phpCAS Error

[Andizulfadli]

Please, I need your help about my error in phpCAS client.

iam developing sso solution by CAS Server backend LDAP Server.
I don know where is the problem. please give the solution.

---

Log File :

---

901D .START phpCAS-1.3.3 ****************** [CAS.php:438]
901D .=> phpCAS::client('3.0', '10.0.12.81', 8443, '') [index.php:26]
901D .| => CAS_Client::__construct('3.0', false, '10.0.12.81', 8443, '', true) [CAS.php:340]
901D .| | Starting a new session pgs43b7b91du7aihq0hn9aim37 [Client.php:906]
901D .| <= ''
901D .<= ''
901D .=> phpCAS::setNoCasServerValidation() [index.php:35]
901D .| You have configured no validation of the legitimacy of the cas server. This is not recommended for production use. [CAS.php:1553]
901D .<= ''
901D .=> phpCAS::forceAuthentication() [index.php:38]
901D .| => CAS_Client::forceAuthentication() [CAS.php:1015]
901D .| | => CAS_Client::isAuthenticated() [Client.php:1245]
901D .| | | => CAS_Client::_wasPreviouslyAuthenticated() [Client.php:1356]
901D .| | | | no user found [Client.php:1592]
901D .| | | <= false
901D .| | | no ticket found [Client.php:1453]
901D .| | <= false
901D .| | => CAS_Client::redirectToCas(false) [Client.php:1254]
901D .| | | => CAS_Client::getServerLoginURL(false, false) [Client.php:1613]
901D .| | | | => CAS_Client::getURL() [Client.php:342]
901D .| | | | | Final URI: http://localhost/demo/ta/cas5/ [Client.php:3466]
901D .| | | | <= 'http://localhost/demo/ta/cas5/'
901D .| | | <= 'https://10.0.12.81:8443/login?service=http%3A%2F%2Flocalhost%2Fdemo%2Fta%2Fcas5%2F'
901D .| | | Redirect to : https://10.0.12.81:8443/login?service=http%3A%2F%2Flocalhost%2Fdemo%2Fta%2Fcas5%2F [Client.php:1620]
901D .| | | exit()
901D .| | | -
901D .| | -
901D .| -
DE52 .START phpCAS-1.3.3 ****************** [CAS.php:438]
DE52 .=> phpCAS::client('3.0', '10.0.12.81', 8443, '') [index.php:26]
DE52 .| => CAS_Client::__construct('3.0', false, '10.0.12.81', 8443, '', true) [CAS.php:340]
DE52 .| | Starting a new session pgs43b7b91du7aihq0hn9aim37 [Client.php:906]
DE52 .| | Ticket 'ST-14-ffNOhjDhs4PLBfxLevrL-cas.poliupg.ac.id' found [Client.php:988]
DE52 .| <= ''
DE52 .<= ''
DE52 .=> phpCAS::setNoCasServerValidation() [index.php:35]
DE52 .| You have configured no validation of the legitimacy of the cas server. This is not recommended for production use. [CAS.php:1553]
DE52 .<= ''
DE52 .=> phpCAS::forceAuthentication() [index.php:38]
DE52 .| => CAS_Client::forceAuthentication() [CAS.php:1015]
DE52 .| | => CAS_Client::isAuthenticated() [Client.php:1245]
DE52 .| | | => CAS_Client::_wasPreviouslyAuthenticated() [Client.php:1356]
DE52 .| | | | no user found [Client.php:1592]
DE52 .| | | <= false
DE52 .| | | CAS 3.0 ticket `ST-14-ffNOhjDhs4PLBfxLevrL-cas.poliupg.ac.id' is present [Client.php:1406]
DE52 .| | | => CAS_Client::validateCAS20('', NULL, NULL) [Client.php:1409]
DE52 .| | | | [Client.php:3101]
DE52 .| | | | => CAS_Client::getServerServiceValidateURL() [Client.php:3108]
DE52 .| | | | | => CAS_Client::getURL() [Client.php:453]
DE52 .| | | | | | Final URI: http://localhost/demo/ta/cas5/ [Client.php:3466]
DE52 .| | | | | <= 'http://localhost/demo/ta/cas5/'
DE52 .| | | | <= 'https://10.0.12.81:8443/p3/serviceValidate?service=http%3A%2F%2Flocalhost%2Fdemo%2Fta%2Fcas5%2F'
DE52 .| | | | => CAS_Client::_readURL('https://10.0.12.81:8443/p3/serviceValidate?service=http%3A%2F%2Flocalhost%2Fdemo%2Fta%2Fcas5%2F&ticket=ST-14-ffNOhjDhs4PLBfxLevrL-cas.poliupg.ac.id', NULL, NULL, NULL) [Client.php:3118]
DE52 .| | | | | => CAS_Request_CurlRequest::sendRequest() [AbstractRequest.php:242]
DE52 .| | | | | | curl_exec() failed [CurlRequest.php:77]
DE52 .| | | | | <= false
DE52 .| | | | <= false
DE52 .| | | | could not open URL 'https://10.0.12.81:8443/p3/serviceValidate?service=http%3A%2F%2Flocalhost%2Fdemo%2Fta%2Fcas5%2F&ticket=ST-14-ffNOhjDhs4PLBfxLevrL-cas.poliupg.ac.id' to validate (CURL error #35: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error) [Client.php:3121]
DE52 .| | | | => CAS_AuthenticationException::__construct(CAS_Client, 'Ticket not validated', 'https://10.0.12.81:8443/p3/serviceValidate?service=http%3A%2F%2Flocalhost%2Fdemo%2Fta%2Fcas5%2F&ticket=ST-14-ffNOhjDhs4PLBfxLevrL-cas.poliupg.ac.id', true) [Client.php:3125]
DE52 .| | | | | => CAS_Client::getURL() [AuthenticationException.php:76]
DE52 .| | | | | <= 'http://localhost/demo/ta/cas5/'
DE52 .| | | | | CAS URL: https://10.0.12.81:8443/p3/serviceValidate?service=http%3A%2F%2Flocalhost%2Fdemo%2Fta%2Fcas5%2F&ticket=ST-14-ffNOhjDhs4PLBfxLevrL-cas.poliupg.ac.id [AuthenticationException.php:79]
DE52 .| | | | | Authentication failure: Ticket not validated [AuthenticationException.php:80]
DE52 .| | | | | Reason: no response from the CAS server [AuthenticationException.php:82]
DE52 .| | | | | exit()
DE52 .| | | | | -
DE52 .| | | | -
DE52 .| | | -
DE52 .| | -
DE52 .| -

---

My phpCAS Client v1.3.3 File :

---

// Load the settings from the central config file
require_once 'config.php';
// Load the CAS lib
require_once $phpcas_path . 'CAS.php';

// Enable debugging
phpCAS::setDebug();

// Initialize phpCAS
phpCAS::client(CAS_VERSION_2_0, '10.0.12.81', 8443, $cas_context);

// For production use set the CA certificate that is the issuer of the cert
// on the CAS server and uncomment the line below
// phpCAS::setCasServerCACert($cas_server_ca_cert_path);

// For quick testing you can disable SSL validation of the CAS server.
// THIS SETTING IS NOT RECOMMENDED FOR PRODUCTION.
// VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS PROTOCOL!
phpCAS::setNoCasServerValidation();

// force CAS authentication
phpCAS::forceAuthentication();

// at this step, the user has been authenticated by the CAS server
// and the user's login name can be read with phpCAS::getUser().

// logout if desired
if (isset($_REQUEST['logout'])) {
phpCAS::logout();
}

//phpCAS::setDebug('log.txt');

// for this test, simply print that the authentication was successfull
?>

<title>phpCAS simple client</title>

Successfull Authentication!

phpCAS version is .

the user's login is .

Logout

---

phpCAS config.php file :

---

iam using CAS Server v4.0.0.

Thanks for your helping and good response.

[jfritschi]

You have some Kind of SSL/TLS handshake Problem between client and server according to your log:

validate (CURL error #35: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error) [Client.php:3121]

Error 35 looks like a SSL/TLS protocol error. You may be able to work around that with the curl_setopt() command. Try googling this well know issue.

And your configuration seems to be wrong (Port?:
// Port of your CAS server. Normally for a https server it's 8443 $cas_port = 88443;

[Andizulfadli]

Thank You Very Much Sir jfritschi.

I will try googling about the curl_setopt(). Thank you very much.

next, Iam sorry, i just want to make sure that the problem is not come from my cas server configuration. Please help me to check my configuration.

deployerConfigContext.xml :

---

<bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
        <constructor-arg>
            <map>
                <entry key-ref="ldapAuthenticationHandler" value-ref="usernamePasswordCredentialsResolver" />
            </map>
        </constructor-arg>
</bean>

<bean id="ldapAuthenticationHandler" 
class="org.jasig.cas.authentication.LdapAuthenticationHandler" p:principalIdAttribute="uid">
        <constructor-arg ref="authenticator" />
        <property name="principalAttributeMap">
            <map>
                <entry key="uid" value="uid" />
            </map>
        </property>
</bean>

<bean id="authenticator" class="org.ldaptive.auth.Authenticator"
      c:resolver-ref="pooledSearchDnResolver"
      c:handler-ref="pooledBindHandler" />

<bean id="connectionConfig" class="org.ldaptive.ConnectionConfig"
      p:ldapUrl="ldap://10.0.12.88:389"
      p:connectTimeout="3000"
      p:useStartTLS="false"
      p:connectionInitializer-ref="bindConnectionInitializer"/>

<bean id="bindConnectionInitializer" 
      class="org.ldaptive.BindConnectionInitializer" 
      p:bindDn="cn=admin,dc=poliupg,dc=ac,dc=id">
        <property name="bindCredential">
            <bean class="org.ldaptive.Credential"  c:password="t3hp4n45" />
        </property>
</bean>

<bean id="ldapPoolConfig" class="org.ldaptive.pool.PoolConfig"
      p:minPoolSize="3"
      p:maxPoolSize="10"
      p:validateOnCheckOut="true"
      p:validatePeriodically="false"
      p:validatePeriod="300" />

<bean id="pruneStrategy" class="org.ldaptive.pool.IdlePruneStrategy"
      p:prunePeriod="300"
      p:idleTime="600" />

<bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />

<bean id="connectionPool" class="org.ldaptive.pool.BlockingConnectionPool"
      init-method="initialize"
      p:poolConfig-ref="ldapPoolConfig"
      p:blockWaitTime="3000"
      p:validator-ref="searchValidator"
      p:pruneStrategy-ref="pruneStrategy"
      p:connectionFactory-ref="connectionFactory"/>

<bean id="pooledSearchDnResolver" class="org.ldaptive.auth.PooledSearchDnResolver"           p:baseDn="dc=poliupg,dc=ac,dc=id" p:subtreeSearch="true" p:allowMultipleDns="false"           p:connectionFactory-ref="pooledConnectionFactory" p:userFilter="uid={user}" />

<bean id="pooledBindHandler" class="org.ldaptive.auth.PooledBindAuthenticationHandler"           p:connectionFactory-ref="pooledConnectionFactory" />

<bean id="connectionFactory" class="org.ldaptive.DefaultConnectionFactory"           p:connectionConfig-ref="connectionConfig" />

<bean id="pooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory"           p:connectionPool-ref="connectionPool" />

<!--
   | Credential-to-principal resolver beans
   -->

<bean id="usernamePasswordCredentialsResolver" class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />

<bean id="httpBasedCredentialsResolver" class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />

<!-- Required for proxy ticket mechanism. -->
<bean id="proxyAuthenticationHandler" class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"    p:httpClient-ref="httpClient" />

<!-- Required for proxy ticket mechanism -->
<bean id="proxyPrincipalResolver" class="org.jasig.cas.authentication.principal.BasicPrincipalResolver" />
<!--
   | Resolves a principal from a credential using an attribute

repository that is configured to resolve
| against a deployer-specific store (e.g. LDAP).
-->

<util:map id="attrRepoBackingMap">
    <entry key="uid" value="uid" />
    <entry key="eduPersonAffiliation" value="eduPersonAffiliation" />
    <entry key="groupMembership" value="groupMembership" />
</util:map>
<!--
Sample, in-memory data store for the ServiceRegistry. A real

implementation
would probably want to replace this with the JPA-backed ServiceRegistry
DAO
The name of this bean should remain "serviceRegistryDao".
+-->

<util:list id="registeredServicesList">
    <bean class="org.jasig.cas.services.RegexRegisteredService" p:id="0" p:name="HTTP and IMAP" p:description="Allows HTTP(S) and IMAP(S) protocols" p:serviceId="^(https?|imaps?)://.*" p:evaluationOrder="10000001" />

    <!--
    Use the following definition instead of the above to further

restrict access
to services within your domain (including sub domains).
Note that example.com must be replaced with the domain you wish to
permit.
This example also demonstrates the configuration of an attribute
filter
that only allows for attributes whose length is 3.
-->
<!--

--> /util:list

<bean id="auditTrailManager" class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />

<bean id="healthCheckMonitor" class="org.jasig.cas.monitor.HealthCheckMonitor" p:monitors-ref="monitorsList" />

<util:list id="monitorsList">

  <bean class="org.jasig.cas.monitor.MemoryMonitor" p:freeMemoryWarnThreshold="10" />

 <!--
    NOTE
    The following ticket registries support SessionMonitor:
      * DefaultTicketRegistry
      * JpaTicketRegistry
    Remove this monitor if you use an unsupported registry.
  -->

  <bean class="org.jasig.cas.monitor.SessionMonitor" p:ticketRegistry-ref="ticketRegistry"        p:serviceTicketCountWarnThreshold="5000" p:sessionCountWarnThreshold="100000" />

/util:list

<bean id="ticketGrantingTicketCookieGenerator" class="org.jasig.cas.web.support.CookieRetrievingCookieGenerator" 
p:cookieSecure="false" p:cookieMaxAge="-1" p:cookieName="CASTG" p:cookiePath="" /></beans>

---

thank you very much for your good response.

[Andizulfadli]

Iam sorry Sir. i have been disturb you. but please.
I wanna ask you about this function ini phpCAS.

// Initialize phpCAS
"phpCAS::client(CAS_VERSION_2_0, '10.0.12.81', 8443, $cas_context);"

what version that the function above mean? client version or CAS server version?

i am using cas server version 4.0.0. but in my phpCAS client , i configure "CAS_VERSION_2_0".
when i configure the script with CAS_VERSION_4, like this
(phpCAS::client(CAS_VERSION_4_0, '10.0.12.81', 8443, $cas_context);
there is something error. so iam confuse about it.

---

next, can you share the best practice or the good deployerConfigContext.xml configuration (CAS Server with backend LDAP server authentication). i just want to compare with my configuration. and make sure that my deployerConfigContext.xml is good enough like your config.

thank you very much for your help sir.

[jfritschi]

The version is the cas protocol version. This has nothing to do with the cas server release version.

If you need support for the cas server please use the cas mailing lists.

[Andizulfadli]

Thank you very much sir. :D

[Andizulfadli]

Sir jfritschi

I am sorry again, please. i want to ask.

I saw your comment in mailing list about some problem about CAS, and your answer like this,

---

From the error message i guess you are using phpcas. Please have a look
at https://wiki.jasig.org/display/CASC/phpCAS+troubleshooting for
instructions on how to figure out your problem. But from the looks of it
it has nothing to do with phpcas and is an underlying ssl problem.

It might be related to this issue[1] Please try to use this as a
workaround if your CAS server support SSLv3:

phpCAS::setExtraCurlOption(CURLOPT_SSLVERSION,3);

---

based on the comment above, i think ,maybe its can be the solution of my problem.
so, i wanna ask you about :
where is the part that i have to add this function ("phpCAS::setExtraCurlOption(CURLOPT_SSLVERSION,3);") in my configuration.??

i am so sorry if my question is so basic. please, i need your help. :D

Thank you very much.