Hi Marvin
We have our Tomcat server.xml configured the same way on dev and prod.
Below is the server.xml file connector for port 8443 (ssl port):
<Connector port="8443"
           maxHttpHeaderSize="8192"
           minSpareThreads="25"
           MaxSpareThreads="75"
           enableLookups="false"
           disableUploadTimeout="true"
           acceptCount="100"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           keystoreFile="keystore file"
           keystorePass="pwd"
           keyAlias="alias name"
           truststoreFile="truststore file"
           truststorePass="pwd"
           clientAuth="want"
           sslProtocol="TLS" />
I compared both the prod and dev server.xml files and they are duplicates
of each other with clientAuth set to "want", except for the keystore and
truststore information. Any ideas based on what is in the 8443 connector?
Thanks for your help.
On Tuesday, January 29, 2013 9:31:07 AM UTC-5, Marvin Addison wrote:
> > When I try to authenticate into
> > my production environment and I have certificates in my IE 9 browser my CAC
> > reader asks for my certificate pin, I select "Cancel", hoping to be
> > redirected to the CAS login page. However, when I hit "Cancel" the browser
> > indicates "Internet Explorer cannot display the webpage". So, when I execute
> > my authentication in my development environment and my CAC reader asks for
> > my pin and I select cancel, I am redirected to the CAS Login Page requesting
> > User Name and Password.
>
> This would happen if you have the servlet container configured for
> "require client SSL" in prod and "optional client SSL" in develop.
> Review your Tomcat connector configuration (or similar components in
> whatever container you use) for differences. The directive for the
> Tomcat BIO/NIO connectors is clientAuth="true|false|want".
>
> I would strongly recommend setting it to "want" (i.e. optional) to
> allow for graceful authentication failures. If you set it to "true"
> (i.e. require), then you will always see the browser-specific error
> messages since the connection to the server cannot be established due
> to SSL handshake failure.
>
> M
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
>
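The dev/prod connector comparison discussed in this thread can be done mechanically rather than by eye. The script below is an added example, not part of the original messages or of Tomcat or CAS: it compares the SSL connectors of two server.xml texts, reports the effective clientAuth mode on each side, and skips the keystore and truststore attributes so their values are never printed. The function names and the DEV/PROD sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attributes expected to differ per environment; their values are never reported.
ENV_SPECIFIC = {"keystoreFile", "keystorePass", "keyAlias",
                "truststoreFile", "truststorePass"}
# The three values named in the thread: clientAuth="true|false|want".
CLIENT_AUTH = {"true": "required", "want": "optional", "false": "off"}

def ssl_connectors(server_xml):
    """Map port -> attribute dict for every Connector with SSLEnabled="true"."""
    found = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.attrib.get("SSLEnabled", "false").lower() == "true":
            found[conn.attrib.get("port", "?")] = dict(conn.attrib)
    return found

def client_auth_mode(attrs):
    """Effective client-certificate mode; an absent clientAuth is treated as "false"."""
    value = attrs.get("clientAuth", "false").lower()
    return CLIENT_AUTH.get(value, "unrecognised: " + value)

def compare(dev_xml, prod_xml):
    """Return one finding per difference between the SSL connectors of two files."""
    dev, prod = ssl_connectors(dev_xml), ssl_connectors(prod_xml)
    findings = []
    for port in sorted(set(dev) | set(prod)):
        d, p = dev.get(port), prod.get(port)
        if d is None or p is None:
            findings.append(f"port {port}: SSL connector only in {'prod' if d is None else 'dev'}")
            continue
        if client_auth_mode(d) != client_auth_mode(p):
            findings.append(f"port {port}: clientAuth dev={client_auth_mode(d)} "
                            f"prod={client_auth_mode(p)}")
        # Attribute names are compared exactly as written, so a mis-cased name shows up.
        for name in sorted((set(d) | set(p)) - ENV_SPECIFIC - {"clientAuth"}):
            if d.get(name) != p.get(name):
                findings.append(f"port {port}: {name} dev={d.get(name)!r} prod={p.get(name)!r}")
    return findings

# Constructed sample input, not the poster's real files.
DEV = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             keystorePass="dev-secret" clientAuth="want" sslProtocol="TLS"/>
</Service></Server>"""
PROD = DEV.replace('clientAuth="want"', 'clientAuth="true"').replace("dev-secret", "prod-secret")

if __name__ == "__main__":
    for line in compare(DEV, PROD):
        print(line)
```

Run it against the server.xml that each running instance actually loads, since an empty result on copies that are not the deployed files proves nothing.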