
Below are some gotchas spotted by Phil Sladen that will hopefully help if you're trying to deploy the CAS ISAPI filter.


  • The filter will not work for an initial authentication request with request parameters. The presence of request parameters yields a horrible infinite loop of login validation failures. (Validation fails to properly consider the request parameters, and then its failure modality is to retry obtaining a service ticket. Ticket acquisition and validation do not agree on handling of the parameters, and so there is an infinite loop of failure.)
  • I believe security has been tightened on this platform so that validation of the ticket now fails unless the quality of the HTTPS connection appears to be 100%. This means that if using a self-signed certificate, the certificate must be imported into the root authority keystore of the client that is trying to do the validation (for IIS, you have to run 'mmc' and import the certificate into the 'Trusted root certification authority' folder under the certificate tree. For Java (Tomcat), you need to import the certificate into its 'cacerts' keystore). Also, this way means you don't need to add code to the Java side to accept a poorer quality connection :)
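The first gotcha comes down to a CAS protocol requirement: the `service` value sent to `/login` must match the one sent to `/serviceValidate`. The sketch below is an added example, not the ISAPI filter's code; it derives both URLs from one function so request parameters survive. The CAS base URL, the application URLs, the ticket value and `path_only_service` (a counter-example) are constructed assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CAS_BASE = "https://cas.example.org/cas"  # hypothetical CAS server (assumption)


def service_url(request_url: str) -> str:
    """Requested URL with only the CAS 'ticket' parameter removed.

    All other query parameters are kept in order, so the result is the same
    before login (no ticket yet) and after the redirect back from CAS.
    """
    p = urlsplit(request_url)
    kept = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
            if k != "ticket"]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(kept), ""))


def login_redirect(request_url: str) -> str:
    """Where an unauthenticated request is sent to obtain a service ticket."""
    return CAS_BASE + "/login?" + urlencode({"service": service_url(request_url)})


def validate_url(request_url: str) -> str:
    """Back-channel validation call for a request that carries a ticket."""
    ticket = dict(parse_qsl(urlsplit(request_url).query)).get("ticket")
    if ticket is None:
        raise ValueError("request carries no ticket to validate")
    return CAS_BASE + "/serviceValidate?" + urlencode(
        {"service": service_url(request_url), "ticket": ticket})


def service_param(cas_url: str) -> str:
    """Extract the decoded 'service' parameter from a CAS URL."""
    return dict(parse_qsl(urlsplit(cas_url).query))["service"]


def path_only_service(request_url: str) -> str:
    """Constructed counter-example: a validator that ignores the query string."""
    p = urlsplit(request_url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


if __name__ == "__main__":
    first = "https://app.example.org/report.asp?id=7&view=full"  # constructed
    back = first + "&ticket=ST-1-constructed"                     # constructed
    print(service_param(login_redirect(first)) == service_param(validate_url(back)))
    print(path_only_service(back) == service_param(login_redirect(first)))
```

When the two sides disagree, as with `path_only_service`, CAS rejects the ticket, and a filter that answers a failed validation by requesting a new ticket repeats the cycle indefinitely.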
