> When I try to authenticate into my production environment and I have
> certificates in my IE 9 browser my CAC reader asks for my certificate pin,
> I select "Cancel", hoping to be redirected to the CAS login page. However,
> when I hit "Cancel" the browser indicates "Internet Explorer cannot display
> the webpage". So, when I execute my authentication in my development
> environment and my CAC reader asks for my pin and I select cancel, I am
> redirected to the CAS Login Page requesting User Name and Password.

This would happen if you have the servlet container configured for "require client SSL" in prod and "optional client SSL" in develop. Review your Tomcat connector configuration (or similar components in whatever container you use) for differences. The directive for the Tomcat BIO/NIO connectors is clientAuth="true|false|want". I would strongly recommend setting it to "want" (i.e. optional) to allow for graceful authentication failures. If you set it to "true" (i.e. require), then you will always see the browser-specific error messages since the connection to the server cannot be established due to SSL handshake failure.

M
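One way to carry out the comparison suggested in the reply above, as an added example that is not part of the original thread: it parses two Tomcat server.xml files and reports SSL connectors whose clientAuth values differ. The sample XML, port numbers and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the thread); ports are placeholders.
PROD_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" clientAuth="true"/>
</Service></Server>"""

DEV_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" clientAuth="want"/>
</Service></Server>"""


def ssl_client_auth(server_xml):
    """Map port -> clientAuth value for every SSL-enabled <Connector>."""
    result = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, no client-certificate handshake
        # Tomcat treats a missing clientAuth attribute as "false".
        result[conn.get("port")] = conn.get("clientAuth", "false").lower()
    return result


def compare(prod_xml, dev_xml):
    """Return [(port, prod_value, dev_value)] where the two configs differ."""
    prod, dev = ssl_client_auth(prod_xml), ssl_client_auth(dev_xml)
    ports = sorted(set(prod) | set(dev))
    return [(p, prod.get(p), dev.get(p)) for p in ports
            if prod.get(p) != dev.get(p)]


def hard_fail_ports(server_xml):
    """Ports where a cancelled or missing certificate aborts the handshake,
    so the application never gets the chance to show a fallback login page."""
    return [p for p, v in ssl_client_auth(server_xml).items() if v == "true"]


if __name__ == "__main__":
    for port, prod, dev in compare(PROD_XML, DEV_XML):
        print(f"port {port}: prod clientAuth={prod}, dev clientAuth={dev}")
    print("handshake fails without a certificate on:", hard_fail_ports(PROD_XML))
```
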
