I am getting the following response when contacting clearPass via the DotNetCasClient
<cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:clearPassFailure>No authentication information provided.</cas:clearPassFailure> </cas:clearPassResponse> I have attached the associated C# code, web.config, C# logs, webserver logs, and CAS logs below. I used the OWA code as a template for my code. The most interesting error comes from the CAS logs 2010-05-13 14:20:42,724 WARN [org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter] - org.jasig.cas.client.validation.TicketValidationException: ticket 'ST-57-beOjozKFxt5fnukAr2Yf-pcas' does not match supplied service. The original service was 'https://sbolan1.pepperdine.edu/clearpass/Default.aspx' and the supplied service was 'https://cas.pepperdine.edu:8443/cas/clearPass'. The only place CASis called with https://cas.pepeprdine.edu:8443/cas/clearPas is highlighted in the web server logs below. It is also interesting to me that CAS is granting two tickets 'ST-56' and 'ST-57'. Thanks for any help or tips in debugging this issue. ====================================================== web.config =========================================== ====================================================== <casClientConfig casServerLoginUrl="https://cas.pepperdine.edu:8443/cas/login"; serverName="https://sbolan1.pepperdine.edu"; casServerUrlPrefix="https://cas.pepperdine.edu:8443/cas"; redirectAfterValidation="true" gateway="true" renew="false" ticketValidatorName="Cas20" ticketTimeTolerance="5000" singleSignOut="false" proxyTicketManager="CacheProxyTicketManager" serviceTicketManager="CacheServiceTicketManager" gatewayStatusCookieName="CasGatewayStatus" ====================================================== C# code ============================================== ====================================================== protected void Page_Load(object sender, EventArgs e) { if (!Page.IsPostBack) { FormsAuthenticationTicket formsAuthTicket = CasAuthentication.GetFormsAuthenticationTicket(); CasAuthenticationTicket casTicket = CasAuthentication.ServiceTicketManager.GetTicket(formsAuthTicket.UserData); string validateUrl = EnhancedUriBuilder.Combine(CasAuthentication.CasServerUrlPrefix, "proxyValidate"); //Uri url = new UriBuilder(Request.Url.Scheme, Request.Url.DnsSafeHost, Request.Url.Port, ResolveUrl("DotNetCasProxyDemoApp.application")).Uri; Uri url = new Uri(@"https://sbolan1.pepperdine.edu/clearpass/Default.aspx";); string proxyGrantingTicket = casTicket.ProxyGrantingTicket; string proxyUrl = UrlUtil.ConstructProxyTicketRequestUrl(casTicket.ProxyGrantingTicket, url.AbsoluteUri); string ticket; try { ticket = CasAuthentication.GetProxyTicketIdFor(url.AbsoluteUri); } catch (InvalidOperationException ioe) { ticket = "Invalid Request: " + ioe.Message; } catch (TicketValidationException tve) { ticket = "Ticket Exception: " + tve.Message; } string originalTicket = ticket; string clickOnceValidation = validateUrl + "?service=" + Server.UrlEncode(url.AbsoluteUri) + "&proxyTicket=" + ticket; string appUrl = new UriBuilder(Request.Url.Scheme, Request.Url.DnsSafeHost, Request.Url.Port, ResolveUrl("Default.aspx"), "?proxyTicket=" + ticket + "&verifyUrl=" + Server.UrlEncode(validateUrl)).Uri.AbsoluteUri; string clearPassURL = @"https://cas.pepperdine.edu:8443/cas/clearPass?ticket="; + ticket; /*=======================================================*/ /* START OWA CODE */ string ClearPassUrl = "https://cas.pepperdine.edu:8443/cas/clearPass";; string ArtifactParameterName = "ticket"; string proxyTicket = ticket; string ServiceParameterName = "service"; string clearPassRequest = ClearPassUrl + "?" + ArtifactParameterName + "=" + proxyTicket + "&" + ServiceParameterName + "=" + @"https%3a%2f%2fsbolan1.pepperdine.edu%2fclearpass%2fDefault.aspx"; string clearPassResponse; StreamReader reader = null; try { /* start get */ // THIS IS DOING A GET reader = new StreamReader(new WebClient().OpenRead(clearPassRequest)); clearPassResponse = reader.ReadToEnd(); /* end get */ /* start post */ // THIS IS DOING A POST //WebClient client = new WebClient(); //byte[] bret = client.UploadData(clearPassRequest, "POST", System.Text.Encoding.ASCII.GetBytes("")); //string sret = System.Text.Encoding.ASCII.GetString(bret); //clearPassResponse = sret; //client.Dispose(); /* end post */ } catch (Exception ex) { throw new HttpException(500, "Error getting response from clearPass at URL: " + clearPassRequest + ". " + ex.Message, ex); } finally { if (reader != null) { reader.Close(); } } /* END OWA CODE */ /*=======================================================*/ StringBuilder debugText = new StringBuilder(); debugText.AppendLine("originalTicket"); debugText.AppendLine(originalTicket); debugText.AppendLine(); debugText.AppendLine("Your PGT"); debugText.AppendLine(proxyGrantingTicket); debugText.AppendLine(); debugText.AppendLine("Target Service URL"); debugText.AppendLine(url.AbsoluteUri); debugText.AppendLine(); debugText.AppendLine("Proxy Ticket URL"); debugText.AppendLine(proxyUrl); debugText.AppendLine(); debugText.AppendLine("Proxy Ticket"); debugText.AppendLine(ticket); debugText.AppendLine(); debugText.AppendLine("Validate URL"); debugText.AppendLine(validateUrl); debugText.AppendLine(); debugText.AppendLine("ClickOnce URL"); debugText.AppendLine(appUrl); debugText.AppendLine(); debugText.AppendLine("ClickOnce Validation"); debugText.AppendLine(clickOnceValidation); debugText.AppendLine(); debugText.AppendLine("Clearpass URL"); debugText.AppendLine(clearPassURL); debugText.AppendLine(); debugText.AppendLine("clearPassRequest"); debugText.AppendLine(clearPassRequest); debugText.AppendLine(); debugText.AppendLine("clearPassResponse"); debugText.AppendLine(clearPassResponse); debugText.AppendLine(); DebugField.Text = debugText.ToString(); ClickOnceUrl.Text = appUrl; } } ====================================================== C# logs ============================================== ====================================================== 2010-05-13 14:20:35,269 [7] DEBUG CasAuthenticationModule - Starting BeginRequest for /clearpass/Default.aspx 2010-05-13 14:20:35,269 [7] DEBUG CasAuthenticationModule - Ending BeginRequest for /clearpass/Default.aspx 2010-05-13 14:20:35,269 [7] DEBUG CasAuthenticationModule - Starting AuthenticateRequest for /clearpass/Default.aspx 2010-05-13 14:20:35,269 [7] DEBUG CasAuthenticationModule - Ending AuthenticateRequest for /clearpass/Default.aspx 2010-05-13 14:20:35,285 [7] DEBUG CasAuthenticationModule - Starting EndRequest for /clearpass/Default.aspx 2010-05-13 14:20:35,285 [7] DEBUG CasAuthenticationModule - Redirecting to CAS Login Page 2010-05-13 14:20:35,285 [7] DEBUG UrlUtil - ConstructServiceUri:return generated serviceUri: https://sbolan1.pepperdine.edu:443/clearpass/Default.aspx 2010-05-13 14:20:35,300 [7] DEBUG UrlUtil - ConstructLoginRedirectUrl: redirectToUrl=>https://cas.pepperdine.edu:8443/cas/login?service=https%3a%2f%2fsbolan1.pepperdine.edu%3a443%2fclearpass%2fDefault.aspx< 2010-05-13 14:20:35,300 [7] DEBUG CasAuthenticationModule - Ending EndRequest for /clearpass/Default.aspx 2010-05-13 14:20:42,660 [7] DEBUG CasAuthenticationModule - Starting BeginRequest for /clearpass/Default.aspx?ticket=ST-56-enSPfWgYfEaBabxRLLg5-pcas 2010-05-13 14:20:42,660 [7] DEBUG CasAuthenticationModule - Ending BeginRequest for /clearpass/Default.aspx?ticket=ST-56-enSPfWgYfEaBabxRLLg5-pcas 2010-05-13 14:20:42,660 [7] DEBUG CasAuthenticationModule - Processing Proxy Callback request 2010-05-13 14:20:42,675 [7] DEBUG UrlUtil - ConstructServiceUri:return generated serviceUri: https://sbolan1.pepperdine.edu:443/clearpass/Default.aspx 2010-05-13 14:20:42,675 [7] DEBUG AbstractUrlTicketValidator - Validate:Constructed validation url:https://cas.pepperdine.edu:8443/cas/proxyValidate?ticket=ST-56-enSPfWgYfEaBabxRLLg5-pcas&service=https%3a%2f%2fsbolan1.pepperdine.edu%3a443%2fclearpass%2fDefault.aspx&pgtUrl=https%3a%2f%2fsbolan1.pepperdine.edu%3a443%2fclearpass%2fDefault.aspx%3fproxyResponse%3dtrue 2010-05-13 14:20:42,691 [1] DEBUG CasAuthenticationModule - Starting BeginRequest for /clearpass/Default.aspx?proxyResponse=true 2010-05-13 14:20:42,691 [1] DEBUG CasAuthenticationModule - Processing Proxy Callback request 2010-05-13 14:20:42,691 [1] DEBUG CasAuthenticationModule - Starting EndRequest for /clearpass/Default.aspx?proxyResponse=true 2010-05-13 14:20:42,707 [1] DEBUG CasAuthenticationModule - Ending EndRequest for /clearpass/Default.aspx?proxyResponse=true 2010-05-13 14:20:42,707 [1] DEBUG CasAuthenticationModule - Starting BeginRequest for /clearpass/Default.aspx?proxyResponse=true&pgtIou=PGTIOU-23-NXdaF5TLRccbuTkdt5Xv-pcas&pgtId=TGT-45-T05rL3V2vCubkbnMvD9JJdzw2m5Ww1adSG6GLLa27Z7jfmcham-pcas 2010-05-13 14:20:42,722 [1] DEBUG CasAuthenticationModule - Processing Proxy Callback request 2010-05-13 14:20:42,722 [1] DEBUG CasAuthentication - Recieved proxyGrantingTicketId [TGT-45-T05rL3V2vCubkbnMvD9JJdzw2m5Ww1adSG6GLLa27Z7jfmcham-pcas] for proxyGrantingTicketIou [PGTIOU-23-NXdaF5TLRccbuTkdt5Xv-pcas] 2010-05-13 14:20:42,722 [1] DEBUG CasAuthenticationModule - Starting EndRequest for /clearpass/Default.aspx?proxyResponse=true&pgtIou=PGTIOU-23-NXdaF5TLRccbuTkdt5Xv-pcas&pgtId=TGT-45-T05rL3V2vCubkbnMvD9JJdzw2m5Ww1adSG6GLLa27Z7jfmcham-pcas 2010-05-13 14:20:42,738 [1] DEBUG CasAuthenticationModule - Ending EndRequest for /clearpass/Default.aspx?proxyResponse=true&pgtIou=PGTIOU-23-NXdaF5TLRccbuTkdt5Xv-pcas&pgtId=TGT-45-T05rL3V2vCubkbnMvD9JJdzw2m5Ww1adSG6GLLa27Z7jfmcham-pcas 2010-05-13 14:20:42,738 [7] DEBUG AbstractUrlTicketValidator - Validate:Ticket validation server response:><cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationSuccess> <cas:user>sbolan</cas:user> <cas:proxyGrantingTicket>PGTIOU-23-NXdaF5TLRccbuTkdt5Xv-pcas</cas:proxyGrantingTicket> </cas:authenticationSuccess> </cas:serviceResponse>< 2010-05-13 14:20:42,753 [7] DEBUG UrlUtil - RemoveCasArtifactsFromUrl: redirectToUrl=>https://sbolan1.pepperdine.edu:443/clearpass/Default.aspx< 2010-05-13 14:20:42,753 [7] DEBUG CasAuthentication - CreateFormsAuthenticationTicket:Incoming CAS Assertion: ST-56-enSPfWgYfEaBabxRLLg5-pcas 2010-05-13 14:20:42,753 [7] DEBUG CasAuthenticationModule - Starting AuthenticateRequest for /clearpass/Default.aspx?ticket=ST-56-enSPfWgYfEaBabxRLLg5-pcas 2010-05-13 14:20:42,769 [7] DEBUG CasAuthenticationModule - Ending AuthenticateRequest for /clearpass/Default.aspx?ticket=ST-56-enSPfWgYfEaBabxRLLg5-pcas 2010-05-13 14:20:42,769 [7] DEBUG CasAuthenticationModule - Starting EndRequest for /clearpass/Default.aspx?ticket=ST-56-enSPfWgYfEaBabxRLLg5-pcas 2010-05-13 14:20:42,769 [7] DEBUG CasAuthenticationModule - Redirecting from login callback 2010-05-13 14:20:42,785 [7] DEBUG UrlUtil - RemoveCasArtifactsFromUrl: redirectToUrl=>https://sbolan1.pepperdine.edu:443/clearpass/Default.aspx< 2010-05-13 14:20:42,785 [7] DEBUG CasAuthenticationModule - Ending EndRequest for /clearpass/Default.aspx?ticket=ST-56-enSPfWgYfEaBabxRLLg5-pcas 2010-05-13 14:20:42,800 [1] DEBUG CasAuthenticationModule - Starting BeginRequest for /clearpass/Default.aspx 2010-05-13 14:20:42,800 [1] DEBUG CasAuthenticationModule - Ending BeginRequest for /clearpass/Default.aspx 2010-05-13 14:20:42,800 [1] DEBUG CasAuthenticationModule - Starting AuthenticateRequest for /clearpass/Default.aspx 2010-05-13 14:20:42,816 [1] DEBUG CasAuthenticationModule - Ending AuthenticateRequest for /clearpass/Default.aspx 2010-05-13 14:20:42,847 [1] DEBUG UrlUtil - ConstructProxyTicketRequestUrl:return generated proxy ticket request Uri: https://cas.pepperdine.edu:8443/cas/proxy?pgt=TGT-45-T05rL3V2vCubkbnMvD9JJdzw2m5Ww1adSG6GLLa27Z7jfmcham-pcas&targetService=https%3a%2f%2fsbolan1.pepperdine.edu%2fclearpass%2fDefault.aspx 2010-05-13 14:20:42,863 [1] DEBUG UrlUtil - ConstructProxyTicketRequestUrl:return generated proxy ticket request Uri: https://cas.pepperdine.edu:8443/cas/proxy?pgt=TGT-45-T05rL3V2vCubkbnMvD9JJdzw2m5Ww1adSG6GLLa27Z7jfmcham-pcas&targetService=https%3a%2f%2fsbolan1.pepperdine.edu%2fclearpass%2fDefault.aspx 2010-05-13 14:20:42,863 [1] DEBUG CasAuthentication - Proxy success: ST-57-beOjozKFxt5fnukAr2Yf-pcas 2010-05-13 14:20:42,972 [1] DEBUG CasAuthenticationModule - Starting EndRequest for /clearpass/Default.aspx 2010-05-13 14:20:42,972 [1] DEBUG CasAuthenticationModule - Ending EndRequest for /clearpass/Default.aspx ====================================================== webserver logs ======================================= ====================================================== 137.159.68.98 - - [13/May/2010:14:20:35 -0700] "GET /cas/login?service=https%3a%2f%2fsbolan1.pepperdine.edu%3a443%2fclearpass%2fDefault.aspx HTTP/1.1" 200 4982 137.159.68.98 - - [13/May/2010:14:20:35 -0700] "GET /cas/css/cas.css HTTP/1.1" 304 - 137.159.68.98 - - [13/May/2010:14:20:35 -0700] "GET /cas/js/common_rosters.js HTTP/1.1" 304 - 137.159.68.98 - - [13/May/2010:14:20:35 -0700] "GET /cas/css/ie_cas.css HTTP/1.1" 304 - 137.159.68.98 - - [13/May/2010:14:20:35 -0700] "GET /cas/images/pepperdine.png HTTP/1.1" 304 - 137.159.68.98 - - [13/May/2010:14:20:35 -0700] "GET /cas/images/ja-sig-logo.gif HTTP/1.1" 304 - 137.159.68.98 - - [13/May/2010:14:20:35 -0700] "GET /cas/images/key-point_tr.gif HTTP/1.1" 304 - 137.159.68.98 - - [13/May/2010:14:20:35 -0700] "GET /cas/images/key-point_tl.gif HTTP/1.1" 304 - 137.159.68.98 - - [13/May/2010:14:20:35 -0700] "GET /cas/images/key-point_br.gif HTTP/1.1" 304 - 137.159.68.98 - - [13/May/2010:14:20:35 -0700] "GET /cas/images/key-point_bl.gif HTTP/1.1" 304 - 137.159.68.98 - - [13/May/2010:14:20:42 -0700] "POST /cas/login?service=https%3a%2f%2fsbolan1.pepperdine.edu%3a443%2fclearpass%2fDefault.aspx HTTP/1.1" 302 - 137.159.68.98 - - [13/May/2010:14:20:42 -0700] "GET /cas/proxyValidate?ticket=ST-56-enSPfWgYfEaBabxRLLg5-pcas&service=https%3a%2f%2fsbolan1.pepperdine.edu%3a443%2fclearpass%2fDefault.aspx&pgtUrl=https%3a%2f%2fsbolan1.pepperdine.edu%3a443%2fclearpass%2fDefault.aspx%3fproxyResponse%3dtrue HTTP/1.1" 200 264 137.159.68.98 - - [13/May/2010:14:20:42 -0700] "GET /cas/proxy?pgt=TGT-45-T05rL3V2vCubkbnMvD9JJdzw2m5Ww1adSG6GLLa27Z7jfmcham-pcas&targetService=https%3a%2f%2fsbolan1.pepperdine.edu%2fclearpass%2fDefault.aspx HTTP/1.1" 200 193 137.159.9.7 - - [13/May/2010:14:20:42 -0700] "GET /cas/proxyValidate?service=https%3A%2F%2Fcas.pepperdine.edu%3A8443%2Fcas%2FclearPass&ticket=ST-57-beOjozKFxt5fnukAr2Yf-pcas& HTTP/1.1" 200 431 137.159.68.98 - - [13/May/2010:14:20:42 -0700] "GET /cas/clearPass?ticket=ST-57-beOjozKFxt5fnukAr2Yf-pcas&service=https%3a%2f%2fsbolan1.pepperdine.edu%2fclearpass%2fDefault.aspx HTTP/1.1" 302 - 137.159.68.98 - - [13/May/2010:14:20:42 -0700] "GET /cas/clearPass HTTP/1.1" 200 177 ====================================================== CAS logs ============================================= ====================================================== 2010-05-13 14:20:41,736 INFO [org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler] - Search for sAMAccountName=sbolan returned 0 results. 2010-05-13 14:20:42,393 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-56-enSPfWgYfEaBabxRLLg5-pcas] for service [https://sbolan1.pepperdine.edu:443/clearpass/Default.aspx] for user [sbolan] 2010-05-13 14:20:42,623 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-57-beOjozKFxt5fnukAr2Yf-pcas] for service [https://sbolan1.pepperdine.edu/clearpass/Default.aspx] for user [https://sbolan1.pepperdine.edu:443/clearpass/Default.aspx?proxyResponse=true] 2010-05-13 14:20:42,635 ERROR [org.jasig.cas.CentralAuthenticationServiceImpl] - ServiceTicket [ST-57-beOjozKFxt5fnukAr2Yf-pcas] with service [https://sbolan1.pepperdine.edu/clearpass/Default.aspx does not match supplied service [https://cas.pepperdine.edu:8443/cas/clearPass] 2010-05-13 14:20:42,724 WARN [org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter] - org.jasig.cas.client.validation.TicketValidationException: ticket 'ST-57-beOjozKFxt5fnukAr2Yf-pcas' does not match supplied service. The original service was 'https://sbolan1.pepperdine.edu/clearpass/Default.aspx' and the supplied service was 'https://cas.pepperdine.edu:8443/cas/clearPass'. org.jasig.cas.client.validation.TicketValidationException: ticket 'ST-57-beOjozKFxt5fnukAr2Yf-pcas' does not match supplied service. The original service was 'https://sbolan1.pepperdine.edu/clearpass/Default.aspx' and the supplied service was 'https://cas.pepperdine.edu:8443/cas/clearPass'. at org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:73) at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:188) at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.inspektr.common.web.ClientInfoThreadLocalFilter.doFilterInternal(ClientInfoThreadLocalFilter.java:48) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447) at java.lang.Thread.run(Thread.java:613) -- View this message in context: http://jasig.275507.n4.nabble.com/Clearpass-DotNetCasClient-ticket-does-not-match-supplied-service-tp2215801p2215801.html Sent from the CAS Developers mailing list archive at Nabble.com. -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
