Cannot access CAS page (cas management IP), IP add for web agent displays HTTP 400 Bad Request

Unanswered Question
Nov 23rd, 2009

Hi All,

Can you help me on this?  Web Agent is needed to download the CCA, isn't it?  I cannot access my CAS Web Agent through my CAS's management IP.  The screen displays "The webpage cannot be found" and shows an HTTP 400 Bad Request error.

All user roles' traffic is enabled.  Please help.



Faisal Sehbai Mon, 11/23/2009 - 20:21


Web agent isn't needed for downloading the CCA Agent.

Give more details about your setup.

L2 adjacent or L3 hops away?

Virtual Gateway or Real-IP?

OOB or IB?

Any SSO configured?


rc.castillo Mon, 11/23/2009 - 21:09

My network is L2 adjacent, operating in Virtual Gateway, OOB mode, running on ADSSO on multiple servers.

I already accessed the CAS page; I configured ports on the unauthenticated role.  My problem still is in the ADSSO on multiple servers.  When the CCA shows that it is performing Windows automatic login, the CCA then pops up with the window that asks for username and password and authentication provider.  Then when I use my local account, my Login Fails and detail shows: Clean Access Server internal error: 400

Faisal, I need your help badly...


Faisal Sehbai Mon, 11/23/2009 - 21:11


Please post a list of the ports you have open in your unauthenticated/temporary roles. Are they open to all your DCs?

Secondly, please confirm that you have defined at least one login page for your users.



rc.castillo Mon, 11/23/2009 - 21:34

Here is the list of ports

TCP - 88,135,139,389,636,1025,1026

UDP - 88,123,137,389,636

I removed the all traffic on unauthorized role.  I don't use any login pages yet.  My problem is still with the SSO, but when I enter a local account on the CCA, I can log in successfully.  It happened when I removed the All traffic on the unauthenticated role.


Faisal Sehbai Mon, 11/23/2009 - 21:37


Define at least one login page on your CAS. Even the default is fine, but you need at least one login page!

As for your list of ports, they look fine, but add IP FRAGMENTS and ICMP to all your DCs in the list.

Give that a shot and let me know how it flies.


Faisal Sehbai Mon, 11/23/2009 - 21:38


Also add TCP 445 in the list. All these ports should be open to ALL your DCs!
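
An added example, not part of the original thread or any Cisco tooling: a small Python audit that checks whether every domain controller is covered by the ports and protocols named in the replies above (rc.castillo's TCP/UDP list plus TCP 445, ICMP and IP fragments). The one-rule-per-line policy format, the `ip-fragments` keyword and the 192.0.2.x addresses are assumptions made for illustration.

```python
"""Audit an unauthenticated-role allow list against the AD SSO rules named in the thread."""

# Requirements taken from the thread: the posted TCP/UDP list, plus TCP 445, ICMP, IP fragments.
REQUIRED = (
    {("tcp", p) for p in (88, 135, 139, 389, 445, 636, 1025, 1026)}
    | {("udp", p) for p in (88, 123, 137, 389, 636)}
    | {("icmp", None), ("ip-fragments", None)}
)

def parse_policy(text):
    """Parse lines of the hypothetical form '<dc-ip> <proto> [port,port,...]'."""
    allowed = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        dc, proto = fields[0], fields[1].lower()
        # Port-less protocols (ICMP, fragments) are stored with port None.
        ports = [int(p) for p in fields[2].split(",")] if len(fields) > 2 else [None]
        allowed.setdefault(dc, set()).update((proto, p) for p in ports)
    return allowed

def missing_rules(policy_text, domain_controllers):
    """Return {dc: sorted missing (proto, port) rules}; an empty dict means all DCs are covered."""
    allowed = parse_policy(policy_text)
    gaps = {}
    for dc in domain_controllers:
        missing = REQUIRED - allowed.get(dc, set())
        if missing:
            gaps[dc] = sorted(missing, key=lambda r: (r[0], r[1] or 0))
    return gaps

# Constructed sample: two DCs (documentation addresses); the second is only partly covered.
SAMPLE_DCS = ["192.0.2.10", "192.0.2.11"]
SAMPLE_POLICY = """
192.0.2.10 tcp 88,135,139,389,445,636,1025,1026
192.0.2.10 udp 88,123,137,389,636
192.0.2.10 icmp
192.0.2.10 ip-fragments
192.0.2.11 tcp 88,135,139,389,636,1025,1026   # no TCP 445, ICMP or fragments for this DC
192.0.2.11 udp 88,123,137,389,636
"""

if __name__ == "__main__":
    for dc, rules in missing_rules(SAMPLE_POLICY, SAMPLE_DCS).items():
        print(dc, "missing:", ", ".join(p if n is None else f"{p}/{n}" for p, n in rules))
```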


rc.castillo Mon, 11/23/2009 - 22:09

I added all ICMP, IP fragments and port 445.  Still the SSO doesn't work. Also, the kerbtray doesn't show the needed kerb tickets.


