And it looks like the updated TGC encryption algorithm and incompatible key
(length) were the root cause after all. The indicators in the logs that
point to this were not obvious, imo.

Thank you nui loa and mahalo very much!

On Thu, Feb 12, 2026 at 11:15 AM Baron Fujimoto <[email protected]> wrote:

> FWIW, setting the X-Frame-Options to "SAMEORIGIN" didn't resolve the issue
> – it denied loading for that instead, and ALLOW-FROM was interpreted as
> invalid. From what I can tell, X-Frame-Options is generally deprecated in
> favor of Content Security Policy these days anyway?
>
> However, we were able to get past the X-Frame-Options browser errors by
> disabling them completely in the application's service registration with
> the inclusion of the following:
>
>   "properties" : {
>     "@class" : "java.util.HashMap",
>     "httpHeaderEnableXFrameOptions" : {
>       "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
>       "values" : [ "java.util.HashSet", [ "false" ] ]
>     }
>   },
>
> Unfortunately, there's still some unresolved issue with the Banner
> applications since the upgrade so we are continuing to troubleshoot that.
> The application itself only unhelpfully reports to the user "Problem in
> external authentication service." when it is presumably trying to leverage
> the SSO session.
>
> On Tue, Feb 10, 2026 at 10:38 AM Erik Mallory <[email protected]>
> wrote:
>
>>
>> https://apereo.github.io/cas/7.3.x/authentication/Configuring-SSO-Cookie.html
>>
>> https://apereo.github.io/cas/7.2.x/authentication/Configuring-SSO-Cookie.html
>>
>> On Tue, Feb 10, 2026 at 1:56 PM Baron Fujimoto <[email protected]> wrote:
>>
>>> Mahalo! We'll look into these.
>>>
>>> I think I found CAS documentation for the X-Frame stuff at
>>> <https://apereo.github.io/cas/7.3.x/services/Configuring-Service-Http-Security-Headers.html#cashttpwebrequestheaderxframePropertyConfig>.
>>>
>>> However I couldn't find docs for the cas.tgc.crypto properties. The
>>> search function at
>>> <https://apereo.github.io/cas/7.3.x/configuration/Configuration-Properties.html>
>>> can find the properties, but does not provide any links to documentation
>>> that elaborates on them in terms of possible values, etc. Do you know where
>>> they may be found?
>>>
>>>
>>> On Tue, Feb 10, 2026 at 8:14 AM Erik Mallory <[email protected]>
>>> wrote:
>>>
>>>>
>>>> The TGT crypto algorithm configuration has changed. We ran into
>>>> similar but different issues with our Banner environment (currently on
>>>> 7.2.7 in prod and 7.3 in dev):
>>>> # the new algorithm
>>>> cas.tgc.crypto.alg=A256CBC-HS512
>>>> cas.tgc.crypto.encryption.key=<can be found in the cas logs on startup>
>>>> cas.tgc.crypto.encryption.key-size=512
>>>> cas.tgc.crypto.signing.key-size=512
>>>> cas.tgc.crypto.signing.key=<can be found in the cas logs on startup>
>>>>
>>>> We also tried the cas.http-web-request.header.xframe-options config; it
>>>> didn't have any effect for us, but updating the tgc crypto did.
>>>>
>>>> On Tue, Feb 10, 2026 at 11:20 AM Baron Fujimoto <[email protected]>
>>>> wrote:
>>>>
>>>>> When we attempted to upgrade from CAS 7.0.x to CAS 7.2.x, we ran into
>>>>> a problem with some Banner apps we integrate with. This problem is still
>>>>> present with CAS 7.3.x, but we are now obligated to upgrade to 7.3 to
>>>>> handle the Duo expiring certificate issue.
>>>>>
>>>>> This is what the Banner side reports when they encounter the problem
>>>>> that prevents their authentication:
>>>>> =====
>>>>> Cookie "" has been rejected as third-party.
>>>>> Request to access cookie or storage on "‹URL›" was blocked because we
>>>>> are blocking all third-party storage access requests and Enhanced Tracking
>>>>> Protection is enabled.
>>>>> Cookie "session=e30=; path=/; expires=Mon, 09 Feb 2026 22:28:30 GMT;
>>>>> samesite=none; secure; httponly" has been rejected as third-party.
>>>>> Cookie "session.sig=9XPs7W8M7hQi-oN3HwGabFRUD5A; path=/; expires=Mon,
>>>>> 09 Feb 2026 22:28:30 GMT; samesite=none; secure; httponly" has been
>>>>> rejected as third-party.
>>>>> Cookie "session=e30=; path=/; expires-Mon, 09 Feb 2026 22:28:30 GMT;
>>>>> samesite=none; secure; httponly" has been rejected as third-party.
>>>>> Cookie "session.sig=9XPs7W8M7hQi-oN3HwGabFRUD5A; path=/; expires=Mon,
>>>>> 09 Feb 2026 22:28:30 GNT; samesite=none; secure; httponly" has been
>>>>> rejected as third-party.
>>>>> The loading of "
>>>>> https://cas.example.edu/cas/login?service=https%3%2F%2Fbanner.example.edu%3A9000%2FBannerAdmin.ws&2Fi
>>>>> spring cas security check" in a frame is denied by "X-Frame-Options"
>>>>> directive set to "deny".
>>>>> =====
>>>>>
>>>>> They want us to try setting "X-Frame-Options" SAMEORIGIN to ALWAYS.
>>>>>
>>>>> Is this even a CAS thing? From what I gather, it's applicable to the
>>>>> web server? But we were using the same web server (Tomcat 10.1.x for CAS
>>>>> 7.2, and now Tomcat 11.0.x for CAS 7.3), and we don't encounter these
>>>>> issues for other apps.
>>>>>
>>>>> Is this something controlled by CAS after all? If so, can we tweak
>>>>> it as requested – preferably just for their service registrations?
>>>>>
>>>>> Because only these Banner apps suffer from this as far as we know, we
>>>>> were inclined to think that the problem is on the application side. But
>>>>> ultimately because these apps are so important to the institution, we need
>>>>> to find a workaround one way or another.
>>>>>
>>>>> Any ideas or suggestions would be appreciated.
>>>>>
>>>>> --
>>>>> Baron Fujimoto <[email protected]> ::: UH Information Technology
>>>>> Services
>>>>> minutas cantorum, minutas balorum, minutas carboratum descendus
>>>>> pantorum
>>>>>
>>>>> --
>>>>> - Website: https://apereo.github.io/cas
>>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>>> - Contributions: https://goo.gl/mh7qDG
>>>>> ---
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "CAS Community" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to [email protected].
>>>>> To view this discussion visit
>>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL1xoLy6jxkayrK8%2B7fyz259OV7W4WUcFYFax2zHZZwgVQ%40mail.gmail.com
>>>>> .
>>>>>
>>>>
>>>>
>>>> --
>>>> Erik Mallory
>>>>
>>>> ------------------------
>>>> "A happy man's paradise is his own good nature." - Edward Abbey
>>>>
>>>>
>>>
>>
>>
>> --
>> Erik Mallory
>>
>> ------------------------
>> "A happy man's paradise is his own good nature." - Edward Abbey
>>
>>
>
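
An added example, not part of the thread or of the CAS project: a pre-upgrade check that the TGC encryption key in a properties file has the length the configured `cas.tgc.crypto.alg` requires under RFC 7518. It assumes the key value is the base64url encoding of the raw key bytes; the sample keys and the `STALE`/`FIXED` configs are constructed for illustration.

```python
import base64

# Content-encryption key sizes in bits per JWE algorithm (RFC 7518, section 5.2).
REQUIRED_BITS = {"A128CBC-HS256": 256, "A192CBC-HS384": 384, "A256CBC-HS512": 512}
PREFIX = "cas.tgc.crypto."

def parse_properties(text):
    """Parse key=value lines; only whole-line '#' comments are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def key_bits(value):
    """Length in bits of a base64url-encoded key (padding optional)."""
    padded = value + "=" * (-len(value) % 4)
    return len(base64.urlsafe_b64decode(padded)) * 8

def check_tgc_crypto(text):
    """Return findings; an empty list means alg, key and key-size agree."""
    props = parse_properties(text)
    alg = props.get(PREFIX + "alg")
    if alg not in REQUIRED_BITS:
        return [f"unsupported or missing alg: {alg!r}"]
    need, findings = REQUIRED_BITS[alg], []
    key = props.get(PREFIX + "encryption.key", "")
    try:
        have = key_bits(key)
    except ValueError:
        return ["encryption.key is not valid base64url"]
    if have != need:
        findings.append(f"encryption.key is {have} bits, {alg} needs {need}")
    declared = props.get(PREFIX + "encryption.key-size")
    if declared is not None and declared != str(need):
        findings.append(f"encryption.key-size={declared}, {alg} needs {need}")
    return findings

def sample_key(n_bytes):
    """Constructed, non-secret sample key of n_bytes; never use as a real key."""
    return base64.urlsafe_b64encode(bytes(range(n_bytes))).rstrip(b"=").decode()

# Constructed configs: a key too short for the algorithm vs. a matching one.
STALE = f"{PREFIX}alg=A256CBC-HS512\n{PREFIX}encryption.key={sample_key(32)}\n{PREFIX}encryption.key-size=256\n"
FIXED = f"{PREFIX}alg=A256CBC-HS512\n{PREFIX}encryption.key={sample_key(64)}\n{PREFIX}encryption.key-size=512\n"

if __name__ == "__main__":
    print(check_tgc_crypto(STALE))
    print(check_tgc_crypto(FIXED))
```

A trailing `#` comment on the same line as a value is read as part of the value, so the check reports it as an unsupported algorithm.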
