@emily.dragowsky and I worked on this more today. After doing some troubleshooting we discovered that our CAS implementation was not configured correctly in OOD. Turns out we missed the declaration “CASScope /” in ood_portal.yml file or our Apache configuration. This sets the scope for which a mod_auth_cas cookie is valid. Prior to doing this we would receive a 302 redirect (request for a new CAS cookie) which NoVNC could not understand. Thanks to @pingluo for his post on Yale’s CAS implementation.