Re: [cas-user] RE: Odd mfa-duo behavior

[Eugene Willis]

May need to update webflo and tgc keys for version 7 cas . Comment the old keys out to get the new ones.  Sent from my iPhone On Feb 5, 2025, at 7:51 PM, Wickham, Jeremy <jeremy.wick...@msstate.edu> wrote:  I added some more classes into my log4j2.xml file and it is now printing a bit more information other than null  –   2025-02-05 10:55:56,226 TRACE [org.apereo.cas.adaptors.duo.web.flow.action.DuoSecurityUniversalPromptValidateLoginAction] - <Received Duo Security state [REDACTED]> 2025-02-05 10:55:56,226 WARN [org.apereo.cas.adaptors.duo.web.flow.action.DuoSecurityUniversalPromptValidateLoginAction] - <java.lang.IllegalArgumentException: org.jooq.lambda.UncheckedException: org.jose4j.lang.JoseException: A JWS Compact Serialization must have exactly 3 parts separated by period ('.') characters> org.apereo.cas.util.crypto.DecryptionException: java.lang.IllegalArgumentException: org.jooq.lambda.UncheckedException: org.jose4j.lang.JoseException: A JWS Compact Serialization must have exactly 3 parts separated by period ('.') characters         at org.apereo.cas.util.cipher.BaseBinaryCipherExecutor.decode(BaseBinaryCipherExecutor.java:96) ~[cas-server-core-util-api-7.0.9.jar:7.0.9]         at org.apereo.cas.util.cipher.BaseBinaryCipherExecutor.decode(BaseBinaryCipherExecutor.java:36) ~[cas-server-core-util-api-7.0.9.jar:7.0.9]         at org.apereo.cas.util.serialization.SerializationUtils.decodeAndDeserializeObject(SerializationUtils.java:140) ~[cas-server-core-util-api-7.0.9.jar:7.0.9]         at org.apereo.cas.util.serialization.SerializationUtils.decodeAndDeserializeObject(SerializationUtils.java:156) ~[cas-server-core-util-api-7.0.9.jar:7.0.9]         at org.apereo.cas.pac4j.BrowserWebStorageSessionStore.buildFromTrackableSession(BrowserWebStorageSessionStore.java:68) ~[cas-server-support-pac4j-api-7.0.9.jar:7.0.9]         at org.apereo.cas.adaptors.duo.web.flow.action.DuoSecurityUniversalPromptValidateLoginAction.handleDuoSecurityUniversalPromptResponse(DuoSecurityUniversalPromptValidateLoginAction.java:96) ~[cas-server-support-duo-core-7.0.9.jar:7.0.9]         at org.apereo.cas.adaptors.duo.web.flow.action.DuoSecurityUniversalPromptValidateLoginAction.doExecuteInternal(DuoSecurityUniversalPromptValidateLoginAction.java:72) ~[cas-server-support-duo-core-7.0.9.jar:7.0.9]   Would appreciate any insight anyone might have.   Thanks,  -Jeremy   From: cas-user@apereo.org <cas-user@apereo.org> On Behalf Of Wickham, Jeremy Sent: Tuesday, February 4, 2025 5:04 PM To: cas-user@apereo.org Subject: [cas-user] Odd mfa-duo behavior   Here for the past week or so I have had quite a few users receive the MFA Unavailable screen after they Duo Authenticate. Duo shows a successful authentication, but when it is returned back to CAS, it appears to throw a DecryptionException. I cannot recreate this behavior myself, but I do have one coworker who can. I have turned on trace on quite a few packages to attempt to, I have found the following stacktrace, Any idea how I can diagnose this?   2025-02-04 15:09:52,977 TRACE [org.apereo.cas.adaptors.duo.web.flow.action.DuoSecurityUniversalPromptValidateLoginAction] - <Received Duo Security state [XXXXXXXXXXXXXXXXXXXXXXXXX]> 2025-02-04 15:09:52,977 WARN [org.apereo.cas.adaptors.duo.web.flow.action.DuoSecurityUniversalPromptValidateLoginAction] - <DecryptionException> org.apereo.cas.util.crypto.DecryptionException: null         at org.apereo.cas.util.cipher.BaseBinaryCipherExecutor.decode(BaseBinaryCipherExecutor.java:96) ~[cas-server-core-util-api-7.0.9.jar:7.0.9]         at org.apereo.cas.util.cipher.BaseBinaryCipherExecutor.decode(BaseBinaryCipherExecutor.java:36) ~[cas-server-core-util-api-7.0.9.jar:7.0.9]         at org.apereo.cas.util.serialization.SerializationUtils.decodeAndDeserializeObject(SerializationUtils.java:140) ~[cas-server-core-util-api-7.0.9.jar:7.0.9]         at org.apereo.cas.util.serialization.SerializationUtils.decodeAndDeserializeObject(SerializationUtils.java:156) ~[cas-server-core-util-api-7.0.9.jar:7.0.9]         at org.apereo.cas.pac4j.BrowserWebStorageSessionStore.buildFromTrackableSession(BrowserWebStorageSessionStore.java:68) ~[cas-server-support-pac4j-api-7.0.9.jar:7.0.9]         at org.apereo.cas.adaptors.duo.web.flow.action.DuoSecurityUniversalPromptValidateLoginAction.handleDuoSecurityUniversalPromptResponse(DuoSecurityUniversalPromptValidateLoginAction.java:96) ~[cas-server-support-duo-core-7.0.9.jar:7.0.9]   Thanks,  -Jeremy   ________________________ Jeremy Wickham Mississippi State University jeremy.wick...@msstate.edu Webex Personal Room: https://msstate.webex.com/meet/jrw16   -- - Website: https://apereo.github.io/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CYYPR01MB83129872901186AC0E8E0E2899F42%40CYYPR01MB8312.prod.exchangelabs.com. -- - Website: https://apereo.github.io/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CYYPR01MB831236C71C686D9D13257A6B99F72%40CYYPR01MB8312.prod.exchangelabs.com. -- - Website: https://apereo.github.io/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/AA9FE9F7-D1CC-4143-AC35-64A74173564A%40gmail.com.