> You didn't mention whether you're using a distributed ticket registry
> for CAS. The CAS nodes either need to share state or use a
> distributed ticket registry (memcached, DB, JBoss cache).

We're using the JBoss cache, and it seems to be working.

2009-05-08 09:39:33,678 INFO [org.jasig.cas.util.JBossCacheFactoryBean] - <Starting TreeCache service.>

Here's the CAS logs:

Node 1:

2009-05-08 10:41:55,915 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: load300
2009-05-08 10:41:55,930 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1-FSnmMYG7KwSZPNiIMxZV-testcas1] for service [https://mybetatst.csus.edu/portal/Login] for user [load300]

Node 2:

2009-05-08 10:41:58,672 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler successfully authenticated the user which provided the following credentials: https://mybetatst.csus.edu/portal/CasProxyServlet
2009-05-08 10:41:58,672 ERROR [org.jasig.cas.web.ServiceValidateController] - TicketException generating ticket for: https://mybetatst.csus.edu/portal/CasProxyServlet
org.jasig.cas.ticket.InvalidTicketException
    at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:273)
    at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:126)
    at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
    ....

Here's the uPortal error:

HTTP Status 500 - edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator
[[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null]
[edu.yale.its.tp.cas.client.ServiceTicketValidator
casValidateUrl=[https://testcas.irt.csus.edu/csus.cas/serviceValidate]
proxyCallbackUrl=[https://mybetatst.csus.edu/portal/CasProxyServlet]
ticket=[ST-1-FSnmMYG7KwSZPNiIMxZV-testcas1]
service=[https%3A%2F%2Fmybetatst.csus.edu%2Fportal%2FLogin]
errorCode=[INVALID_TICKET]
errorMessage=[ticket 'ST-1-FSnmMYG7KwSZPNiIMxZV-testcas1' not recognized]
renew=false
entireResponse=[<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code='INVALID_TICKET'>
ticket 'ST-1-FSnmMYG7KwSZPNiIMxZV-testcas1' not recognized
</cas:authenticationFailure>
</cas:serviceResponse>
]]]]
    edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:62)
    edu.yale.its.tp.cas.client.filter.CASValidateFilter.getAuthenticatedUser(CASValidateFilter.java:339)
    edu.yale.its.tp.cas.client.filter.CASValidateFilter.doFilter(CASValidateFilter.java:289)

If I log in directly to CAS, and I'm not coming from a service, one node will register the user without the other node complaining. In this case node 2:

2009-05-08 10:54:47,087 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: load100>

I then shut down node 2, refreshed the browser pointed at CAS, and node 1 took let me stay logged in. They must be sharing tickets.

Andy Osburn
Sacramento State

-----Original Message-----
From: Marvin Addison [mailto:[email protected]]
Sent: Thursday, May 07, 2009 5:59 PM
To: [email protected]
Subject: Re: [cas-user] Service ticket validated twice CAS client error

> We are having an issue with a two node cluster CAS 3.2.1 and uPortal 2.6.
> We have the two nodes behind a BIGip F5 load balancer. When CAS authenticates a
> uPortal user, I get the following error (below) from uPortal. We only get the
> error when the two nodes are running. If just one node is running, everything
> works fine.
> ...
> edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate
> ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator
> proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator
> casValidateUrl=[https://testcas.irt.csus.edu/csus.cas/serviceValidate]
> proxyCallbackUrl=[https://mybetatst.csus.edu/portal/CasProxyServlet]
> ticket=[ST-3-T4qVxXdSXewF7umkIjzj-testcas1]
> service=[https%3A%2F%2Fmybetatst.csus.edu%2Fportal%2FLogin]
> errorCode=[INVALID_TICKET] errorMessage=[ticket
> 'ST-3-T4qVxXdSXewF7umkIjzj-testcas1' not recognized]

You didn't mention whether you're using a distributed ticket registry for CAS. The CAS nodes either need to share state or use a distributed ticket registry (memcached, DB, JBoss cache). If you do not meet these requirements and you have an active-active load balancer config, you would see this error if the service ticket is issued against node 1 and it is validated by the service against node 2. (These are different sources so sticky sessions won't help.) The fact that your problem goes away when you shut down one of the nodes seems to support the fact your CAS nodes don't know anything about each other's tickets.

Hope that helps,
M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
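
Added example, not part of the thread and not CAS or uPortal code: it correlates a failed serviceValidate response with each node's "Granted service ticket" log line to show which node issued the ticket and which one rejected it. The node labels `node1`/`node2`, the function names and the verdict strings are assumptions; the sample log lines and response are copied from the messages above.

```python
import re
import xml.etree.ElementTree as ET

NS = {"cas": "http://www.yale.edu/tp/cas"}
GRANT = re.compile(r"Granted service ticket \[(ST-[^\]]+)\] for service \[([^\]]+)\]")
TICKET = re.compile(r"ticket '(ST-[^']+)'")

# Sample input copied from the thread; the node labels are assumptions.
LOGS = {
    "node1": "2009-05-08 10:41:55,930 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - "
             "Granted service ticket [ST-1-FSnmMYG7KwSZPNiIMxZV-testcas1] "
             "for service [https://mybetatst.csus.edu/portal/Login] for user [load300]",
    "node2": "2009-05-08 10:41:58,672 ERROR [org.jasig.cas.web.ServiceValidateController] - "
             "TicketException generating ticket for: https://mybetatst.csus.edu/portal/CasProxyServlet",
}
RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code='INVALID_TICKET'>
ticket 'ST-1-FSnmMYG7KwSZPNiIMxZV-testcas1' not recognized
</cas:authenticationFailure>
</cas:serviceResponse>"""

def issuing_nodes(logs):
    """Map each granted service ticket id to the node whose log recorded the grant."""
    return {m.group(1): node for node, text in logs.items() for m in GRANT.finditer(text)}

def parse_failure(xml_text):
    """Return (code, ticket) for an authenticationFailure response, None on success."""
    fail = ET.fromstring(xml_text).find("cas:authenticationFailure", NS)
    if fail is None:
        return None
    m = TICKET.search(fail.text or "")
    return fail.get("code"), (m.group(1) if m else None)

def diagnose(xml_text, validating_node, logs):
    """Classify a validation attempt as (verdict, ticket, issuing_node)."""
    failure = parse_failure(xml_text)
    if failure is None:
        return ("validated", None, None)
    code, ticket = failure
    if code != "INVALID_TICKET" or ticket is None:
        return ("other_failure", ticket, None)
    issuer = issuing_nodes(logs).get(ticket)
    if issuer is None:
        return ("no_grant_logged", ticket, None)  # no node logged a grant, or logs are incomplete
    if issuer != validating_node:
        return ("cross_node", ticket, issuer)     # granted on one node, rejected by another
    return ("same_node", ticket, issuer)          # granted and rejected on the same node

if __name__ == "__main__":
    print(diagnose(RESPONSE, "node2", LOGS))
```

The validating node has to be supplied from the load balancer log or from whichever node logged the error at the validation timestamp.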
