Closed toddharvey closed 3 years ago
I inspected the DLL with JetBrains and, in order to ensure it was the latest DotNetCas client, removed the reference and reinstalled the package. To confirm:
packages.config(5):
And improved error log (in case it showed an out-of-date DLL before):
DotNetCasClient.HttpModule Information: 3237 : Redirecting to CAS Login Page DateTime=2021-03-25T18:37:43.1697543Z
DotNetCasClient.Protocol Information: 3237 : Redirecting to https://casseed.*******/cas/login?TARGET=https%3a%2f%2f****.***.***%2fOIT%2fOurWebSite%2fPublic%2fLogin DateTime=2021-03-25T18:37:43.1697543Z
DotNetCasClient.HttpModule Verbose: 3237 : Ending EndRequest for /OIT/OurWebSite/Public/Login DateTime=2021-03-25T18:37:43.1697543Z
DotNetCasClient.HttpModule Verbose: 3237 : Starting BeginRequest for /OIT/OurWebSite/Public/Login?SAMLart=ST-AAHvUXXVg3ne9s117Q90h4a8h0TghZzihLD%2F7JUvby%2BoohY672f2vtqO DateTime=2021-03-25T18:37:43.2322625Z
DotNetCasClient.HttpModule Verbose: 3237 : Ending BeginRequest for /OIT/OurWebSite/Public/Login?SAMLart=ST-AAHvUXXVg3ne9s117Q90h4a8h0TghZzihLD%2F7JUvby%2BoohY672f2vtqO DateTime=2021-03-25T18:37:43.2322625Z
DotNetCasClient.HttpModule Information: 3237 : Processing Proxy Callback request DateTime=2021-03-25T18:37:43.2322625Z
DotNetCasClient.Protocol Verbose: 3237 : Constructed validation URL https://casseed.*******/cas/samlValidate?TARGET=https%3a%2f%2f****.***.***%2fOIT%2fOurWebSite%2fPublic%2fLogin&SAMLart=ST-AAHvUXXVg3ne9s117Q90h4a8h0TghZzihLD%2f7JUvby%2boohY672f2vtqO DateTime=2021-03-25T18:37:43.2322625Z
DotNetCasClient.Protocol Verbose: 3237 : Constructed SAML request:
Are your app server and the server CAS is running on both communicating over the same TLS version?
This happens A LOT when some people have one server restricted to one version that the other server doesn't support. E.g. one server is using TLS 1.0 and the other is using a minimum of TLS 1.2.
Basically, the behavior you are seeing is this:
It's indicative of an infinite cyclical redirect problem. You just have to figure out what is causing it.
Thanks PhantomTypist - I'll confirm the TLS versions with my admin, but I'm very sure the two servers are communicating correctly, because I see what seems to be interchange between servers in the log. In the log I believe it fails at 4, the ticket is not generated because it couldn't create a secure channel to fetch the ticket. (I missed your replies earlier because I didn't know my GitHub was connected to my personal email. I'll watch it closer.)
What do you mean "failed at 4"? If you're getting an error that says "couldn't create a secure channel" that means your servers can't connect to the CAS server. Secure channel means TLS.
Here's some good documentation on TLS stuff as well: https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
My sysadmin fixed this issue. I had dotnet runtime set to 4.5.something, which didn't support TLS 1.2 apparently.
This is the correction in web config (add brackets as appropriate):
httpRuntime targetFramework="4.7.2" maxRequestLength="17000000" enable="true" executionTimeout="18000"
.NET 4.5 does support TLS 1.2, but to get it to work you have to set it in code using:
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
You can actually enable it in .NET 4.0 as well, but the enum isn't there so you have to set it like so:
System.Net.ServicePointManager.SecurityProtocol = (System.Net.SecurityProtocolType)3072; // 3072 = Tls12; the cast is required for this to compile
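As an added example (not code from this thread or from DotNetCasClient): a C# check that applies the TLS 1.2 setting discussed above and probes the CAS server, so a failed handshake shows up as an explicit secure-channel error instead of a redirect loop. The class name `CasTlsCheck`, its methods and the URL `https://cas.example.edu/cas/login` are assumptions; substitute your own CAS login URL.

```csharp
using System;
using System.Net;

// Added example: CasTlsCheck is a hypothetical helper, not part of DotNetCasClient.
public static class CasTlsCheck
{
    // 3072 is the numeric value of SecurityProtocolType.Tls12; the cast also
    // compiles on .NET 4.0, where the enum member is missing.
    private const SecurityProtocolType Tls12 = (SecurityProtocolType)3072;

    // Call once at startup (e.g. Application_Start) before any CAS traffic.
    public static void EnableTls12()
    {
        ServicePointManager.SecurityProtocol = Tls12;
    }

    // One outbound request to the CAS server; reports whether the TLS
    // handshake worked, whatever HTTP status comes back.
    public static string Probe(string casUrl)
    {
        var request = (HttpWebRequest)WebRequest.Create(casUrl);
        request.Timeout = 10000;            // milliseconds
        request.AllowAutoRedirect = false;  // only the first hop matters
        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
                return "handshake ok, HTTP " + (int)response.StatusCode;
        }
        catch (WebException ex)
        {
            if (ex.Status == WebExceptionStatus.SecureChannelFailure)
                return "TLS handshake failed: " + ex.Message;
            if (ex.Response != null)   // server answered 4xx/5xx, so TLS worked
                return "handshake ok, HTTP error: " + ex.Message;
            return "connection failed (" + ex.Status + "): " + ex.Message;
        }
    }

    public static void Main()
    {
        const string casUrl = "https://cas.example.edu/cas/login"; // placeholder URL
        Console.WriteLine("before: " + ServicePointManager.SecurityProtocol);
        Console.WriteLine(Probe(casUrl));
        EnableTls12();
        Console.WriteLine("after:  " + ServicePointManager.SecurityProtocol);
        Console.WriteLine(Probe(casUrl));
    }
}
```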
DotNet 4.7.2
DotNetCasClient 1.3.2
Web.Config (URLs stripped):
<casClientConfig xdt:Transform="Replace"
    casServerLoginUrl=""
    casServerUrlPrefix=""
    ticketTimeTolerance="10000"
    serverName="***"
    ticketValidatorName="Saml11"
    redirectAfterValidation="true"
    singleSignOut="true"
    serviceTicketManager="CacheServiceTicketManager" />
Trace log output (some of it):
DotNetCasClient.HttpModule Verbose: 3237 : Starting BeginRequest for /OIT/OurWebSite/Public/Login?SAMLart=ST-AAHvUXXVg3ne9s117Q90h4a8h0Tghcu7BLjLgJH8xPrWLksGTpFMEcoB DateTime=2021-03-25T17:41:13.6035810Z
DotNetCasClient.HttpModule Verbose: 3237 : Ending BeginRequest for /OIT/OurWebSite/Public/Login?SAMLart=ST-AAHvUXXVg3ne9s117Q90h4a8h0Tghcu7BLjLgJH8xPrWLksGTpFMEcoB DateTime=2021-03-25T17:41:13.6035810Z
DotNetCasClient.HttpModule Information: 3237 : Processing Proxy Callback request DateTime=2021-03-25T17:41:13.6035810Z
DotNetCasClient.Protocol Verbose: 3237 : Constructed validation URL https://casseed.*********/cas/samlValidate?TARGET=https%3a%2f%2fwebappsdev.*********%2fOIT%2fOurWebSite%2fPublic%2fLogin&SAMLart=ST-AAHvUXXVg3ne9s117Q90h4a8h0Tghcu7BLjLgJH8xPrWLksGTpFMEcoB DateTime=2021-03-25T17:41:13.6191998Z
DotNetCasClient.Protocol Verbose: 3237 : Constructed SAML request: