Odd mfa-duo behavior


Wickham, Jeremy

Feb 4, 2025, 7:49:02 PM
to cas-...@apereo.org

Here for the past week or so I have had quite a few users receive the MFA Unavailable screen after they Duo authenticate. Duo shows a successful authentication, but when it is returned back to CAS, it appears to throw a DecryptionException. I cannot recreate this behavior myself, but I do have one coworker who can. I have turned on trace on quite a few packages, and I have found the following stack trace. Any idea how I can diagnose this?

 

2025-02-04 15:09:52,977 TRACE [org.apereo.cas.adaptors.duo.web.flow.action.DuoSecurityUniversalPromptValidateLoginAction] - <Received Duo Security state [XXXXXXXXXXXXXXXXXXXXXXXXX]>
2025-02-04 15:09:52,977 WARN [org.apereo.cas.adaptors.duo.web.flow.action.DuoSecurityUniversalPromptValidateLoginAction] - <DecryptionException>
org.apereo.cas.util.crypto.DecryptionException: null
        at org.apereo.cas.util.cipher.BaseBinaryCipherExecutor.decode(BaseBinaryCipherExecutor.java:96) ~[cas-server-core-util-api-7.0.9.jar:7.0.9]
        at org.apereo.cas.util.cipher.BaseBinaryCipherExecutor.decode(BaseBinaryCipherExecutor.java:36) ~[cas-server-core-util-api-7.0.9.jar:7.0.9]
        at org.apereo.cas.util.serialization.SerializationUtils.decodeAndDeserializeObject(SerializationUtils.java:140) ~[cas-server-core-util-api-7.0.9.jar:7.0.9]
        at org.apereo.cas.util.serialization.SerializationUtils.decodeAndDeserializeObject(SerializationUtils.java:156) ~[cas-server-core-util-api-7.0.9.jar:7.0.9]
        at org.apereo.cas.pac4j.BrowserWebStorageSessionStore.buildFromTrackableSession(BrowserWebStorageSessionStore.java:68) ~[cas-server-support-pac4j-api-7.0.9.jar:7.0.9]
        at org.apereo.cas.adaptors.duo.web.flow.action.DuoSecurityUniversalPromptValidateLoginAction.handleDuoSecurityUniversalPromptResponse(DuoSecurityUniversalPromptValidateLoginAction.java:96) ~[cas-server-support-duo-core-7.0.9.jar:7.0.9]

 

Thanks,

 -Jeremy

 

________________________

Jeremy Wickham

Mississippi State University

jeremy....@msstate.edu

Webex Personal Room: https://msstate.webex.com/meet/jrw16

 

Ray Bon

Feb 5, 2025, 7:51:09 PM
to cas-...@apereo.org
Jeremy,

Assuming _no_ changes to cas (config, UI, upgrades, etc), it may be a cookie issue.
Does this happen in a private window?

In browser dev tools, check the value of cookies sent and received from cas.

If you have multiple cas hosts, is this isolated to only one of them?

Ray

On Tue, 2025-02-04 at 23:03 +0000, Wickham, Jeremy wrote:

Dmitriy Kopylenko

Feb 5, 2025, 7:51:15 PM
to cas-...@apereo.org
This browser storage state decryption issue might have been fixed in 7.1.x (no, I don’t have a specific commit info). Just need to try it out. 

Best,
D. 


Wickham, Jeremy

Feb 5, 2025, 7:51:28 PM
to cas-...@apereo.org

I added some more classes into my log4j2.xml file and it is now printing a bit more information than just null:

 

2025-02-05 10:55:56,226 TRACE [org.apereo.cas.adaptors.duo.web.flow.action.DuoSecurityUniversalPromptValidateLoginAction] - <Received Duo Security state [REDACTED]>
2025-02-05 10:55:56,226 WARN [org.apereo.cas.adaptors.duo.web.flow.action.DuoSecurityUniversalPromptValidateLoginAction] - <java.lang.IllegalArgumentException: org.jooq.lambda.UncheckedException: org.jose4j.lang.JoseException: A JWS Compact Serialization must have exactly 3 parts separated by period ('.') characters>
org.apereo.cas.util.crypto.DecryptionException: java.lang.IllegalArgumentException: org.jooq.lambda.UncheckedException: org.jose4j.lang.JoseException: A JWS Compact Serialization must have exactly 3 parts separated by period ('.') characters
        at org.apereo.cas.util.cipher.BaseBinaryCipherExecutor.decode(BaseBinaryCipherExecutor.java:96) ~[cas-server-core-util-api-7.0.9.jar:7.0.9]
        at org.apereo.cas.util.cipher.BaseBinaryCipherExecutor.decode(BaseBinaryCipherExecutor.java:36) ~[cas-server-core-util-api-7.0.9.jar:7.0.9]
        at org.apereo.cas.util.serialization.SerializationUtils.decodeAndDeserializeObject(SerializationUtils.java:140) ~[cas-server-core-util-api-7.0.9.jar:7.0.9]
        at org.apereo.cas.util.serialization.SerializationUtils.decodeAndDeserializeObject(SerializationUtils.java:156) ~[cas-server-core-util-api-7.0.9.jar:7.0.9]
        at org.apereo.cas.pac4j.BrowserWebStorageSessionStore.buildFromTrackableSession(BrowserWebStorageSessionStore.java:68) ~[cas-server-support-pac4j-api-7.0.9.jar:7.0.9]
        at org.apereo.cas.adaptors.duo.web.flow.action.DuoSecurityUniversalPromptValidateLoginAction.handleDuoSecurityUniversalPromptResponse(DuoSecurityUniversalPromptValidateLoginAction.java:96) ~[cas-server-support-duo-core-7.0.9.jar:7.0.9]
        at org.apereo.cas.adaptors.duo.web.flow.action.DuoSecurityUniversalPromptValidateLoginAction.doExecuteInternal(DuoSecurityUniversalPromptValidateLoginAction.java:72) ~[cas-server-support-duo-core-7.0.9.jar:7.0.9]

 

Would appreciate any insight anyone might have.

 

Thanks,

 -Jeremy

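The JoseException in the trace above says the value CAS pulled back from browser storage did not split into the three dot-separated segments of a JWS compact serialization. A quick structural check of that value, taken from the browser dev tools as Ray suggests, tells you whether you are looking at a truncated or empty token rather than a key mismatch. This is an added diagnostic example, not CAS or jose4j code; the three sample tokens are constructed here, and the check does no signature verification.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWS segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# Constructed sample values (not from the thread): one well-formed token and
# two malformed ones of the kind the CAS log complains about.
GOOD_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "HS512", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"state": "constructed-session-state"}).encode()),
    _b64url(b"\x00" * 64),  # placeholder signature bytes, never verified
])
TRUNCATED_TOKEN = GOOD_TOKEN.rsplit(".", 1)[0]  # signature segment cut off
EMPTY_TOKEN = ""


def inspect_jws_compact(value: str) -> dict:
    """Structural check only: does the value look like header.payload.signature?

    Returns the segment count, the decoded protected header when it parses,
    and a human-readable problem string mirroring the jose4j message.
    """
    parts = value.split(".") if value else []
    result = {"parts": len(parts), "well_formed": len(parts) == 3,
              "header": None, "problem": None}
    if len(parts) != 3:
        result["problem"] = ("a JWS Compact Serialization must have exactly 3 "
                             f"parts separated by '.'; got {len(parts)}")
        return result
    try:
        result["header"] = json.loads(_b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError) as exc:
        # binascii.Error is a ValueError, so bad base64url lands here too.
        result["well_formed"] = False
        result["problem"] = f"header segment is not base64url JSON: {exc}"
    return result


if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("truncated", TRUNCATED_TOKEN),
                      ("empty", EMPTY_TOKEN)]:
        print(name, inspect_jws_compact(tok))
```

A 2-part or 0-part result points at the stored value being cut short or missing on the way back from the browser; a 3-part token that still fails in CAS points instead at the keys used to decrypt it.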

Eugene Willis

Feb 5, 2025, 10:35:14 PM
to cas-...@apereo.org
May need to update webflow and tgc keys for version 7 CAS. Comment the old keys out to get the new ones.

On Feb 5, 2025, at 7:51 PM, Wickham, Jeremy <jeremy....@msstate.edu> wrote:



AJ

Feb 5, 2025, 10:35:27 PM
to cas-...@apereo.org, cas-...@apereo.org
We have experienced the same behavior running CAS 7.0.10.

On Feb 5, 2025, at 7:51 PM, Wickham, Jeremy <jeremy....@msstate.edu> wrote:

Wickham, Jeremy

Feb 10, 2025, 11:07:52 AM
to cas-...@apereo.org

I have regenerated the webflow and tgc keys. Users are still reporting the same behavior. I have narrowed it down to “mostly” the Firefox browser.

 

Next step is to try to go to 7.1.x.

 

Thanks for all of the input. If anyone else has other ideas, please let me know.

 

Thanks,

 -Jeremy

Pablo Vidaurri

Feb 13, 2025, 10:29:51 PM
to CAS Community, Eugene Willis
This fixed my problem. I commented out the existing tgc signing and encryption keys, let CAS generate new ones for me via the warning message, then used those in my properties file.

Pablo Vidaurri

Feb 13, 2025, 10:30:08 PM
to CAS Community, Wickham, Jeremy
Also running into the same issue with CAS 7.1.3 after upgrading from CAS 6. I've trimmed down customization (no login webflow, no custom UI, no web filters); I only have a custom authentication.

Interestingly enough, I had been using Firefox; I just tried with Chrome and I get a different error (probably my side, with the stripped-down customization). But at least I am not getting DecryptionException. Will try commenting out my tgc encryption/signing keys and let CAS generate new ones for me.

-psv
