CAS/Drupal authentication process failing through TSA, but works through browser

jstoll
Posts: 7
Joined: Fri Sep 05, 2008 1:28 pm

Post by jstoll »

We have a TSA box that we're trying to set up to crawl a CAS-authenticated Drupal site. This is using a Drupal CAS module that relies on the phpCAS library.

We have phpCAS and the Drupal CAS module set up and working when we go to the site via a browser - we request the Drupal site, we're redirected to CAS, we log in and we're then redirected back to Drupal where we're authorized into the Drupal site. This works in IE, Firefox and Safari.

We set up our TSA box with a custom primer page (duplicating the same process that has worked with other CAS-authenticated systems that TSA is successfully authenticating into), but TSA gets into a redirection loop where it hits Drupal the first time, is redirected to CAS, successfully logs into CAS, but then when it is redirected back to Drupal, it doesn't seem to have the necessary cookie, and Drupal sends it back to CAS again, where the process repeats until it hits the max redirect level set on the TSA profile.

I'm just guessing on the cookie at this stage, but it seems to be the most likely culprit in my mind right now.

While I realize that the details of the php debug statements below won't necessarily make much sense, I'm hoping they'll be somewhat illustrative of what's happening. The first one shows a successful login through the Drupal CAS module via a browser. The second one shows the failed attempt via the TSA box.

Thanks for any info/assistance!

Jim

**BROWSER (SUCCESSFUL) LOGIN**
450D .START ****************** [CAS.php:398]
450D .=> phpCAS::client('1.0', 'cas.vbi.vt.edu', 443, '/cas', false) [cas.module:93]
450D .| => CASClient::CASClient('1.0', false, 'cas.vbi.vt.edu', 443, '/cas', false) [CAS.php:299]
450D .| <= ''
450D .<= ''
450D .=> phpCAS::forceAuthentication() [cas.module:123]
450D .| => CASClient::forceAuthentication() [CAS.php:895]
450D .| | => CASClient::isAuthenticated() [client.php:627]
450D .| | | => CASClient::wasPreviouslyAuthenticated() [client.php:730]
450D .| | | | no user found [client.php:834]
450D .| | | <= false
450D .| | | no ticket found [client.php:764]
450D .| | <= false
450D .| | => CASClient::redirectToCas(false) [client.php:634]
450D .| | | => CASClient::getServerLoginURL(false) [client.php:851]
450D .| | | | => CASClient::getURL() [client.php:329]
450D .| | | | <= 'https://insider-dev.vbi.vt.edu:32501/drupal/?q=node'
450D .| | | <= 'https://cas.vbi.vt.edu:443/cas/login?se ... 3Fq%3Dnode'
450D .| | | exit()
450D .| | | -
450D .| | -
450D .| -
6C38 .START ****************** [CAS.php:398]
6C38 .=> phpCAS::client('1.0', 'cas.vbi.vt.edu', 443, '/cas', false) [cas.module:93]
6C38 .| => CASClient::CASClient('1.0', false, 'cas.vbi.vt.edu', 443, '/cas', false) [CAS.php:299]
6C38 .| | ST 'ST-1173-lFGfDledzv7hRfgTetnw-cas' found [client.php:543]
6C38 .| <= ''
6C38 .<= ''
6C38 .=> phpCAS::forceAuthentication() [cas.module:123]
6C38 .| => CASClient::forceAuthentication() [CAS.php:895]
6C38 .| | => CASClient::isAuthenticated() [client.php:627]
6C38 .| | | => CASClient::wasPreviouslyAuthenticated() [client.php:730]
6C38 .| | | | no user found [client.php:834]
6C38 .| | | <= false
6C38 .| | | ST `ST-1173-lFGfDledzv7hRfgTetnw-cas' is present [client.php:738]
6C38 .| | | => CASClient::validateST('', NULL, NULL) [client.php:739]
6C38 .| | | | => CASClient::getURL() [client.php:368]
6C38 .| | | | <= 'https://insider-dev.vbi.vt.edu:32501/drupal/?q=node'
6C38 .| | | | => CASClient::readURL('https://cas.vbi.vt.edu:443/cas/validate ... gTetnw-cas', '', NULL, NULL, NULL) [client.php:968]
6C38 .| | | | <= true
6C38 .| | | <= true
6C38 .| | | ST `ST-1173-lFGfDledzv7hRfgTetnw-cas' was validated [client.php:740]
6C38 .| | <= true
6C38 .| | no need to authenticate [client.php:629]
6C38 .| <= true
6C38 .| no need to authenticate (user `jstoll' is already authenticated) [CAS.php:909]
6C38 .<= ''

**TSA (FAILED) LOGIN**
60A9 .START ****************** [CAS.php:398]
60A9 .=> phpCAS::client('1.0', 'cas.vbi.vt.edu', 443, '/cas', false) [cas.module:93]
60A9 .| => CASClient::CASClient('1.0', false, 'cas.vbi.vt.edu', 443, '/cas', false) [CAS.php:299]
60A9 .| <= ''
60A9 .<= ''
60A9 .=> phpCAS::forceAuthentication() [cas.module:123]
60A9 .| => CASClient::forceAuthentication() [CAS.php:895]
60A9 .| | => CASClient::isAuthenticated() [client.php:627]
60A9 .| | | => CASClient::wasPreviouslyAuthenticated() [client.php:730]
60A9 .| | | | no user found [client.php:834]
60A9 .| | | <= false
60A9 .| | | no ticket found [client.php:764]
60A9 .| | <= false
60A9 .| | => CASClient::redirectToCas(false) [client.php:634]
60A9 .| | | => CASClient::getServerLoginURL(false) [client.php:851]
60A9 .| | | | => CASClient::getURL() [client.php:329]
60A9 .| | | | <= 'https://insider-dev.vbi.vt.edu:32501/drupal/'
60A9 .| | | <= 'https://cas.vbi.vt.edu:443/cas/login?se ... Fdrupal%2F'
60A9 .| | | exit()
60A9 .| | | -
60A9 .| | -
60A9 .| -
694B .START ****************** [CAS.php:398]
694B .=> phpCAS::client('1.0', 'cas.vbi.vt.edu', 443, '/cas', false) [cas.module:93]
694B .| => CASClient::CASClient('1.0', false, 'cas.vbi.vt.edu', 443, '/cas', false) [CAS.php:299]
694B .| | ST 'ST-1170-UOizg9G72xwz5EsbXxcV-cas' found [client.php:543]
694B .| <= ''
694B .<= ''
694B .=> phpCAS::forceAuthentication() [cas.module:123]
694B .| => CASClient::forceAuthentication() [CAS.php:895]
694B .| | => CASClient::isAuthenticated() [client.php:627]
694B .| | | => CASClient::wasPreviouslyAuthenticated() [client.php:730]
694B .| | | | no user found [client.php:834]
694B .| | | <= false
694B .| | | ST `ST-1170-UOizg9G72xwz5EsbXxcV-cas' is present [client.php:738]
694B .| | | => CASClient::validateST('', NULL, NULL) [client.php:739]
694B .| | | | => CASClient::getURL() [client.php:368]
694B .| | | | <= 'https://insider-dev.vbi.vt.edu:32501/drupal/'
694B .| | | | => CASClient::readURL('https://cas.vbi.vt.edu:443/cas/validate ... sbXxcV-cas', '', NULL, NULL, NULL) [client.php:968]
694B .| | | | <= true
694B .| | | <= true
694B .| | | ST `ST-1170-UOizg9G72xwz5EsbXxcV-cas' was validated [client.php:740]
694B .| | <= true
694B .| | no need to authenticate [client.php:629]
694B .| <= true
694B .| no need to authenticate (user `authtest' is already authenticated) [CAS.php:909]
694B .<= ''
2C2F .START ****************** [CAS.php:398]
2C2F .=> phpCAS::client('1.0', 'cas.vbi.vt.edu', 443, '/cas', false) [cas.module:93]
2C2F .| => CASClient::CASClient('1.0', false, 'cas.vbi.vt.edu', 443, '/cas', false) [CAS.php:299]
2C2F .| <= ''
2C2F .<= ''
2C2F .=> phpCAS::forceAuthentication() [cas.module:123]
2C2F .| => CASClient::forceAuthentication() [CAS.php:895]
2C2F .| | => CASClient::isAuthenticated() [client.php:627]
2C2F .| | | => CASClient::wasPreviouslyAuthenticated() [client.php:730]
2C2F .| | | | no user found [client.php:834]
2C2F .| | | <= false
2C2F .| | | no ticket found [client.php:764]
2C2F .| | <= false
2C2F .| | => CASClient::redirectToCas(false) [client.php:634]
2C2F .| | | => CASClient::getServerLoginURL(false) [client.php:851]
2C2F .| | | | => CASClient::getURL() [client.php:329]
2C2F .| | | | <= 'https://insider-dev.vbi.vt.edu:32501/drupal/?q=node'
2C2F .| | | <= 'https://cas.vbi.vt.edu:443/cas/login?se ... 3Fq%3Dnode'
2C2F .| | | exit()
2C2F .| | | -
2C2F .| | -
2C2F .| -
0336 .START ****************** [CAS.php:398]
0336 .=> phpCAS::client('1.0', 'cas.vbi.vt.edu', 443, '/cas', false) [cas.module:93]
0336 .| => CASClient::CASClient('1.0', false, 'cas.vbi.vt.edu', 443, '/cas', false) [CAS.php:299]
0336 .| <= ''
0336 .<= ''
0336 .=> phpCAS::forceAuthentication() [cas.module:123]
0336 .| => CASClient::forceAuthentication() [CAS.php:895]
0336 .| | => CASClient::isAuthenticated() [client.php:627]
0336 .| | | => CASClient::wasPreviouslyAuthenticated() [client.php:730]
0336 .| | | | no user found [client.php:834]
0336 .| | | <= false
0336 .| | | no ticket found [client.php:764]
0336 .| | <= false
0336 .| | => CASClient::redirectToCas(false) [client.php:634]
0336 .| | | => CASClient::getServerLoginURL(false) [client.php:851]
0336 .| | | | => CASClient::getURL() [client.php:329]
0336 .| | | | <= 'https://insider-dev.vbi.vt.edu:32501/drupal/'
0336 .| | | <= 'https://cas.vbi.vt.edu:443/cas/login?se ... Fdrupal%2F'
0336 .| | | exit()
0336 .| | | -
0336 .| | -
0336 .| -
6613 .START ****************** [CAS.php:398]
6613 .=> phpCAS::client('1.0', 'cas.vbi.vt.edu', 443, '/cas', false) [cas.module:93]
6613 .| => CASClient::CASClient('1.0', false, 'cas.vbi.vt.edu', 443, '/cas', false) [CAS.php:299]
6613 .| | ST 'ST-1172-kOzIcE6v2cubFZvKotGa-cas' found [client.php:543]
6613 .| <= ''
6613 .<= ''
6613 .=> phpCAS::forceAuthentication() [cas.module:123]
6613 .| => CASClient::forceAuthentication() [CAS.php:895]
6613 .| | => CASClient::isAuthenticated() [client.php:627]
6613 .| | | => CASClient::wasPreviouslyAuthenticated() [client.php:730]
6613 .| | | | no user found [client.php:834]
6613 .| | | <= false
6613 .| | | ST `ST-1172-kOzIcE6v2cubFZvKotGa-cas' is present [client.php:738]
6613 .| | | => CASClient::validateST('', NULL, NULL) [client.php:739]
6613 .| | | | => CASClient::getURL() [client.php:368]
6613 .| | | | <= 'https://insider-dev.vbi.vt.edu:32501/drupal/'
6613 .| | | | => CASClient::readURL('https://cas.vbi.vt.edu:443/cas/validate ... vKotGa-cas', '', NULL, NULL, NULL) [client.php:968]
6613 .| | | | <= true
6613 .| | | <= true
6613 .| | | ST `ST-1172-kOzIcE6v2cubFZvKotGa-cas' was validated [client.php:740]
6613 .| | <= true
6613 .| | no need to authenticate [client.php:629]
6613 .| <= true
6613 .| no need to authenticate (user `authtest' is already authenticated) [CAS.php:909]
6613 .<= ''
6E5F .START ****************** [CAS.php:398]
6E5F .=> phpCAS::client('1.0', 'cas.vbi.vt.edu', 443, '/cas', false) [cas.module:93]
6E5F .| => CASClient::CASClient('1.0', false, 'cas.vbi.vt.edu', 443, '/cas', false) [CAS.php:299]
6E5F .| <= ''
6E5F .<= ''
6E5F .=> phpCAS::forceAuthentication() [cas.module:123]
6E5F .| => CASClient::forceAuthentication() [CAS.php:895]
6E5F .| | => CASClient::isAuthenticated() [client.php:627]
6E5F .| | | => CASClient::wasPreviouslyAuthenticated() [client.php:730]
6E5F .| | | | no user found [client.php:834]
6E5F .| | | <= false
6E5F .| | | no ticket found [client.php:764]
6E5F .| | <= false
6E5F .| | => CASClient::redirectToCas(false) [client.php:634]
6E5F .| | | => CASClient::getServerLoginURL(false) [client.php:851]
6E5F .| | | | => CASClient::getURL() [client.php:329]
6E5F .| | | | <= 'https://insider-dev.vbi.vt.edu:32501/drupal/?q=node'
6E5F .| | | <= 'https://cas.vbi.vt.edu:443/cas/login?se ... 3Fq%3Dnode'
6E5F .| | | exit()
6E5F .| | | -
6E5F .| | -
6E5F .| -
Kai
Site Admin
Posts: 1270
Joined: Tue Apr 25, 2000 1:27 pm

Post by Kai »

Are you accessing the CAS login host with the same (fully-qualified) hostname from both the browser and the Base URL/Primer on the appliance? Are all cookies sent from the CAS system sent with a domain-wide `Domain` and `Path=/`?
jstoll
Posts: 7
Joined: Fri Sep 05, 2008 1:28 pm

Post by jstoll »

Yes on #1 - I'm using the same fully-qualified domain name in both cases (i.e., browser and TSA). Not sure on #2 - cookie pathing is sort of my personal leading suspicion right now. I'll dig into the PHP code a bit and see if I can figure that out. Thanks for letting me know where they *should* be going!

Jim
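
One way to confirm from a phpCAS debug log that the session is dropped right after ticket validation, the pattern visible in the TSA trace in this thread (added example, not part of the thread or of phpCAS). The sample lines are constructed, and treating each four-hex-digit prefix as one request is an assumption based on the START blocks in the quoted traces.

```python
import re

# Constructed sample in the phpCAS debug-trace format quoted in the thread;
# request ids and the ticket value are placeholders, not the thread's values.
SAMPLE = """\
A001 .| | | | no user found [client.php:834]
A001 .| | | no ticket found [client.php:764]
A002 .| | ST 'ST-0000-PLACEHOLDER-cas' found [client.php:543]
A002 .| | | | no user found [client.php:834]
A002 .| | | ST `ST-0000-PLACEHOLDER-cas' was validated [client.php:740]
A003 .| | | | no user found [client.php:834]
A003 .| | | no ticket found [client.php:764]
"""

# Assumption: each 4-hex-digit prefix marks one HTTP request.
LINE = re.compile(r"^([0-9A-F]{4}) \.(.*)$")
MARKERS = ("no user found", "no ticket found", "was validated")

def classify_requests(log_text):
    """Return [(request_id, state)] in first-seen order."""
    flags = {}  # dicts keep insertion order, so this is also request order
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            seen = flags.setdefault(m.group(1), set())
            seen.update(k for k in MARKERS if k in m.group(2))
    result = []
    for rid, seen in flags.items():
        if "was validated" in seen:
            state = "validated"        # ticket accepted on this request
        elif {"no user found", "no ticket found"} <= seen:
            state = "unauthenticated"  # no session user and no ticket
        else:
            state = "other"
        result.append((rid, state))
    return result

def lost_sessions(log_text):
    """Pairs where the request right after a validation had no session or ticket."""
    reqs = classify_requests(log_text)
    return [(a, b) for (a, sa), (b, sb) in zip(reqs, reqs[1:])
            if sa == "validated" and sb == "unauthenticated"]

if __name__ == "__main__":
    print(lost_sessions(SAMPLE))
```

A non-empty result means the request after validation carried no recognised session, so the `Set-Cookie` on the validating response (its `Domain` and `Path`) is the next thing to inspect.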