Requirement : Enable CAS authentication for Kibana using HTTPD and MOD CAS
Software Version :
mod_auth_cas 1.1
OpenSSL 1.0.2k-fips
Apache Portable Runtime apr-1.6.3
Apache Web Server httpd-2.4.34
libcurl curl-7.61.1
libpcre pcre-8.42
RHEL Red Hat Enterprise Linux Server release 7.5 (Maipo)
Server and Software details :
Server 1 (10.0.0.12) : CAS
Server 2 (10.0.0.13) : Kibana, mod_auth_cas, openssl, Apache Portable Runtime, Apache Web Server, libcurl and libpcre
Status : While connecting to the HTTPD URL, based on the configuration file, the CAS login page is loaded and CAS authentication is successful, but it is not routing to the Kibana page (Note : If invalid credentials are entered, a valid message is shown on the CAS login page)
Error Message in UI : This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
Error in TOMCAT Catalina.out file :
=============================================================
WHO: user1
WHAT: Supplied credentials: [user1]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Tue Oct 30 10:36:54 UTC 2018
CLIENT IP ADDRESS: 10.0.121.9
SERVER IP ADDRESS: 10.0.0.12
=============================================================
2018-10-30 10:36:54,872 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: user1
WHAT: TGT-**************************************************D4hA1i3dcK-server1
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Oct 30 10:36:54 UTC 2018
CLIENT IP ADDRESS: 10.0.121.9
SERVER IP ADDRESS: 10.0.0.12
=============================================================
2018-10-30 10:36:54,874 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: user1
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Oct 30 10:36:54 UTC 2018
CLIENT IP ADDRESS: 10.0.121.9
SERVER IP ADDRESS: 10.0.0.12
=============================================================
2018-10-30 10:36:55,255 WARN [org.apereo.cas.support.pac4j.web.flow.DelegatedClientAuthenticationAction] - <No clients could be determined based on the provided configuration>
2018-10-30 10:36:55,258 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: [event=success,timestamp=Tue Oct 30 10:36:55 UTC 2018,source=InitialAuthenticationAttemptWebflowEventResolver]
ACTION: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION: CAS
WHEN: Tue Oct 30 10:36:55 UTC 2018
CLIENT IP ADDRESS: 10.0.121.9
SERVER IP ADDRESS: 10.0.0.12
=============================================================
Httpd.conf file :
<VirtualHost *:4010>
CASCookiePath /data/CAS_Kibana_Integration/cache/httpd/mod_auth_cas/
CASCertificatePath CASCertificatePath
ServerName 10.0.0.13
ProxyRequests Off
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLCertificateFile "SERVER2.pem file path"
SSLCertificateKeyFile "Server2_private.key"
ErrorLog logs/kibana_error.log
LogLevel debug
CustomLog logs/kibana_access.log combined
<Location "/.*">
CASScope /
AuthType CAS
AuthName "CAS"
Options Indexes MultiViews
Order allow,deny
Allow from all
require valid-user
</Location>
</VirtualHost>
Please let us know the configuration changes required to overcome this issue.
Regards,
Bharath
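
The audit excerpt in the post records SERVICE_TICKET_CREATED for user1, and the excerpt contains no record of that ticket being validated afterwards. As an added example (not part of the original post), this Python sketch parses audit records in that layout and lists users whose service ticket was issued but never validated. The SERVICE_TICKET_VALIDATED action name, the matching on WHO, and the sample log are assumptions constructed for illustration.

```python
import re

# Constructed sample in the audit-trail layout shown in the post (not real log data).
SAMPLE_LOG = """\
=============================================================
WHO: user1
ACTION: AUTHENTICATION_SUCCESS
=============================================================
2018-10-30 10:36:54,874 INFO [...] - <Audit trail record BEGIN
=============================================================
WHO: user1
ACTION: SERVICE_TICKET_CREATED
=============================================================
WHO: user2
ACTION: SERVICE_TICKET_CREATED
=============================================================
WHO: user2
ACTION: SERVICE_TICKET_VALIDATED
=============================================================
"""

FIELD = re.compile(r"^(WHO|WHAT|ACTION|APPLICATION|WHEN|CLIENT IP ADDRESS|SERVER IP ADDRESS):\s*(.*)$")
SEPARATOR = re.compile(r"^={10,}$")

def parse_audit_records(text):
    """Split catalina.out text into one dict per audit record."""
    records, current = [], {}
    for line in (raw.strip() for raw in text.splitlines()):
        if SEPARATOR.match(line):
            if current:            # closing separator: flush the record
                records.append(current)
                current = {}
        elif (m := FIELD.match(line)):
            current[m.group(1)] = m.group(2)   # missing fields (e.g. WHAT) are tolerated
    if current:                    # tolerate a truncated final record
        records.append(current)
    return records

def tickets_never_validated(records):
    """Users issued a service ticket that no later record validates (matched on WHO, an assumption)."""
    pending = []
    for rec in records:
        who, action = rec.get("WHO", ""), rec.get("ACTION", "")
        if action == "SERVICE_TICKET_CREATED":
            pending.append(who)
        elif action == "SERVICE_TICKET_VALIDATED" and who in pending:
            pending.remove(who)    # assumed action name for a successful validation
    return pending
```

A user left in the returned list means the browser came back with a ticket but the CAS server never logged a successful validation call for it, which narrows the search to the path between Apache and the CAS validation endpoint.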