Petr,

Unfortunately, I do not have SPNEGO set up. We only have a single authn flow.
Ray

On Thu, 2023-08-03 at 08:58 -0700, Petr Bodnár wrote:

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

Ray, the problem is I know all of that and have throttling correctly set up and working, except this one scenario. Do you think you could test this yourself? Or maybe you have done so already and failed to reproduce?

I'm setting <Logger name="org.apereo.cas.web.security.CasWebSecurityConfigurerAdapter" level="debug" /> in log4j2.xml to see every request's details in the CAS log.

Note that the protocols you write about are something else; I am discussing the authentication flow itself here. See https://apereo.github.io/cas/6.6.x/authentication/Configuring-Authentication-Throttling.html#failure-throttling, where this is written (and is apparently true; and increasing the rate to a high value would effectively go against the purpose of throttling):

> The failure threshold rate is calculated as: failureThreshold /
> failureRangeInSeconds. For instance, the failure rate for the above scenario
> would be 0.333333. An authentication attempt may be considered throttled if
> the request submission rate (calculated as the difference between the current
> date and the last submission date) exceeds the failure threshold rate.

Petr

On Thursday, 3 August 2023 at 16:49:37 UTC+2 Ray Bon wrote:

Petr,

Check your throttling settings, https://apereo.github.io/cas/6.5.x/authentication/Configuring-Authentication-Throttling.html#configuration

It, cas.authn.throttle.failure.*, is a range per second (even when set to multiple seconds). If set, it should be more than 2 attempts per second. If there is a round trip to the browser, it should be visible in the developer tools.

CAS does perform some internal authentication to handle non-CAS protocols (https://apereo.github.io/cas/6.5.x/protocol/Protocol-Overview.html#the-bridge); the audit log events should state what is happening.
Ray

On Thu, 2023-08-03 at 00:17 -0700, Petr Bodnár wrote:

When turning on SPNEGO (typically for Kerberos SSO), together with CAS mixed authentication turned on (i.e. showing the login form when SPNEGO fails), CAS login failure throttling seems to be broken.

Reproduction (tested with the 6.x CAS series, but probably manifests also in other versions):

1. User enters the CAS login page and SPNEGO fails for whatever reason (e.g. when in a testing environment).
2. User enters invalid credentials and submits the login form for the very first time (in a given period of time).
3. Expected: CAS shows "Invalid name or password" or similar to the user.
4. Actual: CAS shows "You've entered the wrong password for the user too many times. You've been throttled."

I couldn't find this reported anywhere, yet the issue's reason seems to be quite an evident shortcoming in the CAS Login Web Flow definition:

* there is this seemingly unnecessary transition from "failed login form submission" back to the very beginning of the login flow, which immediately launches the SPNEGO decision step, which sends the appropriate status 401 and WWW-Authenticate header (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate) to the browser again
* upon this, the browser reacts according to the specs, i.e. re-posts the login form immediately with a corresponding Authorization header (caution: this second request is not visible in the browser's network console)
* as this happens within a few (tens of) milliseconds, the failure throttling mechanism evaluates this as misbehavior and blocks the user as described above

I wonder if anybody has also experienced this issue. And if so, what was your solution? Altering the web flow, altering the SPNEGO decision action class to remember its last decision, or something else?
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/580b18707721b6c1ca8aa695b228bb40292eecee.camel%40uvic.ca.
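A runnable model of the failure-throttling rule quoted from the CAS docs in the thread above, added here as an illustration; it is not code from CAS or from either poster. The client key, the timestamps and the threshold=1/range-seconds=3 settings are constructed values; the model walks both the plain login-form timeline and the SPNEGO mixed-mode timeline Petr describes, where the browser's silent re-POST lands milliseconds after the first recorded failure.

```python
from dataclasses import dataclass, field

@dataclass
class FailureThrottle:
    """Model of the failure-throttling rule quoted from the CAS docs (not CAS code).
    Assumed settings: threshold=1, range-seconds=3, i.e. the docs' 0.333 example."""
    failure_threshold: int = 1
    failure_range_seconds: int = 3
    # last recorded failed submission, epoch ms, per client key (IP or username)
    last_failure_ms: dict = field(default_factory=dict)

    @property
    def threshold_rate(self) -> float:
        return self.failure_threshold / self.failure_range_seconds  # failures per second

    def is_throttled(self, key: str, now_ms: int) -> bool:
        """Throttled when the submission rate since the last failure exceeds threshold_rate."""
        last = self.last_failure_ms.get(key)
        if last is None:
            return False
        elapsed_ms = now_ms - last
        if elapsed_ms <= 0:  # same millisecond: infinite rate
            return True
        return 1000.0 / elapsed_ms > self.threshold_rate

    def record_failure(self, key: str, now_ms: int) -> None:
        self.last_failure_ms[key] = now_ms

def login_outcomes(throttle, key, post_times_ms):
    """Outcome of each login-form POST from one client, all with bad credentials."""
    outcomes = []
    for t in post_times_ms:
        if throttle.is_throttled(key, t):
            outcomes.append("throttled")            # rejected before authentication runs
        else:
            outcomes.append("invalid credentials")  # authentication ran and failed
            throttle.record_failure(key, t)
    return outcomes

def plain_form_flow():
    # No SPNEGO: one bad POST, then a manual retry 5 s later (constructed timeline)
    return login_outcomes(FailureThrottle(), "203.0.113.7", [0, 5000])

def spnego_mixed_flow():
    # Mixed mode: bad POST at t=0; flow restarts, SPNEGO sends 401, browser re-POSTs 20 ms later
    return login_outcomes(FailureThrottle(), "203.0.113.7", [0, 20])

def failures_per_second_needed(replay_delay_ms):
    """Threshold rate that would let the replay through: 50 failures/s for a 20 ms delay."""
    return 1000.0 / replay_delay_ms
```

The second scenario reproduces the "throttled on the very first attempt" outcome, and the last function shows why loosening the limit enough to absorb the replay would leave the throttle effectively disabled.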