Thanks Andy for the information. We spent some more time this morning troubleshooting the behavior and have discovered the reason for this behavior. It seems that the ticket granting cookie is encoded and is not just the TGT, it is TGT+Client IP+Browser Agent. When a call comes into login?service= the validation checks the cookie and validates that the TGT is still valid and now also checks that the Browser Agent matches what it was when the cookie was created.
In this case, when we log in to SSO using IE 11 the browser agent is Mozilla 5.0; when we access the old legacy application (which has its domain set under compatibility view) and the app redirects to SSO for authentication, the user agent is changed to Mozilla 4.0. Since the user agent of the request no longer matches the user agent when the cookie was created, the cookie is considered invalid. Based on the code it doesn't look like there is any way to override this behavior (not that one should). Based on the fact that this legacy app must be run in compatibility view, our only workaround is to also have those users add our portal URL to compatibility view as well so that the user agents will match during validation.

On Thursday, January 23, 2020 at 8:55:15 PM UTC-5, Andy Ng wrote:
> Hi Justin,
>
> CAS 5 has said that at least the UI will have problems with IE 9 or below,
> so I doubt they built CAS 5 with IE 7 support in mind.
>
> https://apereo.github.io/cas/5.3.x/installation/User-Interface-Customization.html#browser-support
>
> I don't have IE 7 set up on my system so can't really test this...
>
> However, I have looked into the properties here:
>
> https://apereo.github.io/cas/5.2.x/installation/Configuration-Properties.html#adaptive-authentication
>
> Seems like it is possible to reject agents like so:
> cas.authn.adaptive.rejectBrowsers=Gecko.+
>
> But by default there are no rejected agents for this, so I doubt the issue is
> related to adaptive authentication.
>
> Can you enable your CAS debug log and post any anomalies here (with
> sensitive info censored of course), so the community can look at your CAS
> log and see if there are any other problems with that?
>
> Cheers!
> - Andy
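The cookie binding described in this message, as an added example that is not part of the original thread and is not CAS's own code: a small Python model of a signed cookie carrying TGT + client IP + User-Agent, showing why the compatibility-view request is rejected and why the workaround passes. The key, the `@` separator, the HMAC layout, the function names and the sample User-Agent strings are all assumptions constructed for illustration.

```python
import base64, hashlib, hmac

KEY = b"constructed-demo-key"  # assumption: stand-in for the server's signing key
SEP = "@"                      # assumption: field separator chosen for this model

# Constructed sample User-Agent strings for IE 11 in normal and compatibility view.
IE11_UA = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
IE11_COMPAT_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0)"

def _mac(payload: bytes) -> bytes:
    return hmac.new(KEY, payload, hashlib.sha256).digest()

def build_cookie(tgt, client_ip, user_agent):
    """Bind the ticket id to client IP and User-Agent, then sign and encode."""
    payload = SEP.join([tgt, client_ip, user_agent]).encode()
    return base64.urlsafe_b64encode(_mac(payload) + payload).decode()

def validate_cookie(cookie, client_ip, user_agent, live_tgts):
    """Return (tgt, reason); tgt is None when the cookie is rejected."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:
        return None, "malformed"
    mac, payload = raw[:32], raw[32:]
    if not hmac.compare_digest(mac, _mac(payload)):
        return None, "bad signature"
    tgt, bound_ip, bound_ua = payload.decode().split(SEP, 2)
    if bound_ip != client_ip:
        return None, "client IP mismatch"
    if bound_ua != user_agent:
        return None, "user agent mismatch"
    if tgt not in live_tgts:
        return None, "ticket expired or unknown"
    return tgt, "ok"

if __name__ == "__main__":
    live = {"TGT-1-constructed"}
    cookie = build_cookie("TGT-1-constructed", "192.0.2.10", IE11_UA)
    # Portal in normal mode, legacy app in compatibility view: rejected.
    print(validate_cookie(cookie, "192.0.2.10", IE11_COMPAT_UA, live))
    # Workaround: portal also in compatibility view, so both agents match.
    cookie = build_cookie("TGT-1-constructed", "192.0.2.10", IE11_COMPAT_UA)
    print(validate_cookie(cookie, "192.0.2.10", IE11_COMPAT_UA, live))
```

Returning the rejection reason separately from the ticket makes this kind of mismatch visible in a debug log instead of surfacing only as an unexpected login prompt.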
