Petr,
Unfortunately, I do not have SPNEGO set up. We only have a single authn flow.
Ray
On Thu, 2023-08-03 at 08:58 -0700, Petr Bodnár wrote:
Ray,
the problem is I know all of that and have throttling correctly set up and
working, *except this one scenario*.
Do you think you could test this yourself? Or maybe you have done so
already and failed to reproduce? I'm setting ** in log4j2.xml to see every request's details in the CAS log.
Petr,
Check your throttling settings,
https://apereo.github.io/cas/6.5.x/authentication/Configuring-Authentication-Throttling.html#configuration
It, cas.authn.throttle.failure.*, is a range per second (even when set to
multiple seconds). If set, it should be more than 2 attempts per second.
When turning on SPNEGO (typically for Kerberos SSO), together with CAS
mixed authentication turned on (i.e. showing login form when SPNEGO fails),
CAS login failure throttling seems to be broken.
Reproduction (tested with the 6.x CAS series, but probably manifests also
in other versions):