I think we've been through most of these at one time or another, but to assemble them all in one place...
1. You have all of these: # The /status endpoint is protected by IP address only. cas.adminPagesSecurity.ip: ...a valid regex to match your authorized addresses... # The /status/whatever endpoints are protected by the CAS server, using a # list of admin users in "users.properties". cas.adminPagesSecurity.loginUrl: ${cas.server.prefix}/login cas.adminPagesSecurity.service: ${cas.server.prefix}/status/dashboard cas.adminPagesSecurity.users: file:/etc/cas/config/users.properties # Define an administrator role. (This is the default; you probably don't need to set it explicitly.) cas.adminPagesSecurity.adminRoles[0]: ROLE_ADMIN # Enable the Spring Boot actuators as well as the CAS actuators. cas.adminPagesSecurity.actuatorEndpointsEnabled: true cas.monitor.endpoints.enabled: true endpoints.enabled: true # Marking the endpoints "sensitive" would protect them with Spring Security; # we want to protect them with the CAS server. cas.monitor.endpoints.sensitive: false endpoints.sensitive: false 2. You have a service definition that allows the dashboard to authenticate via CAS: { "@class" : "org.apereo.cas.services.RegexRegisteredService", "serviceId" : "^ https://your.cas.server.host.and.port.here/cas/status/dashboard(\\z|/.*)", "name" : "CAS Admin Dashboard", "id" : 123456789, "description" : "CAS dashboard and administrative endpoints", "evaluationOrder" : 1234 } 3. You're sure that the "ccheltenham-ext" user can successfully authenticate via CAS. Go to https:/yourserver/cas/login to check. (Even if you're "sure," check it anyway, just to remove it from the equation.) 4. You're attempting to access the dashboard from an IP address that matches the pattern configured in cas.adminPagesSecurity.ip. All of that together ought to do it. If it doesn't, change the CAS logging level to "debug" and see what you get in cas.log.... --Dave -- DAVID A. CURRY, CISSP *DIRECTOR OF INFORMATION SECURITY* INFORMATION TECHNOLOGY 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003 +1 212 229-5300 x4728 • david.cu...@newschool.edu [image: The New School] On Mon, Feb 26, 2018 at 2:04 PM, Cheltenham, Chris < ccheltenham-...@philasd.org> wrote: > Hello, > > > > I have been stuggling with access denied on the dashboard > > > > - users.properties only has the following. > > > > ccheltenham-ext=passwordnotused,ROLE_ADMIN > > > > What else could I have misconfigured? > > > > > > > > =========================== > > Thank You; > > Chris Cheltenham > Technology Services > The School District of Philadelphia > > Work # 215-400-5025 > Cell # 215-301-6571 > > -- > - Website: https://apereo.github.io/cas > - Gitter Chatroom: https://gitter.im/apereo/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to cas-user+unsubscr...@apereo.org. > To view this discussion on the web visit https://groups.google.com/a/ > apereo.org/d/msgid/cas-user/00a001d3af34%24a1de58a0% > 24e59b09e0%24%40philasd.org > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/00a001d3af34%24a1de58a0%24e59b09e0%24%40philasd.org?utm_medium=email&utm_source=footer> > . > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2Bd9XAPG8nL99g6-zYfwWMCZBXQ2FhK6gR6UWatTYTGBK2fZqg%40mail.gmail.com.