How to Troubleshoot CAS Token Size Error "Authentication failed. CAS (SAML) token has been exceeded"

Created On 08/17/22 23:09 PM - Last Modified 01/05/24 03:20 AM


Objective


  • Windows machines have a fixed 2048-byte size limit for the token.
  • If the CAS token exceeds this limit, an error message is displayed and Windows will not process the token.
  • The token size must therefore be kept below 2048 bytes.
  • This article provides steps to identify the issue, along with possible workarounds.


Environment


  • Prisma Access Mobile Users
  • Cloud Identity Engine
  • Cloud Authentication Service
  • GlobalProtect 6.0+
  • Panorama 10.1+
  • Windows 10


Procedure


Follow these prerequisites:

  1. Make sure the default browser for SAML authentication is set to "yes".
     GUI: Network > GlobalProtect > Portals > "PORTALCONFIG" > Agent > "AGENTCONFIG" > App

     (Screenshot: portal agent App settings)
  2. Make sure the GlobalProtect agent itself is predeployed with the DEFAULTBROWSER="yes" msi switch.
     • Full command: msiexec.exe -i <GlobalProtectMSIFileName> DEFAULTBROWSER="yes"
     • Refer to the documentation on deploying app settings with the msiexec installer for GlobalProtect:
  3. Enable Dump level logging on the GlobalProtect agent.
  4. Enable Developer Tools in your browser and navigate to the Network tab to create a HAR file. Refer to the documentation on how to create a HAR file for different browsers:

     (Screenshot: browser Developer Tools Network tab)
  5. Once the issue has been recreated, save the HAR file and open it in https://toolbox.googleapps.com/apps/har_analyzer/
  6. Identify your token: the CAS token can be found in the POST to https://<portalname>.gpcloudservice.com/SAML20/SP/ACS

     (Screenshot: HAR analyzer showing the ACS POST)
     • In the above example, you can see our POST method ACS link on the left and the Post Data byte count on the right.
     • The screenshot displays a working scenario.
     • If the Post Data count is above 2048 bytes, you will see the error "authentication failed. CAS (SAML) token has been exceeded" and will not be able to log into GlobalProtect.



Additional Information


  • Since Windows has this fixed limit of 2048 bytes for tokens, you can attempt to decrease the byte count by removing unused or unneeded attributes and claims from the IdP assertion message, e.g. groups, surnames, etc.
  • Doing so may reduce the byte count to within the limit that Windows allows.
  • Information on SAML
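As an added example (not part of the Palo Alto Networks article), the following Python script performs the HAR check from the Procedure and the claim-trimming analysis from this section offline: it finds the POST to the portal's /SAML20/SP/ACS endpoint in a HAR file, compares the post-data byte count against the 2048-byte limit, and reports how many bytes each SAML attribute contributes. The HAR content, the hostname portal.gpcloudservice.com and the claim values are constructed sample data, not a real capture.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

TOKEN_LIMIT_BYTES = 2048            # Windows token limit described in the article
ACS_PATH = "/SAML20/SP/ACS"         # portal ACS endpoint the CAS token is POSTed to
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def acs_post_entries(har):
    """Yield (url, post body) for every POST to the ACS endpoint found in a HAR dict."""
    for entry in har["log"]["entries"]:
        req = entry["request"]
        if req["method"] == "POST" and ACS_PATH in req["url"]:
            yield req["url"], req.get("postData", {}).get("text", "")


def attribute_sizes(saml_response_b64):
    """Map each SAML attribute name to the byte size of its values (the claims that inflate the token)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    sizes = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        vals = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        sizes[attr.get("Name")] = sum(len(v.encode("utf-8")) for v in vals)
    return sizes


def check_har(har):
    """Report each ACS POST: post-data bytes, whether it exceeds the limit, and per-attribute sizes."""
    report = []
    for url, body in acs_post_entries(har):
        fields = parse_qs(body)
        sizes = attribute_sizes(fields["SAMLResponse"][0]) if "SAMLResponse" in fields else {}
        size = len(body.encode("utf-8"))   # the "Post Data" byte count the HAR analyzer shows
        report.append({"url": url, "bytes": size,
                       "over_limit": size > TOKEN_LIMIT_BYTES, "attributes": sizes})
    return report


def constructed_har(groups):
    """Constructed sample HAR (not a real capture): one ACS POST with an email claim and the given groups."""
    attrs = "".join(
        f'<saml:Attribute Name="{n}">'
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in vs)
        + "</saml:Attribute>" for n, vs in (("email", ["user@example.com"]), ("groups", groups)))
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion></samlp:Response>")
    body = urlencode({"SAMLResponse": base64.b64encode(xml.encode()).decode()})
    return {"log": {"entries": [{"request": {"method": "POST", "postData": {"text": body},
            "url": "https://portal.gpcloudservice.com/SAML20/SP/ACS"}}]}}
```

For a real capture, load the saved HAR with json.load and pass the resulting dict to check_har; a large "groups" entry in the attribute sizes is the usual candidate for trimming at the IdP.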


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CrELCA0&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail