phpCAS::isAuthenticated returning false after login in different service

Question

I've configured the CAS login page so that it accepts the username and password as GET parameters and if these are provided, it submits the login form automatically. This looks as the CAS login page is not even touched during authentication from the website.

The website is using phpCAS version 1.3.2 to communicate with CAS. If I log in directly through the form, It works as expected: the browser gets redirected back from CAS correctly and isAuthenticated() returns true. However if I log in to a different service beforehand, isAuthenticated() returns false. If I'm not mistaken this is because I have to do an actual check with CAS if the auth is fine, therefore I've also tried checkAuthentication(), but I get the following errors:

[error] [client 192.168.12.120] PHP Fatal error:  Uncaught exception 'CAS_AuthenticationException' in /home/dev/www/CAS-1.3.2/CAS/Client.php:2248
Stack trace:
#0 /home/dev/www/CAS-1.3.2/CAS/Client.php(1227): CAS_Client->_validatePGT('https://192.168...', '????<cas:servic...', Object(DOMElement))
#1 /home/dev/www/CAS-1.3.2/CAS/Client.php(1131): CAS_Client->isAuthenticated()
#2 /home/dev/www/CAS-1.3.2/CAS.php(1078): CAS_Client->checkAuthentication()
#3 /home/dev/www/redir.php(39): phpCAS::checkAuthentication()
#4 {main}
thrown in /home/dev/www/CAS-1.3.2/CAS/Client.php on line 2248, referer: https://192.168.10.144:8181/cas/login?username=myUser&password=testpassword&auto=true&service=https%3A%2F%2F192.168.12.120%2Fredir.php

CAS server log

phpCAS debug log

PHP Code:

<?php

function pageURL() {
    $PROTOCOL = "http";
    if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') {
        $PROTOCOL = "https";
    }
    $url = "$PROTOCOL://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
    $url = strtok($url, '?');
    return $url;
}

// Configuration
$phpcas_path = "CAS-1.3.2";

$cas_host = "192.168.10.144";
$cas_port = 8181;
$cas_context = "/cas";

// Load the CAS lib
require_once $phpcas_path . "/CAS.php";

// Enable debugging
phpCAS::setDebug ();

// Initialize phpCAS
phpCAS::proxy ( CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context );

phpCAS::setNoCasServerValidation ();

// check CAS authentication
$auth = phpCAS::checkAuthentication();

// logout if desired
if (isset ( $_REQUEST ['logout'] )) {
    phpCAS::logout ();
}

$serviceUrl = "https://192.168.10.144:8181/accessrights/";
?>

<html>
<head>
<title>CAS form login</title>
</head>
<body>

<?php if ($auth) { 
    phpCAS::serviceWeb($serviceUrl, $err_code, $accessrights); 
?>

    <p>Hello <strong><?php echo phpCAS::getUser(); ?></strong>! You have been authenticated with CAS. Your access rights are: <?php echo $accessrights; ?></p> 

<?php } else { ?>

<h3>User login</h3>
<div>Enter your username and password here in order to log in on the website:</div>
<!-- ###LOGIN_FORM### -->
<form method="GET" action="https://192.168.10.144:8181/cas/">
    <p>Username : <input type="text" name="username" /></p>
    <p>Password : <input type="password" name="password" /></p>
    <p>Remember me : <input type="checkbox" name="rememberMe" value="true" /></p>
    <p><input type="submit" value="Login !" /></p>
    <input type="hidden" name="auto" value="true" />
    <input type="hidden" name="service" value="<?php echo pageURL(); ?>" />
</form>
<!-- ###LOGIN_FORM### -->

<?php } ?>

</body>
</html>

I see that checkAuthentication() fails to retrieve a Proxy Granting Ticket, but I have no clue about the reason. Any ideas? I also have a page with forceAuthentication(), and it works flawlessly.

Answer 1

According to your server's log, CAS is trying to callback your application via "https://xxx.xx.xx.xx/redir.php" but his encounter an SSL issue "TicketCreationException: error.authentication.credentials.bad"