I turned on logging within the dotnetcasclient itself using a system.diagnostics section in web.config as described in https://wiki.jasig.org/display/CASC/.Net+Cas+Client and discovered that the problem is the client didn't trust the self-signed certificate on the server while validating. This was causing the validation to fail and putting me into the infinite loop.

I'm still surprised that I'm not seeing the attempt to access https://TestServer/cas-web/serviceValidate in the IIS logs since I am seeing https://TestServer/cas-web/login, but I guess since the request is getting cut off during the handshake IIS doesn't bother to log it?

Getting .NET to accept the certificate as valid required opening MMC on the server, adding the Certificates snap-in, selecting "Computer Account" and "Local Computer", then importing the server public certificate into "Trusted People" (I hope that's the correct spot; it worked, but I'm not an expert on Windows security issues) as described in http://stackoverflow.com/a/5427149

After that it started working (including single-sign out!) and I didn't even have to restart IIS.

Thanks,
Aaron
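An added diagnostic for the certificate-trust problem described above (not part of the thread): it performs the same TLS handshake and chain validation that the .NET client does before calling serviceValidate, reports the policy errors .NET computes for the server certificate, and then checks whether that certificate is present in the machine's Trusted People store, the fix used here. The host name TestServer is taken from the thread; everything else is assumed.

```powershell
# Reproduce the .NET-side certificate check the CAS client performs on the
# validation call and report why the server certificate is rejected.
$casHost = 'TestServer'   # the CAS/IIS host from the thread
$port    = 443

$seen = @{}   # filled in by the callback with what .NET concluded
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $policyErrors)
    $seen.Errors      = $policyErrors
    $seen.Subject     = $cert.Subject
    $seen.Thumbprint  = $cert.GetCertHashString()
    $seen.ChainStatus = @()
    if ($chain) { $seen.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status }) }
    return $true   # accept only so we can inspect; the CAS client would reject
}.GetNewClosure()

$tcp = New-Object System.Net.Sockets.TcpClient($casHost, $port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($casHost)
} finally {
    $tcp.Close()
}

"Server cert  : $($seen.Subject)  thumbprint $($seen.Thumbprint)"
"Policy errors: $($seen.Errors)"
"Chain status : $($seen.ChainStatus -join ', ')"

# A self-signed certificate nothing trusts shows RemoteCertificateChainErrors
# here, which is the state that made the serviceValidate call fail silently.
# Check whether the thread's fix (import into Trusted People) is in place.
$trusted = Get-ChildItem Cert:\LocalMachine\TrustedPeople |
           Where-Object { $_.Thumbprint -eq $seen.Thumbprint }
if ($trusted) { "Trusted People store: present" }
else          { "Trusted People store: NOT present; import the server certificate there" }
```

Run it on the IIS server before and after the import; the policy errors line is what the CAS client's own logging only hinted at.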

On 04/23/2013 12:15 PM, Aaron Chantrill wrote:
I'm trying to use CAS authentication to protect all the files in an IIS 7.5 application, starting with a simple HTML file. When I attempt to authenticate to this file, the browser goes into an infinite loop.

When I call the requested page (index.html), I get redirected to /cas-web/login correctly, then redirected back to the index.html file with a ticket in the query string. Then instead of checking the validator with the ticket, I am simply redirected back to index.html without the query string and without authenticating, which causes me to be redirected to /cas-web/login again, which returns me to index.html with a new ticket, which is not validated, instead redirecting me to index.html and the loop continues.

I'm using the Coldfusion CAS client on this same server which is working fine, so I don't think it's an issue of the CAS server not trusting the IIS server (both on the same server in this case). Besides, in that case I would expect to see something in the IIS log where IIS attempted to contact the CAS validator, which doesn't appear. Also, usually there is something in the CAS logs when validation fails, and I'm not seeing anything that indicates the ticket was ever returned for validation.

So it seems like the Cas20ServiceTicketValidator is not working, but something is happening which is redirecting me from index.html?ticket=<> to index.html.

I'm sure it's a simple misconfiguration issue. Does this ring a bell with anyone off the top of your head?

Thanks,
Aaron

Snippet from IIS log:
GET /AuthorizationTest/index.html - 443 - 10.50.1.1 Mozilla/5.0+(X11;+Linux+x86_64;+rv:20.0)+Gecko/20100101+Firefox/20.0+Iceweasel/20.0 302 0 0 156
GET /cas-web/login service=https%3a%2f%2fTestServer%2fAuthorizationTest%2findex.html 443 - 10.50.1.1 Mozilla/5.0+(X11;+Linux+x86_64;+rv:20.0)+Gecko/20100101+Firefox/20.0+Iceweasel/20.0 302 0 0 15
GET /AuthorizationTest/index.html ticket=ST-125-TYY0wDyavZAySPAOStdN-cas 443 - 10.50.1.1 Mozilla/5.0+(X11;+Linux+x86_64;+rv:20.0)+Gecko/20100101+Firefox/20.0+Iceweasel/20.0 302 0 0 78
GET /AuthorizationTest/index.html - 443 - 10.50.1.1 Mozilla/5.0+(X11;+Linux+x86_64;+rv:20.0)+Gecko/20100101+Firefox/20.0+Iceweasel/20.0 302 0 0 0
GET /cas-web/login service=https%3a%2f%2fTestServer%2fAuthorizationTest%2findex.html 443 - 10.50.1.1 Mozilla/5.0+(X11;+Linux+x86_64;+rv:20.0)+Gecko/20100101+Firefox/20.0+Iceweasel/20.0 302 0 0 152

I'm using a pretty simple config.web file:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <configSections>
    <section name="casClientConfig" type="DotNetCasClient.Configuration.CasClientConfiguration,DotNetCasClient"/>
  </configSections>
  <location path="~/NotAuthorized.html">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="~/CookiesRequired.html">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
  <!-- stray ";" after the URL attributes (a mail-archive artifact) removed -->
  <casClientConfig
        casServerLoginUrl="https://TestServer/cas-web/login"
        casServerUrlPrefix="https://TestServer/cas-web/"
        serverName="https://TestServer"
        notAuthorizedUrl="~/NotAuthorized.html"
        cookiesRequiredUrl="~/CookiesRequired.html"
        redirectAfterValidation="true"
        ticketTimeTolerance="5000"
        ticketValidatorName="Cas20"
        serviceTicketManager="CacheServiceTicketManager"
    />
  <system.web>
    <authentication mode="Forms">
      <forms
                loginUrl="https://TestServer/cas-web/login"
                timeout="30"
                defaultUrl="~/index.html"
                cookieless="UseCookies"
                slidingExpiration="true"
                path="/AuthorizationTest/"
            />
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
    <httpModules>
      <add
                name="DotNetCasClient"
                type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient"
            />
    </httpModules>
    <customErrors mode="Off"/>
  </system.web>
  <system.webServer>
    <validation validateIntegratedModeConfiguration="false"/>
    <modules>
      <remove name="UrlAuthorization" />
      <remove name="FormsAuthentication" />
      <remove name="DotNetCasClient" />
      <add name="DotNetCasClient" type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient"/>
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" preCondition="" />
    </modules>
    <defaultDocument>
      <files>
        <add value="index.html"/>
      </files>
    </defaultDocument>
  </system.webServer>
</configuration>
