(Alfresco 5.1.2) CAS authentication through Apache mod_auth_cas returning Unauthorized

mwatkins
Member II

I am attempting to integrate into our development environment mod_auth_cas (version 1.1 from https://github.com/Jasig/mod_auth_cas) for use in our existing Apache server 2.4 in order to authenticate share and alfresco.

Our CAS Server is compiled via MAVEN from JASIG CAS version 3.5.2, and our Alfresco version is 5.1.2.

I am (loosely) following the documentation provided for community 5.0 at Using Alfresco with CAS authentication through Apache mod_auth_cas | Alfresco Documentation, with liberties initially taken to use the latest version of mod_auth_cas itself (a necessary step as it supports Apache 2.4).

Additionally, while our server configuration involves two virtual machines, our CAS server is located in the same tomcat instance that alfresco & share reside in, and not in the same machine that mod_auth_cas resides in.

Having adapted the steps to the best of my knowledge, I am encountering the following error:
-After posting login information to /cas/login attempting to access /share or /alfresco, I am redirected to the following screen:
Unauthorized

The ssl_error_log provides the following during this process:

[Fri Mar 31 02:57:07.659313 2017] [ssl:info] [pid 1456] [client 172.17.0.1:60166] AH01964: Connection to child 12 established (server localhost:443)
[Fri Mar 31 02:57:07.659448 2017] [ssl:debug] [pid 1456] ssl_engine_kernel.c(2115): [client 172.17.0.1:60166] AH02043: SSL virtual host for servername localhost found
[Fri Mar 31 02:57:07.661136 2017] [ssl:debug] [pid 1456] ssl_engine_kernel.c(2042): [client 172.17.0.1:60166] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Fri Mar 31 02:57:07.661172 2017] [ssl:info] [pid 1456] (70014)End of file found: [client 172.17.0.1:60166] AH01991: SSL input filter read failed.
[Fri Mar 31 02:57:07.661225 2017] [ssl:debug] [pid 1456] ssl_engine_io.c(1043): [client 172.17.0.1:60166] AH02001: Connection closed to child 12 with standard shutdown (server localhost:443)
[Fri Mar 31 02:57:07.672373 2017] [ssl:info] [pid 1403] [client 172.17.0.1:60168] AH01964: Connection to child 11 established (server localhost:443)
[Fri Mar 31 02:57:07.672489 2017] [ssl:debug] [pid 1403] ssl_engine_kernel.c(2115): [client 172.17.0.1:60168] AH02043: SSL virtual host for servername localhost found
[Fri Mar 31 02:57:07.673149 2017] [ssl:debug] [pid 1403] ssl_engine_kernel.c(2042): [client 172.17.0.1:60168] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Fri Mar 31 02:57:07.673317 2017] [ssl:debug] [pid 1403] ssl_engine_kernel.c(366): [client 172.17.0.1:60168] AH02034: Initial (No.1) HTTPS request received for child 11 (server localhost:443), referer: https://localhost/cas/login?service=https%3a%2f%2flocalhost%2fshare%2f
[Fri Mar 31 02:57:07.673382 2017] [authz_core:debug] [pid 1403] mod_authz_core.c(835): [client 172.17.0.1:60168] AH01628: authorization result: granted (no directives), referer: https://localhost/cas/login?service=https%3a%2f%2flocalhost%2fshare%2f
[Fri Mar 31 02:57:07.932297 2017] [ssl:debug] [pid 1403] ssl_engine_kernel.c(366): [client 172.17.0.1:60168] AH02034: Subsequent (No.2) HTTPS request received forchild 11 (server localhost:443), referer: https://localhost/cas/login?service=https%3a%2f%2flocalhost%2fshare%2f
[Fri Mar 31 02:57:07.932365 2017] [authz_core:debug] [pid 1403] mod_authz_core.c(809): [client 172.17.0.1:60168] AH01626: authorization result of Require valid-user : denied (no authenticated user yet), referer: https://localhost/cas/login?service=https%3a%2f%2flocalhost%2fshare%2f
[Fri Mar 31 02:57:07.932371 2017] [authz_core:debug] [pid 1403] mod_authz_core.c(809): [client 172.17.0.1:60168] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet), referer: https://localhost/cas/login?service=https%3a%2f%2flocalhost%2fshare%2f
[Fri Mar 31 02:57:07.932394 2017] [auth_cas:debug] [pid 1403] mod_auth_cas.c(2076): [client 172.17.0.1:60168] Entering cas_authenticate(), referer: https://localhost/cas/login?service=https%3a%2f%2flocalhost%2fshare%2f
[Fri Mar 31 02:57:07.932399 2017] [auth_cas:debug] [pid 1403] mod_auth_cas.c(656): [client 172.17.0.1:60168] Modified r->args (now ''), referer: https://localhost/cas/login?service=https%3a%2f%2flocalhost%2fshare%2f
[Fri Mar 31 02:57:07.932468 2017] [auth_cas:debug] [pid 1403] mod_auth_cas.c(1779): [client 172.17.0.1:60168] entering getResponseFromServer(), referer: https://localhost/cas/login?service=https%3a%2f%2flocalhost%2fshare%2f
[Fri Mar 31 02:57:07.947072 2017] [auth_cas:debug] [pid 1403] mod_auth_cas.c(584): [client 172.17.0.1:60168] CAS Service 'https%3a%2f%2flocalhost%2fshare%2f', referer: https://localhost/cas/login?service=https%3a%2f%2flocalhost%2fshare%2f
[Fri Mar 31 02:57:08.595629 2017] [ssl:info] [pid 1434] [client ::1:35280] AH01964: Connection to child 2 established (server localhost:443)
[Fri Mar 31 02:57:08.595830 2017] [ssl:debug] [pid 1434] ssl_engine_kernel.c(2115): [client ::1:35280] AH02043: SSL virtual host for servername localhost found
[Fri Mar 31 02:57:08.599817 2017] [auth_cas:debug] [pid 1403] mod_auth_cas.c(1848): [client 172.17.0.1:60168] MOD_AUTH_CAS: curl_easy_perform() failed (Peer's Certificate issuer is not recognized.), referer: https://localhost/cas/login?service=https%3a%2f%2flocalhost%2fshare%2f
[Fri Mar 31 02:57:08.599840 2017] [auth_cas:debug] [pid 1403] mod_auth_cas.c(1440): [client 172.17.0.1:60168] entering isValidCASTicket(), referer: https://localhost/cas/login?service=https%3a%2f%2flocalhost%2fshare%2f
[Fri Mar 31 02:57:08.621355 2017] [ssl:info] [pid 1434] [client ::1:35280] AH02008: SSL library error 1 in handshake (server localhost:443)
[Fri Mar 31 02:57:08.621418 2017] [ssl:info] [pid 1434] SSL Library Error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (SSL alert number 48)
[Fri Mar 31 02:57:08.621426 2017] [ssl:info] [pid 1434] [client ::1:35280] AH01998: Connection closed to child 2 with abortive shutdown (server localhost:443)
[Fri Mar 31 02:57:08.634433 2017] [ssl:debug] [pid 1403] ssl_engine_kernel.c(366): [client 172.17.0.1:60168] AH02034: Subsequent (No.3) HTTPS request received forchild 11 (server localhost:443), referer: https://localhost/share/?ticket=ST-8-gViyrekgof2baWD1XNee-cas
[Fri Mar 31 02:57:08.689285 2017] [authz_core:debug] [pid 1403] mod_authz_core.c(809): [client 172.17.0.1:60168] AH01626: authorization result of Require all granted: granted, referer: https://localhost/share/?ticket=ST-8-gViyrekgof2baWD1XNee-cas
[Fri Mar 31 02:57:08.689314 2017] [authz_core:debug] [pid 1403] mod_authz_core.c(809): [client 172.17.0.1:60168] AH01626: authorization result of <RequireAny>: granted, referer: https://localhost/share/?ticket=ST-8-gViyrekgof2baWD1XNee-cas
[Fri Mar 31 02:57:08.695774 2017] [core:info] [pid 1403] [client 172.17.0.1:60168] AH00128: File does not exist: /var/www/html/drupal/favicon.ico, referer: https://localhost/share/?ticket=ST-8-gViyrekgof2baWD1XNee-cas
[Fri Mar 31 02:57:08.695872 2017] [authz_core:debug] [pid 1403] mod_authz_core.c(809): [client 172.17.0.1:60168] AH01626: authorization result of Require all granted: granted, referer: https://localhost/share/?ticket=ST-8-gViyrekgof2baWD1XNee-cas
[Fri Mar 31 02:57:08.695878 2017] [authz_core:debug] [pid 1403] mod_authz_core.c(809): [client 172.17.0.1:60168] AH01626: authorization result of <RequireAny>: granted, referer: https://localhost/share/?ticket=ST-8-gViyrekgof2baWD1XNee-cas
[Fri Mar 31 02:57:14.627107 2017] [ssl:debug] [pid 1403] ssl_engine_io.c(1043): [client 172.17.0.1:60168] AH02001: Connection closed to child 11 with standard shutdown (server localhost:443)

When debugging the issue further with openssl s_client -connect localhost:443 -verify_return_error, the Verify return code is 20 (unable to get local issuer certificate).

We are using mod_jk currently to connect to a tomcat instance containing alfresco, share, solr & cas in another virtual instance.
There are other applications on the server that use other CAS clients that can currently successfully logon.

This is related to another issue I have posted on ((Alfresco 5.1.1 -> 5.1.2 Upgrade) Continuous 'Authentication Required' popup in Share), where our existing CAS client for alfresco & share has stopped working for 5.1.2.

2 Replies
amoae
Customer

Re: (Alfresco 5.1.2) CAS authentication through Apache mod_auth_cas returning Unauthorized

Hi Michael,

It seems you have an SSL certificate validation problem between mod_auth_cas and your CAS server.

[Fri Mar 31 02:57:08.621355 2017] [ssl:info] [pid 1434] [client ::1:35280] AH02008: SSL library error 1 in handshake (server localhost:443)

The mod_auth_cas client must trust the CAS server in order to validate the serviceTicket during a callback request and thus retrieve the identified user login.

You have two solutions:

  • Register the CAS server certificate as trusted for mod_auth_cas
  • Disable certificate validation in the mod_auth_cas configuration with CASValidateServer Off. Be careful, this directive has been removed since the v1.1 version of the module

Regards,

Charles

idwright
Senior Member

Re: (Alfresco 5.1.2) CAS authentication through Apache mod_auth_cas returning Unauthorized

If you would like to use an amp based approach instead of mod_auth_cas then GitHub - wrighting/alfresco-cas: A project designed to show how to integrate Alfresco with CAS singl...  should work with your version.

(You should probably upgrade your CAS...)