Likely...if the certs aren't trusted CasOwa won't be able to get PGT and a subsequent PT/ST for clearPass.
Bill

On Fri, Nov 12, 2010 at 10:33 AM, James Winter <[email protected]> wrote:
> What does it mean that the ticket parameter is blank in that error message?
> I understand that var proxyTicket = user.GetProxyTicketFor(ClearPassUri); is
> returning nothing, but is that also caused by the SSL cert?
>
> James
>
> On Fri, Nov 12, 2010 at 10:13 AM, James Winter <[email protected]> wrote:
>> Progress!
>>
>> I now get this response:
>> Received response from
>> https://mycampus.arcadia.edu/cas/clearPass?ticket=&service=https://mycampus.arcadia.edu/cas/clearPass,
>> but cas:credientials IsNullOrEmpty. Check CAS server logs for errors. Make
>> sure SSL certs are trusted.
>> We don't have direct access to our CAS server, so we'll have to contact
>> our host to add the certificate to their end. I got the cert from a free
>> site, but I'm guessing that's the problem.
>> James
>>
>> On Fri, Nov 12, 2010 at 9:34 AM, William G. Thompson, Jr.
>> <[email protected]> wrote:
>>> On Fri, Nov 12, 2010 at 9:30 AM, James Winter <[email protected]> wrote:
>>> > We have some additional problems (the test server is unable to access
>>> > the CAS server at all) so I'm going to have to wait until that's
>>> > resolved.
>>>
>>> That would help. :)
>>>
>>> > Both servers are using commercial certs, and I'm pretty sure Clearpass
>>> > is working. When I go to /cas/clearPass I don't get a login prompt, I
>>> > just get the "No authentication information provided." response.
>>>
>>> Log in first, and then try the clearPass URL; you should get the following:
>>> <cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>>> <cas:clearPassFailure>invalid sevice specified</cas:clearPassFailure>
>>> </cas:clearPassResponse>
>>>
>>> Bill
>>>
>>> > James
>>> >
>>> > On Fri, Nov 12, 2010 at 9:13 AM, William G. Thompson, Jr.
>>> > <[email protected]> wrote:
>>> >> If you're using self-signed certs, both IIS and the CAS JVM must be
>>> >> configured to trust them.
>>> >>
>>> >> If you're using commercial certs there shouldn't be an issue.
>>> >>
>>> >> Have you verified Clearpass extension is working?
>>> >>
>>> >> 7. Verify ClearPass install
>>> >> Authenticate normally by visiting https://{host}/cas/clearPass. You
>>> >> should get this message back.
>>> >>
>>> >> <cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>>> >> <cas:clearPassFailure>invalid sevice specified</cas:clearPassFailure>
>>> >> </cas:clearPassResponse>
>>> >>
>>> >> Bill
>>> >>
>>> >> On Fri, Nov 12, 2010 at 9:04 AM, James Winter <[email protected]> wrote:
>>> >> > Sorry to be clueless, I was kind of thrown into the deep end here
>>> >> > with the CAS/OWA implementation. What do you mean by "cert is known
>>> >> > to the cas jvm and vice versa"?
>>> >> > I did get a valid SSL certificate for our test server with no
>>> >> > change. I still get the HttpContext.Current.User is null error.
>>> >> > Thanks for the help.
>>> >> >
>>> >> > James
>>> >> >
>>> >> > On Thu, Nov 11, 2010 at 9:40 PM, William G. Thompson, Jr.
>>> >> > <[email protected]> wrote:
>>> >> >> You need to make sure that the exchange server cert is known to the
>>> >> >> cas jvm and vice versa.
>>> >> >>
>>> >> >> Bill
>>> >> >>
>>> >> >> On Thu, Nov 11, 2010 at 9:30 PM, James Winter <[email protected]> wrote:
>>> >> >> > I'm a little farther, I'm now at the point where I get the
>>> >> >> > "HttpContext.Current.User is null" error but I read that it may
>>> >> >> > be due to an incorrect SSL certificate which our Exchange server
>>> >> >> > has. I set the skip OWA cert parameter to false, but I don't know
>>> >> >> > if that affects the CAS side of things.
>>> >> >> > Is there something I need to do on the CAS side of the setup to
>>> >> >> > allow the process, or should a correct SSL cert do the trick?
>>> >> >> > I'll find out tomorrow.
>>> >> >> >
>>> >> >> > -James
>>> >> >> >
>>> >> >> > On Nov 11, 2010, at 7:39 PM, "William G. Thompson, Jr."
>>> >> >> > <[email protected]> wrote:
>>> >> >> >
>>> >> >> > Did you follow these instructions?
>>> >> >> > https://wiki.jasig.org/pages/viewpage.action?pageId=29133913
>>> >> >> >
>>> >> >> > Bill
>>> >> >> >
>>> >> >> > On Thu, Nov 11, 2010 at 4:29 PM, James Winter <[email protected]> wrote:
>>> >> >> >
>>> >> >> > Some background:
>>> >> >> > I set up the CAS Client for OWA on a test Exchange 2003 server in
>>> >> >> > IIS 6 and I can successfully get to server.domain.local/coa/auth.
>>> >> >> > I get redirected to the CAS login, which then redirects me back to
>>> >> >> > server.domain.local/coa/auth?ticket=ST-XXX-xxxxetc which gives me
>>> >> >> > a 404 error.
>>> >> >> > Am I missing a configuration piece somewhere? Or does anyone know
>>> >> >> > what the CasOwa.OwaUrl should be for Exchange 2003? I've tried
>>> >> >> > /exchange, /exchweb, /exchweb/bin/auth, and a few others with no
>>> >> >> > change.
>>> >> >> >
>>> >> >> > Thanks.
>>> >> >> >
>>> >> >> > -James

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
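
An added example, not part of the thread and not CasOwa code: a Python check that takes the clearPass request URL from the client's error message plus the XML response body and reports what went wrong, without ever returning the password. The `credentials` element name, the finding labels and the `cas.example.edu` host are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

CAS_NS = "{http://www.yale.edu/tp/cas}"  # namespace used in the thread's XML


def diagnose_clearpass(request_url, response_xml):
    """Classify one clearPass exchange; never returns the credential value."""
    findings = []
    query = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    if not query.get("ticket", [""])[0]:
        # Blank ticket= means no proxy ticket was issued; the thread ties this
        # to the client failing to obtain a PGT when the certs are not trusted.
        findings.append("empty-proxy-ticket")
    if not query.get("service", [""])[0]:
        findings.append("missing-service")
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return findings + ["unparseable-response"]
    if root.tag != CAS_NS + "clearPassResponse":
        return findings + ["unexpected-root"]
    failure = root.find(CAS_NS + "clearPassFailure")
    if failure is not None:
        # Collapse whitespace so a wrapped message compares cleanly.
        text = " ".join((failure.text or "").split())
        findings.append("clearpass-failure: " + text)
    # Assumed success element name; report presence only, never the value.
    creds = root.find(".//" + CAS_NS + "credentials")
    if creds is not None and (creds.text or "").strip():
        findings.append("credentials-present")
    elif failure is None:
        findings.append("credentials-empty")
    return findings


# Constructed sample shaped like the exchange quoted in the thread.
SAMPLE_URL = ("https://cas.example.edu/cas/clearPass"
              "?ticket=&service=https://cas.example.edu/cas/clearPass")
SAMPLE_XML = """<cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:clearPassFailure>invalid sevice
  specified</cas:clearPassFailure>
</cas:clearPassResponse>"""

if __name__ == "__main__":
    for finding in diagnose_clearpass(SAMPLE_URL, SAMPLE_XML):
        print(finding)
```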
