Cas - Unauthorized


Ramakrishna G

Jan 23, 2018, 8:52:19 AM
to CAS Community

Unauthorized

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.


Ticket is generated but says the above error. I am using mod_auth_cas in Apache server.

Ramakrishna G

Jan 23, 2018, 8:52:41 AM
to CAS Community
How do I solve it?

David Hawes

Jan 25, 2018, 12:15:56 PM
to CAS Community
Set:

LogLevel debug
CASDebug On

and check your error logs. You should have information as to why you
get this error.

Ramakrishna G

Jan 30, 2018, 5:19:19 AM
to cas-...@apereo.org
Hi David,

As suggested, I enabled debug mode. The error I got:


[Thu Jan 25 17:53:01.512443 2018] [ssl:info] [pid 28180] SSL Library Error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request -- speaking HTTP to HTTPS port!?

[Thu Jan 25 17:53:01.940036 2018] [ssl:info] [pid 28181] [client 192.168.111.84:62057] AH01964: Connection to child 1 established (server 192.168.111.12:443)

[Thu Jan 25 17:53:01.940406 2018] [ssl:info] [pid 28181] [client 192.168.111.84:62057] AH01996: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page

[Thu Jan 25 17:53:01.940458 2018] [ssl:info] [pid 28181] SSL Library Error: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request -- speaking HTTP to HTTPS port!?

[Thu Jan 25 17:53:13.796431 2018] [ssl:info] [pid 28182] [client 192.168.111.84:62058] AH01964: Connection to child 2 established (server 192.168.111.12:443)

[Thu Jan 25 17:53:13.796782 2018] [ssl:debug] [pid 28182] ssl_engine_io.c(1202): (70014)End of file found: [client 192.168.111.84:62058] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]

[Thu Jan 25 17:53:13.796815 2018] [ssl:info] [pid 28182] [client 192.168.111.84:62058] AH01998: Connection closed to child 2 with abortive shutdown (server 192.168.111.12:443)



LoadModule auth_cas_module modules/mod_auth_cas.so
CASCookiePath /var/cache/mod_auth_cas/
CASCertificatePath /etc/ssl/certs/
CASLoginURL https://192.168.111.12:9443/cas/login
CASRootProxiedAs https://192.168.111.12
CASValidateURL https://192.168.111.12:9443/cas/serviceValidate
#CASProxyValidateURL https://192.168.111.12:9443/cas/proxyValidate
CASDebug On
LogLevel debug
CASValidateSAML On
CASVersion 2
#CASValidateServer off
#CASAllowWildcardCert off
CASTimeout 86400
CASIdleTimeout 7200
CASSSOEnabled On
#LogLevel debug

<VirtualHost *:80>
    DocumentRoot "/var/www/html/"
    ServerName 192.168.111.12
    CASValidateSAML On
    LogLevel debug
    ErrorLog /var/log/cas_error_log
    CustomLog /var/log/cas_access_log combined
    # Other directives here
    #AuthType CAS
    #require valid-user
</VirtualHost>

<directory /var/www/html>
    AllowOverride
    Order allow,deny
    Allow from all
    Authtype CAS
    require valid-user
    Allow from env=no_cas_use
    #Satisfy Any
    # require cas-attribute edupersonaffiliation:staff
</directory>


What am I missing?


Thank you

Ramakrishna




--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAgu-wCcoYC-Sg4V3dE6hOxi-0QqiaJWm44xo9PuDhAt%2Br8wxA%40mail.gmail.com.

Ramakrishna G

Jan 30, 2018, 5:19:19 AM
to cas-...@apereo.org
Hi,

Now I think I resolved the certificate issue. But I am getting this error:

[Fri Jan 26 16:22:24.270308 2018] [authz_core:debug] [pid 19878] mod_authz_core.c(809): [client 192.168.111.118:62974] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)

[Fri Jan 26 16:22:24.270359 2018] [authz_core:debug] [pid 19878] mod_authz_core.c(809): [client 192.168.111.118:62974] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)

[Fri Jan 26 16:22:24.270390 2018] [auth_cas:debug] [pid 19878] mod_auth_cas.c(2076): [client 192.168.111.118:62974] Entering cas_authenticate()

[Fri Jan 26 16:22:24.270415 2018] [auth_cas:debug] [pid 19878] mod_auth_cas.c(656): [client 192.168.111.118:62974] Modified r->args (now 'ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client')

[Fri Jan 26 16:22:24.270486 2018] [auth_cas:debug] [pid 19878] mod_auth_cas.c(1779): [client 192.168.111.118:62974] entering getResponseFromServer()

[Fri Jan 26 16:22:24.270617 2018] [auth_cas:debug] [pid 19878] mod_auth_cas.c(584): [client 192.168.111.118:62974] CAS Service 'https%3a%2f%2f192.168.111.118%3a8443%2f%3fticket%3dST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client%26ticket%3dST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client'

[Fri Jan 26 16:22:24.479223 2018] [auth_cas:debug] [pid 19878] mod_auth_cas.c(1856): [client 192.168.111.118:62974] Validation response: <!doctype html><html lang="en"><head><title>HTTP Status 406 \xe2\x80\x93 Not Acceptable</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 406 \xe2\x80\x93 Not Acceptable</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Description</b> The target resource does not have a current representation that would be acceptable to the user agent, according to the proactive negotiation header fields received in the request, and the server is unwilling to supply a default representation.</p><hr class="line" /><h3>Apache Tomcat/8.5.24</h3></body></html>

[Fri Jan 26 16:22:24.479448 2018] [auth_cas:debug] [pid 19878] mod_auth_cas.c(1440): [client 192.168.111.118:62974] entering isValidCASTicket()

[Fri Jan 26 16:22:24.479470 2018] [auth_cas:debug] [pid 19878] mod_auth_cas.c(1446): [client 192.168.111.118:62974] MOD_AUTH_CAS: response = <!doctype html><html lang="en"><head><title>HTTP Status 406 \xe2\x80\x93 Not Acceptable</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 406 \xe2\x80\x93 Not Acceptable</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Description</b> The target resource does not have a current representation that would be acceptable to the user agent, according to the proactive negotiation header fields received in the request, and the server is unwilling to supply a default representation.</p><hr class="line" /><h3>Apache Tomcat/8.5.24</h3></body></html>

[Fri Jan 26 16:22:24.479581 2018] [auth_cas:error] [pid 19878] [client 192.168.111.118:62974] MOD_AUTH_CAS: error parsing CASv2 response: XML parser error code: syntax error (2)

[Fri Jan 26 16:22:24.523966 2018] [authz_core:debug] [pid 19205] mod_authz_core.c(809): [client 192.168.111.118:62976] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client

[Fri Jan 26 16:22:24.524008 2018] [authz_core:debug] [pid 19205] mod_authz_core.c(809): [client 192.168.111.118:62976] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client

[Fri Jan 26 16:22:24.524022 2018] [auth_cas:debug] [pid 19205] mod_auth_cas.c(2076): [client 192.168.111.118:62976] Entering cas_authenticate(), referer: https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client

[Fri Jan 26 16:22:24.524042 2018] [auth_cas:debug] [pid 19205] mod_auth_cas.c(584): [client 192.168.111.118:62976] CAS Service 'https%3a%2f%2f192.168.111.118%3a8443%2ffavicon.ico', referer: https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client

[Fri Jan 26 16:22:24.524049 2018] [auth_cas:debug] [pid 19205] mod_auth_cas.c(532): [client 192.168.111.118:62976] entering getCASLoginURL(), referer: https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client

[Fri Jan 26 16:22:24.524058 2018] [auth_cas:debug] [pid 19205] mod_auth_cas.c(509): [client 192.168.111.118:62976] entering getCASGateway(), referer: https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client

[Fri Jan 26 16:22:24.524065 2018] [auth_cas:debug] [pid 19205] mod_auth_cas.c(599): [client 192.168.111.118:62976] entering redirectRequest(), referer: https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client

[Fri Jan 26 16:22:24.524072 2018] [auth_cas:debug] [pid 19205] mod_auth_cas.c(611): [client 192.168.111.118:62976] Adding outgoing header: Location: https://192.168.111.118:8443/cas/login?service=https%3a%2f%2f192.168.111.118%3a8443%2ffavicon.ico, referer: https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client

[Fri Jan 26 16:22:24.565945 2018] [authz_core:debug] [pid 19201] mod_authz_core.c(809): [client 192.168.111.118:62978] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client

[Fri Jan 26 16:22:24.565996 2018] [authz_core:debug] [pid 19201] mod_authz_core.c(809): [client 192.168.111.118:62978] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client

[Fri Jan 26 16:22:24.566012 2018] [auth_cas:debug] [pid 19201] mod_auth_cas.c(2076): [client 192.168.111.118:62978] Entering cas_authenticate(), referer: https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client

[Fri Jan 26 16:22:24.566026 2018] [auth_cas:debug] [pid 19201] mod_auth_cas.c(656): [client 192.168.111.118:62978] Modified r->args (now ''), referer: https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client

[Fri Jan 26 16:22:24.566104 2018] [auth_cas:debug] [pid 19201] mod_auth_cas.c(1779): [client 192.168.111.118:62978] entering getResponseFromServer(), referer: https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client

[Fri Jan 26 16:22:24.566245 2018] [auth_cas:debug] [pid 19201] mod_auth_cas.c(584): [client 192.168.111.118:62978] CAS Service 'https%3a%2f%2f192.168.111.118%3a8443%2ffavicon.ico', referer: https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client

[Fri Jan 26 16:22:24.731155 2018] [auth_cas:debug] [pid 19201] mod_auth_cas.c(1856): [client 192.168.111.118:62978] Validation response: <!doctype html><html lang="en"><head><title>HTTP Status 406 \xe2\x80\x93 Not Acceptable</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 406 \xe2\x80\x93 Not Acceptable</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Description</b> The target resource does not have a current representation that would be acceptable to the user agent, according to the proactive negotiation header fields received in the request, and the server is unwilling to supply a default representation.</p><hr class="line" /><h3>Apache Tomcat/8.5.24</h3></body></html>, referer: https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client

[Fri Jan 26 16:22:24.731389 2018] [auth_cas:debug] [pid 19201] mod_auth_cas.c(1440): [client 192.168.111.118:62978] entering isValidCASTicket(), referer: https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client

[Fri Jan 26 16:22:24.731411 2018] [auth_cas:debug] [pid 19201] mod_auth_cas.c(1446): [client 192.168.111.118:62978] MOD_AUTH_CAS: response = <!doctype html><html lang="en"><head><title>HTTP Status 406 \xe2\x80\x93 Not Acceptable</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 406 \xe2\x80\x93 Not Acceptable</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Description</b> The target resource does not have a current representation that would be acceptable to the user agent, according to the proactive negotiation header fields received in the request, and the server is unwilling to supply a default representation.</p><hr class="line" /><h3>Apache Tomcat/8.5.24</h3></body></html>, referer: https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client

[Fri Jan 26 16:22:24.731538 2018] [auth_cas:error] [pid 19201] [client 192.168.111.118:62978] MOD_AUTH_CAS: error parsing CASv2 response: XML parser error code: syntax error (2), referer: https://192.168.111.118:8443/?ticket=ST-61-Ax_G3kwIznjFqCiNkoMeUy4y1Gk-client&ticket=ST-62-Kf3DaPe_Vlv9cOH5VQYhiIz_tWg-client&ticket=ST-63-9XuUCVFW1N7KHvmkSzAf31rObMA-client


Can you please help?

David Hawes

Jan 30, 2018, 10:23:37 AM
to CAS Community
It looks like you're using a serviceValidate endpoint with SAML
validation. Comment out the CASValidateSAML lines and try again.

Alternatively, keep the setting on and use a samlValidate endpoint.
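
The mismatch described in this reply can be checked mechanically. The Python sketch below is an added example, not part of the thread or of mod_auth_cas: it reads an Apache configuration, skips commented-out directives, and reports every place where CASValidateSAML is On while CASValidateURL does not point at a samlValidate endpoint. The sample configuration is constructed from the one posted above, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the configuration posted in this thread.
SAMPLE_CONF = """\
CASLoginURL https://192.168.111.12:9443/cas/login
CASValidateURL https://192.168.111.12:9443/cas/serviceValidate
#CASProxyValidateURL https://192.168.111.12:9443/cas/proxyValidate
CASValidateSAML On
CASVersion 2

<VirtualHost *:80>
    ServerName 192.168.111.12
    CASValidateSAML On
</VirtualHost>
"""

SECTION_OPEN = re.compile(r"^<\s*([A-Za-z]+)([^>]*)>$")
SECTION_CLOSE = re.compile(r"^</\s*[A-Za-z]+\s*>$")


def parse_directives(conf_text):
    """Return (line_no, context, name, value) for every active directive."""
    stack, found = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out directive
        if SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        opened = SECTION_OPEN.match(line)
        if opened:
            stack.append(f"<{opened.group(1)}{opened.group(2)}>")
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        context = " ".join(stack) or "server config"
        # Apache directive names are case-insensitive, so compare lowercased.
        found.append((line_no, context, parts[0].lower(), value))
    return found


def find_saml_endpoint_mismatch(conf_text):
    """Flag CASValidateSAML On while CASValidateURL is not a samlValidate URL."""
    directives = parse_directives(conf_text)
    urls = [v for _, _, name, v in directives if name == "casvalidateurl"]
    if not urls:
        return []
    # Assumption: the last CASValidateURL in the file is the effective one.
    endpoint = urlsplit(urls[-1]).path.rstrip("/").rsplit("/", 1)[-1]
    if endpoint.lower() == "samlvalidate":
        return []
    return [
        (line_no, context, endpoint)
        for line_no, context, name, value in directives
        if name == "casvalidatesaml" and value.lower() == "on"
    ]


if __name__ == "__main__":
    for line_no, context, endpoint in find_saml_endpoint_mismatch(SAMPLE_CONF):
        print(f"line {line_no} ({context}): CASValidateSAML On, "
              f"but CASValidateURL ends in /{endpoint}")
```

Both fixes from the reply clear the findings: commenting out every CASValidateSAML line, or keeping it On and pointing CASValidateURL at samlValidate.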

Ray Bon

Jan 30, 2018, 12:22:23 PM
to cas-...@apereo.org
Ramakrishna,

Perhaps there is something not right with your client application config? Is it running on https://192.168.111.118:8443 or is that CAS?

Multiple service tickets in the URL suggests that the request is being redirected to CAS multiple times.

Ray
-- 
Ray Bon
Programmer analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

Mukunthini Jeyakumar

Feb 5, 2018, 1:51:52 PM
to CAS Community

Hi Ramakrishna,

Have you found a way to resolve the issue? I'm having the same

Thanks
Thini

Ramakrishna G

Feb 6, 2018, 12:42:00 AM
to cas-...@apereo.org
Hi Mukunthini Jeyakumar,

To resolve this error you need to have a valid SSL certificate signed by a CA. If you don't have one, you can just disable SSL in the cas.properties file.

server.ssl.enabled= false

cas.serviceRegistry.initFromJson=true
cas.serviceRegistry.config.location: file:/etc/cas/services

In somename.json inside the /etc/cas/services folder:

{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^(http|https|imaps)://.*",
  "name": "HTTPS/IMAPS wildcard",
  "id": 20170905111650,
  "evaluationOrder": 99999
}
and enable http in services. Also comment out all CASValidateSAML lines on the client side. Now you are good to access over http, which will solve the problem.

Thanks
Ramakrishna


Man H

Feb 6, 2018, 8:06:39 AM
to cas-...@apereo.org
There is a potential security risk in doing this.
CAS needs SSL in order to function safely with SSO.
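
The risk raised in this reply is also visible in the service registry: the wildcard definition posted earlier in the thread accepts any http, https or imaps URL as a CAS service. The Python check below is an added example, not part of the thread or of CAS, and goes slightly beyond the http case by also testing host scoping. The scoped and loose definitions, the host app.example.org and the probe URLs are constructed, and Python's `re` with full-match semantics is assumed to approximate how CAS evaluates `serviceId`.

```python
import json
import re

# Service definition as posted in the thread (development wildcard).
WILDCARD_SERVICE = r'''{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^(http|https|imaps)://.*",
  "name": "HTTPS/IMAPS wildcard",
  "id": 20170905111650,
  "evaluationOrder": 99999
}'''

# Constructed alternative: one HTTPS application only (hypothetical host, id).
SCOPED_SERVICE = r'''{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://app\\.example\\.org(/.*)?$",
  "name": "Example application",
  "id": 1,
  "evaluationOrder": 10
}'''

# Constructed near-miss: https only, but dots unescaped and no end anchor.
LOOSE_SERVICE = '{"serviceId": "^https://app.example.org.*"}'


def audit_service(definition_json, expected_host):
    """Return findings for a serviceId pattern that accepts more than intended."""
    service_id = json.loads(definition_json)["serviceId"]
    try:
        # Assumption: Python's re is close enough to Java regex for these patterns.
        pattern = re.compile(service_id)
    except re.error as exc:
        return [f"serviceId is not a valid regex: {exc}"]
    # Constructed probe URLs; none of them should be accepted as a service.
    probes = [
        ("accepts plain http", f"http://{expected_host}/"),
        ("accepts unrelated host", "https://unrelated.invalid/"),
        ("accepts host as prefix of another domain",
         f"https://{expected_host}.unrelated.invalid/"),
        ("unescaped dot in host",
         "https://" + expected_host.replace(".", "x", 1) + "/"),
    ]
    findings = [label for label, url in probes if pattern.fullmatch(url)]
    if not pattern.fullmatch(f"https://{expected_host}/"):
        findings.append("does not match the intended https service")
    return findings


if __name__ == "__main__":
    for name, definition in [("wildcard", WILDCARD_SERVICE),
                             ("scoped", SCOPED_SERVICE),
                             ("loose", LOOSE_SERVICE)]:
        print(name, audit_service(definition, "app.example.org"))
```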

Ramakrishna G

Feb 6, 2018, 8:51:32 AM
to cas-...@apereo.org
Yes. I am just using at my development server. When releasing to production I'll get a valid SSL Certificate.

Thanks
Ramakrishna G


Ramakrishna G

Feb 8, 2018, 4:42:33 AM
to cas-...@apereo.org
Hello,

I am using CAS on a development server and soon I'll be shifting to production. I am using mod_auth_cas as the client and I am running the CAS server and CAS client on the same machine. Should I create certificates for both tomcat (CAS Server) and apache (CAS Client), or is only tomcat (keystore) fine?

In mod_auth_cas, which certificates does CASCertificatePath refer to?

How do I create self-signed certificates for both CAS Server and CAS Client?

It would be helpful if someone could clarify this for me.

 

Man H

Feb 8, 2018, 6:05:17 AM
to cas-...@apereo.org
You will have to install it in both, but this is not a CAS issue; you will find more information on Stack Overflow etc. about SSL Tomcat/Apache configuration.

If you install a self-signed certificate, the browser will challenge the user to accept it as insecure.

Ramakrishna G

Feb 8, 2018, 6:16:02 AM
to cas-...@apereo.org
Hello Man H, 

I am planning to use NGINX Load balancer over https. The load balancer takes care of redirecting to CAS Server and CAS client in http. Do you recommend this approach? If yes then how do I enable SSO over http?   

For outside world it would be https but internally I am planning to communicate in http.

Thanks
Ramakrishna G


Man H

Feb 8, 2018, 6:19:22 AM
to cas-...@apereo.org
It's not possible; CAS won't work in SSO if it's over http


Man H

Feb 8, 2018, 6:21:16 AM
to cas-...@apereo.org
You could do that in previous versions < 4.1 or 4.2, I am not sure


SCHILENS, JEREMIAH

Feb 8, 2018, 12:08:42 PM
to cas-...@apereo.org

Hello,

 

I have a similar setup, though I’m using an F5 load balancer for ssl offload and using my own tomcat install instead of the embedded to serve the war file. These are the options I’ve found I needed, your mileage may vary:

cas.server.http.secure=true
cas.server.httpProxy.enabled=true
cas.server.httpProxy.secure=true
cas.server.httpProxy.protocol=HTTP/1.1
cas.server.httpProxy.scheme=https
server.contextPath=/cas
server.port=8080
server.ssl.enabled=false

 

Jeremiah


Mukunthini Jeyakumar

Feb 8, 2018, 12:56:50 PM
to CAS Community, r...@tts.in

Hi,

I'm getting the error only if I turn on CASValidateSAML and use the CASValidateURL with the samlValidate endpoint.

Authorization Required

This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.


Thanks
Thini

