I'm trying to use CAS authentication to protect all the files in an IIS 7.5 application, starting with a simple HTML file. When I attempt to authenticate to this file, the browser goes into an infinite loop.

When I call the requested page (index.html), I get redirected to /cas-web/login correctly, then redirected back to index.html with a ticket in the query string. Then, instead of checking the ticket with the validator, I am simply redirected back to index.html without the query string and without being authenticated. That causes me to be redirected to /cas-web/login again, which returns me to index.html with a new ticket, which again is not validated but redirected to index.html, and the loop continues.

I'm using the Coldfusion CAS client on this same server which is working fine, so I don't think it's an issue of the CAS server not trusting the IIS server (both on the same server in this case). Besides, in that case I would expect to see something in the IIS log where IIS attempted to contact the CAS validator, which doesn't appear. Also, usually there is something in the CAS logs when validation fails, and I'm not seeing anything that indicates the ticket was ever returned for validation.

So it seems like the Cas20ServiceTicketValidator is not working, but something is happening which is redirecting me from index.html?ticket=<> to index.html.

I'm sure it's a simple misconfiguration issue. Does this ring a bell with anyone off the top of your head?

Thanks,
Aaron

Snippet from IIS log:
GET /AuthorizationTest/index.html - 443 - 10.50.1.1 Mozilla/5.0+(X11;+Linux+x86_64;+rv:20.0)+Gecko/20100101+Firefox/20.0+Iceweasel/20.0 302 0 0 156
GET /cas-web/login service=https%3a%2f%2fTestServer%2fAuthorizationTest%2findex.html 443 - 10.50.1.1 Mozilla/5.0+(X11;+Linux+x86_64;+rv:20.0)+Gecko/20100101+Firefox/20.0+Iceweasel/20.0 302 0 0 15
GET /AuthorizationTest/index.html ticket=ST-125-TYY0wDyavZAySPAOStdN-cas 443 - 10.50.1.1 Mozilla/5.0+(X11;+Linux+x86_64;+rv:20.0)+Gecko/20100101+Firefox/20.0+Iceweasel/20.0 302 0 0 78
GET /AuthorizationTest/index.html - 443 - 10.50.1.1 Mozilla/5.0+(X11;+Linux+x86_64;+rv:20.0)+Gecko/20100101+Firefox/20.0+Iceweasel/20.0 302 0 0 0
GET /cas-web/login service=https%3a%2f%2fTestServer%2fAuthorizationTest%2findex.html 443 - 10.50.1.1 Mozilla/5.0+(X11;+Linux+x86_64;+rv:20.0)+Gecko/20100101+Firefox/20.0+Iceweasel/20.0 302 0 0 15

I'm using a pretty simple config.web file:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <configSections>
    <section name="casClientConfig" type="DotNetCasClient.Configuration.CasClientConfiguration,DotNetCasClient"/>
  </configSections>
  <!-- The two pages the CAS module itself redirects to must stay reachable anonymously -->
  <location path="~/NotAuthorized.html">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="~/CookiesRequired.html">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
  <casClientConfig
      casServerLoginUrl="https://TestServer/cas-web/login"
      casServerUrlPrefix="https://TestServer/cas-web/"
      serverName="https://TestServer"
      notAuthorizedUrl="~/NotAuthorized.html"
      cookiesRequiredUrl="~/CookiesRequired.html"
      redirectAfterValidation="true"
      ticketTimeTolerance="5000"
      ticketValidatorName="Cas20"
      serviceTicketManager="CacheServiceTicketManager"
  />
  <system.web>
    <authentication mode="Forms">
      <forms
          loginUrl="https://TestServer/cas-web/login"
          timeout="30"
          defaultUrl="~/index.html"
          cookieless="UseCookies"
          slidingExpiration="true"
          path="/AuthorizationTest/"
      />
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
    <httpModules>
      <add name="DotNetCasClient" type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient"/>
    </httpModules>
    <customErrors mode="Off"/>
  </system.web>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false"/>
    <modules>
      <!-- Remove and re-add the three modules so the CAS module runs ahead of Forms and URL authorization.
           preCondition="" clears the managedHandler precondition, so the module also runs for static
           files such as index.html that no managed handler serves. -->
      <remove name="UrlAuthorization"/>
      <remove name="FormsAuthentication"/>
      <remove name="DotNetCasClient"/>
      <add name="DotNetCasClient" type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient"/>
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition=""/>
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" preCondition=""/>
    </modules>
    <defaultDocument>
      <files>
        <add value="index.html"/>
      </files>
    </defaultDocument>
  </system.webServer>
</configuration>



--
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
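A quick way to settle the question the post raises (is the ticket ever sent to the validator?) is to correlate the IIS log entries rather than read them by eye. The script below is an added example, not code from the original post or from DotNetCasClient: it parses W3C log lines like the snippet above using the #Fields header, tracks every ticket presented to the protected page, marks it validated only if a request to /cas-web/serviceValidate (or /validate, /proxyValidate) carrying that ticket appears, and flags a loop when the browser is sent back to /login while the last ticket is still unvalidated. Both log samples are constructed; the "healthy" one assumes the server-side validation call shows up from 127.0.0.1 with a "DotNetCasClient" user agent, which is an assumption, not something the post shows. It also builds the exact serviceValidate URL the Cas20 validator should be issuing, which you can paste into a browser to check the CAS server's answer by hand.

```python
"""Spot a CAS service-ticket redirect loop in an IIS W3C log.

Added example, not code from the original post or from DotNetCasClient. A
ticket that is presented to the page but never validated, followed by
another trip to /login, is the loop described in the post.
"""
from urllib.parse import parse_qs, quote

CAS_PREFIX = "/cas-web"  # path part of casServerUrlPrefix in the posted web.config
FIELDS = ("#Fields: cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip "
          "cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken")
UA = "Mozilla/5.0+(X11;+Linux)"  # IIS writes spaces in the user agent as '+'

# Constructed sample: the chain from the post, trimmed to the fields the snippet shows.
LOOPING_LOG = f"""{FIELDS}
GET /AuthorizationTest/index.html - 443 - 10.50.1.1 {UA} 302 0 0 156
GET /cas-web/login service=https%3a%2f%2fTestServer%2fAuthorizationTest%2findex.html 443 - 10.50.1.1 {UA} 302 0 0 15
GET /AuthorizationTest/index.html ticket=ST-125-TYY0wDyavZAySPAOStdN-cas 443 - 10.50.1.1 {UA} 302 0 0 78
GET /AuthorizationTest/index.html - 443 - 10.50.1.1 {UA} 302 0 0 0
GET /cas-web/login service=https%3a%2f%2fTestServer%2fAuthorizationTest%2findex.html 443 - 10.50.1.1 {UA} 302 0 0 15
"""

# Constructed sample of a working exchange when CAS shares the IIS instance: the
# validation call comes from the server itself (127.0.0.1 and the "DotNetCasClient"
# user agent are assumptions) and the page answers 200 once the ticket is stripped.
HEALTHY_LOG = f"""{FIELDS}
GET /AuthorizationTest/index.html - 443 - 10.50.1.1 {UA} 302 0 0 156
GET /cas-web/login service=https%3a%2f%2fTestServer%2fAuthorizationTest%2findex.html 443 - 10.50.1.1 {UA} 302 0 0 15
GET /cas-web/serviceValidate service=https%3a%2f%2fTestServer%2fAuthorizationTest%2findex.html&ticket=ST-126-example-cas 443 - 127.0.0.1 DotNetCasClient 200 0 0 40
GET /AuthorizationTest/index.html ticket=ST-126-example-cas 443 - 10.50.1.1 {UA} 302 0 0 78
GET /AuthorizationTest/index.html - 443 - 10.50.1.1 {UA} 200 0 0 5
"""


def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields, entries = None, []
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("log line before #Fields header")
            values = line.split()
            if len(values) != len(fields):
                raise ValueError(f"field count mismatch: {line!r}")
            entries.append(dict(zip(fields, values)))
    return entries


def query_params(entry):
    """Decoded query string as a flat dict ('-' means no query in IIS logs)."""
    q = entry.get("cs-uri-query", "-")
    return {k: v[0] for k, v in parse_qs(q).items()} if q != "-" else {}


def analyse(entries, cas_prefix=CAS_PREFIX):
    """Correlate login redirects, tickets presented to the app, and validation calls."""
    report = {"login_redirects": 0, "tickets": {}, "looping": False}
    validators = {f"{cas_prefix}/{p}" for p in ("serviceValidate", "validate", "proxyValidate")}
    last_ticket = None
    for e in entries:
        stem, params = e["cs-uri-stem"], query_params(e)
        ticket = params.get("ticket")
        if stem == f"{cas_prefix}/login":
            report["login_redirects"] += 1
            # Back at /login although the last ticket was never checked: the loop.
            if last_ticket and not report["tickets"][last_ticket]["validated"]:
                report["looping"] = True
        elif ticket:
            info = report["tickets"].setdefault(
                ticket, {"service": None, "validated": False, "validator_status": None})
            if stem in validators:
                info["validated"], info["validator_status"] = True, e["sc-status"]
            else:
                info["service"], last_ticket = stem, ticket
    return report


def login_service(entries, cas_prefix=CAS_PREFIX):
    """The decoded service value the browser was sent to /login with."""
    for e in entries:
        if e["cs-uri-stem"] == f"{cas_prefix}/login":
            return query_params(e).get("service")
    return None


def service_validate_url(server_prefix, service, ticket):
    """The CAS 2.0 request the client should be issuing for this ticket.

    service must be byte-identical to what was sent to /login; a mismatch is
    answered with INVALID_SERVICE rather than a successful authentication.
    """
    return (f"{server_prefix.rstrip('/')}/serviceValidate"
            f"?service={quote(service, safe='')}&ticket={quote(ticket, safe='')}")


if __name__ == "__main__":
    entries = parse_w3c(LOOPING_LOG)
    report = analyse(entries)
    print(report)
    for ticket, info in report["tickets"].items():
        if not info["validated"]:
            print("never validated; check by hand:",
                  service_validate_url("https://TestServer/cas-web/", login_service(entries), ticket))
```

Run it against the real log with the full field list from the file's own #Fields header (only the stem, query and status columns are used). If no serviceValidate request for the ticket ever appears, the client never reached the validator and the problem is on the IIS side; if it appears with a 200 but the page still loops, fetch the same URL by hand and read the CAS response body, since a 200 from /serviceValidate can still carry an authenticationFailure element.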
