CAS 5.0.8 + Active Directory - Note receiving user information


Micas Camela

Sep 13, 2017, 8:34:45 AM
to CAS Community
Hi there!

I have configured casdev (CentOS 7 + Tomcat 8.5.20 + CAS 5.0.8) and casclient (Apache 2.4 + mod_auth_cas + PHP app).

After a successful login I am getting an error page with:

Unauthorized

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.


CASDEV output:


2017-09-12 21:57:21,374 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Locating principal attributes for mrafael>
2017-09-12 21:57:21,374 DEBUG [org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository] - <DefaultPrincipalAttributesRepository will return the collection of attributes directly associated with the principal object which are [{cn=Micas Rafael, givenName=Micas, LdapAuthenticationHandler.dn=CN=Micas Rafael,OU=Users,OU=DSI,DC=BCITESTES,DC=local, sn=Rafael}]>
2017-09-12 21:57:21,375 DEBUG [org.apereo.cas.authentication.principal.cache.AbstractPrincipalAttributesRepository] - <Found [4] cached attributes for principal [mrafael] that are {cn=Micas Rafael, givenName=Micas, LdapAuthenticationHandler.dn=CN=Micas Rafael,OU=Users,OU=DSI,DC=BCITESTES,DC=local, sn=Rafael}>
2017-09-12 21:57:21,375 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found principal attributes {cn=Micas Rafael, givenName=Micas, LdapAuthenticationHandler.dn=CN=Micas Rafael,OU=Users,OU=DSI,DC=BCITESTES,DC=local, sn=Rafael} for mrafael>
2017-09-12 21:57:21,375 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Calling attribute policy ReturnAllAttributeReleasePolicy to process attributes for mrafael>
2017-09-12 21:57:21,376 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attribute policy ReturnAllAttributeReleasePolicy allows release of {cn=Micas Rafael, givenName=Micas, LdapAuthenticationHandler.dn=CN=Micas Rafael,OU=Users,OU=DSI,DC=BCITESTES,DC=local, sn=Rafael} for mrafael>
2017-09-12 21:57:21,376 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Checking default attribute policy attributes>
2017-09-12 21:57:21,376 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Located application context. Retrieving default attributes for release, if any>
2017-09-12 21:57:21,377 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes for release are: [cn, sn, givenName]>
2017-09-12 21:57:21,377 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found and added default attribute for release: cn>
2017-09-12 21:57:21,378 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found and added default attribute for release: sn>
2017-09-12 21:57:21,378 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Found and added default attribute for release: givenName>
2017-09-12 21:57:21,379 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Default attributes found to be released are {cn=Micas Rafael, givenName=Micas, sn=Rafael}>
2017-09-12 21:57:21,379 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Attempting to merge policy attributes and default attributes>
2017-09-12 21:57:21,380 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding default attributes first to the released set of attributes>
2017-09-12 21:57:21,380 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Adding policy attributes to the released set of attributes>
2017-09-12 21:57:21,380 DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: {cn=Micas Rafael, givenName=Micas, LdapAuthenticationHandler.dn=CN=Micas Rafael,OU=Users,OU=DSI,DC=BCITESTES,DC=local, sn=Rafael}>
2017-09-12 21:57:21,381 DEBUG [org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy] - <Skipping access strategy policy, since no attributes rules are defined>
2017-09-12 21:57:21,381 DEBUG [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Current authentication via ticket TGT-**********************************************HSoxyIIULz-casdev allows service https://192.168.0.151/secured-by-cas/index.php to participate in the existing SSO session>
2017-09-12 21:57:21,382 DEBUG [org.apereo.cas.ticket.DefaultServiceTicketFactory] - <Looking up service ticket id generator for [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl]>
2017-09-12 21:57:21,382 DEBUG [org.apereo.cas.ticket.DefaultServiceTicketFactory] - <Attempting to encode service ticket ST-13-cHtrhddFq5kPa9nFdymw-casdev>
2017-09-12 21:57:21,383 DEBUG [org.apereo.cas.ticket.DefaultServiceTicketFactory] - <Encoded service ticket id ST-13-cHtrhddFq5kPa9nFdymw-casdev>
2017-09-12 21:57:21,383 DEBUG [org.apereo.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [TGT-**********************************************HSoxyIIULz-casdev] to registry.>
2017-09-12 21:57:21,384 DEBUG [org.apereo.cas.ticket.registry.DefaultTicketRegistry] - <Added ticket [ST-13-cHtrhddFq5kPa9nFdymw-casdev] to registry.>
2017-09-12 21:57:21,384 INFO [org.apereo.cas.CentralAuthenticationServiceImpl] - <Granted ticket [ST-13-cHtrhddFq5kPa9nFdymw-casdev] for service [https://192.168.0.151/secured-by-cas/index.php] and principal [mrafael]>
2017-09-12 21:57:21,384 DEBUG [org.apereo.cas.CentralAuthenticationServiceImpl] - <Publishing org.apereo.cas.support.events.CasServiceTicketGrantedEvent@72e6be69[ticketGrantingTicket=TGT-**********************************************HSoxyIIULz-casdev,serviceTicket=ST-13-cHtrhddFq5kPa9nFdymw-casdev]>
2017-09-12 21:57:21,384 DEBUG [org.apereo.cas.audit.spi.ThreadLocalPrincipalResolver] - <Resolving principal at audit point [execution(ServiceTicket org.apereo.cas.CentralAuthenticationServiceImpl.grantServiceTicket(String,Service,AuthenticationResult))]>
2017-09-12 21:57:21,385 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO
: mrafael
WHAT
: ST-13-cHtrhddFq5kPa9nFdymw-casdev for https://192.168.0.151/secured-by-cas/index.php
ACTION
: SERVICE_TICKET_CREATED
APPLICATION
: CAS
WHEN
: Tue Sep 12 21:57:21 EDT 2017
CLIENT IP ADDRESS
: 192.168.0.1
SERVER IP ADDRESS
: 192.168.0.150
=============================================================

CASCLIENT:


[Tue Sep 12 21:58:22.473143 2017] [ssl:info] [pid 10811] (70007)The timeout specified has expired: [client 192.168.0.1:62026] AH01991: SSL input filter read failed.
[Tue Sep 12 21:58:22.473219 2017] [ssl:debug] [pid 10811] ssl_engine_io.c(992): [client 192.168.0.1:62026] AH02001: Connection closed to child 2 with standard shutdown (server 192.168.0.151:443)
[Tue Sep 12 21:58:23.222991 2017] [ssl:info] [pid 10812] [client 192.168.0.1:62029] AH01964: Connection to child 3 established (server 192.168.0.151:443)
[Tue Sep 12 21:58:23.223794 2017] [ssl:debug] [pid 10812] ssl_engine_kernel.c(1812): [client 192.168.0.1:62029] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Tue Sep 12 21:58:23.224096 2017] [ssl:info] [pid 10812] (70014)End of file found: [client 192.168.0.1:62029] AH01991: SSL input filter read failed.
[Tue Sep 12 21:58:23.224146 2017] [ssl:debug] [pid 10812] ssl_engine_io.c(992): [client 192.168.0.1:62029] AH02001: Connection closed to child 3 with standard shutdown (server 192.168.0.151:443)
[Tue Sep 12 21:58:23.224847 2017] [ssl:info] [pid 10809] [client 192.168.0.1:62030] AH01964: Connection to child 0 established (server 192.168.0.151:443)
[Tue Sep 12 21:58:23.225255 2017] [ssl:debug] [pid 10809] ssl_engine_kernel.c(1812): [client 192.168.0.1:62030] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Tue Sep 12 21:58:23.225750 2017] [ssl:debug] [pid 10809] ssl_engine_kernel.c(224): [client 192.168.0.1:62030] AH02034: Initial (No.1) HTTPS request received for child 0 (server 192.168.0.151:443), referer: https://192.168.0.151/
[Tue Sep 12 21:58:23.225832 2017] [authz_core:debug] [pid 10809] mod_authz_core.c(809): [client 192.168.0.1:62030] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://192.168.0.151/
[Tue Sep 12 21:58:23.225840 2017] [authz_core:debug] [pid 10809] mod_authz_core.c(809): [client 192.168.0.1:62030] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://192.168.0.151/
[Tue Sep 12 21:58:23.225846 2017] [auth_cas:debug] [pid 10809] mod_auth_cas.c(2076): [client 192.168.0.1:62030] Entering cas_authenticate(), referer: https://192.168.0.151/
[Tue Sep 12 21:58:23.225854 2017] [auth_cas:debug] [pid 10809] mod_auth_cas.c(584): [client 192.168.0.1:62030] CAS Service 'https%3a%2f%2f192.168.0.151%2fsecured-by-cas%2findex.php', referer: https://192.168.0.151/
[Tue Sep 12 21:58:23.225856 2017] [auth_cas:debug] [pid 10809] mod_auth_cas.c(532): [client 192.168.0.1:62030] entering getCASLoginURL(), referer: https://192.168.0.151/
[Tue Sep 12 21:58:23.225860 2017] [auth_cas:debug] [pid 10809] mod_auth_cas.c(509): [client 192.168.0.1:62030] entering getCASGateway(), referer: https://192.168.0.151/
[Tue Sep 12 21:58:23.225861 2017] [auth_cas:debug] [pid 10809] mod_auth_cas.c(599): [client 192.168.0.1:62030] entering redirectRequest(), referer: https://192.168.0.151/
[Tue Sep 12 21:58:23.225863 2017] [auth_cas:debug] [pid 10809] mod_auth_cas.c(611): [client 192.168.0.1:62030] Adding outgoing header: Location: https://192.168.0.150:8443/cas/login?service=https%3a%2f%2f192.168.0.151%2fsecured-by-cas%2findex.php, referer: https://192.168.0.151/
[Tue Sep 12 21:58:23.275446 2017] [ssl:debug] [pid 10809] ssl_engine_kernel.c(224): [client 192.168.0.1:62030] AH02034: Subsequent (No.2) HTTPS request received for child 0 (server 192.168.0.151:443), referer: https://192.168.0.151/
[Tue Sep 12 21:58:23.275554 2017] [authz_core:debug] [pid 10809] mod_authz_core.c(809): [client 192.168.0.1:62030] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://192.168.0.151/
[Tue Sep 12 21:58:23.275560 2017] [authz_core:debug] [pid 10809] mod_authz_core.c(809): [client 192.168.0.1:62030] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://192.168.0.151/
[Tue Sep 12 21:58:23.275580 2017] [auth_cas:debug] [pid 10809] mod_auth_cas.c(2076): [client 192.168.0.1:62030] Entering cas_authenticate(), referer: https://192.168.0.151/
[Tue Sep 12 21:58:23.275588 2017] [auth_cas:debug] [pid 10809] mod_auth_cas.c(656): [client 192.168.0.1:62030] Modified r->args (now ''), referer: https://192.168.0.151/
[Tue Sep 12 21:58:23.275602 2017] [auth_cas:debug] [pid 10809] mod_auth_cas.c(1779): [client 192.168.0.1:62030] entering getResponseFromServer(), referer: https://192.168.0.151/
[Tue Sep 12 21:58:23.275643 2017] [auth_cas:debug] [pid 10809] mod_auth_cas.c(584): [client 192.168.0.1:62030] CAS Service 'https%3a%2f%2f192.168.0.151%2fsecured-by-cas%2findex.php', referer: https://192.168.0.151/
[Tue Sep 12 21:58:23.276407 2017] [auth_cas:debug] [pid 10809] mod_auth_cas.c(1848): [client 192.168.0.1:62030] MOD_AUTH_CAS: curl_easy_perform() failed (\x11\xee'~\x01\x80\xff\xffA), referer: https://192.168.0.151/
[Tue Sep 12 21:58:23.276446 2017] [auth_cas:debug] [pid 10809] mod_auth_cas.c(1440): [client 192.168.0.1:62030] entering isValidCASTicket(), referer: https://192.168.0.151/


Here is my cas.properties:


cas.server.name: https://192.168.0.150:8443
cas.server.prefix: https://192.168.0.150:8443/cas

cas.adminPagesSecurity.ip=127\.0\.0\.1

#cas.authn.accept.users=

logging.config: file:/etc/cas/config/log4j2.xml
cas.serviceRegistry.config.location: file:/etc/cas/services

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://qualadds.bcitestes.local:389
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=OU=Users,OU=DSI,DC=BCITESTES,DC=local
cas.authn.ldap[0].userFilter=(sAMAccountName={user})
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].usePasswordPolicy=false
cas.authn.ldap[0].bindDn=CN=Micas Rafael,OU=Users,OU=DSI,DC=BCITESTES,DC=local
cas.authn.ldap[0].bindCredential=P@ssword1
cas.authn.ldap[0].principalAttributeId=sAMAccountName
cas.authn.ldap[0].principalAttributeList=sn,cn,givenName
cas.authn.ldap[0].allowMultiplePrincipalAttributeValues=true
cas.authn.attributeRepository.defaultAttributesToRelease=cn,sn,givenName
cas.authn.ldap[0].attributes.cn:    uid
cas.authn.ldap[0].attributes.givenName:   Formatted Name
cas.authn.ldap[0].attributes.sn:    sn
cas.authn.ldap[0].allowMissingPrincipalAttributeValue=true




/etc/httpd/conf.d/cas.conf:


LoadModule auth_cas_module modules/mod_auth_cas.so

<Directory "/var/www/html/secured-by-cas">
    <IfModule mod_auth_cas.c>
        AuthType CAS
        CASAuthNHeader On
    </IfModule>

    Require valid-user
</Directory>

#<Location /secured-by-cas>
#    <IfModule mod_auth_cas.c>
#        AuthType CAS
#       CASAuthNHeader On
#    </IfModule>
#
#    Require valid-user
#</Location>

<IfModule mod_auth_cas.c>
    CASLoginUrl           https://192.168.0.150:8443/cas/login
    CASValidateUrl        https://192.168.0.150:8443/cas/serviceValidate
    CASCookiePath         /var/cache/httpd/mod_auth_cas/
    CASValidateSAML       On
    CASSSOEnabled         On
    CASDebug              On
    CASCertificatePath    /etc/httpd/conf/casdev.crt
</IfModule>



What can be wrong?


Thanks in advance

Doug C

Sep 13, 2017, 10:57:29 AM
to CAS Community
It might be an issue with the SSL certificate for the CAS server and the fact you are using an IP address.  When mod_auth_cas goes to validate the ticket my guess is that it is unable to establish the SSL connection due to the untrusted certificate.  I think this would be true even if you have trusted the certificate because you are using an IP address for CAS.

Micas Camela

Sep 13, 2017, 11:29:22 AM
to CAS Community
Thanks, Doug, for the reply.

After changing the IP to the hostname I am still getting the error page.

Here is the output from apache:

[Wed Sep 13 00:51:14.091627 2017] [ssl:info] [pid 11557] [client 192.168.0.1:49515] AH01964: Connection to child 1 established (server casclient.gas.local:443)
[Wed Sep 13 00:51:14.091794 2017] [ssl:debug] [pid 11557] ssl_engine_kernel.c(1879): [client 192.168.0.1:49515] AH02043: SSL virtual host for servername casclient.gas.local found
[Wed Sep 13 00:51:14.092245 2017] [ssl:debug] [pid 11557] ssl_engine_kernel.c(1812): [client 192.168.0.1:49515] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Wed Sep 13 00:51:14.092526 2017] [ssl:info] [pid 11557] (70014)End of file found: [client 192.168.0.1:49515] AH01991: SSL input filter read failed.
[Wed Sep 13 00:51:14.092553 2017] [ssl:debug] [pid 11557] ssl_engine_io.c(992): [client 192.168.0.1:49515] AH02001: Connection closed to child 1 with standard shutdown (server casclient.gas.local:443)
[Wed Sep 13 00:51:14.093534 2017] [ssl:info] [pid 11558] [client 192.168.0.1:49516] AH01964: Connection to child 2 established (server casclient.gas.local:443)
[Wed Sep 13 00:51:14.093858 2017] [ssl:debug] [pid 11558] ssl_engine_kernel.c(1879): [client 192.168.0.1:49516] AH02043: SSL virtual host for servername casclient.gas.local found
[Wed Sep 13 00:51:14.094427 2017] [ssl:debug] [pid 11558] ssl_engine_kernel.c(1812): [client 192.168.0.1:49516] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Wed Sep 13 00:51:14.094807 2017] [ssl:debug] [pid 11558] ssl_engine_kernel.c(224): [client 192.168.0.1:49516] AH02034: Initial (No.1) HTTPS request received for child 2 (server casclient.gas.local:443), referer: https://casclient.gas.local/
[Wed Sep 13 00:51:14.094910 2017] [authz_core:debug] [pid 11558] mod_authz_core.c(809): [client 192.168.0.1:49516] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://casclient.gas.local/
[Wed Sep 13 00:51:14.094919 2017] [authz_core:debug] [pid 11558] mod_authz_core.c(809): [client 192.168.0.1:49516] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://casclient.gas.local/
[Wed Sep 13 00:51:14.094926 2017] [auth_cas:debug] [pid 11558] mod_auth_cas.c(2076): [client 192.168.0.1:49516] Entering cas_authenticate(), referer: https://casclient.gas.local/
[Wed Sep 13 00:51:14.094934 2017] [auth_cas:debug] [pid 11558] mod_auth_cas.c(584): [client 192.168.0.1:49516] CAS Service 'https%3a%2f%2fcasclient.gas.local%2fsecured-by-cas%2findex.php', referer: https://casclient.gas.local/
[Wed Sep 13 00:51:14.094936 2017] [auth_cas:debug] [pid 11558] mod_auth_cas.c(532): [client 192.168.0.1:49516] entering getCASLoginURL(), referer: https://casclient.gas.local/
[Wed Sep 13 00:51:14.094940 2017] [auth_cas:debug] [pid 11558] mod_auth_cas.c(509): [client 192.168.0.1:49516] entering getCASGateway(), referer: https://casclient.gas.local/
[Wed Sep 13 00:51:14.094942 2017] [auth_cas:debug] [pid 11558] mod_auth_cas.c(599): [client 192.168.0.1:49516] entering redirectRequest(), referer: https://casclient.gas.local/
[Wed Sep 13 00:51:14.094944 2017] [auth_cas:debug] [pid 11558] mod_auth_cas.c(611): [client 192.168.0.1:49516] Adding outgoing header: Location: https://casdev.gas.local:8443/cas/login?service=https%3a%2f%2fcasclient.gas.local%2fsecured-by-cas%2findex.php, referer: https://casclient.gas.local/
[Wed Sep 13 00:51:19.101068 2017] [ssl:info] [pid 11558] (70007)The timeout specified has expired: [client 192.168.0.1:49516] AH01991: SSL input filter read failed.
[Wed Sep 13 00:51:19.101166 2017] [ssl:debug] [pid 11558] ssl_engine_io.c(992): [client 192.168.0.1:49516] AH02001: Connection closed to child 2 with standard shutdown (server casclient.gas.local:443)
[Wed Sep 13 00:51:26.874122 2017] [ssl:info] [pid 11559] [client 192.168.0.1:49558] AH01964: Connection to child 3 established (server casclient.gas.local:443)
[Wed Sep 13 00:51:26.874276 2017] [ssl:debug] [pid 11559] ssl_engine_kernel.c(1879): [client 192.168.0.1:49558] AH02043: SSL virtual host for servername casclient.gas.local found
[Wed Sep 13 00:51:26.874666 2017] [ssl:debug] [pid 11559] ssl_engine_kernel.c(1812): [client 192.168.0.1:49558] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Wed Sep 13 00:51:26.874848 2017] [ssl:info] [pid 11559] (70014)End of file found: [client 192.168.0.1:49558] AH01991: SSL input filter read failed.
[Wed Sep 13 00:51:26.874880 2017] [ssl:debug] [pid 11559] ssl_engine_io.c(992): [client 192.168.0.1:49558] AH02001: Connection closed to child 3 with standard shutdown (server casclient.gas.local:443)
[Wed Sep 13 00:51:26.875464 2017] [ssl:info] [pid 11561] [client 192.168.0.1:49559] AH01964: Connection to child 5 established (server casclient.gas.local:443)
[Wed Sep 13 00:51:26.875571 2017] [ssl:debug] [pid 11561] ssl_engine_kernel.c(1879): [client 192.168.0.1:49559] AH02043: SSL virtual host for servername casclient.gas.local found
[Wed Sep 13 00:51:26.876552 2017] [ssl:debug] [pid 11561] ssl_engine_kernel.c(1812): [client 192.168.0.1:49559] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Wed Sep 13 00:51:26.877040 2017] [ssl:debug] [pid 11561] ssl_engine_kernel.c(224): [client 192.168.0.1:49559] AH02034: Initial (No.1) HTTPS request received for child 5 (server casclient.gas.local:443), referer: https://casdev.gas.local:8443/cas/login?service=https%3a%2f%2fcasclient.gas.local%2fsecured-by-cas%2findex.php
[Wed Sep 13 00:51:26.877222 2017] [authz_core:debug] [pid 11561] mod_authz_core.c(809): [client 192.168.0.1:49559] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://casdev.gas.local:8443/cas/login?service=https%3a%2f%2fcasclient.gas.local%2fsecured-by-cas%2findex.php
[Wed Sep 13 00:51:26.877229 2017] [authz_core:debug] [pid 11561] mod_authz_core.c(809): [client 192.168.0.1:49559] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://casdev.gas.local:8443/cas/login?service=https%3a%2f%2fcasclient.gas.local%2fsecured-by-cas%2findex.php
[Wed Sep 13 00:51:26.877241 2017] [auth_cas:debug] [pid 11561] mod_auth_cas.c(2076): [client 192.168.0.1:49559] Entering cas_authenticate(), referer: https://casdev.gas.local:8443/cas/login?service=https%3a%2f%2fcasclient.gas.local%2fsecured-by-cas%2findex.php
[Wed Sep 13 00:51:26.877249 2017] [auth_cas:debug] [pid 11561] mod_auth_cas.c(656): [client 192.168.0.1:49559] Modified r->args (now ''), referer: https://casdev.gas.local:8443/cas/login?service=https%3a%2f%2fcasclient.gas.local%2fsecured-by-cas%2findex.php
[Wed Sep 13 00:51:26.877319 2017] [auth_cas:debug] [pid 11561] mod_auth_cas.c(1779): [client 192.168.0.1:49559] entering getResponseFromServer(), referer: https://casdev.gas.local:8443/cas/login?service=https%3a%2f%2fcasclient.gas.local%2fsecured-by-cas%2findex.php
[Wed Sep 13 00:51:26.877577 2017] [auth_cas:debug] [pid 11561] mod_auth_cas.c(584): [client 192.168.0.1:49559] CAS Service 'https%3a%2f%2fcasclient.gas.local%2fsecured-by-cas%2findex.php', referer: https://casdev.gas.local:8443/cas/login?service=https%3a%2f%2fcasclient.gas.local%2fsecured-by-cas%2findex.php
[Wed Sep 13 00:51:26.976446 2017] [auth_cas:debug] [pid 11561] mod_auth_cas.c(1848): [client 192.168.0.1:49559] MOD_AUTH_CAS: curl_easy_perform() failed (), referer: https://casdev.gas.local:8443/cas/login?service=https%3a%2f%2fcasclient.gas.local%2fsecured-by-cas%2findex.php
[Wed Sep 13 00:51:26.976523 2017] [auth_cas:debug] [pid 11561] mod_auth_cas.c(1440): [client 192.168.0.1:49559] entering isValidCASTicket(), referer: https://casdev.gas.local:8443/cas/login?service=https%3a%2f%2fcasclient.gas.local%2fsecured-by-cas%2findex.php
[Wed Sep 13 00:51:31.981146 2017] [ssl:info] [pid 11561] (70007)The timeout specified has expired: [client 192.168.0.1:49559] AH01991: SSL input filter read failed.
[Wed Sep 13 00:51:31.981234 2017] [ssl:debug] [pid 11561] ssl_engine_io.c(992): [client 192.168.0.1:49559] AH02001: Connection closed to child 5 with standard shutdown (server casclient.gas.local:443)

Doug C

Sep 13, 2017, 11:50:02 AM
to CAS Community
Micas,

I am not really sure.  I am assuming you did change the CASLoginUrl and CASValidateUrl to use the casdev.gas.local domain and that the casdev.gas.local domain SSL certificate is what is stored at /etc/httpd/conf/casdev.crt.

If that is the case I am currently out of ideas, though I really do think it has something to do with the server hosting the casclient not being able to communicate with the casdev server.

Doug

David Hawes

Sep 13, 2017, 5:59:11 PM
to CAS Community
I think this is the right path to go down, but I would have expected a
better error message from curl.

I do see that you have "CASValidateSaml On", so you should most likely
use the /samlValidate endpoint.

So, you should now have:

CASValidateUrl https://casdev.gas.local:8443/cas/samlValidate
CASCertificatePath /etc/httpd/conf/casdev.crt

What is the CN and subjectAltName of /etc/httpd/conf/casdev.crt?

What do you get when you:

curl -v https://casdev.gas.local:8443

from your machine running Apache?

Micas Camela

Sep 14, 2017, 4:50:48 AM
to CAS Community

Hi dhawes,

This is how I left cas.conf content:


LoadModule auth_cas_module modules/mod_auth_cas.so

<Directory "/var/www/html/secured-by-cas">
    <IfModule mod_auth_cas.c>
        AuthType CAS
        CASAuthNHeader On
    </IfModule>

    #Require all granted

    Require valid-user
</Directory>

<IfModule mod_auth_cas.c>
    CASLoginUrl           https://casdev.gas.local:8443/cas/login
    CASValidateUrl        https://casdev.gas.local:8443/cas/serviceValidate
    CASCookiePath         /var/cache/httpd/mod_auth_cas/
    CASValidateSAML       Off
    CASSSOEnabled         On
    CASDebug              On
    CASCertificatePath    /etc/httpd/conf/casdev.gas.local.crt
</IfModule>


This is the output of "curl -v https://casdev.gas.local:8443" :

* About to connect() to casdev.gas.local port 8443 (#0)
*   Trying 192.168.0.150...
* Connected to casdev.gas.local (192.168.0.150) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*     subject: CN=casdev.gas.local,OU=DSI-GAS,O=BCI,L=MPT,ST=Maputo,C=MZ
*     start date: Sep 13 05:24:14 2017 GMT
*     expire date: Sep 03 05:24:14 2019 GMT
*     common name: casdev.gas.local
*     issuer: CN=casdev.gas.local,OU=DSI-GAS,O=BCI,L=MPT,ST=Maputo,C=MZ
* NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)
* Issuer certificate is invalid.
* Closing connection 0
curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.


Here is info about casdev.gas.local (I generated a new one trying to solve the problem):

keytool -printcert -v -file conf/casdev.gas.local.crt

Owner: CN=casdev.gas.local, OU=DSI-GAS, O=BCI, L=MPT, ST=Maputo, C=MZ
Issuer: CN=casdev.gas.local, OU=DSI-GAS, O=BCI, L=MPT, ST=Maputo, C=MZ
Serial number: 660b315e
Valid from: Wed Sep 13 01:24:14 EDT 2017 until: Tue Sep 03 01:24:14 EDT 2019
Certificate fingerprints:
     MD5:  23:C1:A1:AE:85:F3:75:F4:88:BA:DE:3C:3F:2F:B2:AA
     SHA1: 0E:CE:B8:F4:70:C8:87:82:B8:53:A0:F7:D2:DF:E2:91:8D:CD:D2:02
     SHA256: 14:7B:65:2C:0B:61:E5:3E:17:14:E1:E1:FD:4D:8A:D9:15:D3:D2:09:E2:48:C0:61:27:CF:9A:03:DD:91:D4:EF
Signature algorithm name: SHA256withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: DB 59 D4 74 C4 D3 F2 16   31 70 53 AA C9 38 65 47  .Y.t....1pS..8eG
0010: 65 53 AF 72                                        eS.r
]
]

Micas Camela

Sep 14, 2017, 9:11:57 AM
to CAS Community
Hi Doug C,

I solved the problem by regenerating the casdev certificate (previously generated using keytool) using the following commands:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout casdev.key -out casdev.crt

openssl pkcs12 -export -inkey casdev.key -in casdev.crt -name tomcat -out casdev.p12

keytool -importkeystore -srckeystore casdev.p12 -srcstoretype pkcs12 -destkeystore keystore.jks


And by importing the casdev.crt into CASCLIENT (/etc/httpd/conf/casdev.crt).

But unfortunately I am only getting the username, without any attributes.


Thank you

David Hawes

Sep 14, 2017, 9:58:30 AM
to CAS Community
Have you tried using the /samlValidate endpoint with "CASValidateSaml On"?

/serviceValidate may or may not return attributes, depending on your
CAS server. If it does, you can use mod_auth_cas from git master,
which supports CASv2 attributes.
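To make the serviceValidate/samlValidate distinction concrete, here is an added example (not code from this thread, from mod_auth_cas or from the CAS server) that parses both response styles the way a client such as mod_auth_cas must: a CAS 2.0 /serviceValidate response carries only the user, a CAS 3.0 one may carry a cas:attributes block, and a /samlValidate response carries the attributes in a SAML 1.1 AttributeStatement. The four XML documents are constructed to follow the shapes the CAS protocol defines (a real SAML response also has NotBefore/NotOnOrAfter on Conditions, which a client should check and which are omitted here); the principal mrafael and the cn/sn/givenName values are taken from the thread's logs. The Audience check against the TARGET service URL is an extra safeguard not discussed in the thread. None of this replaces verifying the CAS server's TLS certificate when fetching the response, which was the thread's first problem.

```python
"""Parse CAS ticket-validation responses from /serviceValidate (CAS 2.0 or
3.0 XML) and /samlValidate (SAML 1.1 in a SOAP envelope). Added example;
not code from the thread, from mod_auth_cas or from the CAS server. The
sample documents are constructed to follow the CAS protocol's response
shapes (real SAML responses also carry NotBefore/NotOnOrAfter on
<Conditions>, omitted here); user and attributes reuse the thread's values.
"""
import xml.etree.ElementTree as ET

CAS = "{http://www.yale.edu/tp/cas}"
SAMLP = "{urn:oasis:names:tc:SAML:1.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"


class CasValidationError(Exception):
    """The server did not vouch for the ticket, or the assertion is not for us."""


def parse_service_validate(xml_text):
    """Return (user, attributes) from a /serviceValidate response.

    A CAS 2.0 server sends only <cas:user>; a CAS 3.0 server may add
    <cas:attributes> with one child per attribute value, so the same parser
    yields an empty dict for 2.0 and a filled one for 3.0.
    """
    root = ET.fromstring(xml_text)
    failure = root.find(CAS + "authenticationFailure")
    if failure is not None:
        raise CasValidationError("%s: %s" % (failure.get("code"), (failure.text or "").strip()))
    success = root.find(CAS + "authenticationSuccess")
    user = success.findtext(CAS + "user", "").strip() if success is not None else ""
    if not user:
        raise CasValidationError("no <cas:authenticationSuccess>/<cas:user> in response")
    attrs = {}
    for child in success.iterfind(CAS + "attributes/*"):
        name = child.tag.split("}", 1)[1]                  # drop the cas: namespace
        attrs.setdefault(name, []).append((child.text or "").strip())
    return user, attrs


def parse_saml_validate(xml_text, expected_service=None):
    """Return (user, attributes) from a /samlValidate response.

    Besides the status code, check the assertion's Audience against the
    service URL that was sent as TARGET: an assertion issued for another
    service must not be accepted just because it parsed.
    """
    root = ET.fromstring(xml_text)
    code = root.find(".//" + SAMLP + "Status/" + SAMLP + "StatusCode")
    value = code.get("Value", "") if code is not None else ""
    if value.rsplit(":", 1)[-1] != "Success":
        raise CasValidationError("SAML status %r" % value)
    if expected_service is not None:
        audiences = [a.text.strip() for a in root.iterfind(".//" + SAML + "Audience") if a.text]
        if expected_service not in audiences:
            raise CasValidationError("assertion audience %r is not %r" % (audiences, expected_service))
    name_id = root.find(".//" + SAML + "AuthenticationStatement/" + SAML + "Subject/"
                        + SAML + "NameIdentifier")
    if name_id is None or not (name_id.text or "").strip():
        raise CasValidationError("assertion carries no NameIdentifier")
    attrs = {}
    for attr in root.iterfind(".//" + SAML + "AttributeStatement/" + SAML + "Attribute"):
        attrs[attr.get("AttributeName")] = [
            (v.text or "").strip() for v in attr.findall(SAML + "AttributeValue")]
    return name_id.text.strip(), attrs


# Constructed sample responses (service URL and ticket id as in the thread's logs).
SERVICE = "https://casclient.gas.local/secured-by-cas/index.php"

CAS2_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>mrafael</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""

CAS3_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>mrafael</cas:user><cas:attributes>
    <cas:cn>Micas Rafael</cas:cn><cas:sn>Rafael</cas:sn><cas:givenName>Micas</cas:givenName>
  </cas:attributes></cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket ST-13-cHtrhddFq5kPa9nFdymw-casdev not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

SAML_RESPONSE = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body>
<saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" MajorVersion="1" MinorVersion="1">
  <saml1p:Status><saml1p:StatusCode Value="saml1p:Success"/></saml1p:Status>
  <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1">
    <saml1:Conditions><saml1:AudienceRestrictionCondition>
      <saml1:Audience>https://casclient.gas.local/secured-by-cas/index.php</saml1:Audience>
    </saml1:AudienceRestrictionCondition></saml1:Conditions>
    <saml1:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <saml1:Subject><saml1:NameIdentifier>mrafael</saml1:NameIdentifier></saml1:Subject>
    </saml1:AuthenticationStatement>
    <saml1:AttributeStatement>
      <saml1:Subject><saml1:NameIdentifier>mrafael</saml1:NameIdentifier></saml1:Subject>
      <saml1:Attribute AttributeName="cn" AttributeNamespace="http://www.ja-sig.org/products/cas/"><saml1:AttributeValue>Micas Rafael</saml1:AttributeValue></saml1:Attribute>
      <saml1:Attribute AttributeName="sn" AttributeNamespace="http://www.ja-sig.org/products/cas/"><saml1:AttributeValue>Rafael</saml1:AttributeValue></saml1:Attribute>
      <saml1:Attribute AttributeName="givenName" AttributeNamespace="http://www.ja-sig.org/products/cas/"><saml1:AttributeValue>Micas</saml1:AttributeValue></saml1:Attribute>
    </saml1:AttributeStatement>
  </saml1:Assertion>
</saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>"""
```

Running parse_service_validate over CAS2_RESPONSE gives the user and an empty attribute dict, which is exactly the "username only" result reported in the thread; the CAS 3.0 and SAML documents both yield cn, sn and givenName, and the failure document raises CasValidationError with the server's code instead of silently returning an empty user.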

Micas Camela

Sep 14, 2017, 10:04:06 AM
to CAS Community
Hi dhawes,

I did that and now I am getting the attributes.

I assume my problems are all solved.

Thank you all

Best regards

arti wavale

Dec 12, 2019, 3:41:41 AM
to CAS Community
Hi,

Can you share more information about how to retrieve user attributes from the LDAP database by using samlValidate, because I am facing some errors, and also explain how to create the SSL connection on the mod_auth_cas client side?

Thanks and Regards