apereo / dotnet-cas-client

Apereo .NET CAS Client
Apache License 2.0

Logs not being generated #87

Closed cflasrado18 closed 6 years ago

cflasrado18 commented 6 years ago

Hi,

I am getting a redirect issue after logging in through the CAS server. To diagnose and troubleshoot the issue I added the tracing part to my webconfig but no logs are being generated. I made sure I have given the appropriate privileges to modify and write to the signed in user but still no logs. I am adding my webconfig below. Please let me know if I am doing anything wrong. Thank you.

[webconfig.txt](https://github.com/apereo/dotnet-cas-client/files/2306987/webconfig.txt)

TheHokieCoder commented 6 years ago

What do you mean, exactly, by "signed in user"? As far as the permissions to write the log file go, there isn't a concept of a signed in user. .NET application pools run under pseudo-identities that aren't real accounts on the machine (see https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities for more details). So you should be giving permissions to an identity that is something like IIS AppPool\MyApplicationPool, where MyApplicationPool is the name of the application pool you are running your application in. That, too, all assumes you are using IIS 7.5 or greater.

I just took a quick glance at your web.config and the fact that you are writing the log to C:\inetpub\logs\LogFiles is a red flag to me, only because that IIS logs folder has some pretty locked down permissions. One thing I would try, first, is creating a folder like C:\AppLogs, setting the permissions to read/write for Everyone, and try configuring your app to write the log there. If that works, you know you have a permissions problem with writing to the IIS logs folder. If it doesn't work, report back and we can help dig further into your tracing config.

cflasrado18 commented 6 years ago

@TheHokieCoder thank you for your response. I tried what you suggested and configured my application to write logs to C:\AppLogs with giving read/write permissions to everyone but still nothing. Just to clarify I am running this application on Windows Server 2016 with IIS 10. The logs were being written for a while to the original location at C:\inetpub\logs\LogFiles but then they stopped updating as I was trying to fix the redirect loop problem. I don't know how I could have broken it. It's difficult to diagnose what's going wrong without logs. Please let me know if you need more information from me to figure out what is wrong. Thank you.

TheHokieCoder commented 6 years ago

OK, good to know we've ruled out file permissions as a problem. I'll look over your config file in more detail when I get a chance and see if I can find why the tracing isn't working.

TheHokieCoder commented 6 years ago

@cflasrado18 So I couldn't find any misconfiguration in your web.config. In fact, I even copied it into two CAS-enabled applications that I have and both were able to generate the log file once appropriate permissions were given to the log directory. I don't have access to a Server 2016/IIS10 machine to test, so I don't know if anything is the culprit there. Unfortunately I don't know a whole lot about the .NET tracing mechanism used nor if there are any differences between versions of IIS, so I am unable to provide any further guidance.

Have you tried creating a new, blank application (on the same web server), adding DotNetCasClient, configuring it to trace to the log file, and seeing if that works? That could help rule out a misconfiguration in your current app vs. something in IIS preventing the logging from occurring.

Sorry I can't be of more help! Perhaps one of the other devs will be able to chime in.

cflasrado18 commented 6 years ago

@TheHokieCoder thank you for your help. I will try to do what you asked and create a blank application and see if the tracing works there. Just out of curiosity, when you copied my web.config to your CAS enabled applications, did you get a redirect loop problem?

TheHokieCoder commented 6 years ago

I didn't copy your entire web.config, just the system.diagnostics section, which is where the logging is configured. Usually when I get redirect loop problems, it is because of an issue with the ticketTimeTolerance value set in the casClientConfig section. Try changing that value from 5000 up to something like 30000 (which I believe is the new default value). If your web server's time gets out of sync from your CAS server's time, then that can cause loops because the ticket supplied by the CAS server is never valid to the application, so it keeps going back to the CAS server to get a new one.

cflasrado18 commented 6 years ago

@TheHokieCoder So I created a new blank application and tried to see if tracing works but no luck. However the redirect loop stopped and now it does go to my website but it throws a 404 error with the ticket appended to the URL. Any ideas on how to solve this? I'm guessing that maybe changing the ticketTimeTolerance to 30000 helped. Thanks.

cflasrado18 commented 6 years ago

So I finally got tracing to work. I don't know how but it started working. The error I am getting is below:

```
DotNetCasClient.Protocol Information: 3237 : Ticket validation failed: System.Net.WebException: The remote server returned an error: (403) Forbidden.
   at System.Net.HttpWebRequest.GetResponse()
   at DotNetCasClient.Utils.HttpUtil.PerformHttpGet(String url, Boolean requireHttp200)
   at DotNetCasClient.Validation.TicketValidator.AbstractUrlTicketValidator.Validate(String ticket)
    DateTime=2018-08-24T14:48:15.7505221Z
DotNetCasClient.Protocol Error: 3237 : Ticket validation error: DotNetCasClient.Validation.TicketValidationException: CAS server ticket validation threw an Exception ---> System.Net.WebException: The remote server returned an error: (403) Forbidden.
   at System.Net.HttpWebRequest.GetResponse()
   at DotNetCasClient.Utils.HttpUtil.PerformHttpGet(String url, Boolean requireHttp200)
   at DotNetCasClient.Validation.TicketValidator.AbstractUrlTicketValidator.Validate(String ticket)
   --- End of inner exception stack trace ---
```

Is this another permissions issue or something else?

cflasrado18 commented 6 years ago

Hi,

So a quick question, would the dotnetcasclient work on a Windows server that is configured to accept connections only from accounts with Windows credentials?

cflasrado18 commented 6 years ago

So the issue was that the CAS server that I was connecting to had port 443 blocked, so it was not able to communicate with my server even though I was able to connect to it. Once the port was opened up CAS started working.

TheHokieCoder commented 6 years ago

Good find, @cflasrado18! If you still want an answer about your questions about Windows accounts, please open up another issue and ask there.
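The three causes discussed in this thread (the app pool identity lacking write access to the trace log directory, clock skew larger than ticketTimeTolerance, and the web server itself being unable to reach the CAS server on 443 for server-side ticket validation) can be checked from the web server in one pass. The script below is an added example, not part of dotnet-cas-client; the CAS host, application pool name and log directory are placeholders you must replace.

```powershell
# Added diagnostic script (not dotnet-cas-client code). $CasHost, $AppPool and
# $LogDir are assumed placeholders for your environment; run on the IIS server.
param(
    [string]$CasHost = 'cas.example.org',     # assumption: your CAS server host
    [string]$AppPool = 'MyApplicationPool',   # assumption: IIS application pool name
    [string]$LogDir  = 'C:\AppLogs',          # log directory used in the thread
    [int]$TicketTimeToleranceMs = 30000       # value suggested in the thread
)

# 1. Server-to-server reachability. The browser redirect to CAS can work while
#    serviceValidate from the web server fails, which is what the 403 /
#    WebException in the trace above looked like once the port was blocked.
$tcp = Test-NetConnection -ComputerName $CasHost -Port 443 -WarningAction SilentlyContinue
"TCP 443 to ${CasHost}: " + $(if ($tcp.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })

# 2. Clock skew. ticketTimeTolerance only absorbs drift up to its value; larger
#    skew makes every ticket look invalid and produces the redirect loop.
try {
    $resp = Invoke-WebRequest -Uri "https://$CasHost/cas/login" -Method Head -UseBasicParsing
    $serverTime = [DateTime]::Parse([string]$resp.Headers['Date']).ToUniversalTime()
    $skewMs = [math]::Abs(((Get-Date).ToUniversalTime() - $serverTime).TotalMilliseconds)
    "Clock skew vs CAS: {0:N0} ms (tolerance {1} ms) -> {2}" -f $skewMs, $TicketTimeToleranceMs,
        $(if ($skewMs -le $TicketTimeToleranceMs) { 'OK' } else { 'EXCEEDS TOLERANCE' })
} catch {
    "Could not read Date header from CAS: $($_.Exception.Message)"
}

# 3. Trace log permissions for the pseudo-identity the app pool runs under
#    (IIS AppPool\<pool name>), not for any interactively signed-in user.
$identity = "IIS AppPool\$AppPool"
$acl = Get-Acl -Path $LogDir
$canWrite = $acl.Access | Where-Object {
    ($_.IdentityReference.Value -in @($identity, 'Everyone', 'BUILTIN\Users')) -and
    ($_.AccessControlType -eq 'Allow') -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write)
}
"Write ACE for $identity on ${LogDir}: " + $(if ($canWrite) { 'present' } else { 'MISSING' })
```

Step 1 tests from the web server's side only; a firewall rule on the CAS side, as in this thread, shows up as a failed TCP test here even though the CAS login page is reachable from a workstation.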