Hi Stephen,

First question is what is shown in the cas.log file? There will probably
be a few clearPass errors.

Usually, 403s with ClearPass mean that the URL isn't authorized on the
ClearPass Proxy URL list.

Check out the value in the allowedProxyChains bean and see that it
matches the proxy callback URL being generated by the .NET CAS Client
(you should see it in the cas.log file).

Hopefully that helps.

On 10/1/14 9:32 AM, Stephen Tyson wrote:
> I am trying to CASify OWA 2010 in a development environment. I had this 
> working for a week then something went wrong and now I am receiving a 403 
> forbidden error. 
>
> Our environment is as follows. 
>
> CAS + ClearPass for Authentication
> F5 using passthrough to exchange 
> 3 Exchange 2010 servers load-balanced with F5 - for testing I have shut down 2 
> of the OWA members on the F5. 
> Exchange. 
>
> The following are logs and references to the code that is throwing the errors.
>
>
>
> The exchange dev site is bombing out and giving me the 403 forbidden with 
> error referencing line 185 and 261 in the CasOwaAuthHandler.cs file 
>
> -------------------------------------------------------
> WEB SITE ERROR
>
> [WebException: The remote server returned an error: (403) Forbidden.]
>    System.Net.WebClient.OpenRead(Uri address) +641
>    CasOwa.CasOwaAuthHandler.ProcessRequest(HttpContext context) in 
> ..\Documents\Visual Studio 
> 2010\Projects\cas-owa-2010-master\cas-owa-2010-master\CasOwaAuthHandler.cs:185
>
> -------------------------------------------------------
>
> CasOwaAuthHandler.cs 
>
> Line 185 = using (StreamReader reader = new StreamReader(new 
> WebClient().OpenRead(clearPassRequest)))
>                     clearPassResponse = reader.ReadToEnd();
>  
>
> It appears the authentication handler is not able to read the 
> ClearPassRequest.  
>
>
> [HttpException (0x80004005): Error getting response from clearPass at URL: 
> https://Server/cas/clearPass?ticket=ST-71-uALy9fOGCUeV0VeE7ogD-CASServer&service=https://Server/cas/clearPass.
>  The remote server returned an error: (403) Forbidden.]
>    CasOwa.CasOwaAuthHandler.ProcessRequest(HttpContext context) in 
> ..\Documents\Visual Studio 
> 2010\Projects\cas-owa-2010-master\cas-owa-2010-master\CasOwaAuthHandler.cs:261
>    
> System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
>  +599
>    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& 
> completedSynchronously) +171
>
> Line 261 = throw new HttpException(500, "Error getting Response from " + 
> OwaUrl + OwaAuthPath + ". " + ex.Message, ex);
>
> --------------------------------------------------------------------
>
> IIS Logs 
>
> 2014-09-30 19:27:11 10.146.58.132 GET /coa/auth 
> proxyResponse=true&pgtIou=PGTIOU-17-IGfg5LMvzcCsapiN5Qd3-casdev3&pgtId=TGT-49-VbVvIUuLyfWipCcrFh0AlG3TldphRpGrNOlFZAKCWE7JolYCnH-casdev3
>  443 - 10.146.58.129 Java/1.6.0_31 200 0 0 0
> 2014-09-30 19:27:11 10.146.58.132 GET /coa/auth 
> ticket=ST-70-gaZvkQ5P51DlMIYWS25s-casdev3 443 UserName/ClientIP 
> Mozilla/5.0+(Windows+NT+6.2;+WOW64;+rv:32.0)+Gecko/20100101+Firefox/32.0 302 
> 0 0 93
>
> 2014-09-30 19:27:11 10.146.58.132 GET /coa/auth - 443 UserName/ClientIP 
> Mozilla/5.0+(Windows+NT+6.2;+WOW64;+rv:32.0)+Gecko/20100101+Firefox/32.0 500 
> 0 0 78 <This error is  Module or ISAPI error occurred >  This could be 
> because the authentication handler could not read the clearpass response.
>
> 2014-09-30 19:27:11 10.146.58.132 GET /favicon.ico - 443 - 146.201.4.108 
> Mozilla/5.0+(Windows+NT+6.2;+WOW64;+rv:32.0)+Gecko/20100101+Firefox/32.0 302 
> 0 0 0
> 2014-09-30 19:27:11 10.146.58.132 GET /owa/favicon.ico - 443 - 146.201.4.108 
> Mozilla/5.0+(Windows+NT+6.2;+WOW64;+rv:32.0)+Gecko/20100101+Firefox/32.0 401 
> 2 5 0
> 2014-09-30 19:27:11 10.146.58.132 GET /owa/auth/logon.aspx 
> url=https://Server/owa/favicon.ico&reason=0 443 - ClientIP 
> Mozilla/5.0+(Windows+NT+6.2;+WOW64;+rv:32.0)+Gecko/20100101+Firefox/32.0 200 
> 0 0 0
> 2014-09-30 19:27:11 10.146.58.132 GET /favicon.ico - 443 - ClientIP 
> Mozilla/5.0+(Windows+NT+6.2;+WOW64;+rv:32.0)+Gecko/20100101+Firefox/32.0 302 
> 0 0 0
> 2014-09-30 19:27:11 10.146.58.132 GET /owa/favicon.ico - 443 - 146.201.4.108 
> Mozilla/5.0+(Windows+NT+6.2;+WOW64;+rv:32.0)+Gecko/20100101+Firefox/32.0 401 
> 2 5 0
> 2014-09-30 19:27:11 10.146.58.132 GET /owa/auth/logon.aspx 
> url=https://Server/owa/favicon.ico&reason=0 443 - ClientIP 
> Mozilla/5.0+(Windows+NT+6.2;+WOW64;+rv:32.0)+Gecko/20100101+Firefox/32.0 200 
> 0 0 0
>
>
>  Any help would be greatly appreciated. 
>
>
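
The comparison suggested in the reply above, as an added example (not part of the original thread, and not code from CAS or the .NET CAS client): it checks a proxy callback URL copied from cas.log against the entries configured for allowedProxyChains and names the component that differs. It assumes entries are compared as exact strings; the host names and URLs below are constructed sample values.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

# Constructed sample values standing in for the allowedProxyChains entries.
ALLOWED = [
    "https://owa.example.edu/coa/auth?proxyResponse=true",
    "https://owa2.example.edu/coa/auth?proxyResponse=true",
]

def normalize(url):
    """Canonical form used only to spot near misses; the real check is exact."""
    p = urlsplit(url.strip())
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = None if p.port in (None, DEFAULT_PORTS.get(scheme)) else p.port
    netloc = host if port is None else f"{host}:{port}"
    return (scheme, netloc, p.path.rstrip("/") or "/", p.query)

def differences(callback, entry):
    """Name the URL components that still differ after normalization."""
    names = ("scheme", "host/port", "path", "query")
    pairs = zip(names, normalize(callback), normalize(entry))
    return [name for name, a, b in pairs if a != b]

def diagnose(callback, allowed):
    """Return (verdict, closest_entry, differing_components)."""
    if callback in allowed:
        return ("exact", callback, [])
    best = None
    for entry in allowed:
        diff = differences(callback, entry)
        if not diff:
            # Same URL to a human, different string to an exact comparison:
            # case, default port, whitespace or a trailing slash.
            return ("near-miss", entry, [])
        if best is None or len(diff) < len(best[1]):
            best = (entry, diff)
    return ("no-match", best[0], best[1]) if best else ("no-match", None, [])

if __name__ == "__main__":
    # Constructed callback URLs, as they might be copied from cas.log.
    for seen in (
        "https://owa.example.edu/coa/auth?proxyResponse=true",
        "https://OWA.example.edu:443/coa/auth?proxyResponse=true",
        "https://owa.example.edu/owa/auth?proxyResponse=true",
    ):
        print(seen, "->", diagnose(seen, ALLOWED))
```

A "near-miss" verdict means the logged callback and the configured entry point at the same place but are not the same string, which an exact comparison would still reject.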

