Some more detail on this problem: If I go to my site, I can successfully log in to CAS, but then I get the error message:

Error getting response from clearPass at URL: https://cas.domain.local/cas/clearPass?ticket=ST-999-xxxxxxxxx-cas&service=https://cas.domain.local/cas/clearPass. The remote server returned an error: (500) Internal Server Error.

If I take that URL and paste it into a new browser, and if I change the first clearPass to anything else, like clearPass/ or clearpass, I'll get my password returned back to me. I also notice that the ticket changes. If the original is ST-687, for example, the one in the URL when my password is displayed is ST-688. Should clearPass be giving a new ticket? Or is the ticket that it's attempting to pass to clearPass a bad ticket?

I can't get access to the CAS server logs, so I'm in a little bit of a bind here. Thanks for any help.

James

On Fri, Nov 12, 2010 at 3:40 PM, James Winter <[email protected]> wrote:
> Ok, more progress. The SSL certificate problem is no more, but now I get the following:
>
> Error getting response from clearPass at URL: https://cas.domain.local/cas/clearPass?ticket=ST-999-xxxxxxxxx-cas&service=https://cas.domain.local/cas/clearPass.
> The remote server returned an error: (500) Internal Server Error.
>
> Is this a configuration problem in clearPass? Or CAS? If I change the first clearPass in the URL to clearpass, I get my password returned to me. But if I change the web.config to use clearpass instead of clearPass, I get the same 500 error as above.
>
> Any ideas?
>
> James
>
> On Fri, Nov 12, 2010 at 10:45 AM, William G. Thompson, Jr. <[email protected]> wrote:
>> Likely...if the certs aren't trusted CasOwa won't be able to get PGT and a subsequent PT/ST for clearPass.
>>
>> Bill
>>
>> On Fri, Nov 12, 2010 at 10:33 AM, James Winter <[email protected]> wrote:
>> > What does it mean that the ticket parameter is blank in that error message?
>> > I understand that var proxyTicket = user.GetProxyTicketFor(ClearPassUri); is returning nothing, but is that also caused by the SSL cert?
>> >
>> > James
>> >
>> > On Fri, Nov 12, 2010 at 10:13 AM, James Winter <[email protected]> wrote:
>> >> Progress!
>> >>
>> >> I now get this response:
>> >> Received response from https://mycampus.arcadia.edu/cas/clearPass?ticket=&service=https://mycampus.arcadia.edu/cas/clearPass, but cas:credientials IsNullOrEmpty. Check CAS server logs for errors. Make sure SSL certs are trusted.
>> >> We don't have direct access to our CAS server, so we'll have to contact our host to add the certificate to their end. I got the cert from a free site, but I'm guessing that's the problem.
>> >> James
>> >>
>> >> On Fri, Nov 12, 2010 at 9:34 AM, William G. Thompson, Jr. <[email protected]> wrote:
>> >>> On Fri, Nov 12, 2010 at 9:30 AM, James Winter <[email protected]> wrote:
>> >>> > We have some additional problems (the test server is unable to access the CAS server at all) so I'm going to have to wait until that's resolved.
>> >>>
>> >>> That would help. :)
>> >>>
>> >>> > Both servers are using commercial certs, and I'm pretty sure Clearpass is working. When I go to /cas/clearPass I don't get a login prompt, I just get the "No authentication information provided." response.
>> >>>
>> >>> Log in first, and then try the clearPass URL; you should get the following:
>> >>> <cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>> >>> <cas:clearPassFailure>invalid sevice specified</cas:clearPassFailure>
>> >>> </cas:clearPassResponse>
>> >>>
>> >>> Bill
>> >>>
>> >>> > James
>> >>> >
>> >>> > On Fri, Nov 12, 2010 at 9:13 AM, William G. Thompson, Jr. <[email protected]> wrote:
>> >>> >> If you're using self-signed certs, both IIS and the CAS JVM must be configured to trust them.
>> >>> >>
>> >>> >> If you're using commercial certs there shouldn't be an issue.
>> >>> >>
>> >>> >> Have you verified Clearpass extension is working?
>> >>> >>
>> >>> >> 7. Verify ClearPass install
>> >>> >> Authenticate normally by visiting https://{host}/cas/clearPass. You should get this message back.
>> >>> >>
>> >>> >> <cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>> >>> >> <cas:clearPassFailure>invalid sevice specified</cas:clearPassFailure>
>> >>> >> </cas:clearPassResponse>
>> >>> >>
>> >>> >> Bill
>> >>> >>
>> >>> >> On Fri, Nov 12, 2010 at 9:04 AM, James Winter <[email protected]> wrote:
>> >>> >> > Sorry to be clueless, I was kind of thrown into the deep end here with the CAS/OWA implementation. What do you mean by "cert is known to the cas jvm and vice versa"?
>> >>> >> > I did get a valid SSL certificate for our test server with no change. I still get the HttpContext.Current.User is null error.
>> >>> >> > Thanks for the help.
>> >>> >> >
>> >>> >> > James
>> >>> >> >
>> >>> >> > On Thu, Nov 11, 2010 at 9:40 PM, William G. Thompson, Jr. <[email protected]> wrote:
>> >>> >> >> You need to make sure that the exchange server cert is known to the cas jvm and vice versa.
>> >>> >> >>
>> >>> >> >> Bill
>> >>> >> >>
>> >>> >> >> On Thu, Nov 11, 2010 at 9:30 PM, James Winter <[email protected]> wrote:
>> >>> >> >> > I'm a little farther, I'm now at the point where I get the "HttpContext.Current.User is null" error but I read that this may be due to an incorrect SSL certificate which our Exchange server has. I set the skip OWA cert parameter to false, but I don't know if that affects the CAS side of things.
>> >>> >> >> > Is there something I need to do on the CAS side of the setup to allow the process, or should a correct SSL cert do the trick?
>> >>> >> >> > I'll find out tomorrow.
>> >>> >> >> >
>> >>> >> >> > -James
>> >>> >> >> >
>> >>> >> >> > On Nov 11, 2010, at 7:39 PM, "William G. Thompson, Jr." <[email protected]> wrote:
>> >>> >> >> >
>> >>> >> >> > Did you follow these instructions?
>> >>> >> >> > https://wiki.jasig.org/pages/viewpage.action?pageId=29133913
>> >>> >> >> >
>> >>> >> >> > Bill
>> >>> >> >> >
>> >>> >> >> > On Thu, Nov 11, 2010 at 4:29 PM, James Winter <[email protected]> wrote:
>> >>> >> >> >
>> >>> >> >> > Some background:
>> >>> >> >> >
>> >>> >> >> > I set up the CAS Client for OWA on a test Exchange 2003 server in IIS 6 and I can successfully get to server.domain.local/coa/auth. I get redirected to the CAS login, which then redirects me back to server.domain.local/coa/auth?ticket=ST-XXX-xxxxetc which gives me a 404 error.
>> >>> >> >> >
>> >>> >> >> > Am I missing a configuration piece somewhere? Or does anyone know what the CasOwa.OwaUrl should be for Exchange 2003? I've tried /exchange, /exchweb, /exchweb/bin/auth, and a few others with no change.
>> >>> >> >> >
>> >>> >> >> > Thanks.
>> >>> >> >> >
>> >>> >> >> > -James
>> >>> >> >> >
>> >>> >> >> > --
>> >>> >> >> > You are currently subscribed to [email protected] as: [email protected]
>> >>> >> >> > To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
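
A triage helper for the clearPass replies seen in this thread (blank ticket parameter, HTTP 500, clearPassFailure, empty credentials), added here as an example; it is not part of the original messages or of the CasOwa code. The clearPassSuccess/credentials element names are an assumption, and the sample bodies are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

CAS = "{http://www.yale.edu/tp/cas}"  # namespace shown in the thread's XML

# Constructed sample replies. Only the failure shape appears in the thread;
# the success shape (clearPassSuccess/credentials) is an assumption.
FAILURE = ("<cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
           "<cas:clearPassFailure>invalid sevice specified</cas:clearPassFailure>"
           "</cas:clearPassResponse>")
SUCCESS = ("<cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
           "<cas:clearPassSuccess><cas:credentials>s3cret</cas:credentials>"
           "</cas:clearPassSuccess></cas:clearPassResponse>")
EMPTY = SUCCESS.replace("s3cret", "")


def has_ticket(url):
    """False when the request URL carries ticket= with no value (no proxy ticket issued)."""
    return bool(parse_qs(urlsplit(url).query).get("ticket"))


def triage_clearpass(url, status, body):
    """Classify a clearPass reply as (state, detail); the credential is never returned."""
    if not has_ticket(url):
        return ("no-ticket", "proxy ticket was not issued; check certificate trust")
    if status != 200:
        return ("http-error", f"HTTP {status}; check CAS server logs")
    try:
        root = ET.fromstring(body)  # body comes from your own CAS server
    except ET.ParseError:
        return ("not-xml", "reply is not a clearPassResponse document")
    if root.tag != CAS + "clearPassResponse":
        return ("not-clearpass", f"unexpected root element {root.tag}")
    failure = root.find(CAS + "clearPassFailure")
    if failure is not None:
        return ("failure", (failure.text or "").strip())
    cred = root.find(f"{CAS}clearPassSuccess/{CAS}credentials")
    if cred is None or not (cred.text or "").strip():
        return ("empty-credentials", "check CAS server logs and certificate trust")
    return ("ok", f"credential present ({len(cred.text)} chars, redacted)")
```

The detail string reports only the credential's length, so the output can go into a support ticket or log without exposing the password.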
