> We are having an issue with a two node cluster CAS 3.2.1 and uPortal 2.6. We > have the two nodes behind a BIGip F5 loadbalacer. When CAS authenticates a > uPortal user, I get the following error (below) from uPortal. We only get the > error when the two nodes are running. If just one node is running, everything > works fine. > ... > edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate > ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator > proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator > casValidateUrl=[https://testcas.irt.csus.edu/csus.cas/serviceValidate] > proxyCallbackUrl=[https://mybetatst.csus.edu/portal/CasProxyServlet] > ticket=[ST-3-T4qVxXdSXewF7umkIjzj-testcas1] > service=[https%3A%2F%2Fmybetatst.csus.edu%2Fportal%2FLogin] > errorCode=[INVALID_TICKET] errorMessage=[ticket > 'ST-3-T4qVxXdSXewF7umkIjzj-testcas1' not recognized]
You didn't mention whether you're using a distributed ticket registry for CAS. The CAS nodes either need to share state or use a distributed ticket registry (memcached, DB, JBoss cache). If you do not meet these requirements and you have an active-active load balancer config, you would see this error if the service ticket is issued against node 1 and it is validated by the service against node 2. (These are different sources so sticky sessions won't help.) The fact that your problem goes away when you shut down one of the nodes seems to support the fact your CAS nodes don't know anything about each others' tickets. Hope that helps, M -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
