CAS integration with AD domain authentication is very slow!!


何以

Dec 13, 2024, 3:16:26 AM
to CAS Community

I set up a CAS server on a virtual machine with 8 cores and 16 GB of RAM. 

Our company has approximately 8,000 users in the AD domain.  

I deployed CAS 5.3 on Tomcat 9.0 and completed the basic configuration to connect to the AD domain. 

When using the authentication page to log in with users from the AD domain, it succeeds, but it takes 2-3 minutes to log in.

[Screenshot: Snipaste_2024-12-13_15-44-31.png]

I checked the logs and noticed that the two lines in the blue box take 2 minutes.

[Screenshot of the log excerpt: 1734075985139.jpg]

However, if I enter incorrect credentials, the prompt for authentication failure is very quick.

Please help me resolve this issue!
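An added example, not part of this thread: a small Python script that reads a CAS log and reports the largest gaps between consecutive log lines, so the slow step can be attributed to a specific logger rather than read off a screenshot. It assumes the default CAS log4j2 layout `%d %p [%c] - <%m>%n`; the sample lines below are constructed, not real CAS output.

```python
import re
import sys
from datetime import datetime

# Assumed CAS log4j2 pattern "%d %p [%c] - <%m>%n" (the overlay default);
# adjust LINE_RE if your log4j2.xml uses a different layout.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) +(?P<level>\w+) +"
    r"\[(?P<logger>[^\]]+)\] - <(?P<msg>.*)>$"
)

def parse_line(line):
    """Return (timestamp, level, logger, message), or None for a non-matching line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
    return ts, m.group("level"), m.group("logger"), m.group("msg")

def find_gaps(lines, threshold_seconds=5.0):
    """Return [(gap_seconds, previous_event, next_event), ...] for consecutive
    parseable lines more than threshold_seconds apart, largest gap first.
    The logger of previous_event is the component that was active during the gap."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    gaps = []
    for prev, nxt in zip(events, events[1:]):
        delta = (nxt[0] - prev[0]).total_seconds()
        if delta > threshold_seconds:
            gaps.append((delta, prev, nxt))
    gaps.sort(key=lambda g: g[0], reverse=True)
    return gaps

# Constructed sample (illustrative, not real CAS output): a login where about
# two minutes pass after the LDAP bind request is sent.
SAMPLE_LOG = """\
2024-12-13 15:40:00,100 DEBUG [org.apereo.cas.web.flow.InitialFlowSetupAction] - <Starting login flow>
2024-12-13 15:40:00,250 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticating credential>
2024-12-13 15:40:00,400 DEBUG [org.ldaptive.BindOperation] - <Sending bind request>
2024-12-13 15:42:05,900 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication succeeded>
2024-12-13 15:42:06,010 INFO [org.apereo.cas.services.AbstractServicesManager] - <Loaded [2] service(s)>
"""

if __name__ == "__main__":
    # Usage: python find_gaps.py < cas.log  (uses the sample when stdin is a terminal)
    src = SAMPLE_LOG.splitlines() if sys.stdin.isatty() else sys.stdin
    for delta, prev, nxt in find_gaps(src)[:5]:
        print(f"{delta:8.1f}s gap after {prev[0]} [{prev[1]}] {prev[2]}: {prev[3]}")
```

Run it against the log with ldap.log.level raised to debug; the logger named on the line just before the biggest gap is where to look.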

Ray Bon

Dec 13, 2024, 9:55:09 PM
to cas-...@apereo.org
何以,

If you are using cas 5.3, my suggestion is to upgrade. 7.1 is current.

The loading of services happens every minute and has nothing to do with authentication.

Check your AD logs to see if it is responding quickly.

You can also see cas ldap logging by setting this property to debug or trace:
<Property name="ldap.log.level">warn</Property>

Ray

何以

Dec 16, 2024, 7:08:04 AM
to CAS Community, Ray Bon
Ray Bon

Thanks for your help!

1. When using CAS6 or later, I can't find the configuration file location, and the CAS page cannot load normally, so I have to choose CAS5.3 

2. If I use the ldap command to request information in the AD domain, I can get the information back immediately, but I need to wait two to three minutes to log in through the CAS authentication page.

3. I wonder why those two service items are loaded every time I authenticate; can I cache these two services for faster authentication?

Ray Bon

Dec 16, 2024, 2:22:02 PM
to 4672...@qq.com, cas-...@apereo.org
何以,

You can put config in this file that is built into the war, https://github.com/apereo/cas-overlay-template/blob/7.1/src/main/resources/application.yml
Cas will look for other config files in /etc/cas/config
You can add an application.properties file with secrets (or the whole config) in that location. Or you can set your own config location by adding it to tomcat startup:
CATALINA_OPTS="-Dspring.config.additional-location=/path/to/cas/config/application.properties ...

Since cas is a spring application, the config is managed by spring. Review spring docs to see what options are available.
See this for getting started with a cas deployment, https://fawnoos.com/2024/04/26/cas71x-gettingstarted-overlay/

Cas works with an in memory collection of services. It refreshes those services every minute; that is what those log lines are. If that version of cas must read the services at login, then that is another reason to use a current, _supported_, version.

Ray

On Sun, 2024-12-15 at 22:40 -0800, 何以 wrote:

何以

Dec 16, 2024, 11:05:33 PM
to CAS Community, Ray Bon, 4672...@qq.com
Thanks!

Before I build CAS 7.1, I would like to test it with the existing CAS 6.4. 

Now the LDAP configuration in the configuration file is the same, using the same AD domain user: CAS 5.3 needs to wait two to three minutes for the authentication to succeed, while CAS 6.4 immediately prompts an authentication failure.

What is the reason? Do different versions of CAS have different requirements for LDAP configuration in the configuration files?

Ray Bon

Dec 17, 2024, 11:31:51 PM
to 4672...@qq.com, cas-...@apereo.org
What do logs say when you increase ldap log level in cas?

Why go backwards to 5.3 when you can go forward to 7.1?
Even 6.4 is out of support!

It is possible there are config key name changes between versions.

When you work with unsupported versions, you risk security and support problems; the number of people using the old version is small, ergo, less help is available.

Ray