Ok, more progress. The SSL certificate problem is no more, but now I get the following:

Error getting response from clearPass at URL: https://cas.domain.local/cas/clearPass?ticket=ST-999-xxxxxxxxx-cas&service=https://cas.domain.local/cas/clearPass. The remote server returned an error: (500) Internal Server Error.

Is this a configuration problem in clearPass? Or CAS? If I change the first clearPass in the URL to clearpass, I get my password returned to me. But if I change the web.config to use clearpass instead of clearPass, I get the same 500 error as above.

Any ideas?

James

On Fri, Nov 12, 2010 at 10:45 AM, William G. Thompson, Jr. <[email protected]> wrote:
> Likely...if the certs aren't trusted CasOwa won't be able to get PGT
> and a subsequent PT/ST for clearPass.
>
> Bill
>
> On Fri, Nov 12, 2010 at 10:33 AM, James Winter <[email protected]> wrote:
> > What does it mean that the ticket parameter is blank in that error message?
> > I understand that var proxyTicket = user.GetProxyTicketFor(ClearPassUri); is
> > returning nothing, but is that also caused by the SSL cert?
> >
> > James
> >
> > On Fri, Nov 12, 2010 at 10:13 AM, James Winter <[email protected]> wrote:
> >> Progress!
> >>
> >> I now get this response:
> >> Received response from
> >> https://mycampus.arcadia.edu/cas/clearPass?ticket=&service=https://mycampus.arcadia.edu/cas/clearPass,
> >> but cas:credientials IsNullOrEmpty. Check CAS server logs for errors. Make
> >> sure SSL certs are trusted.
> >> We don't have direct access to our CAS server, so we'll have to contact
> >> our host to add the certificate to their end. I got the cert from a free
> >> site, but I'm guessing that's the problem.
> >> James
> >>
> >> On Fri, Nov 12, 2010 at 9:34 AM, William G. Thompson, Jr. <[email protected]> wrote:
> >>> On Fri, Nov 12, 2010 at 9:30 AM, James Winter <[email protected]> wrote:
> >>> > We have some additional problems (the test server is unable to access the
> >>> > CAS server at all) so I'm going to have to wait until that's resolved.
> >>>
> >>> That would help. :)
> >>>
> >>> > Both servers are using commercial certs, and I'm pretty sure Clearpass is
> >>> > working. When I go to /cas/clearPass I don't get a login prompt, I just get
> >>> > the "No authentication information provided." response.
> >>>
> >>> Login first, and then try the clearPass URL you should get the following:
> >>> <cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>
> >>> <cas:clearPassFailure>invalid sevice specified</cas:clearPassFailure>
> >>> </cas:clearPassResponse>
> >>>
> >>> Bill
> >>>
> >>> > James
> >>> >
> >>> > On Fri, Nov 12, 2010 at 9:13 AM, William G. Thompson, Jr. <[email protected]> wrote:
> >>> >> If you're using self-signed certs, both IIS and the CAS JVM must be
> >>> >> configured to trust them.
> >>> >>
> >>> >> If you're using commercial certs there shouldn't be an issue.
> >>> >>
> >>> >> Have you verified Clearpass extension is working?
> >>> >>
> >>> >> 7. Verify ClearPass install
> >>> >> Authenticate normally by visiting https://{host}/cas/clearPass. You
> >>> >> should get this message back.
> >>> >>
> >>> >> <cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>
> >>> >> <cas:clearPassFailure>invalid sevice specified</cas:clearPassFailure>
> >>> >> </cas:clearPassResponse>
> >>> >>
> >>> >> Bill
> >>> >>
> >>> >> On Fri, Nov 12, 2010 at 9:04 AM, James Winter <[email protected]> wrote:
> >>> >> > Sorry to be clueless, I was kind of thrown into the deep end here with
> >>> >> > the CAS/OWA implementation. What do you mean by "cert is known to the
> >>> >> > cas jvm and vice versa"?
> >>> >> > I did get a valid SSL certificate for our test server with no change. I
> >>> >> > still get the HttpContext.Current.User is null error.
> >>> >> > Thanks for the help.
> >>> >> >
> >>> >> > James
> >>> >> >
> >>> >> > On Thu, Nov 11, 2010 at 9:40 PM, William G. Thompson, Jr. <[email protected]> wrote:
> >>> >> >> You need to make sure that the exchange server cert is known to the
> >>> >> >> cas jvm and vice versa.
> >>> >> >>
> >>> >> >> Bill
> >>> >> >>
> >>> >> >> On Thu, Nov 11, 2010 at 9:30 PM, James Winter <[email protected]> wrote:
> >>> >> >> > I'm a little farther, I'm now at the point where I get the
> >>> >> >> > "HttpContext.Current.User is null" error but I read that it may be due
> >>> >> >> > to an incorrect SSL certificate which our Exchange server has. I set
> >>> >> >> > the skip OWA cert parameter to false, but I don't know if that affects
> >>> >> >> > the CAS side of things.
> >>> >> >> > Is there something I need to do on the CAS side of the setup to allow
> >>> >> >> > the process, or should a correct SSL cert do the trick?
> >>> >> >> > I'll find out tomorrow.
> >>> >> >> >
> >>> >> >> > -James
> >>> >> >> >
> >>> >> >> > On Nov 11, 2010, at 7:39 PM, "William G. Thompson, Jr." <[email protected]> wrote:
> >>> >> >> >
> >>> >> >> > Did you follow these instructions?
> >>> >> >> > https://wiki.jasig.org/pages/viewpage.action?pageId=29133913
> >>> >> >> >
> >>> >> >> > Bill
> >>> >> >> >
> >>> >> >> > On Thu, Nov 11, 2010 at 4:29 PM, James Winter <[email protected]> wrote:
> >>> >> >> >
> >>> >> >> > Some background:
> >>> >> >> >
> >>> >> >> > I set up the CAS Client for OWA on a test Exchange 2003 server in IIS 6
> >>> >> >> > and I can successfully get to server.domain.local/coa/auth. I get
> >>> >> >> > redirected to the CAS login, which then redirects me back to
> >>> >> >> > server.domain.local/coa/auth?ticket=ST-XXX-xxxxetc which gives me a 404
> >>> >> >> > error.
> >>> >> >> >
> >>> >> >> > Am I missing a configuration piece somewhere? Or does anyone know what
> >>> >> >> > the CasOwa.OwaUrl should be for Exchange 2003? I've tried /exchange,
> >>> >> >> > /exchweb, /exchweb/bin/auth, and a few others with no change.
> >>> >> >> >
> >>> >> >> > Thanks.
> >>> >> >> >
> >>> >> >> > -James
> >>> >> >> >
> >>> >> >> > --
> >>> >> >> > You are currently subscribed to [email protected] as: [email protected]
> >>> >> >> > To unsubscribe, change settings or access archives, see
> >>> >> >> > http://www.ja-sig.org/wiki/display/JSG/cas-user
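
A triage helper for the clearPass responses discussed in this thread, added here as an example (it is not code from the thread or from the CasOwa client). The `triage` function, the `clearPassSuccess`/`credentials` element names and all sample hosts, tickets and secrets are assumptions or constructed values.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

CAS = "http://www.yale.edu/tp/cas"   # namespace shown in the thread's XML
NS = {"cas": CAS}

def triage(request_url, http_status, body):
    """Classify one clearPass exchange as (code, hint).

    The credential itself is never returned, so the result is safe to log.
    """
    query = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    if not query.get("ticket", [""])[0]:
        # Blank ticket=: the client never obtained a proxy ticket.
        return ("no-proxy-ticket", "no PGT/PT issued; check cert trust in both directions")
    if http_status != 200:
        return ("http-error", "HTTP %d from clearPass; check CAS server logs" % http_status)
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ("not-clearpass", "body is not XML")
    if root.tag != "{%s}clearPassResponse" % CAS:
        return ("not-clearpass", "unexpected root element")
    failure = root.find("cas:clearPassFailure", NS)
    if failure is not None:
        # Collapse the line wrap inside the message text.
        return ("failure", " ".join((failure.text or "").split()))
    cred = root.find(".//cas:credentials", NS)   # assumed element name
    if cred is None or not (cred.text or "").strip():
        return ("empty-credentials", "response parsed but carries no credential")
    return ("ok", "credential present (redacted)")

# Constructed samples; host, ticket and secret are made up.
BASE = "https://cas.example.edu/cas/clearPass"
WITH_TICKET = BASE + "?ticket=ST-1-constructed&service=" + BASE
FAILURE_XML = """<cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:clearPassFailure>invalid sevice
specified</cas:clearPassFailure>
</cas:clearPassResponse>"""
SUCCESS_XML = ("<cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
               "<cas:clearPassSuccess><cas:credentials>constructed-secret"
               "</cas:credentials></cas:clearPassSuccess></cas:clearPassResponse>")

if __name__ == "__main__":
    print(triage(BASE + "?ticket=&service=" + BASE, 200, ""))
    print(triage(WITH_TICKET, 500, ""))
    print(triage(WITH_TICKET, 200, FAILURE_XML))
    print(triage(WITH_TICKET, 200, SUCCESS_XML))
```

Because a successful clearPass response carries the user's cleartext password, the helper reports only that a credential was present.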
