[cas-user] CAS 2 protocol attributes release

2015-09-08 Thread Juan Quintanilla
Hi,

We are trying to implement the CAS 2 protocol attribute release and it seems to 
be working for the most part after adding the necessary changes to 
casServiceValidationSuccess.jsp. The only problem we run into is with attribute 
names that contain spaces.  It seems to cause the CAS ticket validation process 
to fail on the client side.  Since we can't really go back and change the 
attribute names without causing problems with other saml1 clients, we changed 
the code to use fn:replace() instead of fn:escapeXml() for the attribute 
names, and we would advise anyone who wishes to use the CAS 2 protocol of the new 
attribute names.  After making the changes we can see all the attributes and 
don't run into any problems with the client we are testing, phpcas 1.3.2.


Are there any problems that might arise from having used fn:replace to take out 
the spaces contained in the attribute name and not implementing the fn:escapeXml 
function for the attribute name value? Is there a way to use both in the 
casServiceValidationSuccess.jsp page?







${fn:escapeXml(attr.value)}








Thanks!


___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
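
An added example, not code from this thread or from the CAS or phpCAS projects: it models a CAS 2.0 success response in which each attribute name becomes an XML element name, and shows why a name with a space makes the response unparseable, why replacing spaces alone is incomplete, and how a name sanitizer combined with value escaping covers both. The function names and the sample attributes are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"  # namespace of CAS protocol responses


def escape_only(name):
    """Like fn:escapeXml on the name: handles & < > but leaves spaces in place."""
    return escape(name)


def replace_spaces_only(name):
    """Like fn:replace on the name: removes spaces but leaves & < > untouched."""
    return name.replace(" ", "_")


def to_xml_name(name):
    """Map any attribute name to a valid element name (ASCII subset of NCName)."""
    tag = re.sub(r"[^A-Za-z0-9_.-]", "_", name)
    if not re.match(r"[A-Za-z_]", tag):
        tag = "_" + tag  # names may not start with a digit, '.' or '-'
    return tag


def render_success(user, attributes, name_filter):
    """Build the response text: attribute key -> element name, value -> escaped text."""
    parts = [
        f'<cas:serviceResponse xmlns:cas="{CAS_NS}">',
        "<cas:authenticationSuccess>",
        f"<cas:user>{escape(user)}</cas:user>",
        "<cas:attributes>",
    ]
    for key, value in attributes.items():
        tag = name_filter(key)
        parts.append(f"<cas:{tag}>{escape(value)}</cas:{tag}>")
    parts += ["</cas:attributes>", "</cas:authenticationSuccess>",
              "</cas:serviceResponse>"]
    return "\n".join(parts)


def read_attributes(xml_text):
    """Parse like a strict XML client; None means the response is not well-formed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    node = root.find("cas:authenticationSuccess/cas:attributes", {"cas": CAS_NS})
    return {child.tag.split("}", 1)[1]: child.text for child in node}


def find_collisions(names, name_filter):
    """Return {tag: [original names]} for names that end up with the same tag."""
    seen = {}
    for name in names:
        seen.setdefault(name_filter(name), []).append(name)
    return {tag: group for tag, group in seen.items() if len(group) > 1}


# Constructed sample data, not taken from the thread.
SPACED = {"First Name": "Ana", "mail": "ana@example.edu"}
MARKUP = {"R&D Unit": "a < b"}

if __name__ == "__main__":
    for label, attrs in (("spaced", SPACED), ("markup", MARKUP)):
        for f in (escape_only, replace_spaces_only, to_xml_name):
            result = read_attributes(render_success("jdoe", attrs, f))
            print(f"{label:7} {f.__name__:20} -> {result}")
    print(find_collisions(["First Name", "First_Name"], to_xml_name))
```

Any renaming can map two distinct source names to the same element name, so run the collision check over the full list of released attributes before changing the view.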


Re: [cas-user] CAS 2.0 Protocol Attribute Release

2015-09-04 Thread Juan Quintanilla
Correct, I apologize. We added the snippet below to 
casServiceValidationSuccess.jsp so that we can release attributes to CAS 2 
protocol but we run into issues with the phpcas client where it does not like 
the fact that some of the attribute names being sent contain spaces. So I 
wanted to know if there is a way to modify the snippet so that phpcas can 
accept the attribute names with spaces when using CAS 2 protocol.

Thanks!


___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu



From: Misagh Moayyed 
Sent: Friday, September 4, 2015 4:57 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS 2.0 Protocol Attribute Release


The snippet for CAS2 is likely in this file for your CAS server:

https://github.com/Jasig/cas/blob/3.6.x/cas-server-webapp/src/main/webapp/WEB-INF/view/jsp/protocol/2.0/casServiceValidationSuccess.jsp



From: Juan Quintanilla [mailto:jquin...@fiu.edu]
Sent: Friday, September 4, 2015 1:21 PM
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS 2.0 Protocol Attribute Release



Hi,



We are using CAS 3.6.0 and we have no problem releasing attributes using saml1. 
We attempted to use the CAS 2 protocol and it seems to work using the 
configuration specified on the wiki, but the only problem we are running into is 
that when the attribute name has a space, it causes the transaction to fail 
with Authentication failure: Ticket not validated.  We are testing using 
phpcas1.3.2; is there a way to modify the snippet










${fn:escapeXml(attr.value)}









so that CAS_Client::_readExtraAttributesCas20 can accept attribute 
names with spaces. It works fine for attribute names that contain no spaces.



Thanks!

___
Juan Quintanilla

UTS - Enterprise Group

305-348-6573

jquin...@fiu.edu





[cas-user] CAS 2.0 Protocol Attribute Release

2015-09-04 Thread Juan Quintanilla
Hi,


We are using CAS 3.6.0 and we have no problem releasing attributes using saml1. 
We attempted to use the CAS 2 protocol and it seems to work using the 
configuration specified on the wiki, but the only problem we are running into is 
that when the attribute name has a space, it causes the transaction to fail 
with Authentication failure: Ticket not validated.  We are testing using 
phpcas1.3.2; is there a way to modify the snippet






${fn:escapeXml(attr.value)}




so that CAS_Client::_readExtraAttributesCas20 can accept attribute 
names with spaces. It works fine for attribute names that contain no spaces.

Thanks!
___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu



Re: [cas-user] Attribute resolved but not released?

2015-09-04 Thread Juan Quintanilla
Hi,


When using the CAS 2.0 Protocol for attribute release it seems to work we see 
the attributes in the debug log on the client side and the user authenticates 
it just fails with


Authentication failure: Ticket not validated [AuthenticationException.php:80]
D9AA .|||||Reason: bad response from the CAS server 
[AuthenticationException.php:85]
D9AA .|||||CAS response: ^M


Has anyone found a workaround for that, we are using the phpcas client 1.3.2.  
We are running CAS 3.6.0 Server.


Thanks!

___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu



From: James Winter 
Sent: Thursday, September 3, 2015 10:32 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Attribute resolved but not released?

I had the exact same issue with the CAS 2.0 protocol until I added code in the 
protocol success response to pass the attributes in the response. The 3.0 
protocol returned attributes fine.

If you compare the 3.0 and 2.0 success responses it's pretty obvious the 2.0 
protocol isn't returning attributes.

This is my serviceresponse element 
(view/jsp/protocol/2.0/casServiceValidationSuccess.jsp) that works for us:



${fn:escapeXml(assertion.primaryAuthentication.principal.id)}




${fn:escapeXml(attr.value)}




${pgtIou}


 


${fn:escapeXml(proxy.principal.id)}

 





On Thu, Sep 3, 2015 at 9:53 PM Misagh Moayyed 
<mmoay...@unicon.net> wrote:
Is your client pointing to the /p3 endpoint? Are attributes configured for 
release in your registry? You have so far resolved them.

From: Chris Irwin 
[mailto:chris.ir...@sadasystems.com]
Sent: Thursday, September 3, 2015 8:54 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] Attribute resolved but not released?


After some reconfigurations I was able to get the attribute map to populate:



2015-09-03 11:34:19,142 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] 
- Extractor generated service for: 
https://njcu.awardspring.com/SignIn/CASAuth
2015-09-03 11:35:49,483 INFO 
[org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading registered 
services.
2015-09-03 11:35:49,483 DEBUG 
[org.jasig.cas.services.DefaultServicesManagerImpl] - Adding registered service 
^(https?|imaps?)://.*
2015-09-03 11:35:49,483 INFO 
[org.jasig.cas.services.DefaultServicesManagerImpl] - Loaded 1 services.
2015-09-03 11:36:45,709 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] 
- Extractor generated service for: 
https://njcu.awardspring.com/SignIn/CASAuth
2015-09-03 11:36:45,709 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] 
- Extractor generated service for: 
https://njcu.awardspring.com/SignIn/CASAuth
2015-09-03 11:36:56,144 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Attempting LDAP 
authentication for 2233445+password

2015-09-03 11:36:56,175 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response: 
[org.ldaptive.auth.AuthenticationResponse@1429278053::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS,
 
ldapEntry=[dn=CN=2233445,OU=PeopleSoft_UGrads,DC=students,dc=root,dc=njcu[[legacyExchangeDN[/o=First
 Organization/ou=Exchange Administrative Group 
(FYDIBOHF23SPDLT)/cn=Recipients/cn=2233445557]], 
[mail[asa...@njcu.edu]], 
[proxyAddresses[SMTP:asa...@njcu.edu, smtp:asa...@live.njcu.edu, 
smtp:asa...@exchange.nj

Re: [cas-user] CAS 2 protocol ticket validation issue

2015-08-27 Thread Juan Quintanilla
Hi,

I have not tried the CAS 3 protocol.  I will try that out, the reason for 
trying out the CAS 2 protocol it seems more vendors are going towards that 
route.  What version of CAS server were you using at the time?

Thanks!

___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

From: Waldbieser, Carl 
Sent: Thursday, August 27, 2015 8:01 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS 2 protocol ticket validation issue

I seem to recall having trouble with using phpCAS + CAS 2 protocol to get 
attributes.
I just stuck with the SAML1 protocol since it also let me get at the attributes.

Out of curiosity, did you try setting the protocol version to CAS 3 to see if 
that works?  The CAS /serviceValidate payload format for CAS 2 + attributes and 
CAS 3 is basically the same IIRC.

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College

----- Original Message -----
From: "Juan Quintanilla" 
To: "cas-user" 
Sent: Thursday, August 27, 2015 7:36:02 AM
Subject: Re: [cas-user] CAS 2 protocol ticket validation issue

Hi,

So I followed the instructions on the wiki for attribute release on CAS 2 
protocol adding the entries below to the casServiceValidationSuccess.jsp





${fn:escapeXml(attr.value)}




It seems to work for the outside vendor but when I try to use it with phpcas 
1.3.2 I get a 'Ticket not validated' error.  Has anybody encountered this issue 
with CAS 2 protocol. I see the attributes being released in the debug log but 
it fails authentication because it can't finish validating the ticket. Saml1 
works just fine with no problem, I'm trying this on CAS 3.4.7.   I have an 
install of CAS 3.6.0 but I have not tried it on that installation.

Any help is appreciated.

Thanks!

___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu
________
From: Juan Quintanilla 
Sent: Wednesday, August 26, 2015 2:15 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS 2 protocol ticket validation issue

Thanks, we reverted one of the files on the cas server back to the default 
"casServiceValidationSuccess.jsp" it was modified to pass attributes back to 
the client. One of our vendors was requiring cas2 protocol with attributes and 
it seemed to work for them but it does not seem to work with the phpcas client. 
 The changes that I added were:

+
+
+
+
${fn:escapeXml(attr.value)}
+
+
+


When I removed those changes I was able to authenticate again on the phpcas 
client.  In the logs I see that it's passing the attributes but it just fails on 
the ticket validation.  Has anybody had success with passing attributes using 
the CAS 2 protocol?

Thanks!


___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

From: Waldbieser, Carl 
Sent: Wednesday, August 26, 2015 2:09 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS 2 protocol ticket validation issue

I forget whether the PHP CAS client DEBUG mode has a setting where you can see 
the raw response.  That would be the thing to see.
Otherwise, you make a cURL request with a valid TGC cookie to request an ST.  
Once you have it, you can make a second cURL request to validate it and see the 
response.
If your ST lifetimes are fairly quick, you can do this by having the 2nd command 
ready to go in another terminal and quickly pasting in the result.

Alternatively, you can have some kind of script parse the ST from the first 
result and immediately execute the 2nd cURL.

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College

----- Original Message -----
From: "Juan Quintanilla" 
To: "cas-user" 
Sent: Wednesday, August 26, 2015 1:42:10 PM
Subject: [cas-user] CAS 2 protocol ticket validation issue

Hi,


I'm running into an issue with ticket validation when using the cas2.0 protocol. 
 The client is phpcas 1.3.2, when I use the saml1 protocol no problem whatsoever 
but when I switch to the cas 2.0 protocol I encounter the following error:


4D11 .||||=> 
CAS_AuthenticationException::__construct(CAS_Client, 'Ticket not validated', 
'https://hostname/cas/login/serviceValidate?service=http%3A%2F%2Foestest%2Fcastest%2Fsimple_login.php&ticket=ST-23-AfzljX3nI9TSddUCgISF-hostname',
 false, true, '') [Client.php:2783]
4D11 .|||||=> CAS_Client::getURL() 
[AuthenticationException.php:76]
4D11 .|||||<= 
'http://oestest.fiu.edu/castest/simple_login.php'
4D11 .|||  

Re: [cas-user] CAS 2 protocol ticket validation issue

2015-08-27 Thread Juan Quintanilla
Hi,

So I followed the instructions on the wiki for attribute release on CAS 2 
protocol adding the entries below to the casServiceValidationSuccess.jsp 





${fn:escapeXml(attr.value)}




It seems to work for the outside vendor but when I try to use it with phpcas 
1.3.2 I get a 'Ticket not validated' error.  Has anybody encountered this issue 
with CAS 2 protocol. I see the attributes being released in the debug log but 
it fails authentication because it can't finish validating the ticket. Saml1 
works just fine with no problem, I'm trying this on CAS 3.4.7.   I have an 
install of CAS 3.6.0 but I have not tried it on that installation.

Any help is appreciated.

Thanks!

_______
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu
____
From: Juan Quintanilla 
Sent: Wednesday, August 26, 2015 2:15 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS 2 protocol ticket validation issue

Thanks, we reverted one of the files on the cas server back to the default 
"casServiceValidationSuccess.jsp" it was modified to pass attributes back to 
the client. One of our vendors was requiring cas2 protocol with attributes and 
it seemed to work for them but it does not seem to work with the phpcas client. 
 The changes that I added were:

+
+
+
+
${fn:escapeXml(attr.value)}
+
+
+


When I removed those changes I was able to authenticate again on the phpcas 
client.  In the logs I see that it's passing the attributes but it just fails on 
the ticket validation.  Has anybody had success with passing attributes using 
the CAS 2 protocol?

Thanks!


___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

From: Waldbieser, Carl 
Sent: Wednesday, August 26, 2015 2:09 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS 2 protocol ticket validation issue

I forget whether the PHP CAS client DEBUG mode has a setting where you can see 
the raw response.  That would be the thing to see.
Otherwise, you make a cURL request with a valid TGC cookie to request an ST.  
Once you have it, you can make a second cURL request to validate it and see the 
response.
If your ST lifetimes are fairly quick, you can do this by having the 2nd command 
ready to go in another terminal and quickly pasting in the result.

Alternatively, you can have some kind of script parse the ST from the first 
result and immediately execute the 2nd cURL.

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College

----- Original Message -----
From: "Juan Quintanilla" 
To: "cas-user" 
Sent: Wednesday, August 26, 2015 1:42:10 PM
Subject: [cas-user] CAS 2 protocol ticket validation issue

Hi,


I'm running into an issue with ticket validation when using the cas2.0 protocol. 
 The client is phpcas 1.3.2, when I use the saml1 protocol no problem whatsoever 
but when I switch to the cas 2.0 protocol I encounter the following error:


4D11 .||||=> 
CAS_AuthenticationException::__construct(CAS_Client, 'Ticket not validated', 
'https://hostname/cas/login/serviceValidate?service=http%3A%2F%2Foestest%2Fcastest%2Fsimple_login.php&ticket=ST-23-AfzljX3nI9TSddUCgISF-hostname',
 false, true, '') [Client.php:2783]
4D11 .|||||=> CAS_Client::getURL() 
[AuthenticationException.php:76]
4D11 .|||||<= 
'http://oestest.fiu.edu/castest/simple_login.php'
4D11 .|||||CAS URL: 
https://hostname/cas/login/serviceValidate?service=http%3A%2F%2Foestest%2Fcastest%2Fsimple_login.php&ticket=ST-23-AfzljX3nI9TSddUCgISF-hostname
  [AuthenticationException.php:79]
4D11 .|||||Authentication failure: Ticket not validated 
[AuthenticationException.php:80]
4D11 .|||||Reason: bad response from the CAS server 
[AuthenticationException.php:85]


So wondering if anybody has encountered the problem, I'm running cas 3.4.7. 
what logs can I enable on the server side to get more details about why it 
might be failing validation.

Thanks!

___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu


Re: [cas-user] CAS 2 protocol ticket validation issue

2015-08-26 Thread Juan Quintanilla
Thanks, we reverted one of the files on the cas server back to the default 
"casServiceValidationSuccess.jsp" it was modified to pass attributes back to 
the client. One of our vendors was requiring cas2 protocol with attributes and 
it seemed to work for them but it does not seem to work with the phpcas client. 
 The changes that I added were:

+
+
+
+
${fn:escapeXml(attr.value)}
+
+
+


When I removed those changes I was able to authenticate again on the phpcas 
client.  In the logs I see that it's passing the attributes but it just fails on 
the ticket validation.  Has anybody had success with passing attributes using 
the CAS 2 protocol?

Thanks!


___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

From: Waldbieser, Carl 
Sent: Wednesday, August 26, 2015 2:09 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS 2 protocol ticket validation issue

I forget whether the PHP CAS client DEBUG mode has a setting where you can see 
the raw response.  That would be the thing to see.
Otherwise, you make a cURL request with a valid TGC cookie to request an ST.  
Once you have it, you can make a second cURL request to validate it and see the 
response.
If your ST lifetimes are fairly quick, you can do this by having the 2nd command 
ready to go in another terminal and quickly pasting in the result.

Alternatively, you can have some kind of script parse the ST from the first 
result and immediately execute the 2nd cURL.

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College

----- Original Message -----
From: "Juan Quintanilla" 
To: "cas-user" 
Sent: Wednesday, August 26, 2015 1:42:10 PM
Subject: [cas-user] CAS 2 protocol ticket validation issue

Hi,


I'm running into an issue with ticket validation when using the cas2.0 protocol. 
 The client is phpcas 1.3.2, when I use the saml1 protocol no problem whatsoever 
but when I switch to the cas 2.0 protocol I encounter the following error:


4D11 .||||=> 
CAS_AuthenticationException::__construct(CAS_Client, 'Ticket not validated', 
'https://hostname/cas/login/serviceValidate?service=http%3A%2F%2Foestest%2Fcastest%2Fsimple_login.php&ticket=ST-23-AfzljX3nI9TSddUCgISF-hostname',
 false, true, '') [Client.php:2783]
4D11 .|||||=> CAS_Client::getURL() 
[AuthenticationException.php:76]
4D11 .|||||<= 
'http://oestest.fiu.edu/castest/simple_login.php'
4D11 .|||||CAS URL: 
https://hostname/cas/login/serviceValidate?service=http%3A%2F%2Foestest%2Fcastest%2Fsimple_login.php&ticket=ST-23-AfzljX3nI9TSddUCgISF-hostname
  [AuthenticationException.php:79]
4D11 .|||||Authentication failure: Ticket not validated 
[AuthenticationException.php:80]
4D11 .|||||Reason: bad response from the CAS server 
[AuthenticationException.php:85]


So wondering if anybody has encountered the problem, I'm running cas 3.4.7. 
what logs can I enable on the server side to get more details about why it 
might be failing validation.

Thanks!

___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu



[cas-user] CAS 2 protocol ticket validation issue

2015-08-26 Thread Juan Quintanilla
Hi,


I'm running into an issue with ticket validation when using the cas2.0 protocol. 
 The client is phpcas 1.3.2, when I use the saml1 protocol no problem whatsoever 
but when I switch to the cas 2.0 protocol I encounter the following error:


4D11 .||||=> 
CAS_AuthenticationException::__construct(CAS_Client, 'Ticket not validated', 
'https://hostname/cas/login/serviceValidate?service=http%3A%2F%2Foestest%2Fcastest%2Fsimple_login.php&ticket=ST-23-AfzljX3nI9TSddUCgISF-hostname',
 false, true, '') [Client.php:2783]
4D11 .|||||=> CAS_Client::getURL() 
[AuthenticationException.php:76]
4D11 .|||||<= 
'http://oestest.fiu.edu/castest/simple_login.php'
4D11 .|||||CAS URL: 
https://hostname/cas/login/serviceValidate?service=http%3A%2F%2Foestest%2Fcastest%2Fsimple_login.php&ticket=ST-23-AfzljX3nI9TSddUCgISF-hostname
 [AuthenticationException.php:79]
4D11 .|||||Authentication failure: Ticket not validated 
[AuthenticationException.php:80]
4D11 .|||||Reason: bad response from the CAS server 
[AuthenticationException.php:85]


So wondering if anybody has encountered the problem, I'm running cas 3.4.7. 
what logs can I enable on the server side to get more details about why it 
might be failing validation.

Thanks!

___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu



Re: [cas-user] CAS Intermittent login issue

2015-08-12 Thread Juan Quintanilla
Hi,

Want to bring in some more information about what I found regarding the 
intermittent login issue we are seeing on CAS 3.6.0 with ldap backend, and 
Oracle Db for ticketing. We enabled more logging and also removed ldap pooling 
to just remove the possibility that the ldap connections were not the problem.  
So again this happens intermittently user goes to a Site and attempts to login, 
they are presented with the login page again and only by closing the browser 
and clearing the cache are they able to access the page.

After enabling the logging I found that information is being posted back to the 
CAS application and the user is being authenticated but the error I'm seeing is 
the following:

2015-08-11 17:15:48,838 TRACE 
[org.jasig.cas.web.flow.TerminateWebSessionListener] -  
org.jasig.cas.authentication.principal.Response@1b827dd5, 'serviceTicketId' -> 
'ST-9927-7JMySenzWiQQodUjhmok-hostname'], attributes = map[[empty]], 
messageContext = [DefaultMessageContext@1413390f sourceMessages = map[[null] -> 
list[[empty, flowExecution = [Ended execution of 'login']], 
[FlowSessionImpl@7a071214 flow = 'login', state = 'redirectView', scope = 
map['service' -> http://clientsite.fiu.edu/login/cas.php, 'credentials' -> 
[username: null], 'warnCookieValue' -> false, 'ticketGrantingTicketId' -> 
'TGT-6516-qjmXYvQi4XV5ndgE32t3hqQAe9WeKv9qeeOIEbctCaVmargYif-hostname'>
2015-08-11 17:15:48,839 DEBUG 
[org.jasig.cas.web.flow.TerminateWebSessionListener] - 
java.lang.IllegalStateException: No active FlowSession to access; this 
FlowExecution has ended

So the user is then stuck on the login page and unable to go anywhere. Now this 
issue is intermittent I had the user close their browser and they were able to 
login with no problem. If I revert our environment back to 3.4.7 we have no 
problems whatsoever.  So it doesn't seem to be anything relating to tomcat, 
ldap, oracle or even the f5.  I saw an earlier thread regarding the error above 
where they commented out the webflow:flow-execution-listeners from the 
cas-servlet.xml and it helped resolve the issue.

Any thoughts.

thanks!

___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

From: Juan Quintanilla 
Sent: Thursday, July 30, 2015 1:23 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS Intermittent login issue

Thanks, so found out some more information regarding our load balancers. The 
timeout for the current LB  configuration is less than the 5 minute CAS session 
timeout so I thought maybe the previous LB had a longer timeout session and 
that is why we never saw the issue when CAS 3.4.7 was running there but then we 
saw that LB had a smaller session time out.  So that burst my bubble, I thought 
that the LB was expiring the session before CAS reached its session timeout.  
So I would expect to see that more on the old LB since its timeout was 60 
Seconds but we never ran into the issue.



___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

From: Michael O Holstein 
Sent: Thursday, July 30, 2015 12:48 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS Intermittent login issue

This is the relevant bits in log4j.xml that I use when trying to sort through 
stuff .. note that it creates big files in a hurry so change the size on your 
appender rollover to something like 50mb. You can also create a new appender 
name for the extra verbose debug stuff and just change the appender-ref entries 
to whatever you called the extra appender (if you are archiving prod logfiles 
and don't want to archive the debug stuff with username/password).











The value ALL is the lowest possible (below even TRACE .. so literally 
everything) and the additivity means any child of the logger inherits the same 
property .. so the above logs all the springframework as well as all of the cas 
stuff.

Depending on how your SSL is configured as long as you have the private key 
(which you obviously do) you can use Wireshark to decode the SSL traffic and 
see the underlying HTTP .. so you can tcpdump to a file and examine later. Once 
you figure out where it craps out you can start Tomcat with the debugger turned 
on and attach to it so you can set breakpoints in your IDE to examine what data 
is coming/going .. but that is more of a realtime affair once you find and can 
reproduce the problem.

Michael Holstein
Cleveland State University

From: Juan Quintanilla 
Sent: Thursday, July 30, 2015 12:19 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS Intermittent login issue

But I would assume that when the web flow starts over again the jession is lost 
it should le

Re: [cas-user] CAS SSO login issue

2015-08-11 Thread Juan Quintanilla
Hi,

Regarding the single sign on to multiple applications it seems to work fine 
initially but then with time it starts to stop working. For example we have 2 
CAS web servers using the same database for the tickets which are behind an F5 
load balancer. At this moment only 1 is in the loop because we're having issues 
with intermittent login issues but now all of a sudden when a user logs into a 
CAS application and then tries to go to another application they are forced to 
login again.



So we had our networking team route traffic to our second CAS server which did 
not seem to show any problems.  Currently our first server still seems to show 
the problem even though the configuration between both should be the same.  
Should the hostname of the cas server matter when accessing the applications as 
long as both are using the same database for ticketing?  If I try to access the 
web site that is pointing to the CAS Server directly bypassing the load 
balancer address and authenticate then try to go to a site which is still 
pointing to the load balancer address shouldn't single sign should work despite 
the hostname being different?

The only change we did on the server is remove ldap pooling and enable 
debugging on the log4j configuration.



Any help much appreciated.

Thanks!

___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu<mailto:jquin...@fiu.edu>



From: Christopher Myers 
Sent: Monday, August 10, 2015 4:33 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS SSO login issue

Out of curiosity, is the application set to force a new login?

Eg., we have a CRM application that appends "&renew=true" to the end of the 
login URLs, which forces CAS to make the user log in, even if they just logged 
into CAS 10 seconds before.

Chris




>>> Juan Quintanilla  08/10/15 3:29 PM >>>

Hi,



We recently encountered a new issue where a user logs into an application using CAS 
and authenticates, then immediately goes to another site using CAS and they are 
presented with the login page instead of being signed in, so they have to log in 
again. We are running CAS 3.6.0 and Tomcat 8 with ldap backend, it seemed to be 
working before and the only changes that we have made were removing the ldap 
pooling from the deployer config and they modified the load balancer sticky 
sessions to a longer time. We are wondering what might be causing the application 
not to check if there is a Ticket already for the session.

Thanks!


___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu<mailto:jquin...@fiu.edu>



Re: [cas-user] CAS SSO login issue

2015-08-10 Thread Juan Quintanilla
Hi,



Yes it seems that they are set to force a new login, I switched over to our 
second server and it seems to be working.  Now I have to see what might be causing 
the issue with the ticket not being checked on the first server.


___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu<mailto:jquin...@fiu.edu>



From: Christopher Myers 
Sent: Monday, August 10, 2015 4:33 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS SSO login issue

Out of curiosity, is the application set to force a new login?

Eg., we have a CRM application that appends "&renew=true" to the end of the 
login URLs, which forces CAS to make the user log in, even if they just logged 
into CAS 10 seconds before.

Chris




>>> Juan Quintanilla  08/10/15 3:29 PM >>>

Hi,



We recently encountered a new issue where a user logs into an application using CAS 
and authenticates, then immediately goes to another site using CAS and they are 
presented with the login page instead of being signed in, so they have to log in 
again. We are running CAS 3.6.0 and Tomcat 8 with ldap backend, it seemed to be 
working before and the only changes that we have made were removing the ldap 
pooling from the deployer config and they modified the load balancer sticky 
sessions to a longer time. We are wondering what might be causing the application 
not to check if there is a Ticket already for the session.

Thanks!


___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu<mailto:jquin...@fiu.edu>



[cas-user] CAS SSO login issue

2015-08-10 Thread Juan Quintanilla
Hi,



We recently encountered a new issue where a user logs into an application using CAS 
and authenticates, then immediately goes to another site using CAS and they are 
presented with the login page instead of being signed in, so they have to log in 
again. We are running CAS 3.6.0 and Tomcat 8 with ldap backend, it seemed to be 
working before and the only changes that we have made were removing the ldap 
pooling from the deployer config and they modified the load balancer sticky 
sessions to a longer time. We are wondering what might be causing the application 
not to check if there is a Ticket already for the session.

Thanks!


___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu<mailto:jquin...@fiu.edu>



Re: [cas-user] CAS Intermittent login issue

2015-07-30 Thread Juan Quintanilla
Another question, in case the problem was the session expiring or the session 
being lost. When the login page refreshes for the user after they enter the 
credentials in the cas.log or catalina.out file shouldn't I see an error 
message regarding not being able to validate the ticket or even an attempt made 
to the ldap for authentication?  Or even if the session was lost wouldn't the 
login page display an invalid credential if the user entered bad credentials 
instead of not seeing anything.  Since I see a post I would think something 
would be showing up in the logs.

I apologize in advance for all the questions to the list.

Thanks.

___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu
____
From: Juan Quintanilla 
Sent: Thursday, July 30, 2015 1:23 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS Intermittent login issue

Thanks, so found out some more information regarding our load balancers. The 
timeout for the current LB  configuration is less than the 5 minute CAS session 
timeout so I thought maybe the previous LB had a longer timeout session and 
that is why we never saw the issue when CAS 3.4.7 was running there but then we 
saw that LB had a smaller session time out.  So that burst my bubble, I thought 
that the LB was expiring the session before CAS reached its session timeout.  
So I would expect to see that more on the old LB since its timeout was 60 
Seconds but we never ran into the issue.



___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

From: Michael O Holstein 
Sent: Thursday, July 30, 2015 12:48 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS Intermittent login issue

This is the relevant bits in log4j.xml that I use when trying to sort through 
stuff .. note that it creates big files in a hurry so change the size on your 
appender rollover to something like 50mb. You can also create a new appender 
name for the extra verbose debug stuff and just change the appender-ref entries 
to whatever you called the extra appender (if you are archiving prod logfiles 
and don't want to archive the debug stuff with username/password).











The value ALL is the lowest possible (below even TRACE .. so literally 
everything) and the additivity means any child of the logger inherits the same 
property .. so the above logs all the springframework as well as all of the cas 
stuff.

Depending on how your SSL is configured as long as you have the private key 
(which you obviously do) you can use Wireshark to decode the SSL traffic and 
see the underlying HTTP .. so you can tcpdump to a file and examine later. Once 
you figure out where it craps out you can start Tomcat with the debugger turned 
on and attach to it so you can set breakpoints in your IDE to examine what data 
is coming/going .. but that is more of a realtime affair once you find and can 
reproduce the problem.

Michael Holstein
Cleveland State University
____
From: Juan Quintanilla 
Sent: Thursday, July 30, 2015 12:19 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS Intermittent login issue

But I would assume that when the web flow starts over again the jsession is lost 
it should let the user in.  In our case the user will not be able to login 
until they clear their cache and close their browser.  So even though we see a 
post in the access logs it's not a guarantee that any user information actually 
reached the server.  Would decreasing the cas session timeout from the default 
5mins or increasing the timeout help in any way?


So in order to see if the user information is reaching the server during the 
post is it better to enable debugging on:





  


 or





  

Thanks!
___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

From: Andrew Morgan 
Sent: Thursday, July 30, 2015 12:03 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS Intermittent login issue

The behavior you describe is exactly what happens when the JSESSION is
lost and the login ticket cannot be validated.  The web flow starts over
when that happens.

Andy

On Thu, 30 Jul 2015, Juan Quintanilla wrote:

> The other interesting part is the fact that I see a post in the Tomcat access 
> logs but no user information in the cas.log.  Would that be an indication 
> that the user information within the session was not properly received or 
> what logging can I enable to verify that the user info was passed. Usually in 
> the logs I only see the entries after they have authenticated into ldap so it 
> never reaches that part.
>
>
>
> Thanks!
>
>
> ___
> Juan Quintanilla
> UTS - Enterprise Gro

Re: [cas-user] CAS Intermittent login issue

2015-07-30 Thread Juan Quintanilla
Thanks, so found out some more information regarding our load balancers. The 
timeout for the current LB  configuration is less than the 5 minute CAS session 
timeout so I thought maybe the previous LB had a longer timeout session and 
that is why we never saw the issue when CAS 3.4.7 was running there but then we 
saw that LB had a smaller session time out.  So that burst my bubble, I thought 
that the LB was expiring the session before CAS reached its session timeout.  
So I would expect to see that more on the old LB since its timeout was 60 
Seconds but we never ran into the issue.

 

___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

From: Michael O Holstein 
Sent: Thursday, July 30, 2015 12:48 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS Intermittent login issue

This is the relevant bits in log4j.xml that I use when trying to sort through 
stuff .. note that it creates big files in a hurry so change the size on your 
appender rollover to something like 50mb. You can also create a new appender 
name for the extra verbose debug stuff and just change the appender-ref entries 
to whatever you called the extra appender (if you are archiving prod logfiles 
and don't want to archive the debug stuff with username/password).











The value ALL is the lowest possible (below even TRACE .. so literally 
everything) and the additivity means any child of the logger inherits the same 
property .. so the above logs all the springframework as well as all of the cas 
stuff.

Depending on how your SSL is configured as long as you have the private key 
(which you obviously do) you can use Wireshark to decode the SSL traffic and 
see the underlying HTTP .. so you can tcpdump to a file and examine later. Once 
you figure out where it craps out you can start Tomcat with the debugger turned 
on and attach to it so you can set breakpoints in your IDE to examine what data 
is coming/going .. but that is more of a realtime affair once you find and can 
reproduce the problem.

Michael Holstein
Cleveland State University

From: Juan Quintanilla 
Sent: Thursday, July 30, 2015 12:19 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS Intermittent login issue

But I would assume that when the web flow starts over again the jsession is lost 
it should let the user in.  In our case the user will not be able to login 
until they clear their cache and close their browser.  So even though we see a 
post in the access logs it's not a guarantee that any user information actually 
reached the server.  Would decreasing the cas session timeout from the default 
5mins or increasing the timeout help in any way?


So in order to see if the user information is reaching the server during the 
post is it better to enable debugging on:





  


 or





  

Thanks!
___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

From: Andrew Morgan 
Sent: Thursday, July 30, 2015 12:03 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS Intermittent login issue

The behavior you describe is exactly what happens when the JSESSION is
lost and the login ticket cannot be validated.  The web flow starts over
when that happens.

Andy

On Thu, 30 Jul 2015, Juan Quintanilla wrote:

> The other interesting part is the fact that I see a post in the Tomcat access 
> logs but no user information in the cas.log.  Would that be an indication 
> that the user information within the session was not properly received or 
> what logging can I enable to verify that the user info was passed. Usually in 
> the logs I only see the entries after they have authenticated into ldap so it 
> never reaches that part.
>
>
>
> Thanks!
>
>
> ___
> Juan Quintanilla
> UTS - Enterprise Group
> 305-348-6573
> jquin...@fiu.edu<mailto:jquin...@fiu.edu>
>
>
> 
> From: Juan Quintanilla 
> Sent: Thursday, July 30, 2015 11:19 AM
> To: cas-user@lists.jasig.org
> Subject: Re: [cas-user] CAS Intermittent login issue
>
>
>
>
>
>
> Prior to having the environment on the F5 we had the users test against the 
> servers individually and there was no problem but then again the issue does 
> not always happen.  I have tried to reproduce the issue myself but have not 
> been able to.  So we didn't see the problem until we had more users accessing 
> the system once it was on the F5.  Our previous CAS environment 3.4.7 is 
> running on a Cisco Ace if I'm not mistaken and there were no problems there.  
> We have sticky sessions enabled based on the ip address.
>
>
>
>
> ___
> Juan Quintanilla
> jquin...@fi

Re: [cas-user] CAS Intermittent login issue

2015-07-30 Thread Juan Quintanilla
But I would assume that when the web flow starts over again the jsession is lost 
it should let the user in.  In our case the user will not be able to login 
until they clear their cache and close their browser.  So even though we see a 
post in the access logs it's not a guarantee that any user information actually 
reached the server.  Would decreasing the cas session timeout from the default 
5mins or increasing the timeout help in any way?


So in order to see if the user information is reaching the server during the 
post is it better to enable debugging on:





  

 
 or





  

Thanks!
___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

From: Andrew Morgan 
Sent: Thursday, July 30, 2015 12:03 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS Intermittent login issue

The behavior you describe is exactly what happens when the JSESSION is
lost and the login ticket cannot be validated.  The web flow starts over
when that happens.

Andy

On Thu, 30 Jul 2015, Juan Quintanilla wrote:

> The other interesting part is the fact that I see a post in the Tomcat access 
> logs but no user information in the cas.log.  Would that be an indication 
> that the user information within the session was not properly received or 
> what logging can I enable to verify that the user info was passed. Usually in 
> the logs I only see the entries after they have authenticated into ldap so it 
> never reaches that part.
>
>
>
> Thanks!
>
>
> ___
> Juan Quintanilla
> UTS - Enterprise Group
> 305-348-6573
> jquin...@fiu.edu<mailto:jquin...@fiu.edu>
>
>
> 
> From: Juan Quintanilla 
> Sent: Thursday, July 30, 2015 11:19 AM
> To: cas-user@lists.jasig.org
> Subject: Re: [cas-user] CAS Intermittent login issue
>
>
>
>
>
>
> Prior to having the environment on the F5 we had the users test against the 
> servers individually and there was no problem but then again the issue does 
> not always happen.  I have tried to reproduce the issue myself but have not 
> been able to.  So we didn't see the problem until we had more users accessing 
> the system once it was on the F5.  Our previous CAS environment 3.4.7 is 
> running on a Cisco Ace if I'm not mistaken and there were no problems there.  
> We have sticky sessions enabled based on the ip address.
>
>
>
>
> ___
> Juan Quintanilla
> jquin...@fiu.edu<mailto:jquin...@fiu.edu>
>
>
> 
> From: Michael O Holstein 
> Sent: Thursday, July 30, 2015 11:00 AM
> To: cas-user@lists.jasig.org
> Subject: Re: [cas-user] CAS Intermittent login issue
>
>
> I've noticed this as well, but if you use Chrome/Firefox in debug mode you'll 
> see the JSESSION ID as a cookie in either case so I don't think that matters.
>
>
> Even though you've only got one app server I'd bet the F5 has stickiness 
> configured (and you will need it) but how exactly it's being done might be 
> screwing with your app. Have you tried setting up something simple like 
> cas-sample-java-webapp against the inside address (bypass the F5) and see if 
> the problem still exists?
>
>
> We ended up forgoing a Cisco ACE in favor of two Nginx boxes and HAProxy/VRRP 
> as well as load balancing out the back .. for pretty much the same reasons .. 
> plus it's much easier to troubleshoot when you have control over the whole 
> path.
>
>
> Michael Holstein
>
> Cleveland State University
>
>
> 
> From: Christopher Myers 
> Sent: Thursday, July 30, 2015 10:38 AM
> To: cas-user@lists.jasig.org
> Subject: Re: [cas-user] CAS Intermittent login issue
>
> One thing to check - does the CASified application have the correct IP 
> address for the CAS server? We had something similar happen when we put our 
> CAS environment behind our Barracuda, and one of our hosted third-party 
> applications still had the old DNS entry cached.
>
> Chris
>
>
>
>
>>>> Juan Quintanilla  07/30/15 9:29 AM >>>
>
> Hi,
>
>
>
> We are implementing CAS 3.6.0 using ldap authentication, with oracle for the 
> ticket registry, and tomcat 8.  We have the environment running on an F5 load 
> balancer but currently with only one web server in the loop.  I just wanted 
> to ask if any have encountered intermittent issues with logging into an 
> application using CAS.
>
>
>
> What I'm encountering is a user hits the cas login page after being 
> redirected by the client application but after they enter their credentials 
> they are redirected to the

Re: [cas-user] CAS Intermittent login issue

2015-07-30 Thread Juan Quintanilla
The other interesting part is the fact that I see a post in the Tomcat access 
logs but no user information in the cas.log.  Would that be an indication that 
the user information within the session was not properly received or what 
logging can I enable to verify that the user info was passed. Usually in the 
logs I only see the entries after they have authenticated into ldap so it never 
reaches that part.



Thanks!


___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu<mailto:jquin...@fiu.edu>



From: Juan Quintanilla 
Sent: Thursday, July 30, 2015 11:19 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS Intermittent login issue






Prior to having the environment on the F5 we had the users test against the 
servers individually and there was no problem but then again the issue does not 
always happen.  I have tried to reproduce the issue myself but have not been 
able to.  So we didn't see the problem until we had more users accessing the 
system once it was on the F5.  Our previous CAS environment 3.4.7 is running on 
a Cisco Ace if I'm not mistaken and there were no problems there.  We have 
sticky sessions enabled based on the ip address.




___
Juan Quintanilla
jquin...@fiu.edu<mailto:jquin...@fiu.edu>



From: Michael O Holstein 
Sent: Thursday, July 30, 2015 11:00 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS Intermittent login issue


I've noticed this as well, but if you use Chrome/Firefox in debug mode you'll 
see the JSESSION ID as a cookie in either case so I don't think that matters.


Even though you've only got one app server I'd bet the F5 has stickiness 
configured (and you will need it) but how exactly it's being done might be 
screwing with your app. Have you tried setting up something simple like 
cas-sample-java-webapp against the inside address (bypass the F5) and see if 
the problem still exists?


We ended up forgoing a Cisco ACE in favor of two Nginx boxes and HAProxy/VRRP 
as well as load balancing out the back .. for pretty much the same reasons .. 
plus it's much easier to troubleshoot when you have control over the whole path.


Michael Holstein

Cleveland State University



From: Christopher Myers 
Sent: Thursday, July 30, 2015 10:38 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS Intermittent login issue

One thing to check - does the CASified application have the correct IP address 
for the CAS server? We had something similar happen when we put our CAS 
environment behind our Barracuda, and one of our hosted third-party 
applications still had the old DNS entry cached.

Chris




>>> Juan Quintanilla  07/30/15 9:29 AM >>>

Hi,



We are implementing CAS 3.6.0 using ldap authentication, with oracle for the 
ticket registry, and tomcat 8.  We have the environment running on an F5 load 
balancer but currently with only one web server in the loop.  I just wanted to 
ask if any have encountered intermittent issues with logging into an 
application using CAS.



What I'm encountering is a user hits the cas login page after being redirected 
by the client application but after they enter their credentials they are 
redirected to the login page with the login information cleared. If they try 
logging in again the process just repeats, if they enter bad credentials no 
error message is displayed on the screen or even in the logs. If the user 
closes their browser and clears their cache they are able to login.



In the Tomcat access logs we notice that there is a post during that 
transaction but we didn't see a jsessionid in the url string associated with the 
post.  We are removing ldap pooling and extending the cas session timeout in 
the web.xml to see if maybe their session is expiring. It does not happen all 
the time, it's sporadic, so it makes it difficult to troubleshoot.  We have talked 
to our networking team but they don't seem to see any problems on their side, 
they have just extended the session timeout. Our last resort would be to take 
the environment off the F5 and see if that helps or place the old environment 
on the F5 to see if the problem persists on that environment then we can narrow 
it down to the issue being on the F5 load balancer. Since the problem does not 
always happen we are having a hard time determining whether the problem is with the 
load balancer or some configuration on the CAS/Tomcat side.



Has anyone encountered something similar, any suggestions will really help.


___
Juan Quintanilla
jquin...@fiu.edu<mailto:jquin...@fiu.edu>
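
The cross-check raised in the message above (a POST in the Tomcat access log with nothing in cas.log), as an added example that is not part of the original thread: it pairs each login POST with authentication events from the same client and flags clients whose POSTs never reach authentication. The `/cas/login` path, the log lines and the `(time, client IP, action)` event tuples are constructed assumptions; producing those tuples from your own cas.log is left to the deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/cas/login"  # assumption: CAS deployed under the /cas context

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+\s*$'
)

# Constructed sample access log: .7 logs in, .8 mistypes a password,
# .9 is stuck in the loop described in the thread.
ACCESS_LOG = """\
10.0.0.7 - - [30/Jul/2015:09:15:02 -0400] "GET /cas/login?service=https%3A%2F%2Fapp.example.edu%2F HTTP/1.1" 200 6120
10.0.0.7 - - [30/Jul/2015:09:15:20 -0400] "POST /cas/login?service=https%3A%2F%2Fapp.example.edu%2F HTTP/1.1" 302 -
10.0.0.8 - - [30/Jul/2015:09:16:40 -0400] "POST /cas/login;jsessionid=CONSTRUCTED0001?service=https%3A%2F%2Fapp.example.edu%2F HTTP/1.1" 200 6188
10.0.0.9 - - [30/Jul/2015:09:29:05 -0400] "POST /cas/login?service=https%3A%2F%2Fapp.example.edu%2F HTTP/1.1" 200 6120
10.0.0.9 - - [30/Jul/2015:09:29:31 -0400] "POST /cas/login?service=https%3A%2F%2Fapp.example.edu%2F HTTP/1.1" 200 6120
"""

# Constructed authentication events, assumed to be already extracted from
# cas.log as (time, client IP, action). Behind a load balancer both logs must
# record the same client address for the join to be meaningful.
AUTH_EVENTS = [
    (datetime.fromisoformat("2015-07-30T09:15:20-04:00"), "10.0.0.7", "AUTHENTICATION_SUCCESS"),
    (datetime.fromisoformat("2015-07-30T09:16:41-04:00"), "10.0.0.8", "AUTHENTICATION_FAILED"),
]


def parse_access(text):
    """Yield one dict per well-formed access-log line; skip anything else."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        yield {
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "uri": m["uri"],
            "status": int(m["status"]),
        }


def classify_posts(access_text, auth_events, window=timedelta(seconds=5)):
    """Label each login POST by whether an authentication event accompanies it."""
    by_ip = defaultdict(list)
    for ts, ip, action in auth_events:
        by_ip[ip].append((ts, action))
    results = []
    for req in parse_access(access_text):
        # Strip the query string and any ;jsessionid= path parameter.
        path = req["uri"].split("?", 1)[0].split(";", 1)[0]
        if req["method"] != "POST" or path != LOGIN_PATH:
            continue
        hits = [a for ts, a in by_ip[req["ip"]] if abs(ts - req["ts"]) <= window]
        if not hits:
            verdict = "no_auth_attempt"   # POST arrived, credentials never evaluated
        elif "AUTHENTICATION_SUCCESS" in hits:
            verdict = "authenticated"
        else:
            verdict = "rejected"          # credentials evaluated and refused
        results.append({**req, "verdict": verdict})
    return results


def stuck_clients(results, min_posts=2):
    """Clients with min_posts consecutive login POSTs that never reached authentication."""
    streak, flagged = defaultdict(int), set()
    for r in results:  # results keep access-log order
        if r["verdict"] == "no_auth_attempt":
            streak[r["ip"]] += 1
            if streak[r["ip"]] >= min_posts:
                flagged.add(r["ip"])
        else:
            streak[r["ip"]] = 0
    return sorted(flagged)


if __name__ == "__main__":
    for r in classify_posts(ACCESS_LOG, AUTH_EVENTS):
        print(r["ts"].isoformat(), r["ip"], r["status"], r["verdict"])
    print("stuck:", stuck_clients(classify_posts(ACCESS_LOG, AUTH_EVENTS)))
```

A client that lands in `stuck_clients` matches the reported symptom: repeated POSTs to the login form with no authentication attempt recorded, which separates a lost web-flow session from a mistyped password.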



Re: [cas-user] CAS Intermittent login issue

2015-07-30 Thread Juan Quintanilla




Prior to having the environment on the F5 we had the users test against the 
servers individually and there was no problem but then again the issue does not 
always happen.  I have tried to reproduce the issue myself but have not been 
able to.  So we didn't see the problem until we had more users accessing the 
system once it was on the F5.  Our previous CAS environment 3.4.7 is running on 
a Cisco Ace if I'm not mistaken and there were no problems there.  We have 
sticky sessions enabled based on the ip address.




___
Juan Quintanilla
jquin...@fiu.edu<mailto:jquin...@fiu.edu>



From: Michael O Holstein 
Sent: Thursday, July 30, 2015 11:00 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS Intermittent login issue


I've noticed this as well, but if you use Chrome/Firefox in debug mode you'll 
see the JSESSION ID as a cookie in either case so I don't think that matters.


Even though you've only got one app server I'd bet the F5 has stickiness 
configured (and you will need it) but how exactly it's being done might be 
screwing with your app. Have you tried setting up something simple like 
cas-sample-java-webapp against the inside address (bypass the F5) and see if 
the problem still exists?


We ended up forgoing a Cisco ACE in favor of two Nginx boxes and HAProxy/VRRP 
as well as load balancing out the back .. for pretty much the same reasons .. 
plus it's much easier to troubleshoot when you have control over the whole path.


Michael Holstein

Cleveland State University



From: Christopher Myers 
Sent: Thursday, July 30, 2015 10:38 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS Intermittent login issue

One thing to check - does the CASified application have the correct IP address 
for the CAS server? We had something similar happen when we put our CAS 
environment behind our Barracuda, and one of our hosted third-party 
applications still had the old DNS entry cached.

Chris




>>> Juan Quintanilla  07/30/15 9:29 AM >>>

Hi,



We are implementing CAS 3.6.0 using ldap authentication, with oracle for the 
ticket registry, and tomcat 8.  We have the environment running on an F5 load 
balancer but currently with only one web server in the loop.  I just wanted to 
ask if any have encountered intermittent issues with logging into an 
application using CAS.



What I'm encountering is a user hits the cas login page after being redirected 
by the client application but after they enter their credentials they are 
redirected to the login page with the login information cleared. If they try 
logging in again the process just repeats, if they enter bad credentials no 
error message is displayed on the screen or even in the logs. If the user 
closes their browser and clears their cache they are able to login.



In the Tomcat access logs we notice that there is a post during that 
transaction but we didn't see a jsessionid in the url string associated with the 
post.  We are removing ldap pooling and extending the cas session timeout in 
the web.xml to see if maybe their session is expiring. It does not happen all 
the time, it's sporadic, so it makes it difficult to troubleshoot.  We have talked 
to our networking team but they don't seem to see any problems on their side, 
they have just extended the session timeout. Our last resort would be to take 
the environment off the F5 and see if that helps or place the old environment 
on the F5 to see if the problem persists on that environment then we can narrow 
it down to the issue being on the F5 load balancer. Since the problem does not 
always happen we are having a hard time determining whether the problem is with the 
load balancer or some configuration on the CAS/Tomcat side.



Has anyone encountered something similar, any suggestions will really help.


___
Juan Quintanilla
jquin...@fiu.edu<mailto:jquin...@fiu.edu>




Re: [cas-user] CAS Intermittent login issue

2015-07-30 Thread Juan Quintanilla
Hi,



I believe they are using the hostname for the CAS server, but I will double 
check to make sure.  If that was the case I would expect the login issue to 
happen to everyone and not just random users.


___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu<mailto:jquin...@fiu.edu>



From: Christopher Myers 
Sent: Thursday, July 30, 2015 10:38 AM
To: Juan Quintanilla; cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS Intermittent login issue

One thing to check - does the CASified application have the correct IP address 
for the CAS server? We had something similar happen when we put our CAS 
environment behind our Barracuda, and one of our hosted third-party 
applications still had the old DNS entry cached.

Chris




>>> Juan Quintanilla  07/30/15 9:29 AM >>>

Hi,



We are implementing CAS 3.6.0 using ldap authentication, with oracle for the 
ticket registry, and tomcat 8.  We have the environment running on an F5 load 
balancer but currently with only one web server in the loop.  I just wanted to 
ask if any have encountered intermittent issues with logging into an 
application using CAS.



What I'm encountering is a user hits the cas login page after being redirected 
by the client application but after they enter their credentials they are 
redirected to the login page with the login information cleared. If they try 
logging in again the process just repeats, if they enter bad credentials no 
error message is displayed on the screen or even in the logs. If the user 
closes their browser and clears their cache they are able to login.



In the Tomcat access logs we notice that there is a post during that 
transaction but we didn't see a jsessionid in the url string associated with the 
post.  We are removing ldap pooling and extending the cas session timeout in 
the web.xml to see if maybe their session is expiring. It does not happen all 
the time, it's sporadic, so it makes it difficult to troubleshoot.  We have talked 
to our networking team but they don't seem to see any problems on their side, 
they have just extended the session timeout. Our last resort would be to take 
the environment off the F5 and see if that helps or place the old environment 
on the F5 to see if the problem persists on that environment then we can narrow 
it down to the issue being on the F5 load balancer. Since the problem does not 
always happen we are having a hard time determining whether the problem is with the 
load balancer or some configuration on the CAS/Tomcat side.



Has anyone encountered something similar, any suggestions will really help.


___
Juan Quintanilla
jquin...@fiu.edu<mailto:jquin...@fiu.edu>




[cas-user] CAS Intermittent login issue

2015-07-30 Thread Juan Quintanilla
Hi,



We are implementing CAS 3.6.0 using ldap authentication, with oracle for the 
ticket registry, and tomcat 8.  We have the environment running on an F5 load 
balancer but currently with only one web server in the loop.  I just wanted to 
ask if any have encountered intermittent issues with logging into an 
application using CAS.



What I'm encountering is a user hits the cas login page after being redirected
by the client application but after they enter their credentials they are
redirected to the login page with the login information cleared. If they try
logging in again the process just repeats, if they enter bad credentials no
error message is displayed on the screen or even in the logs. If the user
closes their browser and clears their cache they are able to login.



In the Tomcat access logs we notice that there is a post during that
transaction but we didn't see a jsessionid in the url string associated with the
post.  We are removing ldap pooling and extending the cas session timeout in
the web.xml to see if maybe their session is expiring. It does not happen all
the time; it's sporadic, so it makes it difficult to troubleshoot.  We have talked
to our networking team but they don't seem to see any problems on their side,
they have just extended the session timeout. Our last resort would be to take
the environment off the F5 and see if that helps or place the old environment
on the F5 to see if the problem persists on that environment then we can narrow
it down to the issue being on the F5 load balancer. Since the problem does not
always happen we are having a hard time determining whether the problem is with the
load balancer or some configuration on the CAS/Tomcat side.



Has anyone encountered something similar, any suggestions will really help.


___
Juan Quintanilla
jquin...@fiu.edu<mailto:jquin...@fiu.edu>




Re: [cas-user] CAS SSO User stuck on Login Page

2015-07-28 Thread Juan Quintanilla
Hi,

So after adding some more logging for tomcat and waiting to hear back from
users who have encountered the issue we were able to see that within the access
logs for tomcat there is a post being made for the user. In this case the user
reported that when they tried to access a particular site they encountered the
issue of being stuck on the login page.  Below is the post from when the user
entered their information and then immediately after there is another get for
the login page which is consistent with what we're seeing.  User enters the
correct information but is redirected back onto the login page when they hit
submit, and when bad credentials are entered no error message is displayed in
the logs or for the user.

The only thing I did notice is that in the post there was no jsessionid, right
below is another session for a user which did have a jsessionid and everything
seemed to go through fine. We are using F5 but currently only one web server is
in the loop.  Once the browser is closed and cache is cleared they can log in
with no problem.

- 192.168.150.254 - - [16/Jul/2015:16:34:59 -0400] POST 
/cas/login?service=https%3A%2F%2Fcasnew.fiu.edu%2Flogin%2F HTTP/1.1 ???>???s - 
https://CASserver.fiu.edu/cas/login?service=https%3A%2F%2Fcasnew.fiu.edu%2Flogin%2F
 Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
- 192.168.150.254 - - [16/Jul/2015:16:34:59 -0400] GET 
/cas/login?service=https%3A%2F%2Fcasnew.fiu.edu%2Flogin%2F HTTP/1.1 ???>???s 
5115 
https://CASserver.fiu.edu/cas/login?service=https%3A%2F%2Fcasnew.fiu.edu%2Flogin%2F
 Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
- 192.168.150.254 - - [16/Jul/2015:16:34:59 -0400] GET 
/cas/themes/default/images/mbg.png HTTP/1.1 ???>???s - 
https://CASserver.fiu.edu/cas/themes/default/cas.css Mozilla/5.0 (X11; Linux 
x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
- 192.168.150.254 - - [16/Jul/2015:16:34:59 -0400] GET /cas/login HTTP/1.1 
???>???s 3433 https://CASserver.fiu.edu/cas/themes/default/cas.css Mozilla/5.0 
(X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0




- 192.168.150.254 - - [16/Jul/2015:16:35:00 -0400] POST 
/cas/login;jsessionid=AF457B57EE11EB59AC21D945AE91A03D?service=https://shs-portal.fiu.edu/PyramedPortal/CAS
 HTTP/1.1 ???>???s - 
https://CASserver.fiu.edu/cas/login?service=https://shs-portal.fiu.edu/PyramedPortal/CAS
 Mozilla/5.0 (Linux; Android 5.0; SAMSUNG SM-G900T Build/LRX21T) 
AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/2.1 Chrome/34.0.1847.76 
Mobile Safari/537.36
- 192.168.150.254 - - [16/Jul/2015:16:35:00 -0400] GET 
/cas/serviceValidate?ticket=ST-103981-jhkc23bFgYbXeiIOQ42N-fiusso1.fiu.edu&service=https://shs-portal.fiu.edu/PyramedPortal/CAS
 HTTP/1.1 ???>???s 190 - -


_______
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu
____
From: Juan Quintanilla 
Sent: Monday, July 13, 2015 10:40 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS SSO User stuck on Login Page

I'm still working with our network team to verify what they see on their end.

___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

From: Mailvaganam, Hari 
Sent: Saturday, July 11, 2015 1:33 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS SSO User stuck on Login Page

>So now I wondering if its still pertains to the F5 not properly allowing the 
>traffic back to the application.

Anything in the firewall logs? Or/and set F5 to verbose logging?
_______
From: Juan Quintanilla [jquin...@fiu.edu]
Sent: Friday, July 10, 2015 09:29
To: cas-user@lists.jasig.org
Cc: Joseph Wong
Subject: Re: [cas-user] CAS SSO User stuck on Login Page

Hi,

I will be changing the logging for the tomcat access logs so that I can see a 
little more details.  Regarding the ldap logs we checked and it seems that 
during the time when the user is having this issue on the CAS login page there 
is no entries in our Ldap logs for an authentication attempt.  So it seems that 
I would probably not find a post in the access logs. The only entry that I 
found for this particular user was after they closed their browser and tried 
logging in again which did generate an error on the login page for invalid 
credentials and once the correct credentials were entered they were able to 
access the page.

So the next check is to see if there is a post being made in the access logs 
for tomcat. Would there not being enough ldap connections in the pool display 
an error in the cas.log? Or what could cause the page to go dead between tomcat 
and CAS.  So now I wondering if its still pertains to the F5 not properly 
allowing the traffic back to the application. We are removing one of the 
webservers from the loop so that traffic can go to one server but any other 
tips or suggestions would be greatly appreciated.

___
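The access-log comparison described in this message (a login POST with no jsessionid that is followed by another GET of the login page, versus a POST carrying a jsessionid that is followed by a serviceValidate call) can be automated. The sketch below is an added example, not code from the thread or from the CAS project; the log lines are constructed in Tomcat's combined pattern with example hostnames, and the function names are hypothetical. Because every request behind the F5 shows the load balancer's address, it correlates on the decoded service URL rather than on client IP.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample (not real traffic), modelled on the two sequences in the post.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Jul/2015:16:34:59 -0400] "POST /cas/login?service=https%3A%2F%2Fapp.example.edu%2Flogin%2F HTTP/1.1" 200 5115 "-" "Mozilla/5.0"
192.0.2.10 - - [16/Jul/2015:16:34:59 -0400] "GET /cas/login?service=https%3A%2F%2Fapp.example.edu%2Flogin%2F HTTP/1.1" 200 5115 "-" "Mozilla/5.0"
192.0.2.10 - - [16/Jul/2015:16:34:59 -0400] "GET /cas/themes/default/images/mbg.png HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.0.2.10 - - [16/Jul/2015:16:35:00 -0400] "POST /cas/login;jsessionid=0123456789ABCDEF0123456789ABCDEF?service=https://portal.example.edu/CAS HTTP/1.1" 302 - "-" "Mozilla/5.0"
192.0.2.10 - - [16/Jul/2015:16:35:00 -0400] "GET /cas/serviceValidate?ticket=ST-1-constructed&service=https://portal.example.edu/CAS HTTP/1.1" 200 190 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}|-) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # URL rewriting carries the session id as a path parameter:
    # /cas/login;jsessionid=<id>?service=...
    path, _, params = parts.path.partition(";")
    # parse_qs percent-decodes, so encoded and plain service URLs compare equal.
    service = parse_qs(parts.query).get("service", [None])[0]
    return {
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": path,
        "has_jsessionid": params.lower().startswith("jsessionid="),
        "service": service,
        "status": m.group("status"),
    }


def classify_login_posts(log_text, window=timedelta(seconds=5)):
    """For each POST to /cas/login, report what followed for the same service."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = []
    for i, ev in enumerate(events):
        if ev["method"] != "POST" or ev["path"] != "/cas/login":
            continue
        outcome = "unknown"
        for nxt in events[i + 1:]:
            if nxt["ts"] - ev["ts"] > window:
                break
            if nxt["service"] != ev["service"]:
                continue
            if nxt["path"] == "/cas/serviceValidate":
                outcome = "validated"          # ticket was issued and checked
                break
            if nxt["method"] == "GET" and nxt["path"] == "/cas/login":
                outcome = "returned_to_login"  # user landed on the form again
                break
        findings.append({
            "ts": ev["ts"].isoformat(),
            "service": ev["service"],
            "has_jsessionid": ev["has_jsessionid"],
            "outcome": outcome,
        })
    return findings


if __name__ == "__main__":
    for f in classify_login_posts(SAMPLE_LOG):
        print(f)
```

A jsessionid only appears in the request line when Tomcat falls back to URL rewriting; a session carried in a cookie is invisible there, so adding `%S` to the AccessLogValve pattern gives a more reliable session column to correlate on. With several users hitting the same service inside the window, correlation by service alone can mismatch requests.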

Re: [cas-user] CAS SSO User stuck on Login Page

2015-07-13 Thread Juan Quintanilla
I'm still working with our network team to verify what they see on their end.

___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

From: Mailvaganam, Hari 
Sent: Saturday, July 11, 2015 1:33 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS SSO User stuck on Login Page

>So now I wondering if its still pertains to the F5 not properly allowing the 
>traffic back to the application.

Anything in the firewall logs? Or/and set F5 to verbose logging?
___
From: Juan Quintanilla [jquin...@fiu.edu]
Sent: Friday, July 10, 2015 09:29
To: cas-user@lists.jasig.org
Cc: Joseph Wong
Subject: Re: [cas-user] CAS SSO User stuck on Login Page

Hi,

I will be changing the logging for the tomcat access logs so that I can see a 
little more details.  Regarding the ldap logs we checked and it seems that 
during the time when the user is having this issue on the CAS login page there 
is no entries in our Ldap logs for an authentication attempt.  So it seems that 
I would probably not find a post in the access logs. The only entry that I 
found for this particular user was after they closed their browser and tried 
logging in again which did generate an error on the login page for invalid 
credentials and once the correct credentials were entered they were able to 
access the page.

So the next check is to see if there is a post being made in the access logs 
for tomcat. Would there not being enough ldap connections in the pool display 
an error in the cas.log? Or what could cause the page to go dead between tomcat 
and CAS.  So now I wondering if its still pertains to the F5 not properly 
allowing the traffic back to the application. We are removing one of the 
webservers from the loop so that traffic can go to one server but any other 
tips or suggestions would be greatly appreciated.

___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

From: Waldbieser, Carl 
Sent: Friday, July 10, 2015 11:38 AM
To: cas-user@lists.jasig.org
Cc: Joseph Wong
Subject: Re: [cas-user] CAS SSO User stuck on Login Page

If you crank up the log levels on Tomcat, you should see an HTTP POST in the 
access logs.
That would indicate the credentials are delivered successfully to the CAS 
application.

Do you see any evidence in your LDAP logs that an LDAP connection was dropped 
mid-stream?

Thanks,
Carl Waldbieser
Lafayette College

- Original Message -----
From: "Juan Quintanilla" 
To: cas-user@lists.jasig.org
Cc: "Joseph Wong" 
Sent: Friday, July 10, 2015 10:54:22 AM
Subject: [cas-user] CAS SSO User stuck on Login Page

Hi,



I reached out the list earlier in the week regarding some issues we were having 
with some users remaining on the CAS Login page after being redirected by the 
client application.  The user when they enter good credentials are presented 
with the login page again, if they enter bad credentials no error message is 
displayed on the login page.  The transaction is not even recorded on the 
catalina.out, or the cas.log.



The environment is running CAS 3.6.0 on tomcat 8 with ldap backend for 
authentication and Oracle Db for ticketing and the web servers are being load 
balanced on an F5.  The issue is sporadic so its not consistent but once the 
user closes their browser and tries to login again they can access the 
application.  My question, if a connection cannot be pulled from the ldap 
connection pool would an error be thrown?  Our guess is that when the user hits 
the login page and enters their credentials the connection from the CAS web 
server on the F5 to the Ldap vip address which is on a different load balancer 
is being dropped or reset.



What debugging on CAS could I enable to see whether that communication login 
info is even being received on the CAS application, or if the CAS application 
is seeing when the user enters the information on the login page.


___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu<mailto:jquin...@fiu.edu>


Re: [cas-user] CAS SSO User stuck on Login Page

2015-07-10 Thread Juan Quintanilla
Hi,

I will be changing the logging for the tomcat access logs so that I can see a
little more detail.  Regarding the ldap logs we checked and it seems that
during the time when the user is having this issue on the CAS login page there
are no entries in our Ldap logs for an authentication attempt.  So it seems that
I would probably not find a post in the access logs. The only entry that I
found for this particular user was after they closed their browser and tried
logging in again which did generate an error on the login page for invalid
credentials and once the correct credentials were entered they were able to
access the page.

So the next check is to see if there is a post being made in the access logs
for tomcat. Would there not being enough ldap connections in the pool display
an error in the cas.log? Or what could cause the page to go dead between tomcat
and CAS.  So now I'm wondering if it still pertains to the F5 not properly
allowing the traffic back to the application. We are removing one of the
webservers from the loop so that traffic can go to one server but any other
tips or suggestions would be greatly appreciated.

___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

From: Waldbieser, Carl 
Sent: Friday, July 10, 2015 11:38 AM
To: cas-user@lists.jasig.org
Cc: Joseph Wong
Subject: Re: [cas-user] CAS SSO User stuck on Login Page

If you crank up the log levels on Tomcat, you should see an HTTP POST in the 
access logs.
That would indicate the credentials are delivered successfully to the CAS 
application.

Do you see any evidence in your LDAP logs that an LDAP connection was dropped 
mid-stream?

Thanks,
Carl Waldbieser
Lafayette College

- Original Message -
From: "Juan Quintanilla" 
To: cas-user@lists.jasig.org
Cc: "Joseph Wong" 
Sent: Friday, July 10, 2015 10:54:22 AM
Subject: [cas-user] CAS SSO User stuck on Login Page

Hi,



I reached out the list earlier in the week regarding some issues we were having 
with some users remaining on the CAS Login page after being redirected by the 
client application.  The user when they enter good credentials are presented 
with the login page again, if they enter bad credentials no error message is 
displayed on the login page.  The transaction is not even recorded on the 
catalina.out, or the cas.log.



The environment is running CAS 3.6.0 on tomcat 8 with ldap backend for 
authentication and Oracle Db for ticketing and the web servers are being load 
balanced on an F5.  The issue is sporadic so its not consistent but once the 
user closes their browser and tries to login again they can access the 
application.  My question, if a connection cannot be pulled from the ldap 
connection pool would an error be thrown?  Our guess is that when the user hits 
the login page and enters their credentials the connection from the CAS web 
server on the F5 to the Ldap vip address which is on a different load balancer 
is being dropped or reset.



What debugging on CAS could I enable to see whether that communication login 
info is even being received on the CAS application, or if the CAS application 
is seeing when the user enters the information on the login page.


_______
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu<mailto:jquin...@fiu.edu>




[cas-user] CAS SSO User stuck on Login Page

2015-07-10 Thread Juan Quintanilla
Hi,



I reached out to the list earlier in the week regarding some issues we were having
with some users remaining on the CAS Login page after being redirected by the
client application.  The user when they enter good credentials are presented
with the login page again, if they enter bad credentials no error message is
displayed on the login page.  The transaction is not even recorded on the
catalina.out, or the cas.log.



The environment is running CAS 3.6.0 on tomcat 8 with ldap backend for
authentication and Oracle Db for ticketing and the web servers are being load
balanced on an F5.  The issue is sporadic so it's not consistent but once the
user closes their browser and tries to login again they can access the
application.  My question, if a connection cannot be pulled from the ldap
connection pool would an error be thrown?  Our guess is that when the user hits
the login page and enters their credentials the connection from the CAS web
server on the F5 to the Ldap vip address which is on a different load balancer
is being dropped or reset.



What debugging on CAS could I enable to see whether that communication login 
info is even being received on the CAS application, or if the CAS application 
is seeing when the user enters the information on the login page.


___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu<mailto:jquin...@fiu.edu>



Re: [cas-user] CAS User remains on login page

2015-07-08 Thread Juan Quintanilla
Hi,



Thanks for that information, I'm thinking it's something with the load balancer
as well since it's not happening for everyone and if it was something with the
application I would see it in the logs.  Currently our network team had the
load balancer idle timeout for 5 min they increased it so maybe that might help
out.  I just find it strange that there are no transactions recorded in the
catalina.out logs at all when the users encounter the issue. Then the user is
forced to close the browser in order to authenticate, refreshing the page won't
help they just get stuck on the login page.


___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu<mailto:jquin...@fiu.edu>



From: Misagh Moayyed 
Sent: Wednesday, July 8, 2015 1:14 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS User remains on login page


OK. Two things jumped out at me:



1.   “Sporadic” almost always means “load balancer”. So I’d start there.



2.   It’s very likely that you are affected by this issue:
http://jasig.github.io/cas/development/installation/Troubleshooting-Guide.html#login-form-clearing-credentials-on-submission





From: Juan Quintanilla [mailto:jquin...@fiu.edu]
Sent: Wednesday, July 8, 2015 10:05 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS User remains on login page



So if the user enters bad credentials they receive no message from the login 
page about bad credentials nor do I see the transaction in the catalina.out 
file.  If the user enters the right credentials I still do not see the 
transaction in the catalina.out and the user is redirected back to the login 
page.  If they enter the credentials again and hit enter or login they are 
redirected back to the login page and there is no transaction for that user in 
the log. In the url you see the service that they are coming from.



Only when the user closes the browser and tries again are they able to access 
the application, if the user is already logged into an application that is 
using CAS they don't have a problem.  It tends to be new users and its sporadic.



Thanks!



___
Juan Quintanilla

UTS - Enterprise Group

305-348-6573

jquin...@fiu.edu<mailto:jquin...@fiu.edu>





From: Misagh Moayyed <mmoay...@unicon.net>
Sent: Wednesday, July 8, 2015 12:57 PM
To: cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org>
Subject: RE: [cas-user] CAS User remains on login page



“If they enter bad credentials no error message is displayed and if they enter 
the correct credentials they are redirected back to the CAS login page.”



What happens if I enter my credentials correctly, get redirected back to the 
CAS login page, and then again enter my credentials? Are you able to login and 
get back to the application?



From: Juan Quintanilla [mailto:jquin...@fiu.edu]
Sent: Wednesday, July 8, 2015 9:53 AM
To: cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org>
Subject: Re:[cas-user] CAS User remains on login page



Hi,



So we encountered the issue and I was able to check the http headers, it seems 
to pull the login page and  the images but after credentials are entered and 
the user hits login or enter there are no further http headers recorded.  The 
applications are redirected to the web url which is load balanced on an F5 if 
that helps.  I'm trying to see whether I should be looking towards the CAS 
application 3.6.0 , tomcat 8, or the F5 to see what may be causing some random 
users to experience a dead login page.

Any other suggestions are welcomed.



Thanks!

___
Juan Quintanilla

UTS - Enterprise Group

305-348-6573

jquin...@fiu.edu<mailto:jquin...@fiu.edu>





From: Mailvaganam, Hari <hari.mailvaga...@ubc.ca>
Sent: Wednesday, July 8, 2015 3:53 AM
To: cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org>
Subject: RE:[cas-user] CAS User remains on login page



Trace the HTTP headers - may have a clue there?



Sample Firefox 
plugin:https://addons.mozilla.org/en-us/firefox/addon/live-http-headers/



From: Juan Quintanilla [jquin...@fiu.edu]
Sent: Tuesday, July 07, 2015 06:53
To: cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org>
Subject: [cas-user] CAS User remains on login page

Hi,



We currently deployed CAS 3.6.0 with backend ldap and oracle Db for ticketing 
and everything seems to be working great, but on occasion we have had some 
users who 

Re: [cas-user] CAS User remains on login page

2015-07-08 Thread Juan Quintanilla
So if the user enters bad credentials they receive no message from the login 
page about bad credentials nor do I see the transaction in the catalina.out 
file.  If the user enters the right credentials I still do not see the 
transaction in the catalina.out and the user is redirected back to the login 
page.  If they enter the credentials again and hit enter or login they are 
redirected back to the login page and there is no transaction for that user in 
the log. In the url you see the service that they are coming from.



Only when the user closes the browser and tries again are they able to access
the application, if the user is already logged into an application that is
using CAS they don't have a problem.  It tends to be new users and it's sporadic.



Thanks!


___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu<mailto:jquin...@fiu.edu>



From: Misagh Moayyed 
Sent: Wednesday, July 8, 2015 12:57 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS User remains on login page


“If they enter bad credentials no error message is displayed and if they enter 
the correct credentials they are redirected back to the CAS login page.”



What happens if I enter my credentials correctly, get redirected back to the 
CAS login page, and then again enter my credentials? Are you able to login and 
get back to the application?



From: Juan Quintanilla [mailto:jquin...@fiu.edu]
Sent: Wednesday, July 8, 2015 9:53 AM
To: cas-user@lists.jasig.org
Subject: Re:[cas-user] CAS User remains on login page



Hi,



So we encountered the issue and I was able to check the http headers, it seems 
to pull the login page and  the images but after credentials are entered and 
the user hits login or enter there are no further http headers recorded.  The 
applications are redirected to the web url which is load balanced on an F5 if 
that helps.  I'm trying to see whether I should be looking towards the CAS 
application 3.6.0 , tomcat 8, or the F5 to see what may be causing some random 
users to experience a dead login page.

Any other suggestions are welcomed.



Thanks!

___
Juan Quintanilla

UTS - Enterprise Group

305-348-6573

jquin...@fiu.edu<mailto:jquin...@fiu.edu>





From: Mailvaganam, Hari <hari.mailvaga...@ubc.ca>
Sent: Wednesday, July 8, 2015 3:53 AM
To: cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org>
Subject: RE:[cas-user] CAS User remains on login page



Trace the HTTP headers - may have a clue there?



Sample Firefox 
plugin:https://addons.mozilla.org/en-us/firefox/addon/live-http-headers/

________

From: Juan Quintanilla [jquin...@fiu.edu]
Sent: Tuesday, July 07, 2015 06:53
To: cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org>
Subject: [cas-user] CAS User remains on login page

Hi,



We currently deployed CAS 3.6.0 with backend ldap and oracle Db for ticketing 
and everything seems to be working great, but on occasion we have had some 
users who have gone to a particular site report that when they are redirected 
to the CAS Login page from the client application they are not able to login.  
If they enter bad credentials no error message is displayed and if they enter 
the correct credentials they are redirected back to the CAS login page.



When I check the CAS server logs I do not see any transactions for the user nor 
do I see failed authentication attempts for Ldap, its as if the communication 
is not even reaching the server, the tomcat logs don't report any errors for 
the times when the issue is encountered.  It seems to happen sporadically since 
other users have no problem logging in.  Once the user closers their browser or 
tab and tries again they are able to login.



Just wanted to see if anyone has encountered something similar in their 
environment, I'm thinking it has to be something relating to the networking 
side.



___
Juan Quintanilla

jquin...@fiu.edu<mailto:jquin...@fiu.edu>


Re:[cas-user] CAS User remains on login page

2015-07-08 Thread Juan Quintanilla
Hi,



So we encountered the issue and I was able to check the http headers, it seems 
to pull the login page and  the images but after credentials are entered and 
the user hits login or enter there are no further http headers recorded.  The 
applications are redirected to the web url which is load balanced on an F5 if 
that helps.  I'm trying to see whether I should be looking towards the CAS 
application 3.6.0 , tomcat 8, or the F5 to see what may be causing some random 
users to experience a dead login page.

Any other suggestions are welcomed.



Thanks!

___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu<mailto:jquin...@fiu.edu>



From: Mailvaganam, Hari 
Sent: Wednesday, July 8, 2015 3:53 AM
To: cas-user@lists.jasig.org
Subject: RE:[cas-user] CAS User remains on login page

Trace the HTTP headers - may have a clue there?

Sample Firefox 
plugin:https://addons.mozilla.org/en-us/firefox/addon/live-http-headers/

From: Juan Quintanilla [jquin...@fiu.edu]
Sent: Tuesday, July 07, 2015 06:53
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS User remains on login page


Hi,



We currently deployed CAS 3.6.0 with backend ldap and oracle Db for ticketing 
and everything seems to be working great, but on occasion we have had some 
users who have gone to a particular site report that when they are redirected 
to the CAS Login page from the client application they are not able to login.  
If they enter bad credentials no error message is displayed and if they enter 
the correct credentials they are redirected back to the CAS login page.



When I check the CAS server logs I do not see any transactions for the user nor 
do I see failed authentication attempts for Ldap, its as if the communication 
is not even reaching the server, the tomcat logs don't report any errors for 
the times when the issue is encountered.  It seems to happen sporadically since 
other users have no problem logging in.  Once the user closers their browser or 
tab and tries again they are able to login.



Just wanted to see if anyone has encountered something similar in their 
environment, I'm thinking it has to be something relating to the networking 
side.


_______
Juan Quintanilla
jquin...@fiu.edu<mailto:jquin...@fiu.edu>



Re:[cas-user] CAS User remains on login page

2015-07-08 Thread Juan Quintanilla
Thanks will try that, the tricky part is trying to reproduce the issue since it
doesn't happen too often and it tends to be an end user who encounters it.


___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu<mailto:jquin...@fiu.edu>



From: Mailvaganam, Hari 
Sent: Wednesday, July 8, 2015 3:53 AM
To: cas-user@lists.jasig.org
Subject: RE:[cas-user] CAS User remains on login page

Trace the HTTP headers - may have a clue there?

Sample Firefox 
plugin:https://addons.mozilla.org/en-us/firefox/addon/live-http-headers/

From: Juan Quintanilla [jquin...@fiu.edu]
Sent: Tuesday, July 07, 2015 06:53
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS User remains on login page


Hi,



We currently deployed CAS 3.6.0 with backend ldap and oracle Db for ticketing 
and everything seems to be working great, but on occasion we have had some 
users who have gone to a particular site report that when they are redirected 
to the CAS Login page from the client application they are not able to login.  
If they enter bad credentials no error message is displayed and if they enter 
the correct credentials they are redirected back to the CAS login page.



When I check the CAS server logs I do not see any transactions for the user nor 
do I see failed authentication attempts for Ldap, its as if the communication 
is not even reaching the server, the tomcat logs don't report any errors for 
the times when the issue is encountered.  It seems to happen sporadically since 
other users have no problem logging in.  Once the user closers their browser or 
tab and tries again they are able to login.



Just wanted to see if anyone has encountered something similar in their 
environment, I'm thinking it has to be something relating to the networking 
side.


_______
Juan Quintanilla
jquin...@fiu.edu<mailto:jquin...@fiu.edu>



[cas-user] CAS User remains on login page

2015-07-07 Thread Juan Quintanilla
Hi,



We currently deployed CAS 3.6.0 with backend ldap and oracle Db for ticketing 
and everything seems to be working great, but on occasion we have had some 
users who have gone to a particular site report that when they are redirected 
to the CAS Login page from the client application they are not able to login.  
If they enter bad credentials no error message is displayed and if they enter 
the correct credentials they are redirected back to the CAS login page.



When I check the CAS server logs I do not see any transactions for the user nor 
do I see failed authentication attempts for Ldap, it's as if the communication 
is not even reaching the server, the tomcat logs don't report any errors for 
the times when the issue is encountered.  It seems to happen sporadically since 
other users have no problem logging in.  Once the user closes their browser or 
tab and tries again they are able to login.



Just wanted to see if anyone has encountered something similar in their 
environment, I'm thinking it has to be something relating to the networking 
side.


___
Juan Quintanilla
jquin...@fiu.edu


[cas-user] Suppress Error Message Display on Login Screen

2015-05-20 Thread Juan Quintanilla

Hi,



We are implementing CAS 3.5.3 and when we configure authentication for LDAP and 
there is a communication error the error message is displayed on the Login 
Screen when a user hits submit after entering their credentials.

Example: org.springframework.dao.DataAccessResourceFailureException: Failed to 
borrow DirContext from pool.; nested exception is 
org.springframework.ldap.CommunicationException





Is there a way to suppress that message or display to the user the CAS 
Unavailable page instead.  On the older version we are running instead of 
displaying the error to the user they are redirected to the CAS Unavailable 
Page.



Thanks



Here is also a snippet of the page source from the html

___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu


Re: [cas-user] Trouble with Auditing Configuration

2015-03-03 Thread Juan Quintanilla
Hi,



Thanks that did the trick I forgot to define the p-namespace.





___
Juan Quintanilla
jquin...@fiu.edu

From: Scott Battaglia 
Sent: Monday, March 2, 2015 9:16 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Trouble with Auditing Configuration

Did you define the p-namespace?
http://docs.spring.io/spring/docs/current/spring-framework-reference/html/beans.html#beans-p-namespace

Cheers,
Scott

On Mon, Mar 2, 2015 at 5:33 PM, Juan Quintanilla <jquin...@fiu.edu> wrote:

Hi,



Trying to configure auditing for CAS 3.5.3 to an oracle database, I configured 
the tables and modified the auditTrailContext.xml file to include the necessary 
lines but when I startup tomcat I encounter the following error:



[/WEB-INF/spring-configuration/auditTrailContext.xml] is invalid; nested 
exception is org.xml.sax.SAXParseException; lineNumber: 164; columnNumber: 110; 
The prefix "p" for attribute "p:dataSource-ref" associated with an element type 
"bean" is not bound.



I verified that I have the dataSource bean defined in my deployer 
configuration, so I just wanted to see if someone has encountered a similar 
error.



 Below is a snippet of the auditTrailContext.xml file:



  



  


  



  

 
   
 

___
Juan Quintanilla
jquin...@fiu.edu
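The "prefix is not bound" failure from this thread can be caught before Tomcat starts by scanning a Spring context file for prefixes that have no `xmlns:` declaration in scope. This is an added example, not code from the thread or from CAS: the function name, the sample XML and the bean class in it are constructed placeholders.

```python
import xml.parsers.expat

# Namespace URI of Spring's p-namespace (property shortcut attributes).
SPRING_P_NS = "http://www.springframework.org/schema/p"


def find_unbound_prefixes(xml_text):
    """Return (line, kind, qualified_name, prefix) for every element or
    attribute whose prefix has no xmlns:<prefix> declaration in scope."""
    findings = []
    scopes = [{"xml"}]  # the 'xml' prefix is bound by definition
    # No namespace_separator: expat keeps raw names such as
    # 'p:dataSource-ref' instead of aborting at the first unbound prefix.
    parser = xml.parsers.expat.ParserCreate()

    def start_element(name, attrs):
        in_scope = set(scopes[-1])
        for attr in attrs:
            if attr.startswith("xmlns:"):
                in_scope.add(attr[len("xmlns:"):])
        scopes.append(in_scope)
        candidates = [("element", name)]
        candidates += [("attribute", a) for a in attrs
                       if a != "xmlns" and not a.startswith("xmlns:")]
        for kind, qname in candidates:
            prefix, colon, _local = qname.partition(":")
            if colon and prefix not in in_scope:
                findings.append((parser.CurrentLineNumber, kind, qname, prefix))

    def end_element(_name):
        scopes.pop()

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.Parse(xml_text, True)
    return findings


# Constructed sample: the bean class is a placeholder, not a real CAS class.
BROKEN_CONTEXT = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="auditTrailManager"
        class="example.audit.PlaceholderJdbcAuditTrailManager"
        p:dataSource-ref="dataSource"/>
</beans>
"""

# Same file with the p-namespace declared on the root element.
FIXED_CONTEXT = BROKEN_CONTEXT.replace(
    'xmlns="http://www.springframework.org/schema/beans"',
    'xmlns="http://www.springframework.org/schema/beans"\n'
    '       xmlns:p="%s"' % SPRING_P_NS,
)

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONTEXT), ("fixed", FIXED_CONTEXT)):
        print(label, find_unbound_prefixes(text))
```
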

[cas-user] Trouble with Auditing Configuration

2015-03-02 Thread Juan Quintanilla
Hi,



Trying to configure auditing for CAS 3.5.3 to an oracle database, I configured 
the tables and modified the auditTrailContext.xml file to include the necessary 
lines but when I startup tomcat I encounter the following error:



[/WEB-INF/spring-configuration/auditTrailContext.xml] is invalid; nested 
exception is org.xml.sax.SAXParseException; lineNumber: 164; columnNumber: 110; 
The prefix "p" for attribute "p:dataSource-ref" associated with an element type 
"bean" is not bound.



I verified that I have the dataSource bean defined in my deployer 
configuration, so I just wanted to see if someone has encountered a similar 
error.



 Below is a snippet of the auditTrailContext.xml file:



  



  


  



  

 
   
 

___
Juan Quintanilla
jquin...@fiu.edu

RE:[cas-user] Question Regarding CAS Theme

2014-03-10 Thread Juan Quintanilla
Just to add, if I specify the logout url directly it displays the custom theme. 
It's just when the user hits the logout button on the client application that it 
displays the default theme instead.







___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

From: Juan Quintanilla 
Sent: Monday, March 10, 2014 2:10 PM
To: cas-user@lists.jasig.org
Subject: [cas-user] Question Regarding CAS Theme


Hi,

We currently have CAS 3.4.7, we have been using custom themes for login page on 
different urls for some time without a problem.  Just recently I realized that 
for some reason the logout page does not show the specified theme for the url 
it will show the default theme.  But when the user logs in they see the custom 
theme.



Any ideas as to why this might happen.

Thanks!



___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

[cas-user] Question Regarding CAS Theme

2014-03-10 Thread Juan Quintanilla
Hi,

We currently have CAS 3.4.7, we have been using custom themes for login page on 
different urls for some time without a problem.  Just recently I realized that 
for some reason the logout page does not show the specified theme for the url 
it will show the default theme.  But when the user logs in they see the custom 
theme.



Any ideas as to why this might happen.

Thanks!



___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

[cas-user] Question regarding url based authentication

2014-02-04 Thread Juan Quintanilla
We wanted to know if anyone has implemented BaseUrlAuthenticationManagerImpl 
or ServiceUrlAuthenticationManagerimpl in order to use a different authentication 
for a registered url? If so is there any documentation on how to implement it?



___
Juan Quintanilla
jquin...@fiu.edu

RE:[cas-user] CAS with Blackboard

2013-11-27 Thread Juan Quintanilla
Thank you for your response, the error that a user would see is CAS 
Unavailable, and when we checked our CAS logs it was because the user could not 
get a connection from the Oracle Database that CAS is using for tickets.

So we have increased our c3p0 connections to avoid this problem but on certain 
occasions we would see this happen again even though prior days there were 
heavier loads and no issue.

It's as if the connections are not released quick enough for the next user.

Thanks!



___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu



From: Biondi, Dan 
Sent: Wednesday, November 27, 2013 11:50 AM
To: cas-user@lists.jasig.org
Cc: Liu, Yuan
Subject: [cas-user] FW: CAS with Blackboard

Hi Juan,

I asked our LMS lead if he was aware of this issue.  See his response below.

Dan Biondi
Portal / LMS / CAS Coordinator
Information Resources and Technology
Sacramento State
o: 916.278.7616

From: Liu, Yuan
Sent: Wednesday, November 27, 2013 8:43 AM
To: Biondi, Dan
Cc: Osburn, Andy G
Subject: RE: CAS with Blackboard

Hi Dan,

There's a known issue with the current Blackboard Learn CAS authentication 
building block - CAS authentication causes an "Unable to create new native 
thread" error after login. This is due to a bug where Java threads are not 
being cleared after users have successfully authenticated, so the CAS B2 needs 
to be updated to the latest version.

If the system is using a self-developed or open source CAS authentication module 
(e.g., CAS Fallback), they might need to open a ticket with Bb Support. More 
detailed information would be helpful to troubleshoot this issue:


1. Version of Blackboard Learn system
2. Application server and database server OS
3. JDK version in application server
4. Memory size
5. Load-balanced environment or not


Also they can generate an Oracle AWR report to find out something from database 
side.

-Yuan

From: Biondi, Dan
Sent: Wednesday, November 27, 2013 8:13 AM
To: Liu, Yuan
Cc: Osburn, Andy G
Subject: FW: CAS with Blackboard

Yuan:

Are you aware of anything helpful that I could pass on?

-db

From: Juan Quintanilla [mailto:jquin...@fiu.edu]
Sent: Monday, November 25, 2013 8:35 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS with Blackboard


Hi,



Wondering if anyone has seen or currently has CAS configured with Blackboard?  
We encountered some instances where all of a sudden the number of Busy DB 
Connections in our C3P0 pool jump up 300 and continue to rise until we get the 
db connection checkout timeout error in our CAS log.

We are thinking that it's because the connection with Blackboard during Ticket 
interaction under heavy traffic is not finishing quick enough and closing the 
DB connection for the next user.  Has anyone had any experience with CAS and 
C3P0 pooling using oracle?  In our situation we are having to increase our DB 
connections to avoid these spikes?



Thanks!
___
Juan Quintanilla
jquin...@fiu.edu

[cas-user] CAS with Blackboard

2013-11-25 Thread Juan Quintanilla
Hi,



Wondering if anyone has seen or currently has CAS configured with Blackboard?  
We encountered some instances where all of a sudden the number of Busy DB 
Connections in our C3P0 pool jump up 300 and continue to rise until we get the 
db connection checkout timeout error in our CAS log.

We are thinking that it's because the connection with Blackboard during Ticket 
interaction under heavy traffic is not finishing quick enough and closing the 
DB connection for the next user.  Has anyone had any experience with CAS and 
C3P0 pooling using oracle?  In our situation we are having to increase our DB 
connections to avoid these spikes?



Thanks!

___
Juan Quintanilla
jquin...@fiu.edu

[cas-user] CAS oracle db connection timeout error

2013-11-20 Thread Juan Quintanilla
Hi,

We have been experiencing some problems with CAS and our oracle DB.  We have 2 
CAS 3.4.7  web servers load balanced with oracle for the ticket registry and 
ldap as the authentication.

The problem we run into is that at certain times we find the following errors 
in the cas log:

ERROR [org.hibernate.util.JDBCExceptionReporter] - 

We have played around with the C3P0 values and have been fine for some time 
but we have encountered the issue once again.

When I checked the # of successful ldap authentications found in the cas log 
the number of successful connections for the time in which the error occurred 
was much lower than the maximum connections setup in the C3P0.  My assumption 
is that it only gives a db session after a successful ldap authentication. So I 
am wondering if the connections used by the C3P0 are not being released in a 
timely manner or released at all. For example issue occurred at 5:55pm there 
were a total of 491 connections between 5:50 and 5:59.

We have the following for our C3P0 settings:

 p:initialPoolSize="350"
  p:minPoolSize="350"
  p:maxPoolSize="400"
  p:maxIdleTimeExcessConnections="7200"
  p:checkoutTimeout="2"
  p:acquireIncrement="5"
  p:acquireRetryAttempts="5"
  p:acquireRetryDelay="10"
  p:idleConnectionTestPeriod="300"
  p:preferredTestQuery="select 1 from dual"

I have been looking into this issue for some time now, so any help would really 
be appreciated. If anyone can relate their experience with CAS and Oracle using 
C3P0


___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

RE: [cas-user] Question regarding CAS and db connections

2013-10-14 Thread Juan Quintanilla
Forgot to include the following:

p:idleConnectionTestPeriod="600"
 p:preferredTestQuery="select 1 from dual" 


I don't believe that we are validating the checkout.
___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu
________
From: Juan Quintanilla
Sent: Monday, October 14, 2013 4:14 PM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] Question regarding CAS and db connections

Hi,

Where would I see this validate on checkout was enabled?

This tends to happen only when we have a high load which is understandable. For 
example for the c3p0 settings we used to have:

  p:initialPoolSize="25"
  p:minPoolSize="25"
  p:maxPoolSize="50"
  p:maxIdleTimeExcessConnections="7200"
  p:checkoutTimeout="14000"
  p:acquireIncrement="5"
  p:acquireRetryAttempts="5"
  p:acquireRetryDelay="10"
  p:idleConnectionTestPeriod="300"



So when we would have a large amount of concurrent users log in at once (over 
25) they would be able to authenticate our ldap but when it would try to 
connect to the oracle database they would be waiting for a connection to the DB 
and eventually reach the checkouttimeout and see CAS Unavailable and in the 
logs we see:

ERROR [org.hibernate.util.JDBCExceptionReporter] - 

Once the extra connections were built to the DB they would be able to login.

It was not so much the checkout it was the time taken to create the new 
connections to the DB.  So we have been adjusting the amount of open 
connections based on the amount of concurrent users we have had.  So my 
question, has anyone else experienced something similar when using oracle and 
the c3p0 connection pooling?



___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

From: Marvin S. Addison 
Sent: Monday, October 14, 2013 3:35 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Question regarding CAS and db connections

> It seems that the time it takes to create the new connections and for
> the old connection to free up is taking longer than the set time of
> 20 seconds for the checkout time limit.

That sounds unusual. Do you have "validate on checkout" or similar
enabled? What's your validation query? Validation is the only reason I
could think of where checkout would take so long.

M




RE: [cas-user] Question regarding CAS and db connections

2013-10-14 Thread Juan Quintanilla
Hi,

Where would I see this validate on checkout was enabled?

This tends to happen only when we have a high load which is understandable. For 
example for the c3p0 settings we used to have:

  p:initialPoolSize="25"
  p:minPoolSize="25"
  p:maxPoolSize="50"
  p:maxIdleTimeExcessConnections="7200"
  p:checkoutTimeout="14000"
  p:acquireIncrement="5"
  p:acquireRetryAttempts="5"
  p:acquireRetryDelay="10"
  p:idleConnectionTestPeriod="300"



So when we would have a large amount of concurrent users log in at once (over 
25) they would be able to authenticate our ldap but when it would try to 
connect to the oracle database they would be waiting for a connection to the DB 
and eventually reach the checkouttimeout and see CAS Unavailable and in the 
logs we see:

ERROR [org.hibernate.util.JDBCExceptionReporter] - 

Once the extra connections were built to the DB they would be able to login.

It was not so much the checkout it was the time taken to create the new 
connections to the DB.  So we have been adjusting the amount of open 
connections based on the amount of concurrent users we have had.  So my 
question, has anyone else experienced something similar when using oracle and 
the c3p0 connection pooling? 



___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

From: Marvin S. Addison 
Sent: Monday, October 14, 2013 3:35 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Question regarding CAS and db connections

> It seems that the time it takes to create the new connections and for
> the old connection to free up is taking longer than the set time of
> 20 seconds for the checkout time limit.

That sounds unusual. Do you have "validate on checkout" or similar
enabled? What's your validation query? Validation is the only reason I
could think of where checkout would take so long.

M




[cas-user] Question regarding CAS and db connections

2013-10-14 Thread Juan Quintanilla
Hi,

We use CAS 3.4.7 along with an oracle database using the c3p0 connection 
pooling.  We have run into the situation where we have had to increase the 
number of minimum connections available to the database to over 100 in order to 
avoid users encountering the checkout timeout limit.  It seems that the time it 
takes to create the new connections and for the old connection to free up is 
taking longer than the set time of 20 seconds for the checkout time limit.  
When the user does reach the time limit they see a CAS unavailable message. So 
we reach certain times where we have more users try to login than the allocated 
connections available.

Since the number of connections can only be set when the environment is brought 
down has anyone found any problems with setting the open database connections 
to a high number and leaving them that way. Has anyone encountered a similar 
situation.

Thanks!
___
Juan Quintanilla
jquin...@fiu.edu
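The pool-sizing question in this thread (a login burst larger than the pool, new connections that are slow to open, and a checkout timeout) can be explored with a small model. This is an added example, not code from the thread or from c3p0: `simulate_burst`, `connect_ms` (time to open one batch of new connections) and `hold_ms` (time a login keeps its connection) are assumptions, and c3p0's real acquisition logic is more involved than this FIFO model.

```python
import heapq


def simulate_burst(burst, initial_pool, max_pool, acquire_increment,
                   checkout_timeout_ms, connect_ms, hold_ms):
    """Simplified model (an assumption, not c3p0's algorithm).

    `burst` logins request a connection at t=0 and are served first come,
    first served. The pool starts with `initial_pool` idle connections and,
    if the burst exceeds that, grows in batches of `acquire_increment` until
    `max_pool`; batch k becomes usable at k * connect_ms. Each served login
    keeps its connection for `hold_ms`. A login whose connection would only
    be ready after `checkout_timeout_ms` counts as a checkout timeout.
    """
    if max_pool < 1 or acquire_increment < 1:
        raise ValueError("max_pool and acquire_increment must be >= 1")

    # One entry per connection: the time (ms) at which it is next free.
    free_at = [0] * min(initial_pool, max_pool)
    size = len(free_at)
    batch = 0
    if burst > size:
        while size < max_pool:
            batch += 1
            grow = min(acquire_increment, max_pool - size)
            free_at.extend([batch * connect_ms] * grow)
            size += grow
    heapq.heapify(free_at)

    served = timed_out = longest_wait = 0
    for _ in range(burst):
        ready = heapq.heappop(free_at)
        if ready > checkout_timeout_ms:
            # Nothing frees up in time: this login sees "CAS Unavailable".
            timed_out += 1
            heapq.heappush(free_at, ready)
            continue
        served += 1
        longest_wait = max(longest_wait, ready)
        heapq.heappush(free_at, ready + hold_ms)
    return {"served": served, "timed_out": timed_out,
            "longest_wait_ms": longest_wait}


# Pool values quoted in the thread (the earlier, smaller configuration).
SMALL_POOL = dict(initial_pool=25, max_pool=50, acquire_increment=5,
                  checkout_timeout_ms=14000)
# Pool sizes from the later configuration in the thread; the timeout is
# kept at 14000 ms here so the two pools are compared like for like.
LARGE_POOL = dict(initial_pool=350, max_pool=400, acquire_increment=5,
                  checkout_timeout_ms=14000)

if __name__ == "__main__":
    # Assumed workload: 100 simultaneous logins, 3 s to open a batch.
    for label, pool, hold in (("small pool, 0.5 s hold", SMALL_POOL, 500),
                              ("small pool, 8 s hold", SMALL_POOL, 8000),
                              ("large pool, 8 s hold", LARGE_POOL, 8000)):
        print(label, simulate_burst(burst=100, connect_ms=3000,
                                    hold_ms=hold, **pool))
```

In this model the small pool only produces timeouts when connections are held for a long time, which is why measuring how long each checkout is held matters as much as the pool size.
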

[cas-user] CAS Implement ServiceUrlAuthenticationManagerimpl

2013-09-20 Thread Juan Quintanilla
Hi,

Wanted to know if anyone has any documentation on using 
ServiceUrlAuthenticationManagerimpl in CAS or has implemented that within their 
environment. We are using CAS 3.4.7 with an Oracle Database for the service 
urls. Our backend authentication is ldap.


Thanks!

___
Juan Quintanilla
jquin...@fiu.edu

[cas-user] Inconsistent Issue with ldap and CAS

2013-09-10 Thread Juan Quintanilla
Hi,

We are using CAS 3.4.7 and we have recently encountered strange behavior with 
logging into CAS.  We encounter a CAS Unavailable page after logging in.  When 
I look at the logs it shows the following:

SEVERE: Servlet.service() for servlet cas threw exception
java.net.ConnectException: Connection refused
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:351)
    at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:213)
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:200)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
    at java.net.Socket.connect(Socket.java:529)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:559)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.<init>(SSLSocketImpl.java:360)
    at com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl.createSocket(SSLSocketFactoryImpl.java:71)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.sun.jndi.ldap.Connection.createSocket(Connection.java:317)
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:187)
    at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:118)
    at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1580)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2652)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
    ...

We are using Ldap for the authentication and we tested connectivity via telnet 
and there is no issue.  We haven't really had any problems with the setup 
before, and the strange thing is that after I try a couple of times I can login 
with no problem.

Has anyone encountered a similar issue?

Thanks!

___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

RE: [cas-user] Question about implementing registerd url based authentication

2013-08-30 Thread Juan Quintanilla
Hi,

The original authentication would be fine.

I understand your thoughts, my preference would be for us to provide an 
attribute to the client which they can then use on their end to grant access to 
their application once the user has passed authentication.

Our supervisors wanted to explore this option, they would like to have a 
separate OU in ldap which contains the users that are allowed to access the 
specific url and then have CAS look at the OU.  We thought of adding an 
additional authentication handler but since CAS checks the authentication 
handlers in order we would run into the issue of duplicate entries in LDAP.

That is why we thought of trying to implement the 
BaseUrlAuthenticationManagerImpl or ServiceUrlAuthenticationManagerimpl to 
avoid running into that issue.



___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu


From: Scott Battaglia 
Sent: Friday, August 30, 2013 9:23 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Question about implementing registerd url based 
authentication

If I am reading your question correctly, that normally doesn't make sense in a 
centralized environment.  What happens when the user comes back to CAS from a 
different service?  Is the original authentication okay or do they need to 
re-authenticate?



On Fri, Aug 30, 2013 at 8:25 AM, Juan Quintanilla <jquin...@fiu.edu> wrote:
Hi,

We currently run CAS sso version 3.4.7 with an oracle database for the 
registered urls and an ldap backend for authentication.  We wanted to know if 
anyone has implemented BaseUrlAuthenticationManagerImpl or 
ServiceUrlAuthenticationManagerimpl in order to use a different authentication 
for a registered url? If so is there any documentation on how to implement it?

Thanks!


_______
Juan Quintanilla
jquin...@fiu.edu

[cas-user] Question about implementing registerd url based authentication

2013-08-30 Thread Juan Quintanilla
Hi,

We currently run CAS sso version 3.4.7 with an oracle database for the 
registered urls and an ldap backend for authentication.  We wanted to know if 
anyone has implemented BaseUrlAuthenticationManagerImpl or 
ServiceUrlAuthenticationManagerimpl in order to use a different authentication 
for a registered url? If so is there any documentation on how to implement it?

Thanks!


___
Juan Quintanilla
jquin...@fiu.edu

RE:[cas-user] CAS Client application not processing Service Ticket

2013-08-15 Thread Juan Quintanilla
Hi,

We increased the service ticket time length to 20 seconds but we still 
encounter the same result.  After passing authentication the user remains with 
a blank page and the url shows the clients url together with the Service ticket.

thanks!

___
Juan Quintanilla
jquin...@fiu.edu


From: Ben Branch 
Sent: Thursday, August 15, 2013 2:11 PM
To: cas-user@lists.jasig.org
Subject: RE:[cas-user] CAS Client application not processing Service Ticket

Juan,

I believe I have seen this before when we were testing a tool to capture the 
XML response from the CAS.  If I recall correctly, when we were stepping the 
program through line by line post authentication, we would receive the same 
error message.  We found that if we waited longer than 15 seconds to validate 
the service ticket, that CAS would come back and say that the ticket was 
invalid.  I spoke with our developer about this and he seemed to recall the 
same thing.  I noticed that you said this seems to be happening with sites 
outside to your University, so there may be some latency in the service 
validation which is causing the service tickets to time out before they are 
validated.  I hope this helps and good luck.

Ben Branch
UNIX/Linux Administrator
University of Central Oklahoma
ITIL Foundation v3, Network+, RHCSA

100 N. University Drive, Box 122
Edmond, OK 73034
D: 405.974.2649 | M: 405.550.6804 | bbranch@uco.edu | www.uco.edu

“I am wiser than this man, for neither of us appears to know anything great and 
good; but he fancies he knows something, although he knows nothing; whereas I, 
as I do not know anything, so I do not fancy I do. In this trifling particular, 
then, I appear to be wiser than he, because I do not fancy I know what I do not 
know.”  - Socrates

From: Juan Quintanilla [mailto:jquin...@fiu.edu]
Sent: Thursday, August 15, 2013 10:25 AM
To: cas-user@lists.jasig.org
Subject: RE:[cas-user] CAS Client application not processing Service Ticket

Hi,

Wanted to add that this seems to be happening more with sites that are not 
internal to our University.

_______
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

________
From: Juan Quintanilla
Sent: Wednesday, August 14, 2013 2:51 PM
To: cas-user@lists.jasig.org
Subject: CAS Client application not processing Service Ticket

Hi,

We are running CAS SSO 3.4.7 and we have several client applications that are 
using our SSO system without a problem. Recently we encountered a problem with 
2 Applications where after the user has authenticated they receive a blank page 
and the URL just shows the client application url along with the Service Ticket.

One application shows the following message:





   ticket 
'ST-118496-HYwZKjo0zLJ1zEZE1by0-fiusso3.fiu.edu<http://ST-118496-HYwZKjo0zLJ1zEZE1by0-fiusso3.fiu.edu>'
 not recognized





When I set the CAS Server in debug mode I don't see any logs that show it 
attempting to validate the Service Ticket.  When I use CAS to authenticate into 
an application that is
working I see the transactions and the Service Ticket being validated and I 
gain access to the application.

Below are some of the logs, any assistance or suggestions would be greatly 
appreciated.


CAS Client that is not working

2013-08-13 11:17:41,539 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 

2013-08-13 11:17:41,682 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 
2013-08-13 11:17:41,683 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 
2013-08-13 11:17:41,696 TRACE [org.jasig.cas.ticket.registry.JpaTicketRegistry] 
- 
2013-08-13 11:17:41,727 TRACE [org.jasig.cas.ticket.registry.JpaTicketRegistry] 
- 
2013-08-13 11:17:41,757 TRACE [org.jasig.cas.ticket.registry.JpaTicketRegistry] 
- 
2013-08-13 11:17:41,757 TRACE [org.jasig.cas.ticket.registry.JpaTicketRegistry] 
- 
2013-08-13 11:17:41,769 TRACE 
[org.jasig.cas.ticket.registry.AbstractDistributedTicketRegistry$TicketGrantingTicketDelegator]
 - 
2013-08-13 11:17:41,769 TRACE 
[org.jasig.cas.ticket.registry.AbstractDistributedTicketRegistry$TicketGrantingTicketDelegator]
 - 
2013-08-13 11:17:41,769 TRACE [org.jasig.cas.ticket.registry.JpaTicketRegistry] 
- 
2013-08-13 11:17:41,769 TRACE 
[org.jasig.cas.ticket.registry.AbstractDistributedTicketRegistry$TicketGrantingTicketDelegator]
 - 
2013-08-13 11:17:41,770 TRACE 
[org.jasig.cas.ticket.registry.AbstractDistributedTicketRegistry$TicketGrantingTicketDelegator]
 - 
2013-08-13 11:17:41,770 TRACE [org.jasig.cas.ticket.registry.JpaTicketRegistry] 
- 
2013-08-13 11:17:41,770 TRACE 
[org.jasig.cas.ticket.registry.AbstractDistributedTicketRegistry$TicketGrantin

RE:[cas-user] CAS Client application not processing Service Ticket

2013-08-15 Thread Juan Quintanilla
Hi,

Thanks, currently our service ticket timeout is 15 seconds; I will try changing 
it to see if that helps.

___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu<mailto:jquin...@fiu.edu>


From: Ben Branch 
Sent: Thursday, August 15, 2013 2:11 PM
To: cas-user@lists.jasig.org
Subject: RE:[cas-user] CAS Client application not processing Service Ticket

Juan,

I believe I have seen this before when we were testing a tool to capture the 
XML response from the CAS.  If I recall correctly, when we were stepping the 
program through line by line post authentication, we would receive the same 
error message.  We found that if we waited longer than 15 seconds to validate 
the service ticket, that CAS would come back and say that the ticket was 
invalid.  I spoke with our developer about this and he seemed to recall the 
same thing.  I noticed that you said this seems to be happening with sites 
outside of your University, so there may be some latency in the service 
validation which is causing the service tickets to time out before they are 
validated.  I hope this helps and good luck.

Ben Branch
UNIX/Linux Administrator
University of Central Oklahoma
ITIL Foundation v3, Network+, RHCSA

100 N. University Drive, Box 122
Edmond, OK 73034
D: 405.974.2649 | M: 405.550.6804 | bbranch@uco.edu | www.uco.edu

“I am wiser than this man, for neither of us appears to know anything great and 
good; but he fancies he knows something, although he knows nothing; whereas I, 
as I do not know anything, so I do not fancy I do. In this trifling particular, 
then, I appear to be wiser than he, because I do not fancy I know what I do not 
know.”  - Socrates


RE:[cas-user] CAS Client application not processing Service Ticket

2013-08-15 Thread Juan Quintanilla
Hi,

Wanted to add that this seems to be happening more with sites that are not 
internal to our University.

___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu<mailto:jquin...@fiu.edu>


From: Juan Quintanilla
Sent: Wednesday, August 14, 2013 2:51 PM
To: cas-user@lists.jasig.org
Subject: CAS Client application not processing Service Ticket

Hi,

We are running CAS SSO 3.4.7 and we have several client applications that are 
using our SSO system without a problem. Recently we encountered a problem with 
2 applications where, after the user has authenticated, they receive a blank page 
and the URL just shows the client application URL along with the Service Ticket.

One application shows the following message:






   ticket 'ST-118496-HYwZKjo0zLJ1zEZE1by0-fiusso3.fiu.edu' not recognized





When I set the CAS Server in debug mode I don't see any logs that show it 
attempting to validate the Service Ticket.  When I use CAS to authenticate into 
an application that is
working I see the transactions and the Service Ticket being validated and I 
gain access to the application.

Below are some of the logs, any assistance or suggestions would be greatly 
appreciated.


CAS Client that is not working

2013-08-13 11:17:41,539 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 

2013-08-13 11:17:41,682 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 
2013-08-13 11:17:41,683 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 
2013-08-13 11:17:41,696 TRACE [org.jasig.cas.ticket.registry.JpaTicketRegistry] 
- 
2013-08-13 11:17:41,727 TRACE [org.jasig.cas.ticket.registry.JpaTicketRegistry] 
- 
2013-08-13 11:17:41,757 TRACE [org.jasig.cas.ticket.registry.JpaTicketRegistry] 
- 
2013-08-13 11:17:41,757 TRACE [org.jasig.cas.ticket.registry.JpaTicketRegistry] 
- 
2013-08-13 11:17:41,769 TRACE 
[org.jasig.cas.ticket.registry.AbstractDistributedTicketRegistry$TicketGrantingTicketDelegator]
 - 
2013-08-13 11:17:41,769 TRACE 
[org.jasig.cas.ticket.registry.AbstractDistributedTicketRegistry$TicketGrantingTicketDelegator]
 - 
2013-08-13 11:17:41,769 TRACE [org.jasig.cas.ticket.registry.JpaTicketRegistry] 
- 
2013-08-13 11:17:41,769 TRACE 
[org.jasig.cas.ticket.registry.AbstractDistributedTicketRegistry$TicketGrantingTicketDelegator]
 - 
2013-08-13 11:17:41,770 TRACE 
[org.jasig.cas.ticket.registry.AbstractDistributedTicketRegistry$TicketGrantingTicketDelegator]
 - 
2013-08-13 11:17:41,770 TRACE [org.jasig.cas.ticket.registry.JpaTicketRegistry] 
- 
2013-08-13 11:17:41,770 TRACE 
[org.jasig.cas.ticket.registry.AbstractDistributedTicketRegistry$TicketGrantingTicketDelegator]
 - 
2013-08-13 11:17:41,770 TRACE 
[org.jasig.cas.ticket.registry.AbstractDistributedTicketRegistry$TicketGrantingTicketDelegator]
 - 
2013-08-13 11:17:41,777 TRACE 
[org.jasig.cas.ticket.registry.AbstractDistributedTicketRegistry$TicketGrantingTicketDelegator]
 - https://sedonaweb.com/public/cas/FIU/, 
org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy@73d74138, 
false]]>
2013-08-13 11:17:41,780 TRACE 
[org.jasig.cas.ticket.registry.AbstractDistributedTicketRegistry$TicketGrantingTicketDelegator]
 - 
2013-08-13 11:17:41,780 TRACE [org.jasig.cas.ticket.registry.JpaTicketRegistry] 
- 
2013-08-13 11:17:41,783 TRACE [org.jasig.cas.ticket.registry.JpaTicketRegistry] 
- 
2013-08-13 11:17:41,783 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - 
https://sedonaweb.com/public/cas/FIU/] for user [taccount5]>
2013-08-13 11:17:41,784 TRACE [org.jasig.cas.ticket.registry.JpaTicketRegistry] 
- 
2013-08-13 11:17:41,784 TRACE 
[org.jasig.cas.ticket.registry.AbstractDistributedTicketRegistry$TicketGrantingTicketDelegator]
 - 
2013-08-13 11:17:41,784 TRACE 
[org.jasig.cas.ticket.registry.AbstractDistributedTicketRegistry$TicketGrantingTicketDelegator]
 - 
2013-08-13 11:17:41,784 TRACE [org.jasig.cas.ticket.registry.JpaTicketRegistry] 
- 
2013-08-13 11:17:41,784 TRACE 
[org.jasig.cas.ticket.registry.AbstractDistributedTicketRegistry$TicketGrantingTicketDelegator]
 - 
2013-08-13 11:17:41,784 TRACE 
[org.jasig.cas.ticket.registry.AbstractDistributedTicketRegistry$TicketGrantingTicketDelegator]
 - 
2013-08-13 11:17:45,430 INFO 
[org.jasig.cas.services.DefaultServicesManagerImpl] - 
2013-08-13 11:17:45,563 INFO 
[org.jasig.cas.services.DefaultServicesManagerImpl] - 



=
=
Working Local CAS Client


2013-08-13 11:22:34,752 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 
2013-08-13 11:22:34,752 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl]

[cas-user] CAS Client application not processing Service Ticket

2013-08-14 Thread Juan Quintanilla
g.cas.ticket.registry.JpaTicketRegistry] 
- 
2013-08-13 11:22:35,148 DEBUG [org.jasig.cas.ticket.registry.JpaTicketRegistry] 
- ST-2-ogVTw7mxJ41usw5Uo9sM-fiussodev.fiu.edu< created: Tue 
Aug 13 11:22:34 EDT 2013>
2013-08-13 11:22:35,152 TRACE [org.jasig.cas.ticket.registry.JpaTicketRegistry] 
- 
2013-08-13 11:22:35,153 TRACE [org.jasig.cas.ticket.registry.JpaTicketRegistry] 
- 
2013-08-13 11:22:35,153 TRACE [org.jasig.cas.ticket.registry.JpaTicketRegistry] 
- 
2013-08-13 11:22:35,176 DEBUG [org.jasig.cas.web.ServiceValidateController] - 




___
Juan Quintanilla
jquin...@fiu.edu<mailto:jquin...@fiu.edu>

-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
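
The check suggested in the thread above (was the service ticket presented for validation inside its 15-second lifetime, or at all?), as an added example that is not part of the original messages. The log lines are constructed, the message wording and the two logger names treated as validation activity are assumptions modeled on the fragments quoted in the thread, and `classify_tickets` is a hypothetical helper name.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, not taken from the thread. The message wording is an
# assumption modeled on the fragments quoted above; adapt the patterns to the
# lines your own cas.log actually contains.
SAMPLE_LOG = """\
2013-08-13 11:17:41,783 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-1-aaaa-sso.example.edu] for service [https://remote.example.com/cas/] for user [user1]>
2013-08-13 11:22:34,900 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-2-bbbb-sso.example.edu] for service [https://local.example.edu/app] for user [user1]>
2013-08-13 11:22:35,176 DEBUG [org.jasig.cas.web.ServiceValidateController] - <Successfully validated service ticket: ST-2-bbbb-sso.example.edu>
2013-08-13 11:30:00,000 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-3-cccc-sso.example.edu] for service [https://slow.example.org/login] for user [user2]>
2013-08-13 11:30:21,500 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceTicket [ST-3-cccc-sso.example.edu] has expired.>
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S,%f"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (\w+)\s+\[([^\]]+)\] - <?(.*?)>?$"
)
GRANT_RE = re.compile(
    r"Granted service ticket \[(ST-[^\]]+)\] for service \[([^\]]+)\] for user \[([^\]]+)\]"
)
TICKET_RE = re.compile(r"ST-[A-Za-z0-9.\-]+")

# Loggers whose non-grant lines count as "the client came back with the
# ticket". This choice is an assumption; widen or narrow it for your setup.
VALIDATION_LOGGERS = (
    "org.jasig.cas.web.ServiceValidateController",
    "org.jasig.cas.CentralAuthenticationServiceImpl",
)


def classify_tickets(log_text, window_seconds=15):
    """Pair each granted service ticket with the first later log line that
    shows the client presenting it, and compare the delay with the window."""
    window = timedelta(seconds=window_seconds)
    granted = {}        # ticket id -> (issue time, service, user)
    first_return = {}   # ticket id -> time the ticket was first presented

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped or unrelated line
        stamp = datetime.strptime(m.group(1), TS_FORMAT)
        logger, message = m.group(3), m.group(4)

        grant = GRANT_RE.search(message)
        if grant:
            granted[grant.group(1)] = (stamp, grant.group(2), grant.group(3))
            continue
        if logger in VALIDATION_LOGGERS:
            for ticket in TICKET_RE.findall(message):
                first_return.setdefault(ticket.rstrip("."), stamp)

    report = []
    for ticket, (issued, service, user) in granted.items():
        seen = first_return.get(ticket)
        if seen is None:
            status, delay = "never-returned", None
        else:
            delay = (seen - issued).total_seconds()
            status = ("returned-in-window" if seen - issued <= window
                      else "returned-after-expiry")
        report.append({"ticket": ticket, "service": service, "user": user,
                       "status": status, "delay_seconds": delay})
    return report


if __name__ == "__main__":
    for row in classify_tickets(SAMPLE_LOG):
        print(row["status"], row["delay_seconds"], row["service"])
```

A `never-returned` ticket means the validation request did not show up in this CAS node's log at all, which is a different problem from a request that arrives after the expiry window.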

[cas-user] Strange Error in CAS Logs

2013-06-21 Thread Juan Quintanilla
Hi,

We are running CAS 3.4.7 with an Oracle Database and for the past couple of 
days we have encountered the error below for about 2 minutes or so and then it 
goes away. Users are then unable to log in during that time. I wanted to know if 
anyone would have any suggestions on the error.  It seems to me that during 
that time the connections are exhausted and can no longer connect.

Below is the error along with the C3P0 settings:

<bean id="dataSource"
  class="com.mchange.v2.c3p0.ComboPooledDataSource"
  p:driverClass="oracle.jdbc.driver.OracleDriver"
  p:jdbcUrl="xxx"
  p:user="xxx"
  p:password=""
  p:initialPoolSize="25"
  p:minPoolSize="0"
  p:maxPoolSize="50"
  p:maxIdleTimeExcessConnections="1800"
  p:checkoutTimeout="900"
  p:acquireIncrement="5"
  p:acquireRetryAttempts="5"
  p:acquireRetryDelay="10"
  p:idleConnectionTestPeriod="300"
  p:preferredTestQuery="select 1 from dual" />

2013-06-21 09:20:08,529 INFO 
[org.jasig.cas.services.DefaultServicesManagerImpl] - 
2013-06-21 09:20:08,529 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - 
https://fiu.blackboard.com/webapps/bb-auth-provider-cas-BBLEARN/execute/casLogin?cmd=login&authProviderId=_102_1&redirectUrl=https%3A%2F%2Ffiu.blackboard.com%2Fwebapps%2Fportal%2Fframeset.jsp]
 for user [eharr006]>
2013-06-21 09:20:09,418 ERROR [org.hibernate.util.JDBCExceptionReporter] - 
2013-06-21 09:20:09,422 ERROR [org.hibernate.util.JDBCExceptionReporter] - 
Exception in thread "pool-3-thread-166" 
org.springframework.transaction.CannotCreateTransactionException: Could not 
open JDBC Connection for transaction; nested exception is 
java.sql.SQLException: An attempt by a client to checkout a Connection has 
timed out.
at 
org.springframework.jdbc.datasource.DataSourceTransactionManager.doBegin(DataSourceTransactionManager.java:240)
at 
org.springframework.transaction.support.AbstractPlatformTransactionManager.getTransaction(AbstractPlatformTransactionManager.java:371)
at 
org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:127)
at 
com.github.inspektr.audit.support.JdbcAuditTrailManager$LoggingTask.run(JdbcAuditTrailManager.java:142)
at 
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)
Caused by: java.sql.SQLException: An attempt by a client to checkout a 
Connection has timed out.
at com.mchange.v2.sql.SqlUtils.toSQLException(SqlUtils.java:106)
at com.mchange.v2.sql.SqlUtils.toSQLException(SqlUtils.java:65)
at 
com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutPooledConnection(C3P0PooledConnectionPool.java:527)
at 
com.mchange.v2.c3p0.impl.AbstractPoolBackedDataSource.getConnection(AbstractPoolBackedDataSource.java:128)
at 
org.springframework.jdbc.datasource.DataSourceTransactionManager.doBegin(DataSourceTransactionManager.java:202)
... 6 more
Caused by: com.mchange.v2.resourcepool.TimeoutException: A client timed out 
while waiting to acquire a resource from 
com.mchange.v2.resourcepool.BasicResourcePool@6e3404f -- timeout at 
awaitAvailable()
at 
com.mchange.v2.resourcepool.BasicResourcePool.awaitAvailable(BasicResourcePool.java:1317)
at 
com.mchange.v2.resourcepool.BasicResourcePool.prelimCheckoutResource(BasicResourcePool.java:557)
at 
com.mchange.v2.resourcepool.BasicResourcePool.checkoutResource(BasicResourcePool.java:477)
at 
com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutPooledConnection(C3P0PooledConnectionPool.java:525)
    ... 8 more
2013-06-21 09:20:09,430 ERROR [org.hibernate.util.JDBCExceptionReporter] - 
2013-06-21 09:20:09,430 ERROR [org.quartz.core.JobRunShell] - 


___
Juan Quintanilla
305-348-6573
jquin...@fiu.edu<mailto:jquin...@fiu.edu>


[cas-user] JPAticketregistry Deadlock

2012-08-20 Thread Juan Quintanilla
Hi,

I've begun seeing some errors in our CAS logs regarding a Deadlock, after 
checking the Oracle trace logs we see the following error:


Information for THIS session:

- Current SQL Statement for this session (sql_id=77uxha5hm28qu) -
delete from TICKETGRANTINGTICKET where ID=:1

Running CAS 3.4.7 with Oracle 11G.

The error seems very similar to the issue mentioned in the following link

https://issues.jasig.org/browse/CAS-782?focusedCommentId=20699&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-20699

In the above link Marvin mentioned it could have been caused by unindexed 
foreign keys.  By chance has anyone encountered this problem and how could this 
be fixed?

Thanks!
_______
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu<mailto:jquin...@fiu.edu>


[cas-user] Integrating CAS and Salesforce

2012-06-06 Thread Juan Quintanilla
Hi,

In attempting to configure CAS with Salesforce the following 2 options are 
available for configuration:

Delegated authentication is a single sign-on method that uses a Web service 
call sent from salesforce.com to an endpoint.
Federated authentication is a single sign-on method that uses SAML 
assertions sent to a salesforce.com endpoint.

Has anyone been able to configure CAS with the second option "Federated 
authentication" or can CAS only be configured using the Delegated authentication?

The only message that it mentions when using Federated is that my saml response 
must be bearer and not artifact.


Thanks!
___
Juan Quintanilla
305-348-6573
jquin...@fiu.edu





RE: [cas-user] CAS Ldap search return 0 results

2012-05-23 Thread Juan Quintanilla
Thank you, after checking the logs on the ldap server we discovered that some 
process was taking out these users from ldap and that is why CAS was saying it 
could not find them.  We have fixed that issue and have not had any more users 
report a problem.

Thanks!
___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

From: Michael Ströder [mich...@stroeder.com]
Sent: Wednesday, May 23, 2012 4:46 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS Ldap search return 0 results

Marvin S. Addison wrote:
> The logs produced by OpenLDAP, for example, are very helpful in
> providing insight into problems like these.

Especially 'nentries' reports the number of results found for a particular
search. Should be nentries=1 for successful logins.

You should see a line SRCH with filter similar to (uid=joesmit) and then watch
out for line SEARCH RESULT with same 'conn' number.

Ciao, Michael.


-- 
You are currently subscribed to cas-user@lists.jasig.org as: 
arch...@mail-archive.com
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
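
The log check described in the message above, as an added example that is not part of the original thread: it pairs each SRCH line with the SEARCH RESULT line carrying the same `conn` and `op` numbers and reports `nentries` per filter, together with the DN the connection was bound as. The sample lines are constructed in OpenLDAP slapd log style; the function names are hypothetical, and other directory servers word their result lines differently, so the patterns are assumptions to adapt.

```python
import re

# Constructed sample in OpenLDAP slapd log style; host names, DNs and
# connection numbers are made up for the example.
SAMPLE_SLAPD_LOG = """\
May 20 13:09:31 ldap1 slapd[2211]: conn=1041 op=0 BIND dn="cn=cas-service,ou=system,dc=example,dc=edu" method=128
May 20 13:09:31 ldap1 slapd[2211]: conn=1041 op=0 RESULT tag=97 err=0 text=
May 20 13:09:31 ldap1 slapd[2211]: conn=1041 op=1 SRCH base="ou=cas_sso,dc=example,dc=edu" scope=2 deref=3 filter="(uid=joesmit)"
May 20 13:09:31 ldap1 slapd[2211]: conn=1042 op=1 SRCH base="ou=cas_sso,dc=example,dc=edu" scope=2 deref=3 filter="(uid=bbsmith)"
May 20 13:09:31 ldap1 slapd[2211]: conn=1041 op=1 SRCH attr=1.1
May 20 13:09:31 ldap1 slapd[2211]: conn=1042 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
May 20 13:09:31 ldap1 slapd[2211]: conn=1041 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
May 20 13:09:32 ldap1 slapd[2211]: conn=1043 op=1 SRCH base="ou=cas_sso,dc=example,dc=edu" scope=2 deref=3 filter="(uid=jdoe)"
"""

OP_RE = re.compile(r"conn=(\d+) op=(\d+) (.*)$")
DN_RE = re.compile(r'dn="([^"]*)"')
BASE_RE = re.compile(r'base="([^"]*)"')
FILTER_RE = re.compile(r'filter="(.*)"')
RESULT_RE = re.compile(r"err=(\d+) nentries=(\d+)")


def correlate_searches(log_text):
    """Return one record per search, joined to its result by (conn, op).

    Lines from different connections interleave in a busy log, so the join
    key is the pair of numbers, never the line order.
    """
    bind_dn = {}    # conn -> DN the connection last bound as
    searches = {}   # (conn, op) -> record, in order of first appearance

    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        conn, op, rest = int(m.group(1)), int(m.group(2)), m.group(3)

        if rest.startswith("BIND "):
            dn = DN_RE.search(rest)
            if dn:
                bind_dn[conn] = dn.group(1)
        elif rest.startswith("SRCH "):
            flt = FILTER_RE.search(rest)
            if flt is None:
                continue  # "SRCH attr=..." continuation line, no filter
            base = BASE_RE.search(rest)
            searches[(conn, op)] = {
                "conn": conn,
                "op": op,
                "bind_dn": bind_dn.get(conn),  # None: no bind seen in this log
                "base": base.group(1) if base else None,
                "filter": flt.group(1),
                "err": None,
                "nentries": None,              # None: no result line found
            }
        elif rest.startswith("SEARCH RESULT "):
            res = RESULT_RE.search(rest)
            rec = searches.get((conn, op))
            if res and rec is not None:
                rec["err"] = int(res.group(1))
                rec["nentries"] = int(res.group(2))

    return list(searches.values())


def zero_result_searches(records):
    """Searches that completed and matched nothing (nentries=0)."""
    return [r for r in records if r["nentries"] == 0]


if __name__ == "__main__":
    for rec in correlate_searches(SAMPLE_SLAPD_LOG):
        print(rec["conn"], rec["op"], rec["filter"], rec["nentries"], rec["bind_dn"])
```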



RE: [cas-user] CAS Ldap search return 0 results

2012-05-21 Thread Juan Quintanilla
Hi,

The directory service is Redhat directory service 8.2 based on the same code as 
netscape/iplanet
___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

From: Marvin S. Addison [marvin.addi...@gmail.com]
Sent: Monday, May 21, 2012 1:55 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS Ldap search return 0 results

> Do you mean the directories on ldap?

No, I meant directory server software, e.g. OpenSSL, Active Directory, etc.

M




RE: [cas-user] CAS Ldap search return 0 results

2012-05-21 Thread Juan Quintanilla
Hi,

Do you mean the directories on ldap?

If that is the case we have an OU called ou=cas_sso in which there are sub OU 
or directories for staff, student, etc.  The directory where we have seen these 
users fail to return results is uid=joesmit,ou=cas_sso,ou=staff
___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

From: Marvin S. Addison [marvin.addi...@gmail.com]
Sent: Monday, May 21, 2012 1:41 PM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS Ldap search return 0 results

> 2012-05-20 13:09:31,486 DEBUG
> [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - for uid=joesmit returned 0 results.

It would be very odd for a search to return one result yesterday and
another today.  What directory is this?

> I will speak with the ldap administrator
> to see we can find anything in the logs.

Sounds good.  The logs produced by OpenLDAP, for example, are very
helpful in providing insight into problems like these.

> It's rather strange because
> this is only happening to a handful of users not everyone.

Sounds like a data or configuration problem in your directory.

M




RE: [cas-user] CAS Ldap search return 0 results

2012-05-21 Thread Juan Quintanilla
Hi,


Thank you Marvin for that information.  I have enabled that on the log4j.xml 
file and see a little more information, but at least on CAS side it is not 
enough information to let me know why the user is failing those ldap searches.  
We had one user who exists in ldap and was able to login Saturday.  The user 
then attempted to login on Sunday and was not able to. When I check the log it 
just shows me the following during 6 failed attempts:

2012-05-20 13:09:31,486 DEBUG 
[org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - 
2012-05-20 13:09:31,486 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 



Then today the user was able to login fine.  Typically if it was a bad password 
the search would return a result in the BindLdapAuthenticationHandler but would 
fail on the AuthenticationManagerImpl. I will speak with the ldap administrator 
to see if we can find anything in the logs.  It's rather strange because this is 
only happening to a handful of users not everyone.  

Any input on the problem would be appreciated.

Thanks!
___
Juan Quintanilla
305-348-6573
jquin...@fiu.edu

From: Marvin S. Addison [marvin.addi...@gmail.com]
Sent: Monday, May 21, 2012 9:54 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS Ldap search return 0 results

> What logger name can I set to debug the ldap connections or at least
> see why it might be failing when trying to search for these
> particular users?

org.jasig.cas.adaptors.ldap=DEBUG

M




RE: [cas-user] CAS Ldap search return 0 results

2012-05-21 Thread Juan Quintanilla
Hi,

Thanks for that.
I have another question regarding the auditTrailContext.xml file. Currently we 
have that logging information to an Oracle database. In order to disable that 
would it be a matter of just commenting out the following information from the 
auditTrailContext.xml?  Or can I just move the file out of that directory and 
into unused-spring-configuration?

Would this then redirect the output to one of the logs like cas.log or 
catalina.out files or disable it completely if moved out of the directory?











  

  

  


  



___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

From: Marvin S. Addison [marvin.addi...@gmail.com]
Sent: Monday, May 21, 2012 9:54 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS Ldap search return 0 results

> What logger name can I set to debug the ldap connections or at least
> see why it might be failing when trying to search for these
> particular users?

org.jasig.cas.adaptors.ldap=DEBUG

M


RE: [cas-user] CAS Ldap search return 0 results

2012-05-18 Thread Juan Quintanilla
Hi,

The admin checked the ldap server logs and couldn't find anything and we tested 
the filter on the server for the user and we were able to obtain results.

What logger name can I set to debug the ldap connections or at least see why it 
might be failing when trying to search for these particular users?

Thanks! 
___
Juan Quintanilla
305-348-6573
jquin...@fiu.edu

From: Michael Ströder [mich...@stroeder.com]
Sent: Friday, May 18, 2012 12:18 PM
To: cas-user@lists.jasig.org
Cc: Juan Quintanilla
Subject: Re: [cas-user] CAS Ldap search return 0 results

Juan Quintanilla wrote:
> We have CAS using ldap for the backend authentication, we ran into the issue
> where for some users when they attempt to login through CAS the log shows that
>
> [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - Search for
> uid=bbsmith returned 0 results.
>
> But the user bob exists in the ldap OU. The user would attempt to login again 
> and I would see the
> same entry in the logs.  Then after some time I would see that the user was 
> able to login.  According
> to the user they are entering their correct password.
>
> This does not happen to every user it is just a handful, has anybody run into
> a similar issue before.

I'd examine the LDAP server logs and test whether the filter used for finding
the problematic user returns some results - especially when searching as the
CAS service user.

Ciao, Michael.





[cas-user] CAS Ldap search return 0 results

2012-05-18 Thread Juan Quintanilla
Hi,

We have CAS using ldap for the backend authentication, we ran into the issue 
where for some users when they attempt to login through CAS the log shows that

[org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - Search for
uid=bbsmith returned 0 results.

But the user bob exists in the ldap OU. The user would attempt to login again 
and I would see the
same entry in the logs.  Then after some time I would see that the user was 
able to login.  According
to the user they are entering their correct password.

This does not happen to every user it is just a handful, has anybody run into
a similar issue before.


Thanks!



___
Juan Quintanilla
305-348-6573
jquin...@fiu.edu<mailto:jquin...@fiu.edu>


[cas-user] Integrating CAS and Salesforce

2012-05-17 Thread Juan Quintanilla
Hi,

Thanks for the assistance I was able to obtain the saml assertion from CAS.  
Now my question is, in attempting to configure CAS with Salesforce the 
following 2 options are available for configuration:

Delegated authentication is a single sign-on method that uses a Web service 
call sent from salesforce.com to an endpoint.
Federated authentication is a single sign-on method that uses SAML 
assertions sent to a salesforce.com endpoint.

Has anyone been able to configure CAS with the second option "Federated 
authentication" or can CAS only be configured using the Delegated authentication?

When I configured it with the second option after logging in through CAS I am 
just redirected to the Salesforce login.

Thanks!
___
Juan Quintanilla
305-348-6573
jquin...@fiu.edu
____
From: Juan Quintanilla
Sent: Tuesday, May 15, 2012 4:01 PM
To: cas-user@lists.jasig.org
Subject: Integrating CAS and Salesforce

Hi,

In the configuration for salesforce it requests a saml assertion which it then 
validates to make sure it meets its requirements. Is there a way to generate a 
saml 1.1 assertion response from CAS for a particular service in this case 
being salesforce.

Thanks!


___
Juan Quintanilla
305-348-6573
jquin...@fiu.edu

From: Marvin S. Addison [marvin.addi...@gmail.com]
Sent: Friday, April 27, 2012 9:20 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Integrating CAS and Salesforce

> Has anybody integrated CAS with Salesforce?

I know it's been done; in fact I recall we made some changes at one
point to specifically support it.  Can you post some logs so we have
some more information to pinpoint the problem?

M




[cas-user] Integrating CAS and Salesforce

2012-05-15 Thread Juan Quintanilla
Hi,

In the configuration for salesforce it requests a saml assertion which it then 
validates to make sure it meets its requirements. Is there a way to generate a 
saml 1.1 assertion response from CAS for a particular service in this case 
being salesforce.

Thanks!


___
Juan Quintanilla
305-348-6573
jquin...@fiu.edu

From: Marvin S. Addison [marvin.addi...@gmail.com]
Sent: Friday, April 27, 2012 9:20 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Integrating CAS and Salesforce

> Has anybody integrated CAS with Salesforce?

I know it's been done; in fact I recall we made some changes at one
point to specifically support it.  Can you post some logs so we have
some more information to pinpoint the problem?

M




RE: [cas-user] Integrating CAS and Salesforce

2012-05-01 Thread Juan Quintanilla
There really aren't any logs according to the user who is having the problem.  
They mentioned that when they hit the login for salesforce they get a blank 
page.  
According to the users there are 2 options for configuring CAS to salesforce.  

1. Is using the Delegated authentication.
2. Federated single sign-on using SAML 1.1

They were attempting to configure it using the second option. In the 
configuration for Salesforce, it requests a SAML assertion, which it then 
validates to make sure it meets its requirements. Is there a way to generate a 
SAML 1.1 assertion response from CAS for a particular service?

Here is the configuration they used for the second option:

SAML USER ID TYPE: Username
SAML USER ID Location: Attribute
Attribute Name: Email
Attribute URI: urn:oasis:names

Thanks!


___
Juan Quintanilla
305-348-6573
jquin...@fiu.edu

From: Marvin S. Addison [marvin.addi...@gmail.com]
Sent: Friday, April 27, 2012 9:20 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Integrating CAS and Salesforce

> Has anybody integrated CAS with Salesforce?

I know it's been done; in fact I recall we made some changes at one
point to specifically support it.  Can you post some logs so we have
some more information to pinpoint the problem?

M




[cas-user] Integrating CAS and Salesforce

2012-04-26 Thread Juan Quintanilla
Hi,

Has anybody integrated CAS with Salesforce?  One of our users was trying to 
configure this and runs into the issue where it requests bearer method and CAS 
presents artifact.

Any help would be very much appreciated.

Thanks!

___
Juan Quintanilla
jquin...@fiu.edu<mailto:jquin...@fiu.edu>


[cas-user] Question Regarding Auditing and Statistics Via Inspektr

2012-03-29 Thread Juan Quintanilla
Hi,

Our environment consists of CAS 3.4.7 using an Oracle database and LDAP 
authentication. I had a question regarding the Automatic Audit cleaning 
snippet: when exactly does it start removing the entries from the 
com_audit_trail?  We are trying to clean up the com_audit_trail table using 
this, but have not seen much change.  Are there other alternatives for cleaning 
up this table?



___
Juan Quintanilla
305-348-6573
jquin...@fiu.edu<mailto:jquin...@fiu.edu>


[cas-user] Cas Service and Granting Ticket Table

2012-01-15 Thread Juan Quintanilla
Hi,

I saw there was a previous post about some issues with the following error:
java.lang.ClassCastException: oracle.sql.TIMESTAMP cannot be cast to 
java.sql.Timestamp

So at the moment it looks like the service tickets are not properly being 
cleared from the database.  Does anyone know of a simple way to clear the 
tickets in the Service Ticket and Ticket Granting Tables as well as fixing that 
error message?  I've seen some information that if you add 
-Doracle.jdbc.J2EE13Compliant=true to the CATALINA_OPTS value it should correct the 
problem.

Using CAS 3.4.7 with oracle database.



___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu<mailto:jquin...@fiu.edu>


RE: [cas-user] CAS slow today

2012-01-10 Thread Juan Quintanilla
Bryan,

So you are performing an alter table to modify the datatype for the 
expiration_date.  Are you just making the change to improve the response time 
or so that you don't see the nested exception error in the logs?

Thanks!
___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu

From: Bryan E. Wooten [bryan.woo...@utah.edu]
Sent: Tuesday, January 10, 2012 10:36 AM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS slow today

It looks like the doc here 
(https://wiki.jasig.org/display/CASUM/JpaTicketRegistry) is missing that 
important piece of information for Oracle Ticket Registries:

CREATE TABLE LOCKS (
  APPLICATION_ID VARCHAR(50) NOT NULL,
  UNIQUE_ID VARCHAR(50) NULL,
  EXPIRATION_DATE TIMESTAMP NULL
);
ALTER TABLE LOCKS ADD CONSTRAINT LOCKS_PK
PRIMARY KEY (APPLICATION_ID);

-Original Message-
From: Bryan E. Wooten [mailto:bryan.woo...@utah.edu]
Sent: Tuesday, January 10, 2012 8:06 AM
To: cas-user@lists.jasig.org
Subject: RE: [cas-user] CAS slow today

Yep, it looks like my DBAs got the DDL wrong. I did a desc on the locks table 
and it is a TIMESTAMP and not DATE.

Thanks!

-Bryan

-Original Message-
From: Marvin Addison [mailto:marvin.addi...@gmail.com]
Sent: Tuesday, January 10, 2012 7:58 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] CAS slow today

> nested exception is java.lang.ClassCastException: oracle.sql.TIMESTAMP
> cannot be cast to java.sql.Timestamp

Pretty sure your LOCKS table has at least one wrong field datatype for 
JdbcLockingStrategy.  Here's the DDL we used when we ran on Oracle
(10g?):

CREATE TABLE LOCKS (
  APPLICATION_ID VARCHAR2(50) NOT NULL,
  UNIQUE_ID VARCHAR2(50) NULL,
  /**
  Must use DATE instead of TIMESTAMP on Oracle to prevent
  ClassCastException as discussed in SPR-4886
  */
  EXPIRATION_DATE DATE NULL
);
ALTER TABLE LOCKS ADD CONSTRAINT LOCKS_PK
  PRIMARY KEY (APPLICATION_ID) ENABLE;

I would imagine your EXPIRATION_DATE is a TIMESTAMP column instead of DATE as 
required on Oracle.

M

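A check for the datatype mismatch discussed in this thread, as an added example that is not part of the original messages: it reads the Oracle data dictionary for LOCKS.EXPIRATION_DATE and converts the column to DATE only when it is currently a TIMESTAMP. It assumes it is run as the schema owner with CAS stopped, and that clearing the lock row is acceptable because no cleaner is running at that point.

```sql
-- Added example (not from the thread). Assumptions: run as the owner of the
-- CAS LOCKS table, with CAS stopped so no lock is legitimately held.

-- 1. Show the current column definitions of the LOCKS table.
SELECT column_name, data_type, nullable
FROM   user_tab_columns
WHERE  table_name = 'LOCKS'
ORDER  BY column_id;

-- 2. Convert EXPIRATION_DATE to DATE only if it is a TIMESTAMP variant.
SET SERVEROUTPUT ON
DECLARE
  v_type user_tab_columns.data_type%TYPE;
BEGIN
  SELECT data_type
  INTO   v_type
  FROM   user_tab_columns
  WHERE  table_name  = 'LOCKS'
  AND    column_name = 'EXPIRATION_DATE';

  IF v_type LIKE 'TIMESTAMP%' THEN
    -- Empty the lock state first so the column holds no values
    -- when its datatype is changed.
    UPDATE locks SET unique_id = NULL, expiration_date = NULL;
    COMMIT;
    EXECUTE IMMEDIATE 'ALTER TABLE locks MODIFY (expiration_date DATE)';
    DBMS_OUTPUT.PUT_LINE('EXPIRATION_DATE changed from ' || v_type || ' to DATE');
  ELSE
    DBMS_OUTPUT.PUT_LINE('EXPIRATION_DATE is ' || v_type || '; no change made');
  END IF;
END;
/

-- 3. Confirm the result before restarting CAS.
SELECT column_name, data_type
FROM   user_tab_columns
WHERE  table_name = 'LOCKS' AND column_name = 'EXPIRATION_DATE';
```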



RE:[cas-user] Having trouble with CAS 3.4.7 Not releasing attributes

2011-12-09 Thread Juan Quintanilla
Hi,

You can disregard the email message I sent earlier; I was able to find the 
reason why.  I was missing certain configurations in the 
deployerConfigContext.xml

Thanks!

___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu<mailto:jquin...@fiu.edu>

From: Juan Quintanilla [jquin...@fiu.edu]
Sent: Friday, December 09, 2011 9:34 AM
To: cas-user@lists.jasig.org
Subject: [cas-user] Having trouble with CAS 3.4.7 Not releasing attributes


Hi,

I have CAS 3.4.7 running on RHEL 6 using Tomcat.  We are using the same LDAP 
for authentication and for the attributes.  We recently ran into some problems 
where we can authenticate fine but when we check the SAML attributes for the 
attributes they are empty.  When I check the catalina logs this is what I find:

2011-12-08 19:08:30,851 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 

2011-12-08 19:08:30,851 DEBUG 
[org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
 - 
2011-12-08 19:08:30,851 DEBUG 
[org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
 - 
2011-12-08 19:08:30,852 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 
2011-12-08 19:08:30,852 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 
2011-12-08 19:08:30,852 DEBUG 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 

Has anybody run into a similar situation?

___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu<mailto:jquin...@fiu.edu>


[cas-user] Having trouble with CAS 3.4.7 Not releasing attributes

2011-12-09 Thread Juan Quintanilla

Hi,

I have CAS 3.4.7 running on RHEL 6 using Tomcat.  We are using the same LDAP 
for authentication and for the attributes.  We recently ran into some problems 
where we can authenticate fine but when we check the SAML attributes for the 
attributes they are empty.  When I check the catalina logs this is what I find:

2011-12-08 19:08:30,851 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 

2011-12-08 19:08:30,851 DEBUG 
[org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
 - 
2011-12-08 19:08:30,851 DEBUG 
[org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver]
 - 
2011-12-08 19:08:30,852 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 
2011-12-08 19:08:30,852 INFO 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 
2011-12-08 19:08:30,852 DEBUG 
[org.jasig.cas.authentication.AuthenticationManagerImpl] - 

Has anybody run into a similar situation?

___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu<mailto:jquin...@fiu.edu>


[cas-user] Question in regards to CAS LDAP with Duplicate users

2011-08-10 Thread Juan Quintanilla
Hi,

I have a question regarding CAS with LDAP authentication.  We have users in 
different LDAP OUs where they have the same username. When CAS uses these OUs to 
authenticate the user, if it finds the same user in both OUs it will 
authenticate the user but not return the SAML attributes.

Has anyone run into this problem before? Is there a way to tell CAS to just 
pick one and take its attributes? Our other option is to remove the secondary 
entry from LDAP.

Thanks!

___
Juan Quintanilla
UTS - Enterprise Group
305-348-6573
jquin...@fiu.edu



[cas-user] CAS Theme Control setup

2011-06-29 Thread Juan Quintanilla
Hi,

Wanted to know if anybody has worked with setting up different themes on the 
CAS service management interface?  If so, how have you been able to work with 
putting these themes to the different views and messages, and what information 
was specified in the theme_name.properties files?  I have checked out the 
following site https://wiki.jasig.org/display/CASUM/Theme+Control but the 
information is rather limited.

Thanks!

___
Juan Quintanilla
jquin...@fiu.edu