Issues w/ CAS 7.0.2 and Spnego+Duo-MFA

mailing_...@melson.fastmail.net

Apr 2, 2024, 3:10:31 PM
to cas-...@apereo.org
Currently testing an upgrade to CAS 7.0.2 and running into an issue
where if the user authenticates with Spnego/Kerberos, Duo-MFA will not
trigger properly (user is dropped back to the standard login page, which
works fine). The same config works fine in CAS 6.6.x if I flip back, and
I've tried switching MFA to trigger globally, by attribute, etc., and see
the same behavior.

The error message that is thrown is:

2024-04-02 14:27:29,422 WARN
[org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
- <State [spnego:success:success] does not have a matching transition
for mfa-duo>

I'm not terribly familiar with the frameworks CAS uses, so not sure the
best way to poke at it to try and find the underlying issue. I turned on
trace and the state of 7.0.x before the error is:

2024-04-01 15:15:21,175 TRACE
[org.apereo.cas.authentication.MultifactorAuthenticationUtils] -
<Reviewing current state [[ActionState@1778ddbb id = 'spnego', flow =
'login', entryActionList = list[[empty]], exceptionHandlerSet =
list[[empty]], actionList = list[[EvaluateAction@60d6801e expression =
spnego, resultExpression = [null]]], transitions =
list[[Transition@69dd918c on = success, to =
createTicketGrantingTicket], [Transition@73437e5d on = error, to =
viewLoginForm], [Transition@e79c832 on = warn, to = warn],
[Transition@5f3d4943 on = authenticationFailure, to = viewLoginForm],
[Transition@5a69e2d9 on = successWithWarnings, to =
showAuthenticationWarningMessages]], exitActionList =
list[[EvaluateAction@32b0ce5f expression =
clearWebflowCredentialsAction, resultExpression = [null]]]]], event
[success] and transition [[Transition@72c8a863 on = success, to = spnego]]>
Whereas in 6.6.x, it looks like the state has the necessary transitions.

2024-04-01 15:07:02,344 TRACE
[org.apereo.cas.authentication.MultifactorAuthenticationUtils] -
<Reviewing current state [[ActionState@4575c53f id = 'spnego', flow =
'login', entryActionList = list[[empty]], exceptionHandlerSet =
list[[empty]], actionList = list[[EvaluateAction@66a1941c expression =
spnego, resultExpression = [null]]], transitions =
list[[Transition@5af3c5cf on = success, to =
createTicketGrantingTicket], [Transition@44f05cc4 on = error, to =
viewLoginForm], [Transition@65ee10f9 on = warn, to = warn],
[Transition@ed96d46 on = authenticationFailure, to = viewLoginForm],
[Transition@4ac01cef on = successWithWarnings, to =
showAuthenticationWarningMessages], [Transition@c907f0f on = deny, to =
mfaDenied], [Transition@196ccfbc on = unavailable, to = mfaUnavailable],
[Transition@5c9a328a on = mfa-duo, to = mfa-duo]], exitActionList =
list[[EvaluateAction@16f76a92 expression =
clearWebflowCredentialsAction, resultExpression = [null]]]]], event
[success] and transition [[Transition@19101744 on = success, to = spnego]]>

In any case, any help that can be given would be greatly appreciated,
since this is blocking an upgrade for us until I figure it out.

Thanks in advance,
Matt
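The comparison above is done by eye across two wrapped TRACE records. The following added example (my code, not from this thread or the CAS project) does the same check mechanically: it re-joins wrapped log lines into records, pulls each reviewed state's `on = ... , to = ...` transitions out of the `Reviewing current state` record, and reports which MFA-related events (the provider id plus the `deny` and `unavailable` outcomes seen in the 6.6.x trace) the state cannot transition on. It also collects the `does not have a matching transition` WARN records. The samples are constructed, abridged from the records quoted above; the set of "required" events is an assumption taken from the 6.6.x trace, not from CAS documentation.

```python
"""Find missing MFA transitions in CAS webflow TRACE output (added example)."""
from __future__ import annotations

import re

# A record starts with a log4j-style timestamp; wrapped continuation lines
# (as pasted in the thread) are glued back onto the record they belong to.
RECORD_START_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
STATE_RE = re.compile(r"ActionState@[0-9a-f]+ id = '(?P<id>[^']+)'")
TRANSITION_RE = re.compile(r"Transition@[0-9a-f]+ on = (?P<on>[\w-]+), to = (?P<to>[\w-]+)")
NO_TRANSITION_RE = re.compile(
    r"State \[(?P<state>[^\]]+)\] does not have a matching transition for (?P<event>[\w-]+)"
)

# Assumption: besides the provider's own event, an MFA-wired state carries
# these two outcome transitions (both are present in the 6.6.x trace).
MFA_OUTCOME_EVENTS = ("deny", "unavailable")


def merge_records(text: str) -> list[str]:
    """Join wrapped lines so each list element is one complete log record."""
    records: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RECORD_START_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_state_review(record: str) -> tuple[str, dict[str, str]] | None:
    """Return (state id, {event: target}) for a 'Reviewing current state' record."""
    state = STATE_RE.search(record)
    start = record.find("transitions = list[")
    end = record.find("exitActionList", start)
    if state is None or start < 0 or end < 0:
        return None
    # Slice to the state's own transition list: the record ends with the
    # transition currently being taken ("on = success, to = spnego"), which
    # must not be mistaken for one of the state's transitions.
    transitions = {t.group("on"): t.group("to") for t in TRANSITION_RE.finditer(record[start:end])}
    return state.group("id"), transitions


def missing_mfa_transitions(text: str, provider_id: str = "mfa-duo") -> dict[str, list[str]]:
    """Map each reviewed state id to the MFA events it has no transition for."""
    required = (provider_id,) + MFA_OUTCOME_EVENTS
    result: dict[str, list[str]] = {}
    for record in merge_records(text):
        parsed = parse_state_review(record)
        if parsed is not None:
            state_id, transitions = parsed
            result[state_id] = [event for event in required if event not in transitions]
    return result


def failed_mfa_events(text: str) -> list[tuple[str, str]]:
    """(state, event) pairs from WARN records that report a missing transition."""
    found: list[tuple[str, str]] = []
    for record in merge_records(text):
        match = NO_TRANSITION_RE.search(record)
        if match:
            found.append((match.group("state"), match.group("event")))
    return found


# Constructed samples, abridged from the records quoted in the thread.
TRACE_CAS_70 = """\
2024-04-02 14:27:29,422 WARN
[org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver]
- <State [spnego:success:success] does not have a matching transition
for mfa-duo>
2024-04-01 15:15:21,175 TRACE
[org.apereo.cas.authentication.MultifactorAuthenticationUtils] -
<Reviewing current state [[ActionState@1778ddbb id = 'spnego', flow =
'login', transitions =
list[[Transition@69dd918c on = success, to =
createTicketGrantingTicket], [Transition@73437e5d on = error, to =
viewLoginForm]], exitActionList = list[[empty]]]], event
[success] and transition [[Transition@72c8a863 on = success, to = spnego]]>
"""

TRACE_CAS_66 = """\
2024-04-01 15:07:02,344 TRACE
[org.apereo.cas.authentication.MultifactorAuthenticationUtils] -
<Reviewing current state [[ActionState@4575c53f id = 'spnego', flow =
'login', transitions =
list[[Transition@5af3c5cf on = success, to =
createTicketGrantingTicket], [Transition@c907f0f on = deny, to =
mfaDenied], [Transition@196ccfbc on = unavailable, to = mfaUnavailable],
[Transition@5c9a328a on = mfa-duo, to = mfa-duo]], exitActionList =
list[[empty]]]], event [success] and transition [[Transition@19101744 on = success, to = spnego]]>
"""

if __name__ == "__main__":
    for label, sample in (("CAS 7.0.x", TRACE_CAS_70), ("CAS 6.6.x", TRACE_CAS_66)):
        print(label, "missing:", missing_mfa_transitions(sample), "warned:", failed_mfa_events(sample))
```

Run it against a real `cas.log` with TRACE enabled for `org.apereo.cas.authentication` and `org.apereo.cas.web.flow`; a state listed with a non-empty `missing` list is one that an MFA webflow configurer never decorated, which is exactly the condition the WARN line reports. Passing a different `provider_id` (for example the Google Authenticator id) checks the same thing for another provider.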

Matt Elson

Apr 8, 2024, 3:38:49 PM
to cas-...@apereo.org
Following up from this, I was able to get SPNEGO+Duo-MFA working by
making sure that the SPNEGO webflow is ordered before DuoSecurity webflow.

Specifically, I modified the WEBFLOW_CONFIGURER_ORDER from 0 to 50 in
DuoSecurityAuthenticationEventExecutionPlanConfiguration

private static final int WEBFLOW_CONFIGURER_ORDER = 50;

And changed SPNEGO from 100 to 5 in SpnegoProperties.java

private WebflowAutoConfigurationProperties webflow = new
WebflowAutoConfigurationProperties().setOrder(5);

(The numbers chosen were basically random on my part as part of
debugging; I have no strong sense of what numbers should be best).

I also noticed that google-mfa+spnego will not work either, unless spnego
is set to run before google-mfa (whose order is currently set to 100 as well).

I guess the question is if this is intended, if there are downsides to
changing the order of webflow, and if there is a more elegant way than
recompiling to get this to work. (I see a way to customize the webflow
in the docs, but not sure how to wire up existing flows properly).

In any case, thanks in advance for any help!

Matt
Otto Myyrä

Mar 23, 2026, 10:07:29 AM
to CAS Community, Matt Elson
I'm having similar issues with a newer CAS (7.3.4 at the moment) and, as far as I've been able to understand, the solution that is described in this thread and helped with 7.0.x is no longer feasible in the newer versions. Would anyone happen to know what the preferred and correct way to solve this is on newer CAS versions?
We are getting the same errors about spnego being unable to transition to mfa.

2026-03-20 09:20:30,186 WARN [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <State [spnego:success:success] does not have a matching transition for mfa-duo

BR,
Otto Myyrä