But I would assume that when the web flow starts over again the jession is lost
it should let the user in. In our case the user will not be able to login
until they clear their cache and close their browser. So even though we see a
post in the access logs its not a guarantee that any user information actually
reached the server. Would decreasing the cas session timeout from the default
5mins or increasing the timeout help in any way.
So in order to see if the user information is reaching the server during the
post is it better to enable debugging on:
<logger name="org.jasig.cas.web.flow">
<level value="INFO" />
</logger>
or
<logger name="org.springframework.webflow">
<level value="INFO" />
</logger>
Thanks!
___________________
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
[email protected]
________________________________________
From: Andrew Morgan <[email protected]>
Sent: Thursday, July 30, 2015 12:03 PM
To: [email protected]
Subject: Re: [cas-user] CAS Intermittent login issue
The behavior you describe is exactly what happens when the JSESSION is
lost and the login ticket cannot be validated. The web flow starts over
when that happens.
Andy
On Thu, 30 Jul 2015, Juan Quintanilla wrote:
> The other interesting part is the fact that I see a post in the Tomcat access
> logs but no user information in the cas.log. Would that be an indication
> that the user information within the sesison was not properly received or
> what logging can I enable to verify that the user info was passed. Usually in
> the logs I only see the entries after they have authenticated into ldap so it
> never reaches that part.
>
>
>
> Thanks!
>
>
> ___________________
> Juan Quintanilla
> UTS - Enterprise Group
> 305-348-6573
> [email protected]<mailto:[email protected]>
>
>
> ________________________________
> From: Juan Quintanilla <[email protected]>
> Sent: Thursday, July 30, 2015 11:19 AM
> To: [email protected]
> Subject: Re: [cas-user] CAS Intermittent login issue
>
>
>
>
>
>
> Prior to having the environment on the F5 we had the users test against the
> servers individually and there was no problem but then again the issue does
> not always happen. I have tried to reproduce the issue myself but have not
> been able to. So we didn't see the problem until we had more users accessing
> the system once it was on the F5. Our previous CAS environment 3.4.7 is
> running on a Cisco Ace if I'm not mistaken and there were no problems there.
> We have sticky sessions enabled based on the ip address.
>
>
>
>
> ___________________
> Juan Quintanilla
> [email protected]<mailto:[email protected]>
>
>
> ________________________________
> From: Michael O Holstein <[email protected]>
> Sent: Thursday, July 30, 2015 11:00 AM
> To: [email protected]
> Subject: Re: [cas-user] CAS Intermittent login issue
>
>
> I've noticed this as well, but if you use Chrome/Firefox in debug mode you'll
> see the JSESSION ID as a cookie in either case so I don't think that matters.
>
>
> Even though you've only got one app server I'd bet the F5 has stickyness
> configured (and you will need it) but how exactly it's being done might be
> screwing with your app. Have you tried setting up something simple like
> cas-sample-java-webapp against the inside address (bypass the F5) and see if
> the problem still exists?
>
>
> We ended up forgoing a Cisco ACE in favor of two Nginx boxes and HAProxy/VRRP
> as well as load balancing out the back .. for pretty much the same reasons ..
> plus it's much easier to troubleshoot when you have control over the whole
> path.
>
>
> Michael Holstein
>
> Cleveland State University
>
>
> ________________________________
> From: Christopher Myers <[email protected]>
> Sent: Thursday, July 30, 2015 10:38 AM
> To: [email protected]
> Subject: Re: [cas-user] CAS Intermittent login issue
>
> One thing to check - does the CASified application have the correct IP
> address for the CAS server? We had something similar happen when we put our
> CAS environment behind our Barracuda, and one of our hosted third-party
> applications still had the old DNS entry cached.
>
> Chris
>
>
>
>
>>>> Juan Quintanilla <[email protected]> 07/30/15 9:29 AM >>>
>
> Hi,
>
>
>
> We are implementing CAS 3.6.0 using ldap authentication, with oracle for the
> ticket registry, and tomcat 8. We have the environment running on an F5 load
> balancer but currently with only one web server in the loop. I just wanted
> to ask if any have encountered intermittent issues with logging into an
> application using CAS.
>
>
>
> What I'm encountering is a user hits the cas login page after being
> redirected by the client application but after they enter their credentials
> they are redirected to the login page with the login information cleared. If
> they try again logging again the process just repeats, if they enter bad
> credentials no error message is displayed on the screen or even in the logs.
> If the user closes their browser and clears their cache they are able to
> login.
>
>
>
> In the Tomcat access logs we notice that there is a post during that
> transaction but we didn't see a jessionid in the url string associated with
> the post. We are removing ldap pooling and extending the cas session timeout
> in the web.xml to see if maybe their session is expiring. It does not happen
> all the time its sporadic so it makes it difficult to troubleshoot. We have
> talked to our networking team but they don't seem to see any problems on
> their side, they have just extended the session timeout. Our last resort
> would be to take the environment off the F5 and see if that helps or place
> the old environment on the F5 to see if the problem persists on that
> environment then we can narrow it down the issue being on the F5 load
> balancer. Since the problem does not always happen we having a hard time
> determining whether the problem is with the load balancer or some
> configuration on the CAS/Tomcat side.
>
>
>
> Has anyone encountered something similar, any suggestions will really help.
>
>
> ___________________
> Juan Quintanilla
> [email protected]<mailto:[email protected]>
>
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> https://urldefense.proofpoint.com/v2/url?u=http-3A__www.ja-2Dsig.org_wiki_display_JSG_cas-2Duser&d=AwICAg&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=-iNdYBOtAzGOq2iqp68NvZd48uVjq3RYhUSTSOwP-hw&s=UhbKdLiKiH1dWDoIBTUyJ0Ys79eyXgz8yaFmaHy2Zu0&e=
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> https://urldefense.proofpoint.com/v2/url?u=http-3A__www.ja-2Dsig.org_wiki_display_JSG_cas-2Duser&d=AwICAg&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=-iNdYBOtAzGOq2iqp68NvZd48uVjq3RYhUSTSOwP-hw&s=UhbKdLiKiH1dWDoIBTUyJ0Ys79eyXgz8yaFmaHy2Zu0&e=
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> https://urldefense.proofpoint.com/v2/url?u=http-3A__www.ja-2Dsig.org_wiki_display_JSG_cas-2Duser&d=AwICAg&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=-iNdYBOtAzGOq2iqp68NvZd48uVjq3RYhUSTSOwP-hw&s=UhbKdLiKiH1dWDoIBTUyJ0Ys79eyXgz8yaFmaHy2Zu0&e=
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> https://urldefense.proofpoint.com/v2/url?u=http-3A__www.ja-2Dsig.org_wiki_display_JSG_cas-2Duser&d=AwICAg&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=-iNdYBOtAzGOq2iqp68NvZd48uVjq3RYhUSTSOwP-hw&s=UhbKdLiKiH1dWDoIBTUyJ0Ys79eyXgz8yaFmaHy2Zu0&e=
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> https://urldefense.proofpoint.com/v2/url?u=http-3A__www.ja-2Dsig.org_wiki_display_JSG_cas-2Duser&d=AwICAg&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=-iNdYBOtAzGOq2iqp68NvZd48uVjq3RYhUSTSOwP-hw&s=UhbKdLiKiH1dWDoIBTUyJ0Ys79eyXgz8yaFmaHy2Zu0&e=
>
--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.ja-2Dsig.org_wiki_display_JSG_cas-2Duser&d=AwICAg&c=1QsCMERiq7JOmEnKpsSyjg&r=NauC5-J1X4CCd25sdSxQCA&m=-iNdYBOtAzGOq2iqp68NvZd48uVjq3RYhUSTSOwP-hw&s=UhbKdLiKiH1dWDoIBTUyJ0Ys79eyXgz8yaFmaHy2Zu0&e=
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
