Hi Phil,

I think Richard was on the right track.

When we upgraded to CAS 7.2.x, we had the same problem.
We solved it by updating the `cas.tgc.crypto.encryption.key` to a 512 bit 
key.

If you are not sure, you can delete the `cas.tgc.crypto.encryption.key` 
attribute from your configuration, and then CAS will generate a new one 
when you start the app. Check the logs and copy the newly generated key to the 
config.

And it is strange that the sub domain of the app does not retain the 
authenticated session, I am not sure why it needs to authenticate again.

Best,

Ocean
On Friday, May 30, 2025 at 1:10:27 PM UTC-7 Phil Hale wrote:

> Thanks for the response Richard,
>
> The funny thing is that the same configuration and options do work under 
> CAS 7.0 and stopped working on the upgrade to 7.2. I've also sent the 
> information to the client side admin since it's a very old client 
> application and I feel it might be something they may need to look at.  The 
> CAS service is working just fine for all other clients, including SSO 
> service.
>
> Just hoping someone might have encountered this error and give me some 
> places to look at.
>
> Phil
>
> On Friday, May 30, 2025 at 11:27:22 AM UTC-5 Richard Frovarp wrote:
>
>> You have two different problems.
>>
>> Your CAS IdP needs to have its keys properly configured. There should be 
>> something more in that warning to indicate which key is 256 bit instead of 
>> the 512 bit. Follow documentation once you find that to update the key or 
>> specify the length as 256. This is breaking SSO probably?
>>
>> The second problem is your CAS client isn't configured correctly. Once 
>> you authenticate through the first time, it is up to the application to 
>> maintain session state. The fact that you get an error when clicking on a 
>> different link in the app means that the app doesn't have you logged in, 
>> and is depending on continually using SSO logins, which breaks some HTTP 
>> methods.
>> On 5/30/25 09:44, Phil Hale wrote:
>>
>> I have an older CAS client that is using SAML 1.1 protocol.  I'm able to 
>> get a successful login to the client application initially, but when 
>> navigating to a sub-menu of the app I get a "Couldn't access remote 
>> service" error on the app and in the logs I see the following log error:
>>
>> WARN [org.apereo.cas.util.function.FunctionUtils] - <Invalid key for dir 
>> with A256CBC-HS512, expected a 512 bit key but a 256 bit key was provided.
>>
>> I've done some google searches and not found an answer to this issue. 
>> Anyone have an idea what's causing this and what we might do to resolve it?
>>
>> Thanks,
>>
>> Phil
>>
>> -- 
>> - Website: https://apereo.github.io/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to cas-user+u...@apereo.org.
>> To view this discussion visit 
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/0a464edd-9d87-47b8-aad3-859151f937a2n%40apereo.org
>>
>>
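
A way to check the configured key length before restarting CAS, added here as an example; it is not part of the original thread or of the CAS code base. It assumes the key value is a base64url-encoded octet string (the JWK `k` form); the helper names and the sample properties fragment are constructed.

```python
import base64
import re
import secrets

# Assumption: the property value is a base64url-encoded octet string (JWK "k").
KEY_PROP = re.compile(r"^\s*(cas\.[\w.-]+\.crypto\.encryption\.key)\s*[=:]\s*(\S+)\s*$")
B64URL = re.compile(r"^[A-Za-z0-9_-]+=*$")


def key_bits(value):
    """Decoded key length in bits, or None if the value is not base64url."""
    if not B64URL.match(value):
        return None
    stripped = value.rstrip("=")
    try:
        raw = base64.urlsafe_b64decode(stripped + "=" * (-len(stripped) % 4))
    except ValueError:
        return None
    return len(raw) * 8


def audit(properties_text, expected_bits=512):
    """Return (property, bits, ok) for every *.crypto.encryption.key line."""
    findings = []
    for line in properties_text.splitlines():
        match = KEY_PROP.match(line)
        if match:
            name, value = match.groups()
            bits = key_bits(value)
            findings.append((name, bits, bits == expected_bits))
    return findings


def new_key(bits=512):
    """Random key of the requested size, base64url without padding."""
    return base64.urlsafe_b64encode(secrets.token_bytes(bits // 8)).rstrip(b"=").decode()


# Constructed sample: a 256-bit value like the one the warning complains about.
OLD_KEY = base64.urlsafe_b64encode(bytes(range(32))).rstrip(b"=").decode()
SAMPLE = f"# constructed cas.properties fragment\ncas.tgc.crypto.encryption.key={OLD_KEY}\n"

if __name__ == "__main__":
    for name, bits, ok in audit(SAMPLE):
        print(f"{name}: {bits} bits -> {'ok' if ok else 'expected 512'}")
    print("replacement candidate:", new_key())
```

Lines such as a key-size setting are not matched, so only the key values themselves are measured.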
