Aaron,

Try increasing ldap logging; this property at the beginning of log4j2.xml, ldap.log.level. It can produce a lot of output so best if you could replicate the problem in dev or test.
You may have to adjust your ldap settings; for example see notes on pool-passivator

Ray

________________________________
From: 'Aaron Chantrill' via CAS Community <cas-user@apereo.org>
Sent: May 19, 2025 12:18
To: cas-user@apereo.org <cas-user@apereo.org>
Subject: Re: [cas-user] invalid cookie. Required remote address does not match

I'm not completely sure which "client" you are referring to. In this case, I am using CAS 7.2 as a client for AzureAD via Pac4j. I'm pretty sure the user is using Google Chrome as the browser. This issue only showed up after migrating from 6.6.12 to 7.2. It did not occur in testing, but occasionally shows up now that it is in production.

This is the error the users see:

[image.png]

The only line I see in the log is:

ERROR [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <Client AzureB2CClient failed to validate credentials>

which does not feel particularly helpful. Sometimes this is preceded by a SocketTimeoutException warning, but it's difficult for me to tell which lines are connected to each other in the log.

I don't think the warning I was seeing before about the Invalid cookie is actually related. I have logged in successfully on my test server and seen this warning in the log, so I don't think it actually causes the authentication to fail.

The users can always log in if they "try again" a few times, but some of them are getting annoyed about having to type in their password several times in a row in the morning once a week or so.

I'm thinking now it may be a communication issue between the server I have CAS running on and AzureAD, although I'm still confused why this would only start happening after upgrading CAS. I've searched the log for the error above, and it seems to occur occasionally, with 5 minutes to 2 hours between instances.
From the log I can't tell if particular users are being affected more than others or if only certain users are bothered (ones that type their password in rather than allowing the browser to remember it?).

Thank you,
Aaron

On Mon, May 12, 2025 at 10:10 PM Ray Bon <r...@uvic.ca> wrote:

Aaron,

What kind of client are you talking about?
Describe your setup and why there is a change in port. Include some of the log.

Ray

________________________________
From: 'Aaron Chantrill' via CAS Community <cas-user@apereo.org>
Sent: May 12, 2025 12:26
To: cas-user@apereo.org <cas-user@apereo.org>
Subject: [cas-user] invalid cookie. Required remote address does not match

After upgrading from 6.6 to 7.2, my users are occasionally getting an error screen saying "Unauthorized Access" and listing "screen.pac4j.authn.AuthenticationException" as the cause. When I look at the CAS log, I'm seeing the error as listed above, with two full IP addresses with ports. The IP addresses match, but the ports don't. It looks like for some reason, CAS is expecting the same port to be used for the initial request and the authentication request, but the client is changing the port they are talking on.

Is there an easy way to either disable this check or set it to only check the IP address and not the port, or do I have to override the obtainValueFromCompoundCookie() method from DefaultCasCookieValueManager, which is where the error appears to be coming from?

It looks like I could disable the IP address check completely if I can set the cookieProperties.isGeoLocateClientSession() value to false, but I'm not sure how to do that. I tried setting cas.tgc.geo-locate-client-session to false in my cas.properties file, but I'm not sure if that will work or not and don't have a way to test it.
Thank you,

--
Aaron Chantrill
ID: 000490892 BS Computer Science (1/1/2019) Tom Grant
c 304-445-5230 US Eastern Time
acha...@wgu.edu

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAJt4T%3DtcTUvzXMOKoZDj%3DDaXsEA9Pso-3A0MK%3DXL3UM21FxQaw%40mail.gmail.com.