logging authentication failures as successes

22 views
Skip to first unread message

Christine Pasek

unread,
Jun 4, 2019, 1:50:07 PM6/4/19
to CAS Community
Hello,

We just noticed that the log files (cas_audit.log and cas-2019<date>.log) are reporting authentication failures as successes. Below is a sniped from cas-2019-06-04-10-2.log which shows it sees it as a failure on line 18436 but then reports it as a success in both cas_audit.log and cas-2019-06-04-10-2.log (line 18441).

We know that failures were reporting correctly at some point but am unsure what has changed.

Below are also the configs from log4j2.xml.

Any help or insight that you can offer would be greatly apprecited.

Thank you,
Chris Pasek
The College of St. Scholastica
Duluth, MN 


cas-2019-06-04-10-2.log:
18436 2019-06-04 11:20:36,369 ERROR [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [wrossing] of type [UsernamePasswordCredential]. Exami      ne the configuration to ensure a method of authentication is defined and analyze CAS logs at DEBUG level to trace the authentication event.>
18437 2019-06-04 11:20:36,370 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
18438 =============================================================
18439 WHO: wrossing
18440 WHAT: Supplied credentials: [wrossing]
18441 ACTION: AUTHENTICATION_SUCCESS
18442 APPLICATION: CAS
18443 WHEN: Tue Jun 04 11:20:36 CDT 2019
18444 CLIENT IP ADDRESS: 143.110.2.42
18445 SERVER IP ADDRESS: 143.110.1.81
18446 =============================================================
18447 
18448 >18449 2019-06-04 11:20:38,308 INFO [org.apereo.cas.web.flow.authentication.RankedMultifactorAuthenticationProviderSelector] - <here: [cn=casmfabanner,ou=Groups,o=vault, cn=students,ou=Google Groups,ou=Groups,o=vault, cn=studentcommunity,ou=Google Groups,ou=Groups,o=vaul      t]>
18450 2019-06-04 11:20:38,309 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
18451 =============================================================
18452 WHO: audit:unknown18453 WHAT: [event=mfa-gauth,timestamp=Tue Jun 04 11:20:38 CDT 2019,source=RegisteredServicePrincipalAttributeMultifactorAuthenticationPolicyEventResolver]
18454 ACTION: AUTHENTICATION_EVENT_TRIGGERED
18455 APPLICATION: CAS
18456 WHEN: Tue Jun 04 11:20:38 CDT 2019
18457 CLIENT IP ADDRESS: 143.110.42.50
18458 SERVER IP ADDRESS: 143.110.1.81
18459 =============================================================
18460 


log4j2.xml:


        <RollingFile name="file" fileName="/var/log/cas/cas.log" append="true"
                     filePattern="/var/log/cas/cas-%d{yyyy-MM-dd-HH}-%i.log">
            <PatternLayout pattern="%d %p [%c] - &lt;%m&gt;%n"/>
            <Policies>
                <OnStartupTriggeringPolicy />
                <SizeBasedTriggeringPolicy size="10 MB"/>
                <TimeBasedTriggeringPolicy />
            </Policies>
        </RollingFile>
        <RollingFile name="auditlogfile" fileName="/var/log/cas/cas_audit.log" append="true"
                     filePattern="/var/log/cas/cas_audit-%d{yyyy-MM-dd-HH}-%i.log">
            <PatternLayout pattern="%d %p [%c] - %m%n"/>
            <Policies>
                <OnStartupTriggeringPolicy />
                <SizeBasedTriggeringPolicy size="10 MB"/>
                <TimeBasedTriggeringPolicy />
            </Policies>
        </RollingFile>

        <AsyncLogger name="org.apereo.inspektr.audit.support" level="info" includeLocation="true" additivity="false">
            <AppenderRef ref="casAudit"/>
            <AppenderRef ref="casFile"/>
        </AsyncLogger>






Reply all
Reply to author
Forward
0 new messages