Redirect Loop After Validation
Activity
I integrated log4net inside DotNetCasClient and added log statements to try to capture the source of the issue. After doing that I finally found the issue, and the issue was not related to DotNetCasClient: I was getting a ticket validation error inside CasAuthentication.ProcessTicketValidation(). The error message was: "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms." The solution was to add the following line after the <system.web> tag:
<system.web>
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES" decryption="3DES"/>
In my web.config I had this line, but I didn't have the validation="3DES". After adding it I was able to access the secure area of my web application, and I was able to get proxy tickets for my C# web services. The use of DotNetCasClient works like a charm when using certificates generated based on IP addresses.
Thanks very much Scott Holodadk for your excellent guidance.
The Java side of things isn't my area of expertise by any stretch of the imagination. However, I believe the SSL verification problems are typically caused by the CAS server not trusting your web application. I'm not 100% on this, but there may be other keystores at play besides the CAS keystore. For instance, I've typically installed Java on Tomcat. Depending on your configuration, you either need to install the certificate to the JRE keystore (for the JRE running your CAS server), or an OpenSSL keystore.
Is your .NET app pool running in Integrated Mode or Classic Mode? There could be a bug in one of the HttpModules that only materializes itself in classic mode. I don't know the extent of testing in classic mode.
Have you tried using the client as a project reference and stepping through the code?
I tried the ServicePointManager.ServerCertificateValidationCallback workaround inside my Default.aspx's Page_Load with no success. I also tried disabling the CAS proxy and removing the path from the authentication form, with no luck either. One thing I noticed is that no cookies are stored in the IE or Firefox browsers. I'm going to start adding log statements inside the CasAuthentication.cs class (ProcessTicketValidation) to see if I can capture the source of the problem. I'm able to replicate the issue in debug mode if I type the wrong path inside the forms authentication:
<forms loginUrl="https://55.255.255.101:8443/cas/login" timeout="90" defaultUrl="~/Widget.htm" cookieless="UseCookies" slidingExpiration="true" path="CassifiedWidgetWrongPath/" enableCrossAppRedirects="true" />
</authentication>
so the problem in production could be related to the correct path (https://IP or full host name/) not being validated for the case of self signed certificates.
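The mismatch suspected above is exactly what a Cas20 validator is sensitive to: the service value the client sends to /serviceValidate must be the same string it sent to /login, otherwise the CAS server refuses the ticket and the client sends the browser back to /login for a fresh one. The following Python is an added example, not code from this thread or from DotNetCasClient. It models that step: it builds the service URL from serverName the way the casClientConfig comments describe (a simplified assumption), builds the Cas20 validation URL, and parses the cas:serviceResponse. The success sample is the response quoted later in this issue; the INVALID_SERVICE failure sample is constructed, and the function names are assumptions.

```python
"""Cas20 ticket validation, modelled on what a CAS 2.0 client has to do.

Added example, not DotNetCasClient code. Function names are illustrative
assumptions; the wire format (/serviceValidate and cas:serviceResponse)
is the CAS 2.0 protocol as quoted elsewhere in this issue.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = "http://www.yale.edu/tp/cas"


def _cas(tag: str) -> str:
    """Qualify a tag name with the CAS namespace for ElementTree lookups."""
    return "{%s}%s" % (CAS_NS, tag)


def service_url(server_name: str, request_path: str) -> str:
    """Service URL this application sends to /login.

    Simplified model of casClientConfig's serverName (assumption): the client
    prepends serverName to the request path. The exact same string must be sent
    again on /serviceValidate; a different path, host or scheme makes the CAS
    server answer INVALID_SERVICE and the client redirects to /login again.
    """
    return server_name.rstrip("/") + "/" + request_path.lstrip("/")


def build_validate_url(cas_server_url_prefix: str, service: str, ticket: str) -> str:
    """URL the client fetches over HTTPS to validate a service ticket (CAS 2.0)."""
    query = urlencode({"service": service, "ticket": ticket})
    return cas_server_url_prefix.rstrip("/") + "/serviceValidate?" + query


def parse_service_response(xml_text: str) -> dict:
    """Parse a cas:serviceResponse into a plain dict.

    Success -> {"ok": True, "user": ..., "pgt_iou": ... or None, "proxies": [...]}
    Failure -> {"ok": False, "code": ..., "message": ...}
    Anything else is malformed and raises ValueError; a client must treat that
    as "not authenticated", never as success.
    """
    root = ET.fromstring(xml_text)
    if root.tag != _cas("serviceResponse"):
        raise ValueError("not a cas:serviceResponse document")
    success = root.find(_cas("authenticationSuccess"))
    if success is not None:
        user = (success.findtext(_cas("user")) or "").strip()
        if not user:
            raise ValueError("authenticationSuccess without cas:user")
        proxies = [p.text.strip() for p in success.iterfind(_cas("proxies") + "/" + _cas("proxy")) if p.text]
        return {"ok": True, "user": user,
                "pgt_iou": success.findtext(_cas("proxyGrantingTicket")),
                "proxies": proxies}
    failure = root.find(_cas("authenticationFailure"))
    if failure is not None:
        return {"ok": False, "code": failure.get("code", "UNKNOWN"),
                "message": (failure.text or "").strip()}
    raise ValueError("serviceResponse has neither authenticationSuccess nor authenticationFailure")


# Success response as quoted in this issue's DotNetCasClient trace.
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>admin</cas:user>
</cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed failure response for a service mismatch (not from the thread).
FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code='INVALID_SERVICE'>ticket 'ST-1-constructed' does not match supplied service</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    svc = service_url("https://55.255.255.119", "/CassifiedWidget/secure/Widget.aspx")
    print(build_validate_url("https://55.255.255.101:8443/cas/", svc, "ST-85-2fjrxU6mntCyA3EbbIWC-cas"))
    print(parse_service_response(SUCCESS_RESPONSE))
    print(parse_service_response(FAILURE_RESPONSE))
```

The design point is that `service_url` is computed once and reused verbatim for both the login redirect and the validation call; any normalisation (trailing slash, port, IP versus host name) applied to one and not the other produces exactly the validate-then-redirect cycle this issue describes.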
Amanda B,
Take a look at my previous message. Inside the web.config I do the following to CAS-enable the secure folder:
<location path="secure" >
<system.web>
<authorization>
<allow roles="ROLE_ADMINISTRATOR,ROLE_USER" />
<deny users="*" />
</authorization>
</system.web>
</location>
To secure the root do as follows:
<authorization>
<allow roles="Users,Administrators" />
<deny users="*" />
</authorization>
and make sure you reset the browser cache. When the cookies are in the cache, the browser (CAS) is not going to challenge you for the user name and password.
Scott Holodadk,
I have a requirement that is forcing me to use IP addresses for our intranet web applications. I also need to use CAS proxies for my C# web services. The use of IP addresses works very well when using a Java CAS client to enable widgets implemented in Java and deployed inside Tomcat. I'm using an IP address when generating the certificates for the CAS and IIS servers. Everything works well when running in debug mode on my development machine. As soon as I deploy the application on my production server, the issue of the loop requesting a new ticket is present. I checked the errors in the CAS log and there are no errors. The IP of my IIS server is 55.255.255.119 and for the CAS server is 55.255.255.101. The only change I had to make to my web.config on my production server was adding the following line to solve the decryption issue:
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES"/>
All the certificates are imported into their respective locations in IIS trusted root certification authorities (under local Computer, Current User), and CAS keystore.
I tried every combination you advised, but no luck so far. I also tried using self-signed certificates generated using the host names with their full domain names, but I had the same issue. Should I assume, after all my tests, that applications implemented using DotNetCasClient and deployed on the production IIS server require the use of signed certificates (not self-signed certificates)?
The last lines in the log are (Please see my web.config at the end of this message):
org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler successfully authenticated the user which provided the following credentials: [callbackUrl: https://55.255.255.119/CassifiedWidget/secure/Widget.aspx?proxyResponse=true]
2012-04-02 13:22:21,340 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - Resolved principal https://55.255.255.119/CassifiedWidget/secure/Widget.aspx?proxyResponse=true
2012-04-02 13:22:21,340 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - Principal found: https://55.255.255.119/CassifiedWidget/secure/Widget.aspx?proxyResponse=true
2012-04-02 13:22:21,340 DEBUG [org.jasig.cas.authentication.AuthenticationManagerImpl] - Attribute map for https://55.255.255.119/CassifiedWidget/secure/Widget.aspx?proxyResponse=true: {}
2012-04-02 13:22:21,340 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [ST-85-2fjrxU6mntCyA3EbbIWC-cas]
2012-04-02 13:22:21,340 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [ST-85-2fjrxU6mntCyA3EbbIWC-cas] found in registry.
2012-04-02 13:22:21,340 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Added ticket [TGT-89-whrb4106j7SL2nOo7sqxcCZidRdXyIltm5eCOUfI3erB5XvFqV-cas] to registry.
2012-04-02 13:22:21,341 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [ST-85-2fjrxU6mntCyA3EbbIWC-cas]
2012-04-02 13:22:21,341 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [ST-85-2fjrxU6mntCyA3EbbIWC-cas] found in registry.
2012-04-02 13:22:21,341 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Removing ticket [ST-85-2fjrxU6mntCyA3EbbIWC-cas] from registry
2012-04-02 13:22:21,844 DEBUG [org.jasig.cas.util.HttpClient] - Response code from server matched 200.
2012-04-02 13:22:21,844 DEBUG [org.jasig.cas.ticket.proxy.support.Cas20ProxyHandler] - Sent ProxyIou of PGTIOU-78-seqhPTrtcjkYCMNvMZ9P-cas for service: [callbackUrl: https://55.255.255.119/CassifiedWidget/secure/Widget.aspx?proxyResponse=true]
2012-04-02 13:22:21,845 DEBUG [org.jasig.cas.web.ServiceValidateController] - Successfully validated service ticket: ST-85-2fjrxU6mntCyA3EbbIWC-cas
2012-04-02 13:22:21,899 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor generated service for: https://55.255.255.119/CassifiedWidget/secure/Widget.aspx
2012-04-02 13:22:21,899 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Placing service in FlowScope: https://55.255.255.119/CassifiedWidget/secure/Widget.aspx
2012-04-02 13:22:21,899 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Placing service in FlowScope: https://55.255.255.119/CassifiedWidget/secure/Widget.aspx
2012-04-02 13:22:21,900 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [TGT-84-ahoYPZ2Ecgrc5efLDtEBG9dIgxLCWCujdHcbETr1fuClH6mjKu-cas]
2012-04-02 13:22:21,900 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [TGT-84-ahoYPZ2Ecgrc5efLDtEBG9dIgxLCWCujdHcbETr1fuClH6mjKu-cas] found in registry.
2012-04-02 13:22:21,900 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Added ticket [ST-86-wezK4jZ420LT4BL6BKHF-cas] to registry.
2012-04-02 13:22:21,901 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-86-wezK4jZ420LT4BL6BKHF-cas] for service https://55.255.255.119/CassifiedWidget/secure/Widget.aspx for user [alberto.acevedo]
2012-04-02 13:22:21,910 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor generated service for: https://55.255.255.119/CassifiedWidget/secure/Widget.aspx
2012-04-02 13:22:21,910 DEBUG [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - Attempting to resolve credentials for [callbackUrl: https://55.255.255.119/CassifiedWidget/secure/Widget.aspx?proxyResponse=true]
2012-04-02 13:22:21,931 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor generated service for: https://55.255.255.119/CassifiedWidget/secure/Widget.aspx?proxyResponse=true
2012-04-02 13:22:21,931 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Placing service in FlowScope: https://55.255.255.119/CassifiedWidget/secure/Widget.aspx?proxyResponse=true
2012-04-02 13:22:21,931 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Placing service in FlowScope: https://55.255.255.119/CassifiedWidget/secure/Widget.aspx?proxyResponse=true
2012-04-02 13:22:21,932 DEBUG [org.jasig.cas.web.flow.GenerateLoginTicketAction] - Generated login ticket LT-101-kcNYtVLDCNeXh6PULGx9ccBuXMlfgl
2012-04-02 13:22:21,932 DEBUG [org.jasig.cas.web.flow.GenerateLoginTicketAction] - Generated login ticket LT-101-kcNYtVLDCNeXh6PULGx9ccBuXMlfgl
2012-04-02 13:22:21,945 DEBUG [org.jasig.cas.util.HttpClient] - Response code from server matched 200.
2012-04-02 13:22:21,947 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler successfully authenticated the user which provided the following credentials: [callbackUrl: https://55.255.255.119/CassifiedWidget/secure/Widget.aspx?proxyResponse=true]
2012-04-02 13:22:21,947 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - Resolved principal https://55.255.255.119/CassifiedWidget/secure/Widget.aspx?proxyResponse=true
2012-04-02 13:22:21,947 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - Principal found: https://55.255.255.119/CassifiedWidget/secure/Widget.aspx?proxyResponse=true
2012-04-02 13:22:21,947 DEBUG [org.jasig.cas.authentication.AuthenticationManagerImpl] - Attribute map for https://55.255.255.119/CassifiedWidget/secure/Widget.aspx?proxyResponse=true: {}
2012-04-02 13:22:21,947 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [ST-86-wezK4jZ420LT4BL6BKHF-cas]
2012-04-02 13:22:21,947 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [ST-86-wezK4jZ420LT4BL6BKHF-cas] found in registry.
2012-04-02 13:22:21,947 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Added ticket [TGT-90-2uTVD1nNxYHO9dgeMednnyyyVfZqytjvixp5qKa9tAgc7aBN3m-cas] to registry.
2012-04-02 13:22:21,948 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [ST-86-wezK4jZ420LT4BL6BKHF-cas]
2012-04-02 13:22:21,948 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [ST-86-wezK4jZ420LT4BL6BKHF-cas] found in registry.
2012-04-02 13:22:21,948 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Removing ticket [ST-86-wezK4jZ420LT4BL6BKHF-cas] from registry
2012-04-02 13:22:21,958 DEBUG [org.jasig.cas.util.HttpClient] - Response code from server matched 200.
2012-04-02 13:22:21,958 DEBUG [org.jasig.cas.ticket.proxy.support.Cas20ProxyHandler] - Sent ProxyIou of PGTIOU-79-Y4WJPaZqWCS7NczJUQlf-cas for service: [callbackUrl: https://22.210.226.119/CassifiedWidget/secure/Widget.aspx?proxyResponse=true]
2012-04-02 13:22:21,959 DEBUG [org.jasig.cas.web.ServiceValidateController] - Successfully validated service ticket: ST-86-wezK4jZ420LT4BL6BKHF-cas
2012-04-02 13:22:21,972 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor generated service for: https://55.255.255.119/CassifiedWidget/secure/Widget.aspx
2012-04-02 13:22:21,972 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Placing service in FlowScope: https://55.255.255.119/CassifiedWidget/secure/Widget.aspx
2012-04-02 13:22:21,972 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Placing service in FlowScope: https://55.255.255.119/CassifiedWidget/secure/Widget.aspx
2012-04-02 13:22:21,974 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [TGT-84-ahoYPZ2Ecgrc5efLDtEBG9dIgxLCWCujdHcbETr1fuClH6mjKu-cas]
2012-04-02 13:22:21,974 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [TGT-84-ahoYPZ2Ecgrc5efLDtEBG9dIgxLCWCujdHcbETr1fuClH6mjKu-cas] found in registry.
2012-04-02 13:22:21,974 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Added ticket [ST-87-aETrMbgeQx7Em6I5eNSc-cas] to registry.
2012-04-02 13:22:21,974 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-87-aETrMbgeQx7Em6I5eNSc-cas] for service https://55.255.255.119/CassifiedWidget/secure/Widget.aspx for user [alberto.acevedo]
2012-04-02 13:22:21,982 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor generated service for: https://55.255.255.119/CassifiedWidget/secure/Widget.aspx
2012-04-02 13:22:21,983 DEBUG [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - Attempting to resolve credentials for [callbackUrl: https://55.255.255.119/CassifiedWidget/secure/Widget.aspx?proxyResponse=true]
2012-04-02 13:22:22,005 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - Extractor generated service for: https://55.255.255.119/CassifiedWidget/secure/Widget.aspx?proxyResponse=true
2012-04-02 13:22:22,005 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Placing service in FlowScope: https://55.255.255.119/CassifiedWidget/secure/Widget.aspx?proxyResponse=true
2012-04-02 13:22:22,005 DEBUG [org.jasig.cas.web.flow.InitialFlowSetupAction] - Placing service in FlowScope: https://55.255.255.119/CassifiedWidget/secure/Widget.aspx?proxyResponse=true
2012-04-02 13:22:22,007 DEBUG [org.jasig.cas.web.flow.GenerateLoginTicketAction] - Generated login ticket LT-102-gBdY21h3xecucUUTvNqpOFea1zt4nI
2012-04-02 13:22:22,007 DEBUG [org.jasig.cas.web.flow.GenerateLoginTicketAction] - Generated login ticket LT-102-gBdY21h3xecucUUTvNqpOFea1zt4nI
2012-04-02 13:22:22,019 DEBUG [org.jasig.cas.util.HttpClient] - Response code from server matched 200.
2012-04-02 13:22:22,021 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler successfully authenticated the user which provided the following credentials: [callbackUrl: https://55.255.255.119/CassifiedWidget/secure/Widget.aspx?proxyResponse=true]
2012-04-02 13:22:22,021 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - Resolved principal https://55.255.255.119/CassifiedWidget/secure/Widget.aspx?proxyResponse=true
2012-04-02 13:22:22,022 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - Principal found: https://55.255.255.119/CassifiedWidget/secure/Widget.aspx?proxyResponse=true
2012-04-02 13:22:22,022 DEBUG [org.jasig.cas.authentication.AuthenticationManagerImpl] - Attribute map for https://55.255.255.119/CassifiedWidget/secure/Widget.aspx?proxyResponse=true: {}
2012-04-02 13:22:22,022 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [ST-87-aETrMbgeQx7Em6I5eNSc-cas]
2012-04-02 13:22:22,022 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [ST-87-aETrMbgeQx7Em6I5eNSc-cas] found in registry.
2012-04-02 13:22:22,022 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Added ticket [TGT-91-hc41ciChVvRu0ntEvesLzszTeQfBcdq0MbQBUWrJEd1TW25Z6w-cas] to registry.
2012-04-02 13:22:22,022 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Attempting to retrieve ticket [ST-87-aETrMbgeQx7Em6I5eNSc-cas]
2012-04-02 13:22:22,022 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Ticket [ST-87-aETrMbgeQx7Em6I5eNSc-cas] found in registry.
2012-04-02 13:22:22,023 DEBUG [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - Removing ticket [ST-87-aETrMbgeQx7Em6I5eNSc-cas] from registry
2012-04-02 13:22:22,034 DEBUG [org.jasig.cas.util.HttpClient] - Response code from server matched 200.
2012-04-02 13:22:22,034 DEBUG [org.jasig.cas.ticket.proxy.support.Cas20ProxyHandler] - Sent ProxyIou of PGTIOU-80-ONLtpk9o0hKGrxCxZRk3-cas for service: [callbackUrl: https://55.255.255.119/CassifiedWidget/secure/Widget.aspx?proxyResponse=true]
2012-04-02 13:22:22,034 DEBUG [org.jasig.cas.web.ServiceValidateController] - Successfully validated service ticket: ST-87-aETrMbgeQx7Em6I5eNSc-cas
and this is my web.config:
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to Jasig under one or more contributor license
agreements. See the NOTICE file distributed with this work
for additional information regarding copyright ownership.
Jasig licenses this file to you under the Apache License,
Version 2.0 (the "License"); you may not use this file
except in compliance with the License. You may obtain a
copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on
an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<!--
############################################################
NOTE:
Use this file as a template to create a Web.config file
suitable for your environment.
Sections marked REQUIRED MUST be configured.
Sections marked OPTIONAL MAY be configured as needed.
############################################################
-->
<configuration>
<configSections>
<section name="casClientConfig" type="DotNetCasClient.Configuration.CasClientConfiguration, DotNetCasClient" />
<sectionGroup name="applicationSettings" type="System.Configuration.ApplicationSettingsGroup, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >
<section name="CassifiedWidget.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
</sectionGroup>
</configSections>
<appSettings />
<connectionStrings />
<!--
*======================
Core configuration
REQUIRED
*======================
Required Attributes:
casServerLoginUrl
URL of CAS login form.
serverName
Host name of the server hosting this application. This is used to generate URLs
that will be sent to the CAS server for redirection. The CAS server must be able
to resolve this host name. If your web application is behind a load balancer, SSL
offloader, or any other type of device that accepts incoming requests on behalf of
the web application, you will generally need to supply the public facing host name
unless your CAS server is in the same private network as the application server.
The protocol prefix is optional (http:// or https://). If you are using a non-
standard port number, be sure to include it (i.e., server.school.edu:8443 or
https://cas.example.com:8443). Do not include the trailing backslash.
casServerUrlPrefix
URL to root of CAS server application.
ticketValidatorName
Supported values: Cas10, Cas20, and Saml11.
Name of ticket validator that validates CAS tickets using a particular protocol.
Optional Attributes:
gateway (default false)
Enable CAS gateway feature, see http://www.jasig.org/cas/protocol section 2.1.1.
renew (default true)
Force user to reauthenticate to CAS before accessing this application.
This provides additional security at the cost of usability since it effectively
disables SSO for this application.
singleSignOut (default true)
Enables this application to receive CAS single sign-out messages sent when the
user's SSO session ends. This will cause the user's session in this application
to be destroyed.
ticketTimeTolerance
SAML ticket validator property to allow at most the given time difference in ms
between artifact (ticket) timestamp and CAS server system time. Increasing this
may have negative security consequences; we recommend fixing sources of clock drift
rather than increasing this value.
notAuthorizedUrl
The URL to redirect to when the request has a valid CAS ticket but the user is
not authorized to access the URL or resource. If this option is set, users will
be redirected to this URL. If it is not set, the user will be redirected to the
CAS login screen with a Renew option in the URL (to force for alternate credential
collection).
serviceTicketManager
Supported values: CacheTicketManager.
The service ticket manager to use to store tickets returned by the CAS server for
validation, revocation, and single sign out support.
Omit this attribute to disable state management based on stored CAS assertion.
proxyTicketManager
Supported values: CacheProxyTicketManager.
The proxy ticket manager to use to maintain state during proxy ticket requests.
Omit this attribute to disable proxy support.
gatewayStatusCookieName (default "cas_gateway_status")
The name of the cookie used to store the Gateway status (NotAttempted, Success, Failed).
This cookie is used to prevent the client from attempting to gateway authenticate every request.
cookiesRequiredUrl
The URL to redirect to when the client is not accepting session cookies. This
condition is detected only when gateway is enabled. This will lock the users onto
a specific page. Otherwise, every request will cause a silent round-trip to the
CAS server, adding a parameter to the URL.
gatewayParameterName (default "gatewayResponse")
The URL parameter to append to outbound CAS request's ServiceName when initiating
an automatic CAS Gateway request. This parameter plays a role in detecting whether
or not the client has cookies enabled.
Define this attribute only if the default parameter name has a meaning elsewhere
in your application.
-->
<casClientConfig casServerLoginUrl="https://55.255.255.101:8443/cas/login" casServerUrlPrefix="https://55.255.255.101:8443/cas/" serverName="https://55.255.255.119" notAuthorizedUrl="/NotAuthorized.aspx" cookiesRequiredUrl="/CookiesRequired.aspx" redirectAfterValidation="true" gateway="false" renew="false" singleSignOut="true" ticketTimeTolerance="5000" ticketValidatorName="Cas20"
proxyTicketManager="CacheProxyTicketManager"
serviceTicketManager="CacheServiceTicketManager" gatewayStatusCookieName="CasGatewayStatus" />
<system.web>
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="3DES"/>
<!--
*======================
Forms Authentication
REQUIRED
*======================
IMPORTANT: Set the 'path' attribute to an appropriate path on your server
below which the resulting ticket should be applicable. Other
.NET applications configured for Forms or CAS authentication below
this path should be authenticated automatically using the ticket.
-->
<authentication mode="Forms">
<forms loginUrl="https://55.255.255.101:8443/cas/login" timeout="90" defaultUrl="~/Widget.htm" cookieless="UseCookies" slidingExpiration="true" path="CassifiedWidget/" enableCrossAppRedirects="true" />
</authentication>
<!--
*======================
Authorization
OPTIONAL
*======================
Define the authorization for resources in your application. You
will generally use configuration/system.web/authorization to specify
the default state for your entire application. In this section, you
will want to define the default state for your application. You can
make exceptions in configuration/location/system.web/authorization
or in separate, minimal web.config files in the subdirectories to be
excluded.
The most common scenarios are:
Allow all users (authenticated and unauthenticated) to access your
entire application by default and explicitly restrict anonymous
access to specific pages or subdirectories.
<authorization>
<allow users="*" />
</authorization>
Deny anonymous access to your entire application by default and
optionally exclude pages or subdirectories from the rule.
<authorization>
<deny users="?" />
</authorization>
-->
<!--authorization>
<allow users="*" />
</authorization-->
<!--authorization>
<allow roles="Users,Administrators" />
<deny users="*" />
</authorization-->
<!--authorization>
<deny users="?" />
</authorization-->
<!-- authorizing based on flat file-->
<roleManager enabled="true" defaultProvider="AspNetReadOnlyXmlRoleProvider">
<providers>
<add name="AspNetReadOnlyXmlRoleProvider" type="CassifiedWidget.tbc.roleProvider.ReadOnlyXmlRoleProvider" xmlFileName="~/App_Data/UserRoles.xml" />
</providers>
</roleManager>
<siteMap enabled="true">
<providers>
<clear />
<add siteMapFile="Web.sitemap" name="AspNetXmlSiteMapProvider" type="System.Web.XmlSiteMapProvider" />
</providers>
</siteMap>
<compilation debug="false">
</compilation>
<pages>
<controls>
<add tagPrefix="cas" tagName="CookieViewer" src="~/Controls/CookieViewer.ascx" />
<add tagPrefix="cas" tagName="TicketManager" src="~/Controls/TicketManager.ascx" />
</controls>
</pages>
<httpModules>
<add name="DotNetCasClient" type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient" />
</httpModules>
<!--webServices>
<soapExtensionTypes>
<add type="CassifiedWidget.CasProxySoapExtension,CassifiedWidget" priority="1" group="Low"/>
</soapExtensionTypes>
</webServices-->
</system.web>
<location path="secure" >
<system.web>
<authorization>
<allow roles="ROLE_ADMINISTRATOR,ROLE_USER" />
<deny users="*" />
</authorization>
</system.web>
</location>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<modules>
<remove name="DotNetCasClient" />
<add name="DotNetCasClient" type="DotNetCasClient.CasAuthenticationModule,DotNetCasClient" />
</modules>
<directoryBrowse enabled="true" />
</system.webServer>
<!--
*======================
Trace configuration
OPTIONAL
*======================
The following section describes how to configure CasAuthenticationModule to produce trace output
for troubleshooting purposes. The most important aspect of the following configuration is
the set of four well-defined trace switches.
-->
<system.diagnostics>
<trace autoflush="true" useGlobalLock="false" />
<sharedListeners>
<!--
Writing trace output to a log file is recommended.
IMPORTANT:
The user account under which the containing application pool runs
must have privileges to create and modify the trace log file.
-->
<add name="TraceFile" type="System.Diagnostics.TextWriterTraceListener" initializeData="C:\inetpub\logs\LogFiles\DotNetCasClient.Log" traceOutputOptions="DateTime" />
</sharedListeners>
<sources>
<!-- Provides diagnostic information on module configuration parameters. -->
<source name="DotNetCasClient.Config" switchName="Config" switchType="System.Diagnostics.SourceSwitch">
<listeners>
<add name="TraceFile" />
</listeners>
</source>
<!-- Traces IHttpModule lifecycle events and meaningful operations performed therein. -->
<source name="DotNetCasClient.HttpModule" switchName="HttpModule" switchType="System.Diagnostics.SourceSwitch">
<listeners>
<add name="TraceFile" />
</listeners>
</source>
<!-- Provides protocol message and routing information. -->
<source name="DotNetCasClient.Protocol" switchName="Protocol" switchType="System.Diagnostics.SourceSwitch">
<listeners>
<add name="TraceFile" />
</listeners>
</source>
<!-- Provides details on security operations and notable security conditions. -->
<source name="DotNetCasClient.Security" switchName="Security" switchType="System.Diagnostics.SourceSwitch">
<listeners>
<add name="TraceFile" />
</listeners>
</source>
</sources>
<switches>
<!--
Set trace switches to appropriate logging level. Recommended values in order of increasing verbosity:
Off
Error
Warning
Information
Verbose
-->
<!--
Config category displays detailed information about CasAuthenticationModule configuration.
The output of this category is only displayed when the module is initialized, which happens
for the first request following application/server startup.
-->
<add name="Config" value="Information" />
<!--
Set this category to Verbose to trace HttpModule lifecycle events in CasAuthenticationModule.
This category produces voluminous output in Verbose mode and should be avoided except for
limited periods of time troubleshooting vexing integration problems.
-->
<add name="HttpModule" value="Verbose" />
<!--
Set to Verbose to display protocol messages between the client and server.
This category is very helpful for troubleshooting integration problems.
-->
<add name="Protocol" value="Information" />
<!--
Displays important security-related information.
-->
<add name="Security" value="Information" />
</switches>
</system.diagnostics>
<applicationSettings>
<CassifiedWidget.Properties.Settings>
<setting name="CassifiedWidget_mil_army_us_abs_absddev5848h_Service1"
serializeAs="String">
<value>https://absddev5848h.abs.us.army.mil/CassifiedWebService/Service1.asmx</value>
</setting>
</CassifiedWidget.Properties.Settings>
</applicationSettings>
</configuration>
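The CAS server log in this comment shows the loop from the server's side: the same user is granted three service tickets for the same service within about 120 ms, each one validated successfully and each one followed by a fresh login redirect. The DotNetCasClient trace quoted in this issue shows the same loop from the client's side (a FormsAuthenticationTicket is created, then the module immediately redirects to the CAS login page again). The following Python is an added example, not code from this thread, from CAS or from DotNetCasClient: it parses both line formats and flags the loop. The sample lines are constructed after the excerpts in this issue, and the burst threshold and window are assumptions.

```python
"""Spot CAS redirect loops in server and client logs.

Added example, not code from this thread, CAS or DotNetCasClient. The two
line formats are modelled on the log excerpts quoted in this issue; the
sample lines below are constructed, and threshold/window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# CAS server (log4j) line that marks a service ticket being issued.
GRANT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) INFO "
    r"\[org\.jasig\.cas\.CentralAuthenticationServiceImpl\] - Granted service ticket "
    r"\[(?P<st>[^\]]+)\] for service (?P<service>\S+) for user \[(?P<user>[^\]]+)\]$"
)
# DotNetCasClient trace line: "DotNetCasClient.<source> <level>: <pid> : <message>".
TRACE_RE = re.compile(r"^DotNetCasClient\.(?P<source>\w+) (?P<level>\w+): (?P<pid>\d+) : (?P<msg>.*)$")


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S,%f")


def find_ticket_bursts(lines, threshold=3, window=timedelta(seconds=5)):
    """(service, user, count, first_ts, last_ts) for each service/user pair that
    was granted at least `threshold` service tickets within `window`.

    A healthy SSO login grants one ST per service per session. A client that
    validates its ticket but never establishes its own session comes straight
    back to /login and is granted another, so the server sees a burst.
    Lines are expected in chronological order.
    """
    recent = defaultdict(deque)
    bursts = {}
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue  # other log events are not relevant to this detector
        ts = _ts(m["ts"])
        key = (m["service"], m["user"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop grants that fell out of the window
            q.popleft()
        if len(q) >= threshold and (key not in bursts or len(q) > bursts[key][0]):
            bursts[key] = (len(q), q[0], q[-1])
    return [(svc, user, n, first, last) for (svc, user), (n, first, last) in bursts.items()]


def find_client_loops(trace_lines):
    """Service tickets that DotNetCasClient validated (it created a
    FormsAuthenticationTicket) and then, with no new validation in between,
    redirected the browser to the CAS login page again. The trace carries no
    request-boundary marker, so this is a heuristic over message order.
    """
    looped, validated = [], None
    for line in trace_lines:
        m = TRACE_RE.match(line.strip())
        if not m:
            continue  # XML payload lines inside the trace are skipped
        msg = m["msg"]
        if msg.startswith("Creating FormsAuthenticationTicket for "):
            validated = msg.split(" for ", 1)[1]
        elif msg.startswith("Constructed validation URL"):
            validated = None  # a new validation attempt has started
        elif msg == "Redirecting to CAS Login Page" and validated is not None:
            looped.append(validated)
            validated = None
    return looped


# Constructed sample lines, modelled on the excerpts quoted in this issue.
SAMPLE_CAS_LOG = [
    "2012-04-02 13:22:21,901 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-86-wezK4jZ420LT4BL6BKHF-cas] for service https://55.255.255.119/CassifiedWidget/secure/Widget.aspx for user [alberto.acevedo]",
    "2012-04-02 13:22:21,959 DEBUG [org.jasig.cas.web.ServiceValidateController] - Successfully validated service ticket: ST-86-wezK4jZ420LT4BL6BKHF-cas",
    "2012-04-02 13:22:21,974 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-87-aETrMbgeQx7Em6I5eNSc-cas] for service https://55.255.255.119/CassifiedWidget/secure/Widget.aspx for user [alberto.acevedo]",
    "2012-04-02 13:22:22,051 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-88-constructed-cas] for service https://55.255.255.119/CassifiedWidget/secure/Widget.aspx for user [alberto.acevedo]",
    "2012-04-02 13:30:00,000 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-89-constructed-cas] for service https://55.255.255.119/OtherApp/ for user [jane.doe]",
]
SAMPLE_TRACE = [
    "DotNetCasClient.HttpModule Information: 3237 : Redirecting to CAS Login Page",
    "DotNetCasClient.Protocol Verbose: 3237 : Constructed validation URL https://sls32.sct.com:6788/cas-web/serviceValidate?service=https%3a%2f%2fsls31.sct.com%2f&ticket=ST-22197-OBxToWNIgKOVg3Wv7uZz-sls32.sct.com",
    "DotNetCasClient.Protocol Verbose: 3237 : Ticket validation response:",
    "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>",
    "DotNetCasClient.Protocol Verbose: 3237 : Creating FormsAuthenticationTicket for ST-22197-OBxToWNIgKOVg3Wv7uZz-sls32.sct.com",
    "DotNetCasClient.HttpModule Information: 3237 : Redirecting from login callback",
    "DotNetCasClient.HttpModule Information: 3237 : Redirecting to CAS Login Page",
    "DotNetCasClient.Protocol Verbose: 3237 : Constructed validation URL https://sls32.sct.com:6788/cas-web/serviceValidate?service=https%3a%2f%2fsls31.sct.com%2f&ticket=ST-22198-sfJb72QQSbsyp3Ij3OHh-sls32.sct.com",
    "DotNetCasClient.Protocol Verbose: 3237 : Creating FormsAuthenticationTicket for ST-22198-sfJb72QQSbsyp3Ij3OHh-sls32.sct.com",
    "DotNetCasClient.HttpModule Information: 3237 : Redirecting to CAS Login Page",
]

if __name__ == "__main__":
    for svc, user, n, first, last in find_ticket_bursts(SAMPLE_CAS_LOG):
        print(f"burst: {n} service tickets for {user} at {svc} between {first.time()} and {last.time()}")
    print("client-side loops after tickets:", find_client_loops(SAMPLE_TRACE))
```

On the server side, a burst of service tickets for one service and user with no intervening application activity is worth alerting on regardless of the cause: it means a relying party is discarding sessions it has just been granted, which in this thread turned out to be a ticket-decryption failure on the client rather than anything the CAS server could see.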
Thanks for your reply!
I have implemented the DotNetCasClient under SharePoint 2010 which is running on IIS7.5 on Windows 2008 using DotNetCasClient.dll library deployed into the GAC. My CAS application is running on tomcat-5.5 and I am redirecting the .net application to the CAS application following the procedure as described in the link "https://wiki.jasig.org/display/CASC/.Net+Cas+Client".
It redirects properly to the CAS login page, but after entering valid credentials it ends up in a redirect loop.
I have addressed all SSL issues, verified proper certificate path acceptance on the client and server, expanded the debugging information in the DotNetCasClient by adding debug statements to the code and rebuilding the assembly. The following log shows the client looping behavior, on the server there is no unusual behavior and other applications are processing normally.
The following log entries show the loop behavior; I have removed timestamps for clarity.
-------------------
DotNetCasClient.Config Information: 3237 : casServerUrlPrefix = https://sls32.sct.com:6788/cas-web/
DotNetCasClient.Config Information: 3237 : casServerLoginUrl = https://sls32.sct.com:6788/cas-web/login
DotNetCasClient.Config Information: 3237 : ticketValidatorName = Cas20
DotNetCasClient.Config Information: 3237 : ticketTimeTolerance = 10000
DotNetCasClient.Config Information: 3237 : serverName = https://sls31.sct.com
DotNetCasClient.Config Information: 3237 : renew = False
DotNetCasClient.Config Information: 3237 : gateway = False
DotNetCasClient.Config Information: 3237 : gatewayStatusCookieName = cas_gateway_status
DotNetCasClient.Config Information: 3237 : redirectAfterValidation = True
DotNetCasClient.Config Information: 3237 : singleSignOut = True
DotNetCasClient.Config Information: 3237 : serviceTicketManagerProvider = CacheServiceTicketManager
DotNetCasClient.Config Information: 3237 : proxyTicketManagerProvider =
DotNetCasClient.Config Information: 3237 : notAuthorizedUrl = ~/NotAuthorized.aspx
DotNetCasClient.Config Information: 3237 : cookiesRequiredUrl = ~/CookiesRequired.aspx
DotNetCasClient.Config Information: 3237 : gatewayParameterName = gatewayResponse
DotNetCasClient.Config Information: 3237 : proxyCallbackParameterName = proxyResponse
DotNetCasClient.HttpModule Information: 3237 : Redirecting to CAS Login Page
DotNetCasClient.Protocol Information: 3237 : Redirecting to https://sls32.sct.com:6788/cas-web/login?service=https%3a%2f%2fsls31.sct.com%2f
DotNetCasClient.HttpModule Information: 3237 : Processing Proxy Callback request
DotNetCasClient.Protocol Verbose: 3237 : Constructed validation URL https://sls32.sct.com:6788/cas-web/serviceValidate?service=https%3a%2f%2fsls31.sct.com%2f&ticket=ST-22197-OBxToWNIgKOVg3Wv7uZz-sls32.sct.com
DotNetCasClient.Protocol Verbose: 3237 : Ticket validation response:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>admin</cas:user>
</cas:authenticationSuccess>
</cas:serviceResponse>
DotNetCasClient.Protocol Verbose: 3237 : Creating FormsAuthenticationTicket for ST-22197-OBxToWNIgKOVg3Wv7uZz-sls32.sct.com
DotNetCasClient.Protocol Verbose: 3237 : FormsAuthenticationTicket ticket returned Name admin
DotNetCasClient.Protocol Verbose: 3237 : FormsAuthenticationTicket ticket returned Userdata ST-22197-OBxToWNIgKOVg3Wv7uZz-sls32.sct.com
DotNetCasClient.Protocol Verbose: 3237 : FormsAuthenticationTicket ticket returned cookie /*
DotNetCasClient.Protocol Verbose: 3237 : formsAuthenticationTicket is: System.Web.Security.FormsAuthenticationTicket
DotNetCasClient.Protocol Verbose: 3237 : CAS Principal: admin
DotNetCasClient.Protocol Verbose: 3237 : Prinicpal user on current thread: admin
DotNetCasClient.Protocol Verbose: 3237 : Prinicpal user on current thread is authd : True
DotNetCasClient.HttpModule Information: 3237 : Redirecting from login callback
DotNetCasClient.HttpModule Information: 3237 : Redirecting to CAS Login Page
DotNetCasClient.Protocol Information: 3237 : Redirecting to https://sls32.sct.com:6788/cas-web/login?service=https%3a%2f%2fsls31.sct.com%2f
DotNetCasClient.HttpModule Information: 3237 : Processing Proxy Callback request
DotNetCasClient.Protocol Verbose: 3237 : Constructed validation URL https://sls32.sct.com:6788/cas-web/serviceValidate?service=https%3a%2f%2fsls31.sct.com%2f&ticket=ST-22198-sfJb72QQSbsyp3Ij3OHh-sls32.sct.com
DotNetCasClient.Protocol Verbose: 3237 : Ticket validation response:
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>admin</cas:user>
</cas:authenticationSuccess>
</cas:serviceResponse>
DotNetCasClient.Protocol Verbose: 3237 : Creating FormsAuthenticationTicket for ST-22198-sfJb72QQSbsyp3Ij3OHh-sls32.sct.com
DotNetCasClient.Protocol Verbose: 3237 : FormsAuthenticationTicket ticket returned Name admin
DotNetCasClient.Protocol Verbose: 3237 : FormsAuthenticationTicket ticket returned Userdata ST-22198-sfJb72QQSbsyp3Ij3OHh-sls32.sct.com