Vendor: Oracle Corporation
Java Version: 1.8.0_181
JVM Free Memory: 95 MB
JVM Maximum Memory: 990 MB
JVM Total Memory: 213 MB
JCE Installed: Yes
------------------------------------------------------------
OS Architecture: amd64
OS Name: Linux
OS Version: 4.4.0-130-generic
OS Date/Time: 2018-08-14T09:22:13.889
OS Temp Directory: /tmp/tomcat8-tomcat8-tmp
------------------------------------------------------------


Here are the logs of a login of a user that is in bypass on the Duo side:

2018-08-14 09:23:09,480 INFO [PolicyBasedAuthenticationManager] - <
Authenticated principal [klintduotest] with attributes [{displayName=[
klintduotest], GOBTPAC_EXTERNAL_USER=[klintduotest], memberOf=[CN=auth_duoOU
=groups,DC=example,DC=com], msDS-UserPasswordExpiryTimeComputed=[
132094270306397245], pwdLastSet=[131778046306397245], sAMAccountName=[
klintduotest]}] via credentials [[klintduotest]].>
2018-08-14 09:23:09,481 INFO [Slf4jLoggingAuditTrailManager] - <Audit trail 
record BEGIN
=============================================================
WHO: klintduotest
WHAT: Supplied credentials: [klintduotest]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Tue Aug 14 09:23:09 MDT 2018
CLIENT IP ADDRESS: 192.168.1.176
SERVER IP ADDRESS: 192.168.1.25
=============================================================

>
2018-08-14 09:23:09,786 INFO [Slf4jLoggingAuditTrailManager] - <Audit trail 
record BEGIN
=============================================================
WHO: klintduotest
WHAT: [event=mfa-duo,timestamp=Tue Aug 14 09:23:09 MDT 2018,source=
RegisteredServicePrincipalAttributeMultifactorAuthenticationPolicyEventResolver
]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Tue Aug 14 09:23:09 MDT 2018
CLIENT IP ADDRESS: 192.168.1.176
SERVER IP ADDRESS: 192.168.1.25
=============================================================

>
2018-08-14 09:23:10,198 INFO [Slf4jLoggingAuditTrailManager] - <Audit trail 
record BEGIN
=============================================================
WHO: klintduotest
WHAT: TGT-1-*********************************************************H4tIURR
-L4-te-casdev1
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Aug 14 09:23:10 MDT 2018
CLIENT IP ADDRESS: 192.168.1.176
SERVER IP ADDRESS: 192.168.1.25
=============================================================

>
2018-08-14 09:23:10,255 INFO [DefaultCentralAuthenticationService] - <
Granted ticket [ST-1-Fetae-ngqx0SA86AFbVFmdkssFM-te-casdev1] for service [
https://hadoopdev1.weber.edu/casdev1/] and principal [klintduotest]>
2018-08-14 09:23:10,256 INFO [Slf4jLoggingAuditTrailManager] - <Audit trail 
record BEGIN
=============================================================
WHO: klintduotest
WHAT: ST-1-Fetae-ngqx0SA86AFbVFmdkssFM-te-casdev1 for 
https://hadoopdev1.weber.edu/casdev1/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Aug 14 09:23:10 MDT 2018
CLIENT IP ADDRESS: 192.168.1.176
SERVER IP ADDRESS: 192.168.1.25
=============================================================

>
2018-08-14 09:23:10,382 INFO [Slf4jLoggingAuditTrailManager] - <Audit trail 
record BEGIN
=============================================================
WHO: klintduotest
WHAT: ST-1-Fetae-ngqx0SA86AFbVFmdkssFM-te-casdev1
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Tue Aug 14 09:23:10 MDT 2018
CLIENT IP ADDRESS: 192.168.1.35
SERVER IP ADDRESS: 192.168.1.25
=============================================================

>
2018-08-14 09:23:10,393 WARN [DefaultAuthenticationContextValidator] - <No 
satisfied multifactor authentication providers are recorded in the current 
authentication context.>


CAS Response:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
   <cas:authenticationFailure code="INVALID_AUTHENTICATION_CONTEXT">The 
validation request for 
[&#39;ST-1-Fetae-ngqx0SA86AFbVFmdkssFM-te-casdev1&#39;] cannot be 
satisfied. The request is either unrecognized or unfulfilled.
</cas:authenticationFailure>
</cas:serviceResponse>
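
Added example, not part of the original post and not CAS project code: a small triage script that correlates the audit trail records shown above, flagging principals for whom an MFA event was triggered but whose ticket validation was followed by the "No satisfied multifactor authentication providers" warning, and reads the failure code from the validation response. The function names, the sample principal, ticket and service URL are constructed for illustration, and the script assumes log records as CAS writes them, without the e-mail line wrapping seen in this message.

```python
import re
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
# Matches either one audit trail record body or the validator's warning line.
EVENT = re.compile(
    r"record\s+BEGIN\s+=+\n(?P<body>.*?)\n=+"
    r"|(?P<warn>No\s+satisfied\s+multifactor\s+authentication\s+providers)", re.S)
FIELD = re.compile(r"^(WHO|WHAT|ACTION): (.*)$", re.M)

def find_mfa_context_gaps(log_text):
    """Return validations where MFA was triggered but no provider was recorded."""
    triggered, last_validated, gaps = {}, None, []
    for m in EVENT.finditer(log_text):
        if m.group("warn"):
            # The warning refers to the most recent ticket validation.
            if last_validated and last_validated[0] in triggered:
                who, ticket = last_validated
                gaps.append({"principal": who, "provider": triggered[who], "ticket": ticket})
            last_validated = None
            continue
        rec = dict(FIELD.findall(m.group("body")))
        who, what, action = rec.get("WHO"), rec.get("WHAT", ""), rec.get("ACTION")
        if action == "AUTHENTICATION_EVENT_TRIGGERED":
            provider = re.search(r"event=([\w-]+)", what)
            if provider:
                triggered[who] = provider.group(1)
        elif action == "SERVICE_TICKET_VALIDATED":
            last_validated = (who, what.strip())
    return gaps

def validation_failure_code(response_xml):
    """Return the authenticationFailure code of a CAS validation response, or None."""
    failure = ET.fromstring(response_xml).find("cas:authenticationFailure", CAS_NS)
    return None if failure is None else failure.get("code")

def make_record(who, what, action):  # constructed record in the layout shown above
    return ("INFO [Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN\n"
            f"=====\nWHO: {who}\nWHAT: {what}\nACTION: {action}\n=====\n\n>\n")

# Constructed sample data (not taken from the post).
SAMPLE_LOG = (
    make_record("alice-test", "[event=mfa-duo,source=ExampleResolver]", "AUTHENTICATION_EVENT_TRIGGERED")
    + make_record("alice-test", "ST-1-EXAMPLE-cas1 for https://app.example.org/", "SERVICE_TICKET_CREATED")
    + make_record("alice-test", "ST-1-EXAMPLE-cas1", "SERVICE_TICKET_VALIDATED")
    + "WARN [DefaultAuthenticationContextValidator] - <No satisfied multifactor "
      "authentication providers are recorded in the current authentication context.>\n")
SAMPLE_RESPONSE = ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
    "<cas:authenticationFailure code='INVALID_AUTHENTICATION_CONTEXT'>unsatisfied"
    "</cas:authenticationFailure></cas:serviceResponse>")
```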
