Application Not Authorized to Use CAS (SERVICE_TICKET_NOT_CREATED)


Gunny Kc

Sep 24, 2017, 1:52:40 AM
to CAS Developer

Please help in this regard, I have been struggling for more than a week now to solve this one, however, no success. I have tried all possible changes from my side.


Logs which I get in catalina.out:


2017-09-19 09:45:20,094 WARN [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceManagement: Unauthorized Service Access. Service [http://hidden1:9001/ssomanager/c/SSB] not found in Service Registry.>
2017-09-19 09:45:20,094 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: CASAdmin
WHAT: http://hidden:9001/ssomanager/c/SSB
ACTION: SERVICE_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Tue Sep 19 09:45:20 AST 2017
CLIENT IP ADDRESS: <abc>
SERVER IP ADDRESS: <pqr>
=============================================================


On the front end I get the below error:


Application Not Authorized to Use CAS
The application you attempted to authenticate to is not authorized to use CAS.


cas.properties file:


server.prefix=https://hidden1:8443/cas

cas.securityContext.serviceProperties.service=${server.prefix}/services/j_acegi_cas_security_check
# Names of roles allowed to access the CAS service manager
cas.securityContext.serviceProperties.adminRoles=ROLE_ADMIN
cas.securityContext.casProcessingFilterEntryPoint.loginUrl=${server.prefix}/login
cas.securityContext.ticketValidator.casServerUrlPrefix=${server.prefix}


cas.themeResolver.defaultThemeName=cas-theme-default
cas.viewResolver.basename=default_views

host.name=hidden1

#database.hibernate.dialect=org.hibernate.dialect.OracleDialect
#database.hibernate.dialect=org.hibernate.dialect.MySQLDialect
database.hibernate.dialect=org.hibernate.dialect.HSQLDialect


deployerConfigContext.xml has these entries to open the application, still, it's not going through:


<bean class="org.jasig.cas.services.RegisteredServiceImpl">
    <property name="id" value="2" />
    <property name="name" value="SSO Manager" />
    <property name="description" value="CAS Client for SSB/INB" />
    <property name="serviceId" value="http://hidden:9001/ssomanager/c/**" />
    <property name="allowedAttributes">
        <list>
            <value>uid</value>
            <value>UDC_IDENTIFIER</value>
        </list>
    </property>
    <property name="evaluationOrder" value="10000002" />
</bean>

<bean class="org.jasig.cas.services.RegisteredServiceImpl">
    <property name="id" value="1" />
    <property name="name" value="CAS Managed Services" />
    <property name="description" value="CAS Managed Services Endpoint" />
    <property name="serviceId" value="https://hidden1:8443/cas/services/**" />
    <property name="allowedAttributes">
        <list>
            <value>uid</value>
            <value>UDC_IDENTIFIER</value>
        </list>
    </property>
    <property name="evaluationOrder" value="10000001" />
</bean>


Folder Structure:


[tomcat@bancas cas-server-3.4.12.1]$ ls
assembly.xml                       cas-server-integration-memcached  cas-server-support-legacy   cas-server-support-x509  modules
cas-server-core                    cas-server-integration-restlet    cas-server-support-openid   cas-server-uber-webapp   notice.txt
cas-server-documentation           cas-server-support-generic        cas-server-support-radius   cas-server-webapp        pom.xml
cas-server-integration-berkeleydb  cas-server-support-jdbc           cas-server-support-spnego   INSTALL.txt              tasks.xml
cas-server-integration-jboss       cas-server-support-ldap           cas-server-support-trusted  license.txt
[tomcat@bancas cas-server-3.4.12.1]$
[tomcat@bancas cas-server-3.4.12.1]$ cd cas-server-webapp/
[tomcat@bancas cas-server-webapp]$

[tomcat@bancas cas-server-webapp]$ ls
old_targets  pom.xml  pom.xml_orig  src  target
[tomcat@bancas cas-server-webapp]$


pom.xml:


<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <parent>
        <groupId>org.jasig.cas</groupId>
        <artifactId>cas-server</artifactId>
        <version>3.4.12.1</version>
    </parent>
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.jasig.cas</groupId>
    <artifactId>cas-server-webapp</artifactId>
    <packaging>war</packaging>
    <name>JA-SIG CAS Web Application</name>
    <dependencies>
        <!-- LDAP SUPPORT -->
        <dependency>
            <groupId>org.jasig.cas</groupId>
            <artifactId>cas-server-support-ldap</artifactId>
            <version>${project.version}</version>
            <type>jar</type>
        </dependency>
        <!-- Apache Commons DBCP for Java 6 (use version 1.3 for Java 5 or lower)-->
        <dependency>
            <groupId>commons-dbcp</groupId>
            <artifactId>commons-dbcp</artifactId>
            <version>1.4</version>
            <scope>runtime</scope>
        </dependency>
        <!-- Hibernate Core and Entity Manager -->
        <dependency>
            <groupId>org.hibernate</groupId>
            <artifactId>hibernate-core</artifactId>
            <version>${hibernate.core.version}</version>
            <scope>compile</scope>
        </dependency>
        <dependency>
            <groupId>org.hibernate</groupId>
            <artifactId>hibernate-entitymanager</artifactId>
            <version>${hibernate.core.version}</version>
            <scope>runtime</scope>
        </dependency>
        <!-- Oracle JDBC Driver -->
        <dependency>
            <groupId>com.oracle</groupId>
            <artifactId>ojdbc6</artifactId>
            <version>11.2.0</version>
        </dependency>
        <dependency>
            <groupId>org.mockito</groupId>
            <artifactId>mockito-all</artifactId>
            <version>${mockito.version}</version>
            <scope>test</scope>
            <type>jar</type>
        </dependency>
        <dependency>
            <groupId>com.github.inspektr</groupId>
            <artifactId>inspektr-support-spring</artifactId>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-cas-client</artifactId>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-aop</artifactId>
        </dependency>
        <dependency>
            <groupId>org.jasig.cas</groupId>
            <artifactId>cas-server-core</artifactId>
            <version>${project.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-context-support</artifactId>
            <scope>compile</scope>
        </dependency>
        <dependency>
            <groupId>org.opensymphony.quartz</groupId>
            <artifactId>quartz</artifactId>
            <version>1.6.1</version>
            <type>jar</type>
        </dependency>
        <dependency>
            <groupId>javax.servlet</groupId>
            <artifactId>jstl</artifactId>
            <version>1.1.2</version>
            <type>jar</type>
        </dependency>
        <dependency>
            <groupId>taglibs</groupId>
            <artifactId>standard</artifactId>
            <version>1.1.2</version>
            <type>jar</type>
        </dependency>
        <dependency>
            <groupId>ognl</groupId>
            <artifactId>ognl</artifactId>
            <version>2.7.3</version>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.hibernate</groupId>
            <artifactId>hibernate-validator</artifactId>
            <scope>runtime</scope>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-war-plugin</artifactId>
                <configuration>
                    <warName>cas</warName>
                    <webResources>
                        <resource>
                            <directory>${basedir}/src/main/webapp/WEB-INF</directory>
                            <filtering>true</filtering>
                            <targetPath>WEB-INF</targetPath>
                            <includes>
                                <include>**/web.xml</include>
                            </includes>
                        </resource>
                    </webResources>
                </configuration>
            </plugin>
        </plugins>
    </build>
</project>



I am not able to figure out where the problem is; if I need to provide more information, please let me know.


Thanks in advance.
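For reference, the following is an added example, not code from the thread or from CAS itself, that models how a CAS 3.x service registry answers the question the log above is asking. `RegisteredServiceImpl` compares the requesting service URL against `serviceId` with Spring's Ant-style matcher, and `RegexRegisteredService` (the type the thread later switches to) requires the whole URL to match a regular expression; the lowest `evaluationOrder` that matches wins, and no match at all is what produces `Unauthorized Service Access ... not found in Service Registry` and the `SERVICE_TICKET_NOT_CREATED` audit record. Note that the WARN line reports the service as `http://hidden1:9001/...` while the registered pattern is `http://hidden:9001/...`; if that is a real hostname difference rather than uneven redaction, it alone is enough for the miss, and the model reproduces it. The Ant-to-regex conversion is a simplification of `AntPathMatcher` (sufficient for URL patterns of this shape), the registry entries reuse the thread's own URLs, and the `attacker.example.org` canary and the `OPEN_REGISTRY` entry are assumptions of mine for illustration.

```python
"""Model of a CAS 3.x service registry lookup (added example, not CAS code).

Two matcher kinds are modelled: an Ant-style pattern (RegisteredServiceImpl,
simplified from Spring's AntPathMatcher) and a regular expression
(RegexRegisteredService, which requires the whole URL to match)."""
import re


def ant_to_regex(pattern):
    """Simplified Ant-style glob: '**' spans '/' boundaries, '*' and '?' do not.
    Spring's AntPathMatcher has more edge cases (e.g. '/**' matching zero
    segments); this is enough for the URL patterns used in CAS 3 registries."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        ch = pattern[i]
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(ch))
        i += 1
    return "".join(out)


class RegisteredService:
    def __init__(self, id_, name, service_id, kind="ant", evaluation_order=0, enabled=True):
        self.id, self.name, self.service_id = id_, name, service_id
        self.evaluation_order, self.enabled = evaluation_order, enabled
        self._pattern = re.compile(ant_to_regex(service_id) if kind == "ant" else service_id)

    def matches(self, url):
        # Full match, as RegexRegisteredService does; a prefix match would let
        # "https://host.example.com.evil.org/..." ride on a registered host.
        return self.enabled and self._pattern.fullmatch(url) is not None


def find_service(registry, url):
    """Lowest evaluationOrder wins, as in CAS.  None means CAS logs
    'Unauthorized Service Access ... not found in Service Registry' and
    audits SERVICE_TICKET_NOT_CREATED."""
    for svc in sorted(registry, key=lambda s: s.evaluation_order):
        if svc.matches(url):
            return svc
    return None


# Assumed canary: a URL nobody registered.  If it still matches, the registry is open.
CANARY = "https://attacker.example.org/anything"


def registry_is_open(registry):
    """True when an unregistered service would still be issued tickets."""
    return find_service(registry, CANARY) is not None


# Entries from the thread; 'hidden' / 'hidden1' are the poster's redactions.
REGISTRY = [
    RegisteredService(1, "CAS Managed Services", "https://hidden1:8443/cas/services/**", "ant", 10000001),
    RegisteredService(2, "SSO Manager", "http://hidden:9001/ssomanager/c/**", "ant", 10000002),
]

# The regex form the thread later moves to (note the unescaped '.' before 'com',
# a harmless over-match here, but worth escaping in a real registry).
REGEX_REGISTRY = [
    RegisteredService(2, "SSO Manager", r"https?://dev\-banbeis\.example.com(:\d+)?/ssomanager/c/.*", "regex", 10000002),
]

# Assumed for illustration: what "running CAS open" amounts to.
OPEN_REGISTRY = [RegisteredService(0, "everything", r"https?://.*", "regex", 0)]


if __name__ == "__main__":
    for url in ("http://hidden:9001/ssomanager/c/SSB", "http://hidden1:9001/ssomanager/c/SSB"):
        svc = find_service(REGISTRY, url)
        print(url, "->", svc.name if svc else "SERVICE_TICKET_NOT_CREATED")
    print("open registry?", registry_is_open(REGISTRY), registry_is_open(OPEN_REGISTRY))
```

The canary check is the practical guard against the failure mode a reply in this thread warns about: a pattern that also matches a URL nobody registered means any site can obtain a service ticket for a user's SSO session, so it belongs in whatever test you run after editing the registry.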


Waldbieser, Carl

Sep 25, 2017, 9:22:31 AM
to Gunny Kc, CAS Developer

It sounds like the log is telling you that the service ("http://hidden1:9001/ssomanager/c/SSB") is not allowed in your service registry/whitelist. I assume you are not running CAS open, as that is, in general, not a great idea.

It also looks like you are running CAS server v3.x. You may have constraints that force you to do this, but if you have any choice in the matter, I'd suggest you upgrade to v5.1.x. Version v3.x has passed the EOL date [1].

Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College

[1] https://apereo.github.io/cas/developer/Maintenance-Policy.html


Gunny Kc

Sep 25, 2017, 10:20:15 AM
to Waldbieser, Carl, CAS Developer
Does Ellucian Banner BEIS Support CAS 5.1? And is it as straightforward as Ver 3- because there is a document provided by Ellucian - however, I did not find any doc for Version 5. Please suggest.

Gunny Kc

Sep 27, 2017, 9:32:32 AM
to Waldbieser, Carl, CAS Developer
Hello Team

I got this issue with my CAS BEIS setup; I was on Java 7 and got to know there are issues with ciphers and all, so I downgraded to Java 6, but the error is still there:

Any hint - how can I get rid of this? Do I need to have a wallet on BEIS Server (containing CAS Certificates) to communicate? Please let me know. 

Error 500--Internal Server Error

java.lang.RuntimeException: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
at org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:203)
at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:178)
at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132)
at com.ellucian.sso.client.web.filter.SSOValidationFilter.doFilter(Unknown Source)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:102)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at com.ellucian.sso.client.web.filter.QueryParamStorageFilter.doFilter(Unknown Source)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused by: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1447)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1415)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1581)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1011)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:845)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:721)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:647)
at weblogic.security.SSL.jsseadapter.JaSSLEngine$5.run(JaSSLEngine.java:134)
at weblogic.security.SSL.jsseadapter.JaSSLEngine.doAction(JaSSLEngine.java:732)
at weblogic.security.SSL.jsseadapter.JaSSLEngine.unwrap(JaSSLEngine.java:132)
at weblogic.socket.JSSEFilterImpl.unwrap(JSSEFilterImpl.java:505)
at weblogic.socket.JSSEFilterImpl.unwrapAndHandleResults(JSSEFilterImpl.java:448)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:80)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:64)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:59)
at weblogic.socket.JSSEFilterImpl.write(JSSEFilterImpl.java:390)
at weblogic.socket.JSSESocket$JSSEOutputStream.write(JSSESocket.java:78)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:186)
at weblogic.net.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:280)

On Mon, Sep 25, 2017 at 9:18 PM, Waldbieser, Carl <wald...@lafayette.edu> wrote:

I almost forgot about fiddling with "deployerConfig.xml"!

In newer CAS versions, you pretty much don't mess around with Java beans and XML files anymore.
There are different "service registry" components you can swap in for CAS.  The JSON service registry is a pretty popular flat file approach, but there are a lot of different types:

  https://apereo.github.io/cas/5.1.x/installation/Service-Management.html

By default, CAS 5.1.x also uses regular expression syntax instead of Apache ant globbing (**).

Your service definition looks good to me (it matches the "WHAT" in the error).  But Apache Ant style globbing was always a source of headaches for me.

Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College

----- Original Message -----
From: "Gunny Kc" <gun...@gmail.com>
To: "waldbiec" <wald...@lafayette.edu>
Cc: "CAS Developer" <cas...@apereo.org>
Sent: Monday, September 25, 2017 1:32:18 PM
Subject: Re: [cas-dev] Application Not Authorized to Use CAS (SERVICE_TICKET_NOT_CREATED)

I have configured my 2 URLs in deployerConfigContext.xml:
CAS URL is SSL protected with original certificates.


I did not understand this part - what CAS service registry are you using?  -
What do you mean by this?

This is my first CAS Setup - so not having the full knowledge about it.

Please suggest.



On Mon, Sep 25, 2017 at 6:57 PM, Waldbieser, Carl <wald...@lafayette.edu>
wrote:

>
> With CAS 5, the JSON service registry splits each service definition into
> its own file.  Here is an example definition for BEIS:
>
>     {
>       "@class" : "org.apereo.cas.services.RegexRegisteredService",
>       "serviceId" : "https://banner-server.example.org/.*",
>       "id" : 1100,
>       "evaluationOrder" : 1100,
>       "name" : "Banner Self-service",
>       "description" : "Some description",
>       "logo" : "https://path/to/your/logo.jpg",
>       "attributeReleasePolicy" : {
>         "@class" : "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>         "allowedAttributes" : [ "java.util.ArrayList", [ "UDC_IDENTIFIER" ] ]
>       },
>       "properties" : {
>         "@class" : "java.util.HashMap",
>         "InformationURL" : {
>           "@class" : "org.apereo.cas.services.DefaultRegisteredServiceProperty",
>           "values" : [ "java.util.HashSet", [ "https://path/to/online/docs.html" ] ]
>         }
>       }
>     }
>
> For your more immediate problem, what CAS service registry are you using?
> And how do you have it configured to allow your (test?) instance of Banner?

>
> Thanks,
> Carl Waldbieser
> ITS Identity Management
> Lafayette College
>
>
> ----- Original Message -----
> From: "Gunny Kc" <gun...@gmail.com>
> To: "waldbiec" <wald...@lafayette.edu>
> Cc: "CAS Developer" <cas...@apereo.org>
> Sent: Monday, September 25, 2017 11:44:49 AM
> Subject: Re: [cas-dev] Application Not Authorized to Use CAS
> (SERVICE_TICKET_NOT_CREATED)
>
> Thank you, Carl.
>
> I am still not convinced why CAS version 3 is not allowing the
> registered services; I have been struggling with this for more than 10 days
> now. I have started on version 4 and it is also giving me an error while
> generating the war file.
>
> I will see what are the challenges for me with version 5. I need to give
> justification too to go for 5.
>
> Are there the same files we need to edit for version 5 too? Is it possible
> for you to share those files after removing your custom links?
>
> Sorry If I have been asking more.
>
>
>
> On Mon, Sep 25, 2017 at 5:33 PM, Waldbieser, Carl <wald...@lafayette.edu>
> wrote:
>
> >
> > We used to use CAS 3.x as recent as a year ago.  We used it with Banner
> > (ala BEIS).
> > We've since upgraded to CAS server v5.1.x and have had no issues with it.
> > The new server still supports the old /samlValidate endpoint, which I
> > believe BEIS uses to get the UDC_IDENTIFIER.
> >
> > Some configuration for the CAS server itself has changed, but it is
> > generally for the better and a lot easier to manage.
> >
> > One thing worth pointing out is that during testing, if you are not using
> > TLS for your Banner test instance, CAS v5.1.x doesn't want to release
> > attributes to an HTTP-only service (it will still validate the ST and
> > return the cas-user).  I'd suggest using self-signed certs for testing.

> >
> > Thanks,
> > Carl Waldbieser
> > ITS Identity Management
> > Lafayette College
> >

Waldbieser, Carl

Sep 27, 2017, 9:55:59 AM
to Gunny Kc, CAS Developer

The CAS *client* your BEIS service uses needs to trust the CA that signed the CAS certificate.
So you do need a wallet to use as a trust store, but I'm not sure where that is configured.
Also, I seem to recall that the default Java 6 client didn't like wildcard certificates, but I don't really recall the specific symptoms or remedies for that.

Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College


Gunny Kc

Sep 27, 2017, 10:21:25 AM
to Waldbieser, Carl, CAS Developer
CAS Client in the Sense - SSO Manager here?

Waldbieser, Carl

Sep 27, 2017, 10:34:11 AM
to Gunny Kc, CAS Developer
Yes. SSO manager has a Java HTTP client it uses to validate the service ticket with CAS. That Java HTTP client is the "CAS client".

Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College

Gunny Kc

Sep 29, 2017, 3:23:33 AM
to Matt Borja, Waldbieser, Carl, CAS Developer
I tried to start tomcat in SSL Debug Mode and found below in the logs:


http-bio-8443-exec-3, WRITE: TLSv1.2 Application Data, length = 576
http-bio-8443-exec-4, setSoTimeout(60000) called
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-bio-8443-Acceptor-0, setSoTimeout(60000) called
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
http-bio-8443-exec-5, handling exception: javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
http-bio-8443-exec-5, SEND TLSv1 ALERT:  fatal, description = handshake_failure
http-bio-8443-exec-5, WRITE: TLSv1 Alert, length = 2
http-bio-8443-exec-5, called closeSocket()
http-bio-8443-exec-5, IOException in getSession():  javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
http-bio-8443-exec-5, called close()
http-bio-8443-exec-5, called closeInternal(true)


Any suggestion in this regard. Please suggest.

On Fri, Sep 29, 2017 at 9:31 AM, Gunny Kc <gun...@gmail.com> wrote:
Hi Team,

I am stuck here now. I have imported the CAS certs into all possible paths on the BEIS server (cacerts, demostore, demotrust), but I am still stuck. It's failing at step 6 as per the processing steps below:

(inline image of the processing steps not reproduced)

How can I troubleshoot this one? Any suggestion, please.



On Wed, Sep 27, 2017 at 10:43 AM, Gunny Kc <gun...@gmail.com> wrote:
Okay. Thank You.

On Wed, Sep 27, 2017 at 10:37 AM, Matt Borja <matt....@gmail.com> wrote:
I believe you'll see errors along the lines of "PKIX path not found" if it's related to the server name or FQDN, as this indicates Java is able to connect but cannot find a trusted certificate path/root (i.e. a missing cert in the local JRE cacerts, a server name mismatch, etc.).

The SSLPoke class (https://gist.github.com/4ndrej/4547029) is also useful for further debugging SSL connections outside of the application itself.

On Wed, Sep 27, 2017 at 12:33 AM, Gunny Kc <gun...@gmail.com> wrote:
Thanks Matt for your prompt reply. Let me try to fix this handshake problem. I will update you

1 Question: Is there anything to do with FQDN for handshake? 

On Wed, Sep 27, 2017 at 10:23 AM, Matt Borja <matt....@gmail.com> wrote:
Yes, it looks like that did it and you are getting a service ticket issued now. Congrats :)

The handshake failure is likely due to ciphers and your version of Java. The way we deploy ours is behind a load balancer/reverse proxy that defines a cipher suite BEIS will work with (i.e. cas.example.com:443 is actually the load balancer with a working cipher suite that is also forwarding traffic to origin services on port 8443, etc.).

Without this sort of configuration, you'll have to determine what cipher suite/order BEIS will negotiate with and define that in your Connectors in your Tomcat instance for the CAS application.

I'm actually out of the office this week, but I have emails that cover this specific error and I'm fairly certain it has to do with ciphers. I'll have to dig through those to confirm, however.



On Wed, Sep 27, 2017 at 12:12 AM, Gunny Kc <gun...@gmail.com> wrote:
I changed it like below as you said:

<bean class="org.jasig.cas.services.RegexRegisteredService">
    <property name="id" value="2" />
    <property name="name" value="SSO Manager" />
    <property name="description" value="CAS Client for SSB/INB" />
    <property name="serviceId" value="https?://dev\-banbeis\.example.com(:\d+)?/ssomanager/c/.*" />
    <property name="allowedAttributes">
        <list>
            <value>uid</value>
            <!--value>UDC_IDENTIFIER</value-->
        </list>
    </property>
    <property name="evaluationOrder" value="10000002" />
</bean>



On this page I am getting below error:


Error 500--Internal Server Error

java.lang.RuntimeException: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
at org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:203)
at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:178)
at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132)
at com.ellucian.sso.client.web.filter.SSOValidationFilter.doFilter(Unknown Source)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:102)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at com.ellucian.sso.client.web.filter.QueryParamStorageFilter.doFilter(Unknown Source)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused by: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1639)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1607)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1776)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1068)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:890)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:764)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:664)
at weblogic.security.SSL.jsseadapter.JaSSLEngine$5.run(JaSSLEngine.java:134)
at weblogic.security.SSL.jsseadapter.JaSSLEngine.doAction(JaSSLEngine.java:732)
at weblogic.security.SSL.jsseadapter.JaSSLEngine.unwrap(JaSSLEngine.java:132)
at weblogic.socket.JSSEFilterImpl.unwrap(JSSEFilterImpl.java:505)
at weblogic.socket.JSSEFilterImpl.unwrapAndHandleResults(JSSEFilterImpl.java:448)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:80)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:64)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:59)
at weblogic.socket.JSSEFilterImpl.write(JSSEFilterImpl.java:390)
at weblogic.socket.JSSESocket$JSSEOutputStream.write(JSSESocket.java:78)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at java.io.FilterOutputStream.flush(FilterOutputStream.java:140)
at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:186)
at weblogic.net.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:280)
at org.jasig.cas.client.validation.Saml11TicketValidator.retrieveResponseFromServer(Saml11TicketValidator.java:186)
... 21 more

On Wed, Sep 27, 2017 at 8:22 AM, Matt Borja <matt....@gmail.com> wrote:
You may need to escape a couple other regex characters (i.e. hyphen and literal periods).

So:

https?://dev\-banbeis\.example\.com(:\d+)?/ssomanager/c/.*

What does your login URL look like when you're at the CAS login page with the service URL in your address bar?

On Tue, Sep 26, 2017 at 10:14 PM, Gunny Kc <gun...@gmail.com> wrote:
Hi Matt,

Sorry for replying late. I changed it as you recommended (generated a new cas.war file, deployed it under Tomcat and started Tomcat):

<bean class="org.jasig.cas.services.RegexRegisteredService">
    <property name="id" value="2" />
    <property name="name" value="SSO Manager" />
    <property name="description" value="CAS Client for SSB/INB" />
    <property name="serviceId" value="https?://dev-banbeis.example.com(:\d+)?/ssomanager/c/.*" />
    <property name="allowedAttributes">
        <list>
            <value>uid</value>
            <!--value>UDC_IDENTIFIER</value-->
        </list>
    </property>
    <property name="evaluationOrder" value="10000002" />
</bean>


But still same issue. Is there any chance that it's still picking up from cache? Do I need to clean something before trying the above one? Please suggest.

Thanks!

On Tue, Sep 26, 2017 at 9:16 AM, Matt Borja <matt....@gmail.com> wrote:
Try changing out the bean:

<bean class="org.jasig.cas.services.RegisteredServiceImpl">

to:

<bean class="org.jasig.cas.services.RegexRegisteredService">

and use that pattern I gave you. This may be why your efforts to match have been unsuccessful to date.

Also, as mentioned by another user, you ought to seriously consider at least CAS 5.1.1-SNAPSHOT. We have BEIS (Banner 8) deployed at work and assuming a proper service configuration (regex serviceId), it works just fine. More importantly, you're not throwing away hours invested into a version of CAS that is now end-of-life.



On Mon, Sep 25, 2017 at 10:39 PM, Gunny Kc <gun...@gmail.com> wrote:
I am using cas-server-3.4.12.1, and the reason I chose this old version is that there is only one document available from Ellucian for this version; otherwise I could have tested with the latest version. Now I am stuck at this and not proceeding further.

I would be happy to share with you any configuration file you want - I am really desperate to get this thing configured.

Thank you.


On Tue, Sep 26, 2017 at 8:33 AM, Matt <matt...@gmail.com> wrote:
BEIS should support CAS 5.1.x and uses /samlValidate (YaleCAS used /serviceValidate).

Given a login URL of:


You would get the following if that service URL was not whitelisted:

WARN [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceManagement: Unauthorized Service Access. Service [http://hidden1:9001/ssomanager/c/SSB] not found in Service Registry.>

I guess it might be good to go back to a working configuration you had before and then start with a permissive pattern (i.e. only matching https://) and slowly build it back up to a more proper whitelist pattern for BEIS.

What version of CAS are you running that you're trying to do this with?

On Mon, Sep 25, 2017 at 8:26 PM, Matt <matt...@gmail.com> wrote:
Will try to reply later tonight. We deployed CAS 5.1.1-SNAPSHOT with BEIS.

Michael Herring

unread,
Sep 29, 2017, 7:27:59 AM9/29/17
to Gunny Kc, Matt Borja, Waldbieser, Carl, CAS Developer
Add "SSLv2Hello" to your protocol list in tomcat:

<Connector
sslProtocol="TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello"
...
/>

-Michael 
Michael Herring
Information Technology Services
Web Developer
Denison University
740-587-6360
herr...@denison.edu

Gunny Kc

unread,
Sep 29, 2017, 9:16:59 AM9/29/17
to Michael Herring, Matt Borja, Waldbieser, Carl, CAS Developer
Thanks, Michael. Looks like the exception is gone. I also found this solution in Okta; however, I was changing the sslProtocol parameter to sslEnabledProtocols instead of adding it on the next line.

Gunny Kc

unread,
Sep 30, 2017, 11:02:03 AM9/30/17
to Michael Herring, Matt Borja, Waldbieser, Carl, CAS Developer
Hello Team

The next errors I got in the logs are below; there is no load balancer in between for the CAS server:


SSO Manager Logs:

GET /ssomanager/c/SSB?ticket=ST-3-DdGRhD36kxCiVXfCnsHT-bancas.example.com HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=tSdYZPlTcD3yT09c6p20JrZ5JQBykz2nNGqwtM4xjvSp0j9VZQQZ!-444403804
Connection: keep-alive
Upgrade-Insecure-Requests: 1

]] Root cause of ServletException.
org.jasig.cas.client.validation.TicketValidationException: org.opensaml.SAMLException: ticket 'ST-3-DdGRhD36kxCiVXfCnsHT-bancas.example.com' not recognized
        at org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:94)
        at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:188)
        at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132)
        at com.ellucian.sso.client.web.filter.SSOValidationFilter.doFilter(Unknown Source)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:102)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at com.ellucian.sso.client.web.filter.QueryParamStorageFilter.doFilter(Unknown Source)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
        at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
        at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
        at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)


Tomcat Error Logs:

2017-09-30 17:12:14,412 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-3-DdGRhD36kxCiVXfCnsHT-bancas.example.com] for service [http://dev-banbeis.example.com:9001/ssomanager/c/SSB] for user [casadmin]>
2017-09-30 17:12:14,412 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: casadmin
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Sat Sep 30 17:12:14 AST 2017
CLIENT IP ADDRESS: 10.31.60.17
SERVER IP ADDRESS: 172.17.31.17
=============================================================

>
2017-09-30 17:12:25,442 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceTicket [ST-3-DdGRhD36kxCiVXfCnsHT-bancas.example.com] has expired.>
2017-09-30 17:12:25,443 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
WHEN: Sat Sep 30 17:12:25 AST 2017
CLIENT IP ADDRESS: 10.31.60.17
SERVER IP ADDRESS: 172.17.31.17
=============================================================

Any suggestion, please.

Thanks!

Gunny Kc

unread,
Sep 30, 2017, 11:45:15 AM9/30/17
to Michael Herring, Matt Borja, Waldbieser, Carl, CAS Developer
Hello Team

Is there anything that can help me get the values coming back from LDAP after user authentication? It looks like UDCID is configured in LDAP; however, I am not sure whether it's coming back for verification.

How can I be sure about it?  Please suggest.

Thanks!


Gunny Kc

unread,
Oct 2, 2017, 4:42:26 AM10/2/17
to Michael Herring, Matt Borja, Waldbieser, Carl, CAS Developer
I am getting this error in the browser after ticket validation - com.ellucian.sso.exception.ApplicationException: UDC Id not available

I have below configuration in deployerConfigContext.xml file:


<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="contextSource" ref="contextSource" />
    <property name="baseDN" value="ou=root,dc=example,dc=local" />
    <property name="requireAllQueryAttributes" value="true" />
    <!-- Attribute mapping between principal (key) and LDAP (value) names used to perform the
         LDAP search. By default, multiple search criteria are ANDed together. Set the queryType
         property to change to OR. -->
    <property name="queryAttributeMapping">
        <map>
            <entry key="username" value="sAMAccountName" />
        </map>
    </property>
    <property name="resultAttributeMapping">
        <map>
            <!-- Mapping between LDAP entry attributes (key) and Principal's (value) -->
            <entry key="cn" value="uid" />
            <entry key="uid" value="uid" />
        </map>
    </property>
</bean>


And we have UDCID saved under attribute name uid in LDAP - does this configuration look okay?


Gunny Kc

unread,
Oct 2, 2017, 12:42:00 PM10/2/17
to Michael Herring, Waldbieser, Carl, Matt Borja, CAS Developer
Any recommendations in this regard?

Waldbieser, Carl

unread,
Oct 2, 2017, 12:49:14 PM10/2/17
to Gunny Kc, Michael Herring, Matt Borja, CAS Developer

It appears that a service ticket is issued for service "http://dev-banbeis.example.com:9001/ssomanager/c/SSB", but the ticket was never validated because it expired.
What is the timeout for your service tickets?

Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College

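Carl's reading of the log can be confirmed mechanically. The following is an added example, not from the thread: it pairs the "Granted service ticket" line with the "has expired" line for the same ticket ID in the Tomcat log Gunny posted and reports how long the ticket sat unvalidated against a configurable lifetime. The 10-second default is what CAS 3.x's serviceTicketExpirationPolicy shipped with, stated here as an assumption; check the bean in your deployment's ticketExpirationPolicies.xml.

```python
"""Correlate CAS service-ticket grant and validation events by ticket ID.

Added example, not from the thread. Input is the two CAS log lines quoted above;
the 10-second lifetime is the assumed CAS 3.x default for service tickets.
"""
import re
from datetime import datetime

# The two relevant lines from the Tomcat log posted in the thread.
SAMPLE_LOG = """\
2017-09-30 17:12:14,412 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-3-DdGRhD36kxCiVXfCnsHT-bancas.example.com] for service [http://dev-banbeis.example.com:9001/ssomanager/c/SSB] for user [casadmin]>
2017-09-30 17:12:25,442 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceTicket [ST-3-DdGRhD36kxCiVXfCnsHT-bancas.example.com] has expired.>
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})"
GRANTED = re.compile(TS + r".*<Granted service ticket \[(?P<st>ST-[^\]]+)\] for service \[(?P<svc>[^\]]+)\]")
EXPIRED = re.compile(TS + r".*<ServiceTicket \[(?P<st>ST-[^\]]+)\] has expired")


def parse_ts(text: str) -> datetime:
    """CAS log4j timestamps put a comma before the milliseconds."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S,%f")


def correlate(log_text: str, st_ttl_seconds: float = 10.0) -> dict:
    """Return, per ticket, the service it was issued for, what happened to it and how late."""
    grants, outcomes = {}, {}
    for line in log_text.splitlines():
        m = GRANTED.search(line)
        if m:
            grants[m["st"]] = (parse_ts(m["ts"]), m["svc"])
            continue
        m = EXPIRED.search(line)
        if m:
            outcomes[m["st"]] = ("expired", parse_ts(m["ts"]))
    report = {}
    for st, (granted_at, service) in grants.items():
        status, seen_at = outcomes.get(st, ("no validation attempt logged", None))
        elapsed = (seen_at - granted_at).total_seconds() if seen_at else None
        report[st] = {
            "service": service,
            "status": status,
            "elapsed_s": elapsed,
            # True when the client presented the ST after CAS would already have discarded it.
            "past_ttl": elapsed is not None and elapsed > st_ttl_seconds,
        }
    return report


if __name__ == "__main__":
    for st, info in correlate(SAMPLE_LOG).items():
        print(st, info)
```

The 11.03 s gap has to cover the browser's redirect to the application and the application's own server-to-server call back to CAS, TLS handshake included, and the ticket is also single-use, so a retried or duplicated validation request fails the same way. If the gap is consistently over budget, raise the lifetime modestly for testing, as Carl suggests, and find what is slow on the client side rather than leaving a long-lived ST in production.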

Gunny Kc

unread,
Oct 2, 2017, 1:10:37 PM10/2/17
to Waldbieser, Carl, Michael Herring, Matt Borja, CAS Developer
How can I check the timeout? Moreover, I am getting the issue below now:

I am getting this error in the browser after ticket validation - com.ellucian.sso.exception.ApplicationException: UDC Id not available

I have below configuration in deployerConfigContext.xml file:


<bean id="attributeRepository"
      class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
    <property name="contextSource" ref="contextSource" />
    <property name="baseDN" value="ou=root,dc=example,dc=local" />
    <property name="requireAllQueryAttributes" value="true" />
    <!-- Attribute mapping between principal (key) and LDAP (value) names used to perform the
         LDAP search. By default, multiple search criteria are ANDed together. Set the queryType
         property to change to OR. -->
    <property name="queryAttributeMapping">
        <map>
            <entry key="username" value="sAMAccountName" />
        </map>
    </property>
    <property name="resultAttributeMapping">
        <map>
            <!-- Mapping between LDAP entry attributes (key) and Principal's (value) -->
            <entry key="cn" value="uid" />
            <entry key="uid" value="uid" />
        </map>
    </property>
</bean>


And we have UDCID saved under attribute name uid in LDAP - does this configuration look okay?

Waldbieser, Carl

unread,
Oct 2, 2017, 1:24:11 PM10/2/17
to Gunny Kc, Michael Herring, Matt Borja, CAS Developer

Under CAS 5, the setting would be in `cas.properties` as `cas.ticket.st.timeToKillInSeconds`. I'm not sure any more where it would be in CAS 3.x.
Also, in CAS 5, your LDAP settings would probably look something like this:

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldap://ldap.example.net:389
cas.authn.ldap[0].useStartTls=true
cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].baseDn=O=lafayette
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].bindDn=ou=root,dc=example,dc=local
cas.authn.ldap[0].bindCredential=YOUR-PASSWORD
cas.authn.ldap[0].principalAttributeId=uid
cas.authn.ldap[0].principalAttributeList=bannerSelfServeId:UDC_IDENTIFIER,uid
cas.authn.ldap[0].poolPassivator=BIND
cas.authn.ldap[0].enhanceWithEntryResolver=true

You'd probably have additional attributes, but I gave an example of the UDC_IDENTIFIER mapping as well as an unmapped identifier.

The fact that the service says "UDC Id" makes sense. The attributes are only released to the application when the ST is successfully validated. If validation fails, you won't get any attributes.

Thanks,
Carl



Gunny Kc

unread,
Oct 2, 2017, 2:02:55 PM10/2/17
to Waldbieser, Carl, Michael Herring, Matt Borja, CAS Developer
Thank you, Carl.

Have you implemented any solution that shows what comes back from LDAP? I know there is something that can show what LDAP is returning; however, I don't know what it is. Do you have any idea about that?

Waldbieser, Carl

unread,
Oct 2, 2017, 2:12:22 PM10/2/17
to Gunny Kc, Michael Herring, Matt Borja, CAS Developer
I have a command line tool I wrote to test what the CAS/SAML response looks like, but it is easy to replicate the steps manually if you have a tool like `curl`.

1) Log into CAS with a test account. Get the TGT from your browser or from logs.
2) Use `curl` to make an HTTP GET request to the CAS service including the target service in the URL and the CAS TGT as a cookie. The response will be an HTTP 301 or 302 redirect which will include the ST in the URL. You need to copy the ST. It helps if you set the ST timeout to a long time for testing (say ~5 minutes).
3) Make a `curl` call to CAS pretending to be the service. Include the ST and service parameter (the same one from step 2) in the URL. The response should be an XML document that contains the attributes released.

If you are familiar with setting up a Python 2.7 virtual environment, I can send you the code for a command line tool that does this for you. If not, others may have shell scripts or something else you can use, or you can try it manually with `curl` or something similar.
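Carl's three steps leave you with two artifacts to read by hand: the 302 Location header carrying the ST (step 2) and the serviceValidate XML listing the released attributes (step 3). The following is an added example, not Carl's command line tool and not CAS project code, that parses both offline and reports which attributes the application expected but did not receive. It assumes the CAS 3.0 serviceValidate response format; the host names, ticket and attribute values in the samples are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed samples (placeholder host, ticket, values): step-2 Location and two step-3 responses.
SAMPLE_LOCATION = "https://app.example.edu/ssomanager/c/SSB?ticket=ST-1-abc123-cas.example.edu"
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:uid>U00012345</cas:uid>
      <cas:sAMAccountName>jdoe</cas:sAMAccountName>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>faculty</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_SERVICE'>ticket does not match service</cas:authenticationFailure>
</cas:serviceResponse>"""


def service_ticket_from_location(location):
    """Step 2: pull the ST (always prefixed "ST-") out of the 302 Location header CAS returns."""
    tickets = parse_qs(urlsplit(location).query).get("ticket", [])
    return tickets[0] if tickets and tickets[0].startswith("ST-") else None


def parse_service_validate(xml_text):
    """Step 3: turn the serviceValidate XML into user plus released attributes, or the failure code."""
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code"), "message": (failure.text or "").strip()}
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("not a CAS serviceResponse")
    attrs, attributes = {}, success.find("cas:attributes", CAS_NS)
    for child in (attributes if attributes is not None else []):
        # Drop the namespace prefix; a multi-valued attribute repeats its element.
        attrs.setdefault(child.tag.rsplit("}", 1)[-1], []).append((child.text or "").strip())
    return {"ok": True, "user": success.findtext("cas:user", namespaces=CAS_NS), "attributes": attrs}


def missing_attributes(parsed, expected):
    """Names the application expects (e.g. UDC_IDENTIFIER) that CAS did not release."""
    released = parsed["attributes"] if parsed["ok"] else {}
    return [name for name in expected if name not in released]
```

This parses the /serviceValidate response; /samlValidate returns a SAML 1.1 envelope instead, so its attribute statement needs a different parser.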

Gunny Kc

unread,
Oct 4, 2017, 7:53:17 AM10/4/17
to Waldbieser, Carl, Michael Herring, Matt Borja, CAS Developer
Hi Carl,

Did you try the SAML DevTools extension for Chrome to check the SAML Response? I tried it but was not able to figure out whether it really works and shows the /samlValidate response.

Every issue with CAS is making me crazy. You hinted a lot; however, I am not able to figure out how to get the /samlValidate response in a simpler way.

Regards,

Waldbieser, Carl

unread,
Oct 4, 2017, 8:48:54 AM10/4/17
to Gunny Kc, Michael Herring, Matt Borja, CAS Developer

What platform are you testing from? Windows/Mac/Linux? If Linux, what distribution?

Gunny Kc

unread,
Oct 4, 2017, 10:08:13 AM10/4/17
to Waldbieser, Carl, Michael Herring, Matt Borja, CAS Developer
Hi Carl

Please help me understand this one:

<property name="resultAttributeMapping">
    <map>
        <!-- Mapping between LDAP entry attributes (key) and Principal's (value) -->
        <entry key="cn" value="uid" />
        <entry key="sAMAccountName" value="sAMAccountName" />
    </map>
</property>


The portion <entry key="cn" value="uid" /> -- what would it do? Will it pick up the value of UDCID from AD and save it in cn? We have a variable uid in AD that holds a UDCID for us.

Or can we have something like this: <entry key="UDC_IDENTIFIER" value="uid" />?

Please suggest.

Waldbieser, Carl

unread,
Oct 4, 2017, 10:42:03 AM10/4/17
to Gunny Kc, Michael Herring, Matt Borja, CAS Developer

The way we have it set up, our directory has a special identifier we added, and we map it to UDC_IDENTIFIER. That is the value we release to BEIS. It is basically some form of the SPRIDEN_ID.
The mapping you have below shows how attributes from LDAP (AD in your case) will be mapped to attributes that are released. I'd read it as "cn" in LDAP will be mapped to "uid" during attribute release. "sAMAccountName" will be released as-is (no name change).