Unauthorized After Login


Fahmi L. Ramdhani

Sep 23, 2018, 3:00:01 AM
to CAS Community
Hello, all. I tried to build CAS server based on the guidelines from https://dacurry-tns.github.io/deploying-apereo-cas. In the trial phase my client application gets a problem:

Unauthorized
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

This problem appears after logging in. The following is the CAS configuration:

etc/cas/config/cas.properties

cas.adminPagesSecurity.ip=127\.0\.0\.1

cas.tgc.secure: true
cas.tgc.crypto.signing.key: xxxxxxxx
cas.tgc.crypto.encryption.key: xxxxxxxxxxxxxxxx

cas.webflow.crypto.signing.key: xxxxxxxxxxxxxxxxxxxxxxxxx
cas.webflow.crypto.encryption.key: xxxxxxxxxxxxxxxxxxxxxx

cas.serviceRegistry.initFromJson: true
cas.serviceRegistry.json.location: file:/etc/cas/services

logging.config: file:/etc/cas/config/log4j2.xml

etc/cas/services/HTTPSandIMAPSwildcard-1503925297.json

{
  /*
   * Wildcard service definition that applies to any https or imaps url.
   * Do not use this definition in a production environment.
   */
  "@class" :            "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" :          "^(https|imaps)://.*",
  "name" :              "HTTPS and IMAPS wildcard",
  "id" :                1503925297,
  "evaluationOrder" :   99999
}


apache site virtualhost configuration
<VirtualHost *:443>
        ServerName cas.domain.com
        ServerAdmin admin@domain.com

        <Directory "/var/www/html">
                <IfModule mod_auth_cas.c>
                        AuthType CAS
                </IfModule>
                Require valid-user
        </Directory>

        <IfModule mod_auth_cas.c>
                CASLoginUrl           https://cas.domain.com:8443/cas/login
                CASValidateUrl        https://cas.domain.com:8443/cas/serviceValidate
                CASCookiePath         /var/cache/apache2/mod_auth_cas/
                CASSSOEnabled         On
                CASDebug              Off
        </IfModule>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLCertificateFile /etc/pki/tls/certs/cas.crt
        SSLCertificateKeyFile /etc/pki/tls/private/cas.key
</VirtualHost>


How to solve this problem? I hope anyone can provide a detailed solution about this. Thank you.

David Curry

Sep 23, 2018, 11:21:09 AM
to cas-...@apereo.org
That's usually a certificate problem. Are you using a self-signed certificate on the CAS server? If so, you need to have

CASCertificatePath    /etc/pki/tls/certs/casserver.crt

in the mod_auth_cas configuration.

--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728
david...@newschool.edu

The New School



--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b7cf7903-1f56-40e0-b177-d2bd67ee1eb8%40apereo.org.

Fahmi L. Ramdhani

Sep 23, 2018, 12:27:59 PM
to CAS Community
Thank you for the reply. There seems to be no effect after I tried it. I created a certificate from openssl, then had it signed by Let's Encrypt. I took several steps to convert the certificate to *.jks (keystore.jks).

I tried the above solution by adding CASCertificatePath to the /etc/apache2/mods-enabled/auth_cas.conf configuration; the result remains the same (Unauthorized).

Are there suggestions for my configuration? Or does CAS not support the Let's Encrypt certificate?

Fahmi L. Ramdhani

Sep 23, 2018, 12:33:08 PM
to CAS Community
I forgot to mention: I am logged in using the static CAS user, that is user: casuser and password: Mellon. Is there a problem with that?

David Curry

Sep 23, 2018, 12:41:21 PM
to cas-...@apereo.org
Using casuser/Mellon shouldn't make any difference.

Try turning mod_auth_cas debug logging on (CASDebug on) and see what it tells you. Note that you also need to set the Apache logging level on the virtual host to Debug to see the logs.


Fahmi L. Ramdhani

Sep 24, 2018, 1:18:16 AM
to CAS Community
/var/log/apache2/error.log
[Sun Sep 23 06:10:45.146542 2018] [core:notice] [pid 6176:tid 140196864534400] AH00094: Command line: '/usr/sbin/apache2'
[Sun Sep 23 06:16:11.910655 2018] [core:warn] [pid 6176:tid 140196864534400] AH00045: child process 6265 still did not exit, sending a SIGTERM
[Sun Sep 23 06:16:13.912849 2018] [core:warn] [pid 6176:tid 140196864534400] AH00045: child process 6265 still did not exit, sending a SIGTERM
[Sun Sep 23 06:16:15.915015 2018] [core:warn] [pid 6176:tid 140196864534400] AH00045: child process 6265 still did not exit, sending a SIGTERM
[Sun Sep 23 06:16:17.917170 2018] [core:error] [pid 6176:tid 140196864534400] AH00046: child process 6265 still did not exit, sending a SIGKILL
[Sun Sep 23 06:16:18.918335 2018] [mpm_event:notice] [pid 6176:tid 140196864534400] AH00491: caught SIGTERM, shutting down
[Sun Sep 23 06:16:19.713323 2018] [mpm_prefork:notice] [pid 7819] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Sun Sep 23 06:16:19.713431 2018] [core:notice] [pid 7819] AH00094: Command line: '/usr/sbin/apache2'
[Sun Sep 23 06:16:21.171327 2018] [mpm_prefork:notice] [pid 7819] AH00169: caught SIGTERM, shutting down
[Sun Sep 23 06:16:21.399655 2018] [mpm_prefork:notice] [pid 7931] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Sun Sep 23 06:16:21.400954 2018] [core:notice] [pid 7931] AH00094: Command line: '/usr/sbin/apache2'
[Sun Sep 23 06:17:55.903140 2018] [mpm_prefork:notice] [pid 7931] AH00169: caught SIGTERM, shutting down
[Sun Sep 23 06:17:57.068161 2018] [mpm_prefork:notice] [pid 9994] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Sun Sep 23 06:17:57.068249 2018] [core:notice] [pid 9994] AH00094: Command line: '/usr/sbin/apache2'
[Sun Sep 23 06:19:07.095798 2018] [mpm_prefork:notice] [pid 9994] AH00169: caught SIGTERM, shutting down
[Sun Sep 23 06:19:08.233925 2018] [mpm_prefork:notice] [pid 10058] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Sun Sep 23 06:19:08.233996 2018] [core:notice] [pid 10058] AH00094: Command line: '/usr/sbin/apache2'
[Sun Sep 23 06:38:04.951561 2018] [mpm_prefork:notice] [pid 10058] AH00169: caught SIGTERM, shutting down
[Sun Sep 23 06:38:05.901907 2018] [mpm_prefork:notice] [pid 10929] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Sun Sep 23 06:38:05.901987 2018] [core:notice] [pid 10929] AH00094: Command line: '/usr/sbin/apache2'
[Sun Sep 23 06:39:44.189688 2018] [mpm_prefork:notice] [pid 10929] AH00169: caught SIGTERM, shutting down
[Sun Sep 23 06:39:45.322707 2018] [mpm_prefork:notice] [pid 11082] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Sun Sep 23 06:39:45.322779 2018] [core:notice] [pid 11082] AH00094: Command line: '/usr/sbin/apache2'
[Sun Sep 23 16:12:04.527041 2018] [mpm_prefork:notice] [pid 11082] AH00169: caught SIGTERM, shutting down
[Sun Sep 23 16:12:05.522623 2018] [mpm_prefork:notice] [pid 14519] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Sun Sep 23 16:12:05.522717 2018] [core:notice] [pid 14519] AH00094: Command line: '/usr/sbin/apache2'
[Sun Sep 23 16:16:25.455612 2018] [mpm_prefork:notice] [pid 14519] AH00171: Graceful restart requested, doing restart
[Sun Sep 23 16:16:25.561815 2018] [mpm_prefork:notice] [pid 14519] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Sun Sep 23 16:16:25.561830 2018] [core:notice] [pid 14519] AH00094: Command line: '/usr/sbin/apache2'
[Sun Sep 23 16:16:28.182116 2018] [mpm_prefork:notice] [pid 14519] AH00169: caught SIGTERM, shutting down
[Sun Sep 23 16:16:29.316901 2018] [mpm_prefork:notice] [pid 14633] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Sun Sep 23 16:16:29.316968 2018] [core:notice] [pid 14633] AH00094: Command line: '/usr/sbin/apache2'
[Sun Sep 23 16:25:26.228347 2018] [mpm_prefork:notice] [pid 14633] AH00169: caught SIGTERM, shutting down
[Sun Sep 23 16:25:27.365960 2018] [mpm_prefork:notice] [pid 14718] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Sun Sep 23 16:25:27.366032 2018] [core:notice] [pid 14718] AH00094: Command line: '/usr/sbin/apache2'
[Sun Sep 23 16:25:42.492144 2018] [mpm_prefork:notice] [pid 14718] AH00169: caught SIGTERM, shutting down
[Sun Sep 23 16:25:54.046819 2018] [mpm_prefork:notice] [pid 1528] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Sun Sep 23 16:25:54.047599 2018] [core:notice] [pid 1528] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 24 05:11:24.773490 2018] [mpm_prefork:notice] [pid 1528] AH00169: caught SIGTERM, shutting down
[Mon Sep 24 05:11:25.973885 2018] [mpm_prefork:notice] [pid 5786] AH00163: Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g configured -- resuming normal operations
[Mon Sep 24 05:11:25.973959 2018] [core:notice] [pid 5786] AH00094: Command line: '/usr/sbin/apache2'


/var/log/cas/cas-2018-09-24-03-1.log
I don't understand why there is a log for /wp-content/uploads/alternative.jpg, even though the content of the website is only index.php.
=============================================================
2018-09-24 04:59:11,987 WARN [org.apereo.cas.services.resource.BaseResourceBasedRegisteredServiceWatcher] - <Found a service definition [^(https|imaps)://.*] with a duplicate id [1503925297]. This will overwrite previous service definitions and is likely a configuration problem. Make sure all services have a unique id and try again.>
2018-09-24 04:59:21,020 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO
: audit:unknown
WHAT
: [event=success,timestamp=Mon Sep 24 04:59:21 UTC 2018,source=RankedAuthenticationProviderWebflowEventResolver]
ACTION
: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION
: CAS
WHEN
: Mon Sep 24 04:59:21 UTC 2018
CLIENT IP ADDRESS
: 36.72.136.149
SERVER IP ADDRESS
: 159.65.11.13
=============================================================


>
2018-09-24 04:59:28,338 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO
: casuser
WHAT
: Supplied credentials: [UsernamePasswordCredential(username=casuser)]
ACTION
: AUTHENTICATION_SUCCESS
APPLICATION
: CAS
WHEN
: Mon Sep 24 04:59:28 UTC 2018
CLIENT IP ADDRESS
: 36.72.136.149
SERVER IP ADDRESS
: 159.65.11.13
=============================================================


>
2018-09-24 04:59:28,339 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO
: casuser
WHAT
: [result=Service Access Granted,service=https://cas.domain.com/cas/index.php,principal=SimplePrincipal(id=casuser, attributes={}),requiredAttributes={}]
ACTION
: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION
: CAS
WHEN
: Mon Sep 24 04:59:28 UTC 2018
CLIENT IP ADDRESS
: 36.72.136.149
SERVER IP ADDRESS
: 159.65.11.13
=============================================================


>
2018-09-24 04:59:28,350 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO
: casuser
WHAT
: [result=Service Access Granted,service=https://cas.domain.com/cas/index.php,principal=SimplePrincipal(id=casuser, attributes={}),requiredAttributes={}]
ACTION
: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION
: CAS
WHEN
: Mon Sep 24 04:59:28 UTC 2018
CLIENT IP ADDRESS
: 36.72.136.149
SERVER IP ADDRESS
: 159.65.11.13
=============================================================


>
2018-09-24 04:59:28,368 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO
: casuser
WHAT
: TGT-2-********************************************************0KsYrS4BlOssft-app-sgp-01
ACTION
: TICKET_GRANTING_TICKET_CREATED
APPLICATION
: CAS
WHEN
: Mon Sep 24 04:59:28 UTC 2018
CLIENT IP ADDRESS
: 36.72.136.149
SERVER IP ADDRESS
: 159.65.11.13
=============================================================


>
2018-09-24 04:59:28,381 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO
: casuser
WHAT
: [result=Service Access Granted,service=https://cas.domain.com/cas/index.php,requiredAttributes={}]
ACTION
: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION
: CAS
WHEN
: Mon Sep 24 04:59:28 UTC 2018
CLIENT IP ADDRESS
: 36.72.136.149
SERVER IP ADDRESS
: 159.65.11.13
=============================================================


>
2018-09-24 04:59:28,396 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO
: casuser
WHAT
: ST-6-GAaunRIV7uQsB22F9-jMTKjtNiAsft-app-sgp-01 for https://cas.domain.com/cas/index.php
ACTION
: SERVICE_TICKET_CREATED
APPLICATION
: CAS
WHEN
: Mon Sep 24 04:59:28 UTC 2018
CLIENT IP ADDRESS
: 36.72.136.149
SERVER IP ADDRESS
: 159.65.11.13
=============================================================


>
2018-09-24 04:59:28,757 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO
: audit:unknown
WHAT
: [result=Service Access Granted,service=https://cas.domain.com/favicon.ico,principal=SimplePrincipal(id=casuser, attributes={}),requiredAttributes={}]
ACTION
: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION
: CAS
WHEN
: Mon Sep 24 04:59:28 UTC 2018
CLIENT IP ADDRESS
: 36.72.136.149
SERVER IP ADDRESS
: 159.65.11.13
=============================================================


>
2018-09-24 04:59:28,764 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO
: audit:unknown
WHAT
: [event=success,timestamp=Mon Sep 24 04:59:28 UTC 2018,source=InitialAuthenticationAttemptWebflowEventResolver]
ACTION
: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION
: CAS
WHEN
: Mon Sep 24 04:59:28 UTC 2018
CLIENT IP ADDRESS
: 36.72.136.149
SERVER IP ADDRESS
: 159.65.11.13
=============================================================


>
2018-09-24 04:59:28,772 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO
: audit:unknown
WHAT
: [result=Service Access Granted,service=https://cas.domain.com/favicon.ico,requiredAttributes={}]
ACTION
: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION
: CAS
WHEN
: Mon Sep 24 04:59:28 UTC 2018
CLIENT IP ADDRESS
: 36.72.136.149
SERVER IP ADDRESS
: 159.65.11.13
=============================================================


>
2018-09-24 04:59:28,777 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO
: casuser
WHAT
: ST-7-gAHvuB4D2mVmiYhXDg-WfPbFj74sft-app-sgp-01 for https://cas.domain.com/favicon.ico
ACTION
: SERVICE_TICKET_CREATED
APPLICATION
: CAS
WHEN
: Mon Sep 24 04:59:28 UTC 2018
CLIENT IP ADDRESS
: 36.72.136.149
SERVER IP ADDRESS
: 159.65.11.13
=============================================================


>
2018-09-24 04:59:52,412 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO
: audit:unknown
WHAT
: [result=Service Access Granted,service=https://cas.domain.com/favicon.ico,principal=SimplePrincipal(id=casuser, attributes={}),requiredAttributes={}]
ACTION
: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION
: CAS
WHEN
: Mon Sep 24 04:59:52 UTC 2018
CLIENT IP ADDRESS
: 36.72.136.149
SERVER IP ADDRESS
: 159.65.11.13
=============================================================


>
2018-09-24 04:59:52,417 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO
: audit:unknown
WHAT
: [event=success,timestamp=Mon Sep 24 04:59:52 UTC 2018,source=InitialAuthenticationAttemptWebflowEventResolver]
ACTION
: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION
: CAS
WHEN
: Mon Sep 24 04:59:52 UTC 2018
CLIENT IP ADDRESS
: 36.72.136.149
SERVER IP ADDRESS
: 159.65.11.13
=============================================================


>
2018-09-24 04:59:52,424 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO
: audit:unknown
WHAT
: [result=Service Access Granted,service=https://cas.domain.com/favicon.ico,requiredAttributes={}]
ACTION
: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION
: CAS
WHEN
: Mon Sep 24 04:59:52 UTC 2018
CLIENT IP ADDRESS
: 36.72.136.149
SERVER IP ADDRESS
: 159.65.11.13
=============================================================


>
2018-09-24 04:59:52,440 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO
: casuser
WHAT
: ST-8-yasysCUTbY2xajh0-wPXyGFPym8sft-app-sgp-01 for https://cas.domain.com/favicon.ico
ACTION
: SERVICE_TICKET_CREATED
APPLICATION
: CAS
WHEN
: Mon Sep 24 04:59:52 UTC 2018
CLIENT IP ADDRESS
: 36.72.136.149
SERVER IP ADDRESS
: 159.65.11.13
=============================================================


>
2018-09-24 04:59:54,796 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO
: audit:unknown
WHAT
: [result=Service Access Granted,service=https://cas.domain.com/cas/index.php,principal=SimplePrincipal(id=casuser, attributes={}),requiredAttributes={}]
ACTION
: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION
: CAS
WHEN
: Mon Sep 24 04:59:54 UTC 2018
CLIENT IP ADDRESS
: 36.72.136.149
SERVER IP ADDRESS
: 159.65.11.13
=============================================================


>
2018-09-24 04:59:54,800 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO
: audit:unknown
WHAT
: [event=success,timestamp=Mon Sep 24 04:59:54 UTC 2018,source=InitialAuthenticationAttemptWebflowEventResolver]
ACTION
: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION
: CAS
WHEN
: Mon Sep 24 04:59:54 UTC 2018
CLIENT IP ADDRESS
: 36.72.136.149
SERVER IP ADDRESS
: 159.65.11.13
=============================================================


>
2018-09-24 04:59:54,814 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO
: audit:unknown
WHAT
: [result=Service Access Granted,service=https://cas.domain.com/cas/index.php,requiredAttributes={}]
ACTION
: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION
: CAS
WHEN
: Mon Sep 24 04:59:54 UTC 2018
CLIENT IP ADDRESS
: 36.72.136.149
SERVER IP ADDRESS
: 159.65.11.13
=============================================================


>
2018-09-24 04:59:54,818 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO
: casuser
WHAT
: ST-9-4pLaJCqU-rtGVI0ddRb2cvDQepwsft-app-sgp-01 for https://cas.domain.com/cas/index.php
ACTION
: SERVICE_TICKET_CREATED
APPLICATION
: CAS
WHEN
: Mon Sep 24 04:59:54 UTC 2018
CLIENT IP ADDRESS
: 36.72.136.149
SERVER IP ADDRESS
: 159.65.11.13
=============================================================


>
2018-09-24 04:59:55,059 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO
: audit:unknown
WHAT
: [result=Service Access Granted,service=https://cas.domain.com/favicon.ico,principal=SimplePrincipal(id=casuser, attributes={}),requiredAttributes={}]
ACTION
: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION
: CAS
WHEN
: Mon Sep 24 04:59:55 UTC 2018
CLIENT IP ADDRESS
: 36.72.136.149
SERVER IP ADDRESS
: 159.65.11.13
=============================================================


>
2018-09-24 04:59:55,064 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO
: audit:unknown
WHAT
: [event=success,timestamp=Mon Sep 24 04:59:55 UTC 2018,source=InitialAuthenticationAttemptWebflowEventResolver]
ACTION
: AUTHENTICATION_EVENT_TRIGGERED
APPLICATION
: CAS
WHEN
: Mon Sep 24 04:59:55 UTC 2018
CLIENT IP ADDRESS
: 36.72.136.149
SERVER IP ADDRESS
: 159.65.11.13
=============================================================


>
2018-09-24 04:59:55,070 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO
: audit:unknown
WHAT
: [result=Service Access Granted,service=https://cas.domain.com/favicon.ico,requiredAttributes={}]
ACTION
: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION
: CAS
WHEN
: Mon Sep 24 04:59:55 UTC 2018
CLIENT IP ADDRESS
: 36.72.136.149
SERVER IP ADDRESS
: 159.65.11.13
=============================================================


>
2018-09-24 04:59:55,075 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO
: casuser
WHAT
: ST-10-u0XMV0sW7ExYPlqln4pNYKxxlIUsft-app-sgp-01 for https://cas.domain.com/favicon.ico
ACTION
: SERVICE_TICKET_CREATED
APPLICATION
: CAS
WHEN
: Mon Sep 24 04:59:55 UTC 2018
CLIENT IP ADDRESS
: 36.72.136.149
SERVER IP ADDRESS
: 159.65.11.13
=============================================================


Please help me on this issue. Thank you.
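
The posted excerpt contains SERVICE_TICKET_CREATED records but no validation records, which is what the CAS side looks like when the client's back-channel call to serviceValidate never completes. The following is an added example, not part of the original thread: it parses audit-trail records in the layout shown above and reports which service tickets were never presented for validation. It assumes CAS logs the back-channel call as SERVICE_TICKET_VALIDATED or SERVICE_TICKET_VALIDATE_FAILED with the ticket ID in WHAT; the sample records, ticket IDs, hosts and addresses are constructed.

```python
import re

FIELD_LABELS = {"WHO", "WHAT", "ACTION", "APPLICATION", "WHEN",
                "CLIENT IP ADDRESS", "SERVER IP ADDRESS"}
TICKET_RE = re.compile(r"\bST-\d+-[A-Za-z0-9-]+")


def make_record(who, what, action):
    """Build one constructed record in the same layout as the posted log."""
    sep = "=" * 61
    return (
        "2018-09-24 04:59:28,396 INFO [org.apereo.inspektr.audit.support."
        "Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN\n"
        f"{sep}\nWHO\n: {who}\nWHAT\n: {what}\nACTION\n: {action}\n"
        "APPLICATION\n: CAS\nWHEN\n: Mon Sep 24 04:59:28 UTC 2018\n"
        "CLIENT IP ADDRESS\n: 192.0.2.10\nSERVER IP ADDRESS\n: 192.0.2.20\n"
        f"{sep}\n\n\n>\n"
    )


# Constructed sample: one ticket validated, one rejected, one never presented.
SAMPLE_LOG = "".join([
    make_record("casuser",
                "Supplied credentials: [UsernamePasswordCredential(username=casuser)]",
                "AUTHENTICATION_SUCCESS"),
    make_record("casuser",
                "ST-1-constructedAAA-host-01 for https://app.example.org/index.php",
                "SERVICE_TICKET_CREATED"),
    make_record("casuser", "ST-1-constructedAAA-host-01",
                "SERVICE_TICKET_VALIDATED"),
    make_record("casuser",
                "ST-2-constructedBBB-host-01 for https://app.example.org/index.php",
                "SERVICE_TICKET_CREATED"),
    make_record("audit:unknown", "ST-2-constructedBBB-host-01",
                "SERVICE_TICKET_VALIDATE_FAILED"),
    make_record("casuser",
                "ST-3-constructedCCC-host-01 for https://app.example.org/favicon.ico",
                "SERVICE_TICKET_CREATED"),
])


def parse_audit_records(text):
    """Turn the label / ': value' line pairs of each record into a dict."""
    records = []
    for chunk in text.split("Audit trail record BEGIN")[1:]:
        record, label = {}, None
        for line in chunk.splitlines():
            line = line.strip()
            if line in FIELD_LABELS:
                label = line
            elif label and line.startswith(": "):
                record[label] = line[2:]
                label = None
        if "ACTION" in record:
            records.append(record)
    return records


def classify_tickets(records):
    """Map each service ticket to what happened after it was issued."""
    status = {}
    for rec in records:
        match = TICKET_RE.search(rec.get("WHAT", ""))
        if not match:
            continue
        ticket, action = match.group(0), rec["ACTION"]
        if action == "SERVICE_TICKET_CREATED":
            status.setdefault(ticket, "never_presented")
        elif action == "SERVICE_TICKET_VALIDATED":
            status[ticket] = "validated"
        elif action == "SERVICE_TICKET_VALIDATE_FAILED":
            status[ticket] = "validate_failed"
    return status


def never_presented(records):
    """Tickets CAS issued but never saw again: the back-channel call is failing."""
    return sorted(t for t, s in classify_tickets(records).items()
                  if s == "never_presented")


if __name__ == "__main__":
    for ticket, state in classify_tickets(parse_audit_records(SAMPLE_LOG)).items():
        print(f"{state:16} {ticket}")
```

A ticket reported as never_presented means the client never reached CAS with it, so the place to look is the client's connection to the validate URL (reachability, certificate trust) rather than the CAS login itself.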

Ramakrishna G

Sep 24, 2018, 1:40:24 AM
to CAS Community
Fahmi,

In your HTTPSandIMAPSwildcard-1503925297.json you have specified https and are trying to validate http: "http://cas.domain.com/wp-content/uploads/alternative.jpg"

You can ignore js, css and images service validation by doing this in your ssl.conf

<Location ~ "^/sso(/images/.*|/js/.*|/css/.*|/files/.*|/fonts/.*|/html/.*|/webjars/.*)*$">
        Require all granted
        ProxyPass http://localhost/sso/$1/
        ProxyPassReverse http://localhost/sso/$1/
</Location>

Thanks
Ramakrishna G

Fahmi L. Ramdhani

Sep 24, 2018, 9:11:39 AM
to CAS Community
I don't know why wp-content is loaded, even though the web content is only index.php. There is no link that points to the wp-content.

The following are the Apache web settings:
<VirtualHost *:443>
        ServerName cas.domain.com
        ServerAdmin ad...@domain.com

        <Directory "/var/www/html">
                <IfModule mod_auth_cas.c>
                        AuthType CAS
                </IfModule>
                # Options Indexes FollowSymLinks
                # AllowOverride All
                # Require all granted
                Require valid-user
        </Directory>

        <IfModule mod_auth_cas.c>
                CASLoginUrl           https://cas.domain.com:8443/cas/login
                CASValidateUrl        https://cas.domain.com:8443/cas/serviceValidate
                CASCookiePath         /var/cache/apache2/mod_auth_cas/
                CASCertificatePath    /etc/pki/tls/certs/cas.crt
                CASSSOEnabled         On
                CASDebug              On
        </IfModule>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLCertificateFile /etc/pki/tls/certs/cas.crt
        SSLCertificateKeyFile /etc/pki/tls/private/cas.key
</VirtualHost>

The main problem in this topic is the Unauthorized error after logging in with the static user: casuser, Mellon. Can anyone help with the Unauthorized problem?

Ramakrishna G

Sep 24, 2018, 10:15:31 AM
to cas-...@apereo.org
https://cas.domain.com:8443/cas/serviceValidate

Can you curl the above url and see what response you are getting?

Check if the above url is accessible first?

Along with apache logs can you also post cas server logs



Fahmi L. Ramdhani

Sep 24, 2018, 5:59:40 PM
to CAS Community
It's disguised. Please try the actual url.


Please help me if anyone can provide a solution.

Fahmi L. Ramdhani

Sep 25, 2018, 7:27:16 AM
to CAS Community
Hi all, It is resolved.

casuser# mkdir /opt/tomcat/keystore
casuser# openssl pkcs12 -export -in /etc/letsencrypt/live/cas.domain.com/fullchain.pem -inkey /etc/letsencrypt/live/cas.domain.com/privkey.pem -out /opt/tomcat/keystore/cas.domain.com.p12 -password pass:changeit
casuser# keytool -importkeystore -srckeystore /opt/tomcat/keystore/cas.domain.com.p12 -srcstoretype pkcs12 -srcstorepass changeit -destkeystore /opt/tomcat/keystore/cas.domain.com.keystore -deststoretype jks -deststorepass changeit


In /opt/tomcat/conf/server.xml use this:
<Connector
        protocol="org.apache.coyote.http11.Http11NioProtocol"
        port="8443" maxThreads="150"
        scheme="https" secure="true" SSLEnabled="true"
        keystoreFile="/opt/tomcat/keystore/cas.domain.com.keystore" keystorePass="changeit"
        clientAuth="false" sslProtocol="TLS" />

Thank you all.

arti wavale

Dec 5, 2019, 5:04:58 AM
to CAS Community, fahmilesti...@gmail.com
Hello,

I am also facing the same error:

"Unauthorized

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required"

So can you tell me how to create a certificate for the CAS server and the mod_auth_cas client step by step? I don't understand how to configure the TLS/SSL settings on the CAS server side and the mod_auth_cas client side. Right now I am working on Ubuntu 16.04. Please guide me, and please find the attachment, which includes detailed information regarding the CAS server and CAS client.


Thanks and Regards


CAS.pdf

arti wavale

Dec 5, 2019, 7:39:25 AM
to CAS Community, fahmilesti...@gmail.com
It is resolved.

Thank you


