Connection refused / Your account is forbidden to login at this time


Samuel GARÇON

Aug 29, 2019, 3:51:21 AM
to CAS Community
Hi,

After rebooting my CAS server, I can't access services.

Authentication seems to be OK, but ticket granting seems to fail:

Error: java.net.ConnectException: Connection refused (Connection refused)

Your account is forbidden to login at this time (web browser header)

Any ideas?

Thanks,

Samuel GARÇON

Aug 29, 2019, 8:11:02 AM
to CAS Community
This issue is very problematic for me.

So please find below more information about my configuration:

- Directory used: AD
- No logon_hour is configured

Thanks for your help :)

Sam

Samuel GARÇON

Aug 29, 2019, 12:11:25 PM
to CAS Community
Hi,

After some extensive debugging, some services are working:

- G Suite (SAML via SAML SP Integration) OK
- WordPress Auth (CAS) OK
- SalesForce (SAML via SAML SP Integration) NOK
- CAS Admin Dashboard (CAS) NOK

The problem seems to be located on the service validate side:

2019-08-29 18:08:50,183 ERROR [org.jasig.cas.client.util.CommonUtils] - <Error getting response from host: [ssp.emd-management.fr] with path: [/cas/p3/serviceValidate] and protocol: [https] Error Message: Connection refused (Connection refused)>


Thanks for your help.

Sam

Samuel GARÇON

Aug 30, 2019, 5:23:13 AM
to CAS Community
Hi,

I'm sorry to post again, but I really need some help.

Thanks,

Sam

Matthew Uribe

Aug 30, 2019, 6:46:31 AM
to cas-...@apereo.org
Just my initial thoughts: is there an expired SSL cert or a closed port in a firewall? The connection refused seems to indicate something possibly along those lines.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/0a8ace89-f67f-4e25-ae99-955909bed2a9%40apereo.org.

Samuel GARÇON

Aug 30, 2019, 7:30:48 AM
to CAS Community
Hi Matthew,

SSL cert used is valid until 21-Oct-20.
There is a firewall between the server and the client, but nothing is blocked, and some services (CAS/SAML) are working.

When I'm testing from the CAS dashboard or from the cas-management web apps, the connection is refused.
But if I'm testing from a WordPress using CAS, it's working.

- G Suite (SAML via SAML SP Integration) OK
- WordPress Auth (CAS) OK
- SalesForce (SAML via SAML SP Integration) NOK
- CAS Admin Dashboard (CAS) NOK
- CAS Management Web (CAS) NOK

I'm using CAS 5.3.11.

Thanks for your help,

Sam

On Friday, 30 August 2019 12:46:31 UTC+2, Matthew Uribe wrote:
Just my initial thoughts: is there an expired SSL cert or a closed port in a firewall? The connection refused seems to indicate something possibly along those lines.


David Curry

Aug 30, 2019, 7:38:31 AM
to cas-...@apereo.org
Are the CAS dashboard and CAS management server running on the same host? Is your DNS doing the wrong thing and you're connecting to localhost (127.0.0.1) instead of the interface where Tomcat is listening?

I would turn on some logging or tracing and verify that the IP/port your client is connecting to is the same one where the server is listening.

--

DAVID A. CURRY, CISSP
DIRECTOR • INFORMATION SECURITY & PRIVACY
THE NEW SCHOOL INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 646 909-4728
david...@newschool.edu

Samuel GARÇON

Aug 30, 2019, 7:49:04 AM
to CAS Community
Hello David,

The CAS Dashboard and the CAS Management are running on the same host.
The DNS is pointing at the CAS server:

C:\Users\Samuel.GARCON>nslookup ssp.emd-management.fr
Address:  172.16.17.3

Address:  192.168.200.11

root@L-APP-2:/etc/cas/config# ifconfig
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.200.11  netmask 255.255.255.0  broadcast 192.168.200.255
        inet6 fe80::250:56ff:fe95:689b  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:95:68:9b  txqueuelen 1000  (Ethernet)
        RX packets 151921  bytes 27672266 (26.3 MiB)
        RX errors 0  dropped 19  overruns 0  frame 0
        TX packets 134584  bytes 171085379 (163.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Thanks,

Sam

Samuel GARÇON

Aug 30, 2019, 7:52:54 AM
to CAS Community
Same result from the CAS log file:


2019-08-30 13:50:37,100 DEBUG [org.apereo.cas.services.RegisteredServiceAccessStrategyUtils] - <Current authentication via ticket [TGT-1-********************************************************V1sq-ij6t4EL-APP-2] allows service [https://ssp.emd-management.fr/cas-management/manage.html] to participate in the existing SSO session>
2019-08-30 13:50:37,101 DEBUG [org.apereo.cas.ticket.factory.DefaultServiceTicketFactory] - <Looking up service ticket id generator for [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl]>
2019-08-30 13:50:37,102 DEBUG [org.apereo.cas.ticket.factory.DefaultServiceTicketFactory] - <Attempting to encode service ticket [ST-16-bmk9P7VdByg7bhIWEAumssfID20L-APP-2]>
2019-08-30 13:50:37,103 DEBUG [org.apereo.cas.ticket.factory.DefaultServiceTicketFactory] - <Encoded service ticket id [ST-16-bmk9P7VdByg7bhIWEAumssfID20L-APP-2]>
2019-08-30 13:50:37,103 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Encoding ticket [TGT-1-********************************************************V1sq-ij6t4EL-APP-2]>
2019-08-30 13:50:37,104 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Encoded original ticket id [TGT-1-********************************************************V1sq-ij6t4EL-APP-2] to [71ffb9688b462aa1bbbe6f2c5fd703f195024b44510af78f67759dec125027bb87352535537c64134e2a2056610d5ede4e9dcc217fa5a078d65b6ac36cf898d7]>
2019-08-30 13:50:37,104 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Created encoded ticket [EncodedTicket(id=71ffb9688b462aa1bbbe6f2c5fd703f195024b44510af78f67759dec125027bb87352535537c64134e2a2056610d5ede4e9dcc217fa5a078d65b6ac36cf898d7)]>
2019-08-30 13:50:37,105 DEBUG [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - <Added ticket [TGT-1-********************************************************V1sq-ij6t4EL-APP-2] to registry.>
2019-08-30 13:50:37,105 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Encoding ticket [ST-16-bmk9P7VdByg7bhIWEAumssfID20L-APP-2]>
2019-08-30 13:50:37,106 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Encoded original ticket id [ST-16-bmk9P7VdByg7bhIWEAumssfID20L-APP-2] to [5ce1d485a22d1617783c456a96cd0224851fd7379b2ae6d2308c1faa87664b73f146b352263e7980eebfaf935ba28cfef36bcff836caeb4cac1346d71452b05c]>
2019-08-30 13:50:37,106 DEBUG [org.apereo.cas.ticket.registry.AbstractTicketRegistry] - <Created encoded ticket [EncodedTicket(id=5ce1d485a22d1617783c456a96cd0224851fd7379b2ae6d2308c1faa87664b73f146b352263e7980eebfaf935ba28cfef36bcff836caeb4cac1346d71452b05c)]>
2019-08-30 13:50:37,107 DEBUG [org.apereo.cas.ticket.registry.AbstractMapBasedTicketRegistry] - <Added ticket [ST-16-bmk9P7VdByg7bhIWEAumssfID20L-APP-2] to registry.>
2019-08-30 13:50:37,107 INFO [org.apereo.cas.DefaultCentralAuthenticationService] - <Granted ticket [ST-16-bmk9P7VdByg7bhIWEAumssfID20L-APP-2] for service [https://ssp.emd-management.fr/cas-management/manage.html] and principal [samuel.garcon]>
2019-08-30 13:50:37,108 DEBUG [org.apereo.cas.AbstractCentralAuthenticationService] - <Publishing [CasServiceTicketGrantedEvent(ticketGrantingTicket=TGT-1-********************************************************V1sq-ij6t4EL-APP-2, serviceTicket=ST-16-bmk9P7VdByg7bhIWEAumssfID20L-APP-2)]>
2019-08-30 13:50:37,108 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: samuel.garcon
WHAT: ST-16-bmk9P7VdByg7bhIWEAumssfID20L-APP-2 for https://ssp.emd-management.fr/cas-management/manage.html
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Aug 30 13:50:37 CEST 2019
CLIENT IP ADDRESS: 172.16.9.25
SERVER IP ADDRESS: 192.168.200.11
=============================================================


2019-08-30 13:52:12,289 ERROR [org.jasig.cas.client.util.CommonUtils] - Error getting response from host: [ssp.emd-management.fr] with path: [/cas/p3/serviceValidate] and protocol: [https] Error Message: Connection refused (Connection refused)

David Curry

Aug 30, 2019, 8:04:20 AM
to cas-...@apereo.org
You need to figure out why this:

2019-08-30 13:52:12,289 ERROR [org.jasig.cas.client.util.CommonUtils] - Error getting response from host: [ssp.emd-management.fr] with path: [/cas/p3/serviceValidate] and protocol: [https] Error Message: Connection refused (Connection refused) 

is happening. Something somewhere is telling the host that this message appears on that it cannot connect to ssp.emd-management.fr with https. Could be it's connecting to the wrong port (443 instead of 8443, or 8080 instead of 8443, or something), or could be it's connecting to the wrong IP, or could be there's a firewall in the way, or could be you don't have the operating system firewall's port(s) opened, or....

The fact that you're getting a connection refused and not a connection timeout suggests that the packets are reaching the destination (ssp.emd-management.fr) and then it's turning them away. I would start there and see what's happening.


Samuel GARÇON

Aug 30, 2019, 9:19:10 AM
to CAS Community
Hello David,

Many thanks for pointing me in the right direction.

You were absolutely right: I'm using a prerouting rule to present the login page to the users on TCP/443.
But I had completely forgotten to create an outbound rule to match the localhost traffic.

When the server was rebooted, the outbound rule was not saved...

All config files are pointing at https://ssp.emd-management.fr, but from the localhost perspective only port 8443 was available.

Thank you so much! :)

Sam
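The root cause above is a classic split between the two netfilter paths: a nat PREROUTING REDIRECT only sees packets that arrive from the network, while traffic the CAS server generates itself (its own call to /cas/p3/serviceValidate through the public hostname) only traverses the nat OUTPUT chain. The following shell script is an added example, not code from the thread or from the CAS project: it checks an iptables-save ruleset for a 443 to 8443 REDIRECT in both chains and names the one that is missing, which is exactly the gap that reappeared after the reboot. The two rulesets are constructed samples; the real rules were never posted, and the `-o lo` match in the OUTPUT rule is an assumption about how the outbound rule would be scoped so that the host's outbound HTTPS to other sites is left untouched.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a port REDIRECT exists in both the
# nat PREROUTING chain (packets arriving from the network) and the nat OUTPUT chain
# (packets the host sends to itself). Without the OUTPUT rule, a local client that
# connects to https://<public-host>/ lands on port 443, where nothing listens, and
# gets "Connection refused" even though remote clients are fine.

# Constructed sample: the ruleset after the reboot, with only PREROUTING restored.
RULESET_AFTER_REBOOT='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT'

# Constructed sample: the same redirect also applied to locally generated traffic.
# "-o lo" (assumed scoping) limits it to packets destined for the host itself.
RULESET_FIXED='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A OUTPUT -o lo -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT'

# has_redirect CHAIN FROM_PORT TO_PORT
# Reads an iptables-save ruleset on stdin; returns 0 if CHAIN carries a rule that
# redirects FROM_PORT to TO_PORT.
has_redirect() {
    grep -Eq -- "^-A $1 .*--dport $2( |$).*-j REDIRECT --to-ports $3( |$)"
}

# missing_redirect_chains RULESET FROM_PORT TO_PORT
# Prints the chains (space separated) that lack the redirect; prints an empty line
# when both PREROUTING and OUTPUT have it.
missing_redirect_chains() {
    ruleset=$1; from=$2; to=$3
    missing=""
    for chain in PREROUTING OUTPUT; do
        if ! printf '%s\n' "$ruleset" | has_redirect "$chain" "$from" "$to"; then
            missing="$missing $chain"
        fi
    done
    printf '%s\n' "${missing# }"
}

# report RULESET FROM_PORT TO_PORT
# Human-readable verdict; returns 1 when a chain is missing the rule so the check
# can gate a post-boot health script.
report() {
    missing=$(missing_redirect_chains "$1" "$2" "$3")
    if [ -z "$missing" ]; then
        echo "ok: $2 -> $3 is redirected in PREROUTING and OUTPUT"
        return 0
    fi
    echo "missing $2 -> $3 REDIRECT in: $missing"
    return 1
}

# Run against the constructed samples, or against the live kernel with --live
# (needs root and iptables-save on PATH).
if [ "${1:-}" = "--live" ]; then
    report "$(iptables-save -t nat)" 443 8443
else
    report "$RULESET_AFTER_REBOOT" 443 8443 || true   # prints: missing ... in: OUTPUT
    report "$RULESET_FIXED" 443 8443                   # prints: ok ...
fi
```

Because the rule that vanished lived only in the running kernel, the durable fix is to persist the whole nat table (for example with the distribution's iptables-persistent or netfilter-persistent mechanism) and to run a check like this one at boot, rather than to re-add the rule by hand after each restart.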


