What's the time sensitivity of the .Net client and/or your implementation? I 
know that somewhere in my Java stack (might be in Apache Shiro) the sensitivity 
for time skew is only a couple of seconds. If you aren't running NTP (like on a 
default install of Ubuntu on a desktop), eventually you hit a skew large enough 
to cause issues. You log into CAS, it sends you back to the web app, it tries 
to back channel validate, but rejects because of time skew, redirects you back 
to CAS, SSO on CAS kicks you in, sends you over with a new ticket, which 
still is rejected because of skew, SSO, repeat until the browser finally gives 
up.

________________________________________
From: [email protected] <[email protected]> on behalf of Roger Spears 
<[email protected]>
Sent: Friday, June 24, 2016 2:59:09 PM
To: [email protected]
Subject: [cas-user] .Net client and redirect issue

Hello,

Using the example and instructions located at:
https://github.com/UniconLabs/cas-sample-dotnet-webapp

We deployed the .Net client to a Windows Server 2012 running IIS 8.

The .Net app is pointing at our CAS installation (version 3.5.2.1).  Our CAS 
works with other applications, but none of them are .Net applications.  When we 
load the .Net app in a browser, we are sent to the CAS login page.  After 
providing our login credentials, we eventually see a message that states "The 
page isn't redirecting properly" in the browser.  When the message appears, the 
URL in the URL bar of the browser is:
https://<fqdn>/Public/Default.aspx

At this point, the browser has 2 cookies for CAS.  There is a JSESSIONID cookie 
and a CASTGC cookie.  Both are set to the /cas/ path.  The CASTGC cookie has a 
value that begins with TGT.

We set the logs to DEBUG.  In the log(s) I can see the authentication is 
working against our AD, complete with attributes.

If we adjust the web.config file so the redirectAfterValidation="false", we do 
see the default CAS login page and after entering valid credentials we see the 
"You have successfully logged in" message on the CAS login page...but we are 
never sent back to the .Net application.

Things we tried that didn't make a difference:
1. Setting the defaultURL in the <forms> section of the web.config to be: 
https://<fqdn>/Public/Default.aspx
2. Setting the path in the <forms> section to "/"

What's in the log that is questionable:
1. CAS and catalina log:  Error getting service from flow state / no active 
flowsession to access; this FlowExecution has ended.  I don't know enough to 
tell if this is the cause or a result of the cause.
2. localhost log for Tomcat lists the following entries:
CASSERVER -- POST -- /cas/login;jsessionid=97fbdsdddd?service=https://<fqdn>/Public/Default.aspx -- 302
NETAPPLICATION -- GET -- /validate?service=https://<fqdn>/Public/Default.aspx&ticket=ST-1-ingfsdJKdklam -- 404
CASSERVER -- GET -- /cas/login?service=https://<fqdn>/Public/Default.aspx -- 302
NETAPPLICATION -- GET -- /validate?service=https://<fqdn>/Public/Default.aspx&ticket=ST-2-Bsdjklwe39fdsm -- 404
These repeat and the ST increases all the way to ST-7

Any hints on what might be mis-configured?

Thanks,
Roger
--
Roger Spears
Northwest State Community College
22600 State Route 34
Archbold, Ohio  43502
P: 419-267-1304
F: 419-267-3891


--
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAFHJ8H2zR5jPXnN9-xatGAEy0QO8BF4CJqBZbsE2vTmKf5f3ww%40mail.gmail.com.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
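
Added example (not part of the original thread and not code from the CAS project): a small detector for the login/validate loop that both messages describe, run over access-log lines in the "HOST -- METHOD -- PATH -- STATUS" layout quoted above. The sample lines, ticket values, function names and the threshold of 3 are assumptions made for illustration. It reports how many distinct service tickets were presented for one service, the HTTP statuses of the validation requests, and the context prefix of the validation path next to that of the login path.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the layout quoted in the message; <fqdn> is the page's
# placeholder and the ticket values are made up.
SVC = "https://<fqdn>/Public/Default.aspx"
SAMPLE_LOG = "\n".join(
    [f"CASSERVER -- POST -- /cas/login;jsessionid=97fbdsdddd?service={SVC} -- 302"]
    + [line for n in (1, 2, 3) for line in (
        f"NETAPPLICATION -- GET -- /validate?service={SVC}&ticket=ST-{n}-constructed{n} -- 404",
        f"CASSERVER -- GET -- /cas/login?service={SVC} -- 302")]
)

LINE_RE = re.compile(r"^(\S+) -- (\S+) -- (\S+) -- (\d{3})$")
VALIDATE = ("validate", "serviceValidate", "proxyValidate")  # CAS validation endpoints

def parse_line(line):
    """Split one log entry into path prefix, endpoint, status, service, ticket."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _host, _method, target, status = m.groups()
    url = urlsplit(target)
    path = url.path.split(";", 1)[0]          # drop ;jsessionid=...
    prefix, _, endpoint = path.rpartition("/")
    qs = parse_qs(url.query)
    return {"prefix": prefix, "endpoint": endpoint, "status": int(status),
            "service": qs.get("service", [None])[0],
            "ticket": qs.get("ticket", [None])[0]}

def find_redirect_loops(log_text, threshold=3):
    """Flag services for which many distinct service tickets were validated."""
    login_prefixes, attempts = defaultdict(set), defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["service"]:
            continue
        if rec["endpoint"] == "login":
            login_prefixes[rec["service"]].add(rec["prefix"])
        elif rec["endpoint"] in VALIDATE and rec["ticket"]:
            attempts[rec["service"]].append(rec)
    findings = []
    for service, recs in attempts.items():
        tickets = {r["ticket"] for r in recs}
        if len(tickets) >= threshold:         # a new ST per round trip = loop
            findings.append({"service": service, "distinct_tickets": len(tickets),
                             "statuses": sorted({r["status"] for r in recs}),
                             "validate_prefixes": sorted({r["prefix"] for r in recs}),
                             "login_prefixes": sorted(login_prefixes[service])})
    return findings
```

On the sample, every validation request returns 404 and its path has no context prefix while the login path is under /cas; a loop caused by clock skew would instead show validation requests that reach the CAS server.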
