CAS Proxy Failure


Fuhs, David

Sep 26, 2016, 5:33:54 PM
to cas-...@apereo.org

Good afternoon all:

We are having difficulty getting CAS to proxy successfully.

Details for the CAS server and the client application:

CAS server:
Red Hat Enterprise Linux Server 6.8 (Santiago)
JRE 1.8.0_25
Tomcat 7.0.56
CAS 3.5.2.1

CAS client application server:
Red Hat Enterprise Linux Server 7.2 (Maipo)
Apache HTTPD 2.4
Application coded in PHP

User clicks to log in to the application, is redirected to the CAS login page, submits user ID + password.
Authentication succeeds.

The CAS audit log shows:
AUTHENTICATION_SUCCESS
TICKET_GRANTING_TICKET_CREATED
SERVICE_TICKET_CREATED

We then get AUTHENTICATION_FAILED on the proxy callbackUrl:
error.authentication.credentials.bad
PROXY_GRANTING_TICKET_NOT_CREATED

The cas.log shows a couple of Java exception traces at the point of failure.

Not certain if the first one is associated with the problem because there is no information in the exception trace that ties it to this particular client, other than the timestamp:

2016-09-26 13:39:36,518 ERROR [org.jasig.cas.util.HttpClient] – connection refused
java.net.ConnectException: Connection refused
        at java.net.PlainSocketImpl.socketConnect(Native Method)

However: an openssl s_client connection from the CAS server to the application server on port 443 succeeds and displays the contents of the certificate.

The second exception trace is associated with the client application:

2016-09-26 13:39:36,519 ERROR [org.jasig.cas.web.ServiceValidateController] – TicketException generating ticket for: [callbackUrl: https:/XXXXX]
org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
        at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket_aroundBody6(CentralAuthenticationServiceImpl.java:325)

From what we can see CAS wants to validate the application and server requesting the proxy ticket before it will proceed. It is not getting the expected response, but we don’t know what is causing the failure.

The SSL certificate on the application server is valid and contains the hostname of that server.

Because both servers are hosted locally the intermediate and CA certificate bundle on both the CAS server and application server are identical, and the CA bundle is available to CAS.

As noted above, we can connect on port 443 from the CAS server to the application server and view its SSL certificate.

What are we missing?

Other than validating the SSL certificate on the application server, exactly what other criteria must be satisfied when CAS validates the proxy callbackUrl?

Thanks in advance for any help.

David
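The post above asks what CAS checks when it calls back the proxy callbackUrl. The check is an HTTPS GET from the CAS server to the callback URL with pgtIou and pgtId appended as query parameters; it needs a TCP connection, a TLS handshake whose server certificate is trusted by the Java runtime (which uses its own cacerts keystore, not the OS CA bundle that openssl s_client reads) and matches the host name, and an HTTP success status in reply. The script below is an added diagnostic written for this thread, not code from CAS or from the poster. It runs those layers one at a time from the CAS server so that a TCP-level "Connection refused", as in the cas.log excerpt, is reported separately from a certificate or HTTP problem. The host name, CA bundle path and PGTIOU/PGT values are constructed placeholders; the CA bundle is a PEM file you supply (for example, the same CAs the JRE trusts, exported to PEM).

```python
#!/usr/bin/env python3
"""Staged probe of a CAS proxy callback URL (pgtUrl / callbackUrl).

When CAS issues a proxy-granting ticket it performs an HTTPS GET to
    <callbackUrl>?pgtIou=<iou>&pgtId=<pgt>
and requires (1) a TCP connection, (2) a TLS handshake whose certificate
chains to a CA the Java runtime trusts and matches the host name, and
(3) an HTTP success status.  Added diagnostic for this thread; not CAS code.
"""
import socket
import ssl
import sys
import urllib.error
import urllib.parse
import urllib.request

# Constructed placeholder values; CAS generates the real identifiers.
SAMPLE_PGT_IOU = "PGTIOU-example"
SAMPLE_PGT_ID = "PGT-example"


def build_callback_url(callback_url: str, pgt_iou: str, pgt_id: str) -> str:
    """Append pgtIou and pgtId as query parameters, keeping any existing query."""
    parts = urllib.parse.urlsplit(callback_url)
    query = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    query += [("pgtIou", pgt_iou), ("pgtId", pgt_id)]
    return urllib.parse.urlunsplit(
        (parts.scheme, parts.netloc, parts.path,
         urllib.parse.urlencode(query), parts.fragment))


def endpoint_of(callback_url: str):
    """Return (host, port) for the callback; CAS only calls back over https."""
    parts = urllib.parse.urlsplit(callback_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("callback URL must be an absolute https:// URL")
    return parts.hostname, parts.port or 443


def check_tcp(host: str, port: int, timeout: float = 5.0) -> str:
    """Layer 1: plain TCP connect. Returns 'ok' or a short failure class."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "ok"
    except socket.gaierror:
        return "dns"        # name does not resolve from this host
    except ConnectionRefusedError:
        return "refused"    # nothing listening on host:port (the ConnectException case)
    except socket.timeout:
        return "timeout"    # filtered or firewalled
    except OSError as exc:
        return "error:%s" % exc.errno


def check_tls(host: str, port: int, cafile=None, timeout: float = 5.0) -> str:
    """Layer 2: TLS handshake with chain and host-name verification.

    cafile is a PEM bundle (None = the OS default).  The JVM verifies against
    its own cacerts keystore, so pass those CAs exported to PEM to reproduce
    what CAS sees rather than what openssl s_client sees.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(x[0] for x in tls.getpeercert()["subject"])
                return "ok:%s" % subject.get("commonName", "?")
    except ssl.SSLCertVerificationError as exc:
        return "untrusted:%s" % exc.verify_message
    except ssl.SSLError as exc:
        return "tls:%s" % exc.reason
    except OSError as exc:
        return "error:%s" % exc


def check_http(url: str, cafile=None, timeout: float = 5.0) -> str:
    """Layer 3: the GET CAS performs; only a 2xx status counts as a valid endpoint."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
            return "http:%d" % resp.getcode()
    except urllib.error.HTTPError as exc:
        return "http:%d" % exc.code
    except urllib.error.URLError as exc:
        return "error:%s" % exc.reason


def probe(callback_url: str, cafile=None) -> dict:
    """Run the layers in order, stopping at the first one that fails."""
    host, port = endpoint_of(callback_url)
    result = {"host": host, "port": port, "tcp": check_tcp(host, port)}
    if result["tcp"] != "ok":
        return result
    result["tls"] = check_tls(host, port, cafile)
    if not result["tls"].startswith("ok"):
        return result
    url = build_callback_url(callback_url, SAMPLE_PGT_IOU, SAMPLE_PGT_ID)
    result["http"] = check_http(url, cafile)
    return result


if __name__ == "__main__":
    # usage: probe_callback.py https://app.example.test/cas/pgtcallback [ca-bundle.pem]
    target = sys.argv[1]
    bundle = sys.argv[2] if len(sys.argv) > 2 else None
    for layer, value in probe(target, bundle).items():
        print("%-5s %s" % (layer, value))
```

Run it on the CAS server with the exact callbackUrl the application registers (including any explicit port), since the probe connects to the host and port parsed from that URL rather than to port 443 by default. A "refused" result at the tcp layer means the failure precedes any certificate check; an "untrusted" result at the tls layer points at the trust store the Java runtime is using; a non-2xx at the http layer means the application's callback handler itself rejected the request. The placeholder pgtIou/pgtId pair is simply discarded by the application's callback handler.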

 

 

 

 

 

 
