apereo / dotnet-cas-client

Apereo .NET CAS Client
Apache License 2.0

too many redirects #117

Closed toddharvey closed 3 years ago

toddharvey commented 3 years ago

.NET 4.7.2, DotNetCasClient 1.3.2

Web.config (URLs stripped):

```xml
<casClientConfig xdt:Transform="Replace"
                 casServerLoginUrl=""
                 casServerUrlPrefix=""
                 ticketTimeTolerance="10000"
                 serverName="***"
                 ticketValidatorName="Saml11"
                 redirectAfterValidation="true"
                 singleSignOut="true"
                 serviceTicketManager="CacheServiceTicketManager" />
```

Trace log output (some of it):

```
DotNetCasClient.HttpModule Verbose: 3237 : Starting BeginRequest for /OIT/OurWebSite/Public/Login?SAMLart=ST-AAHvUXXVg3ne9s117Q90h4a8h0Tghcu7BLjLgJH8xPrWLksGTpFMEcoB DateTime=2021-03-25T17:41:13.6035810Z
DotNetCasClient.HttpModule Verbose: 3237 : Ending BeginRequest for /OIT/OurWebSite/Public/Login?SAMLart=ST-AAHvUXXVg3ne9s117Q90h4a8h0Tghcu7BLjLgJH8xPrWLksGTpFMEcoB DateTime=2021-03-25T17:41:13.6035810Z
DotNetCasClient.HttpModule Information: 3237 : Processing Proxy Callback request DateTime=2021-03-25T17:41:13.6035810Z
DotNetCasClient.Protocol Verbose: 3237 : Constructed validation URL https://casseed.*********/cas/samlValidate?TARGET=https%3a%2f%2fwebappsdev.*********%2fOIT%2fOurWebSite%2fPublic%2fLogin&SAMLart=ST-AAHvUXXVg3ne9s117Q90h4a8h0Tghcu7BLjLgJH8xPrWLksGTpFMEcoB DateTime=2021-03-25T17:41:13.6191998Z
DotNetCasClient.Protocol Verbose: 3237 : Constructed SAML request:

ST-AAHvUXXVg3ne9s117Q90h4a8h0Tghcu7BLjLgJH8xPrWLksGTpFMEcoB DateTime=2021-03-25T17:41:13.6973256Z
DotNetCasClient.Protocol Verbose: 3237 : Request URI: https://casseed.*********/cas/samlValidate?TARGET=https:%2f%2fwebappsdev.*********%2fOIT%2fOurWebSite%2fPublic%2fLogin&SAMLart=ST-AAHvUXXVg3ne9s117Q90h4a8h0Tghcu7BLjLgJH8xPrWLksGTpFMEcoB DateTime=2021-03-25T17:41:13.7129487Z
DotNetCasClient.Protocol Verbose: 3237 : Request headers: Content-Type: text/xml SOAPAction: http://www.oasis-open.org/committees/security DateTime=2021-03-25T17:41:13.7129487Z
DotNetCasClient.Protocol Information: 3237 : Ticket validation failed: System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
   at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
   at System.Net.HttpWebRequest.GetRequestStream()
   at DotNetCasClient.Validation.TicketValidator.Saml11TicketValidator.RetrieveResponseFromServer(String validationUrl, String ticket)
   at DotNetCasClient.Validation.TicketValidator.AbstractUrlTicketValidator.Validate(String ticket) DateTime=2021-03-25T17:41:13.7129487Z
DotNetCasClient.Protocol Error: 3237 : Ticket validation error: DotNetCasClient.Validation.TicketValidationException: CAS server ticket validation threw an Exception ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
   at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
   at System.Net.HttpWebRequest.GetRequestStream()
   at DotNetCasClient.Validation.TicketValidator.Saml11TicketValidator.RetrieveResponseFromServer(String validationUrl, String ticket)
   at DotNetCasClient.Validation.TicketValidator.AbstractUrlTicketValidator.Validate(String ticket)
   --- End of inner exception stack trace ---
```
toddharvey commented 3 years ago

I inspected the DLL with JetBrains and, in order to ensure it was the latest DotNetCasClient, removed the reference and reinstalled the package. To confirm, packages.config(5):

and an improved error log (in case it showed an out-of-date DLL before):

```
DotNetCasClient.HttpModule Information: 3237 : Redirecting to CAS Login Page DateTime=2021-03-25T18:37:43.1697543Z
DotNetCasClient.Protocol Information: 3237 : Redirecting to https://casseed.*******/cas/login?TARGET=https%3a%2f%2f****.***.***%2fOIT%2fOurWebSite%2fPublic%2fLogin DateTime=2021-03-25T18:37:43.1697543Z
DotNetCasClient.HttpModule Verbose: 3237 : Ending EndRequest for /OIT/OurWebSite/Public/Login DateTime=2021-03-25T18:37:43.1697543Z
DotNetCasClient.HttpModule Verbose: 3237 : Starting BeginRequest for /OIT/OurWebSite/Public/Login?SAMLart=ST-AAHvUXXVg3ne9s117Q90h4a8h0TghZzihLD%2F7JUvby%2BoohY672f2vtqO DateTime=2021-03-25T18:37:43.2322625Z
DotNetCasClient.HttpModule Verbose: 3237 : Ending BeginRequest for /OIT/OurWebSite/Public/Login?SAMLart=ST-AAHvUXXVg3ne9s117Q90h4a8h0TghZzihLD%2F7JUvby%2BoohY672f2vtqO DateTime=2021-03-25T18:37:43.2322625Z
DotNetCasClient.HttpModule Information: 3237 : Processing Proxy Callback request DateTime=2021-03-25T18:37:43.2322625Z
DotNetCasClient.Protocol Verbose: 3237 : Constructed validation URL https://casseed.*******/cas/samlValidate?TARGET=https%3a%2f%2f****.***.***%2fOIT%2fOurWebSite%2fPublic%2fLogin&SAMLart=ST-AAHvUXXVg3ne9s117Q90h4a8h0TghZzihLD%2f7JUvby%2boohY672f2vtqO DateTime=2021-03-25T18:37:43.2322625Z
DotNetCasClient.Protocol Verbose: 3237 : Constructed SAML request:

ST-AAHvUXXVg3ne9s117Q90h4a8h0TghZzihLD/7JUvby+oohY672f2vtqO DateTime=2021-03-25T18:37:43.3103780Z
DotNetCasClient.Protocol Verbose: 3237 : Request URI: https://casseed.*******/cas/samlValidate?TARGET=https:%2f%2f****.***.***%2fOIT%2fOurWebSite%2fPublic%2fLogin&SAMLart=ST-AAHvUXXVg3ne9s117Q90h4a8h0TghZzihLD%2f7JUvby%2boohY672f2vtqO DateTime=2021-03-25T18:37:43.3103780Z
DotNetCasClient.Protocol Verbose: 3237 : Request headers: Content-Type: text/xml SOAPAction: http://www.oasis-open.org/committees/security DateTime=2021-03-25T18:37:43.3103780Z
DotNetCasClient.Protocol Information: 3237 : Ticket validation failed: System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
   at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
   at System.Net.HttpWebRequest.GetRequestStream()
   at DotNetCasClient.Validation.TicketValidator.Saml11TicketValidator.RetrieveResponseFromServer(String validationUrl, String ticket)
   at DotNetCasClient.Validation.TicketValidator.AbstractUrlTicketValidator.Validate(String ticket) DateTime=2021-03-25T18:37:43.3103780Z
DotNetCasClient.Protocol Error: 3237 : Ticket validation error: DotNetCasClient.Validation.TicketValidationException: CAS server ticket validation threw an Exception ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
   at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
   at System.Net.HttpWebRequest.GetRequestStream()
   at DotNetCasClient.Validation.TicketValidator.Saml11TicketValidator.RetrieveResponseFromServer(String validationUrl, String ticket)
   at DotNetCasClient.Validation.TicketValidator.AbstractUrlTicketValidator.Validate(String ticket)
   --- End of inner exception stack trace ---
   at DotNetCasClient.Validation.TicketValidator.AbstractUrlTicketValidator.Validate(String ticket)
   at DotNetCasClient.CasAuthentication.ProcessTicketValidation() DateTime=2021-03-25T18:37:43.3103780Z
DotNetCasClient.HttpModule Verbose: 3237 : Starting AuthenticateRequest for /OIT/OurWebSite/Public/Login?SAMLart=ST-AAHvUXXVg3ne9s117Q90h4a8h0TghZzihLD%2F7JUvby%2BoohY672f2vtqO DateTime=2021-03-25T18:37:43.3103780Z
DotNetCasClient.HttpModule Verbose: 3237 : Ending AuthenticateRequest for /OIT/OurWebSite/Public/Login?SAMLart=ST-AAHvUXXVg3ne9s117Q90h4a8h0TghZzihLD%2F7JUvby%2BoohY672f2vtqO DateTime=2021-03-25T18:37:43.3103780Z
```
phantomtypist commented 3 years ago

Are your app server and the server CAS is running on both communicating over the same TLS version?

This happens A LOT when some people have one server restricted to one version that the other server doesn't support. E.g. one server is using TLS 1.0 and the other is using a minimum of TLS 1.2.

phantomtypist commented 3 years ago

Basically, the behavior you are seeing is this:

  1. Client requests your web app
  2. Web app server says "you not authenticated bruh"
  3. Web app server redirects client to CAS server
  4. Client completes validation with CAS server (auth ticket sent back to client and also stored in CAS server)
  5. Client redirected back to web app server and hands it the auth ticket
  6. Web app server takes the auth ticket and goes and validates it against the CAS server saying "Yo CAS server, bruh, is this auth ticket valid?"
  7. Something goes wrong there and basically the CAS server is like "naw man, haven't seen that person... must be haxor, go away"
  8. Web app server is like "welp, this client isn't really authenticated" and sends redirect to client
  9. Client redirects to CAS server for authentication.
  10. Rinse and repeat 10,000 times and then the browser gives up and is like "bruh, i'm done with this circle circus" and hands the user "too many redirects".

It's indicative of an infinite cyclical redirect problem. You just have to figure out what is causing it.

toddharvey commented 3 years ago

thanks PhantomTypist - I'll confirm the TLS versions with my admin, but I'm very sure the two servers are communicating correctly, because I see what seems to be interchange between servers in the log. In the log I believe it fails at 4, the ticket is not generated because it couldn't create a secure channel to fetch the ticket. (I missed your replies earlier because I didn't know my github was connected to my personal email. I'll watch it closer.)

phantomtypist commented 3 years ago

What do you mean "failed at 4"? If you're getting an error that says "couldn't create a secure channel" that means your servers can't connect to the CAS server. Secure channel means TLS.

phantomtypist commented 3 years ago

Here's some good documentation on TLS stuff as well: https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
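The question above ("are both servers speaking the same TLS version?") can be answered directly rather than guessed at. The following is an added example, not code from this thread or from the dotnet-cas-client project: a small .NET Framework console program that opens a raw `SslStream` to the CAS host and attempts a handshake restricted to one protocol version at a time, then prints what `ServicePointManager.SecurityProtocol` is set to in the running process (that value is what `HttpWebRequest`, and therefore `Saml11TicketValidator`, will offer). The host name `cas.example.edu` is a placeholder; substitute the host from your `casServerUrlPrefix`.

```csharp
// Added example (not from the dotnet-cas-client project or this issue thread).
// Probes which TLS versions a CAS server accepts, to turn a bare
// "Could not create SSL/TLS secure channel" into a concrete version mismatch.
// Build as a .NET Framework 4.5+ console app: csc TlsProbe.cs
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

class TlsProbe
{
    static void Main(string[] args)
    {
        // Assumption: replace with the host of your casServerUrlPrefix.
        string host = args.Length > 0 ? args[0] : "cas.example.edu";
        int port = 443;

        // What this process will offer on outbound HTTPS. If the server only
        // accepts Tls12 and this set does not contain Tls12, that is the mismatch.
        Console.WriteLine("ServicePointManager.SecurityProtocol = " +
                          ServicePointManager.SecurityProtocol);

        foreach (SslProtocols p in new[] { SslProtocols.Tls, SslProtocols.Tls11, SslProtocols.Tls12 })
        {
            Console.WriteLine("{0,-6} -> {1}", p, Probe(host, port, p));
        }
    }

    // Attempts a handshake with exactly one protocol version enabled and reports
    // the outcome. Certificate validation is left at the default (no callback),
    // so an untrusted CAS certificate surfaces here instead of being masked.
    static string Probe(string host, int port, SslProtocols protocol)
    {
        try
        {
            using (var tcp = new TcpClient(host, port))
            using (var ssl = new SslStream(tcp.GetStream(), false))
            {
                ssl.AuthenticateAsClient(host, null, protocol, checkCertificateRevocation: true);
                return string.Format("OK (negotiated {0}, {1} {2}-bit)",
                                     ssl.SslProtocol, ssl.CipherAlgorithm, ssl.CipherStrength);
            }
        }
        catch (AuthenticationException ex)   // version refused or certificate not trusted
        {
            return "FAILED handshake: " + ex.Message;
        }
        catch (IOException ex)               // server closed the connection mid-handshake
        {
            return "FAILED I/O: " + ex.Message;
        }
        catch (SocketException ex)           // host unreachable or port closed
        {
            return "FAILED connect: " + ex.Message;
        }
        catch (Exception ex)                 // e.g. the OS has the version disabled locally
        {
            return "FAILED: " + ex.GetType().Name + ": " + ex.Message;
        }
    }
}
```

Run it on the web application server, not your workstation, and from a binary built against the same target framework as the web app: the default value of `ServicePointManager.SecurityProtocol` depends on the targeted .NET Framework version (4.5 defaults to SSL 3.0/TLS 1.0, 4.6 to 4.6.2 add TLS 1.1/1.2, 4.7+ defers to the OS via `SystemDefault`), so a probe built for 4.7.2 can succeed where a web app whose `httpRuntime targetFramework` is 4.5 fails.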

toddharvey commented 3 years ago

My sysadmin fixed this issue. I had the .NET runtime set to 4.5.something, which didn't support TLS 1.2 apparently.

This is the correction in web.config:

```xml
<httpRuntime targetFramework="4.7.2" maxRequestLength="17000000" enable="true" executionTimeout="18000" />
```

phantomtypist commented 3 years ago

.NET 4.5 does support TLS 1.2, but to get it to work you have to set it in code using:

```csharp
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
```

You can actually enable it in .NET 4.0 as well, but the enum member isn't there, so you have to cast the raw value like so:

```csharp
// 3072 is the value SecurityProtocolType.Tls12 has in .NET 4.5+; the cast is
// required because the compiler will not assign a bare int to the enum type.
System.Net.ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;
```