Announcement Announcement Module
No announcement yet.
Certificate Exception: No name matching [sso host name] found Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Certificate Exception: No name matching [sso host name] found


    I am trying to login to a secured site via CAS. The request redirects to an error.jsp on providing valid userid & password. The certificate to this server has been installed in cacerts keystore.

    The debug trail shows the following exception when the authentication request is submitted to CAS.

    DEBUG [net.sf.acegisecurity.ui.AbstractProcessingFilter] - <Authentication request failed: net.sf.acegisecurity.AuthenticationServiceExceptio n: No name matching [sso host name] found>
    I can see that the sso host name that the exception trace displays matches with the name displayed from the certificate by 'keytool'. The server is on a domain different from where I am accessing it. I had read in one of the threads in the forum that we should check the domain name but it was not clear where this can be verified.

    Any help would be greatly appreciated.


  • #2
    It sounds like the client does not trust the server. Did you ensure that the certificate you generated has a first and last name that is the value of the host? Are you certain you have added the public certificate to the keystore used by the CAS Service? Have you tried the Jasig SSL troubleshooting guide? While this guide has been superseded, it might also be of assistance. Another good reference on setting up the certificates is the Jasig Demo wiki.

    Is there a reason you are using Acegi as apposed to Spring Security? Acegi is no longer officially supported and unless you build your own copy contains security vulnerabilities that you probably do not want in a production application.


    • #3
      Hi Winch

      Thanks for your response. I got this certificate from the team that is maintaining the CAS server. Is there a way we can check the first and last name from the certificate? The Common Name [CN] displays the sso host name correctly though. I shall go through the Jasig references and let you know if that helped solving the issue.

      The CAS service has been in use for years and users from the same domain as the server have been able to login to it without any problem using this certificate.

      We are just getting started with maintaining this application and are facing this challenge setting up our development environment. It has been in use for years without any upgradation and hence Acegi. We will have to consider migrating to Spring Security but we will have to atleast get the development environment functional to start with.


      • #4
        The first last name prompt when generating the key becomes the CN. Make sure that you are using the host that is in the CN for contacting the CAS server in your CAS Service. Also ensure that the CAS service has the certificate for the CAS Server added to its trust store. The links I sent you should be able to help you troubleshoot this.


        • #5
          PS: You can also checkout the blog entry I wrote about getting the Spring Security CAS sample running against a CAS server.