I apologize for the long post. After struggling through getting SPNEGO to work with CAS behind a load balancer with an Active Directory Kerberos KDC, I decided to test the configuration with an actual application, not the CAS login URL. My CAS configuration is as follows:

• F5 BigIP Load Balancer
• 2 CAS servers running inside Tomcat 6, on RedHat v5, jdk1.6
• Memcached-backed ticket registry

This configuration works perfectly with the CAS login URL, i.e. http(s)://my.cas.server/login. The request hits one server and logs me in using SPNEGO. I hit it again and the request is served by the other server; I am logged in, with no SPNEGO handshake this time because I have the CAS TGC on my host.

Switch to the application. This app needs to proxy CAS to a different service, so I need to get a proxy ticket. This app worked when I ran the client app on my dev box and the CAS server on another dev box: no SPNEGO, no load balancer, no memcached. To simplify troubleshooting, I turned off one of the test CAS servers so I only have one server behind the load balancer. I have included logs; any insight is appreciated.

FYI, the proxy callback endpoint does accept https: if I enter https://my.server.com:8843, Tomcat lists the known application contexts. All required SSL certs are in the keystores of the respective servers.

CAS-enabled application log:

DEBUG Cas20ProxyTicketValidator - Placing URL parameters in map.
DEBUG Cas20ProxyTicketValidator - Calling template URL attribute map.
DEBUG Cas20ProxyTicketValidator - Loading custom parameters from configuration.
DEBUG Cas20ProxyTicketValidator - Constructing validation url: https://my.server.com/proxyValidate?service=http%3A%2F%my.server.com%3A8888%2Fibpm-ws-sample%2Fj_spring_cas_security_check&ticket=ST-6-Mh63x2bMBCuFgGu41L59-cas&pgtUrl=https%3A%2F%2Fmy.server.com%3A8843%2Fibpm-ws-sample%2Fsecure%2Freceptor
DEBUG Cas20ProxyTicketValidator - Retrieving response from server.
DEBUG Cas20ProxyTicketValidator - Server response: <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>spamboy</cas:user>
</cas:authenticationSuccess>
</cas:serviceResponse>
INFO ProxyGrantingTicketStorageImpl - No Proxy Ticket found for
-- NOT GOOD, exception thrown by the server...

DEBUG LdapConnectionObjectFactory - Start timing for [makeObject]
DEBUG LdapConnectionObjectFactory - Timing for [makeObject: createConnection]: 63ms.
DEBUG LdapConnectionObjectFactory - Timing for [makeObject: bindConnection]: 31ms.
DEBUG LdapConnectionObjectFactory - Start timing for [validateObject]
DEBUG LdapConnectionObjectFactory - Timing for [validateObject: checkIsAlive, valid: true]: 0ms.
DEBUG SingleSignOutFilter - Storing session identifier for umylbnszlo2o

MEMCACHED LOG:

<25 get ST-6-Mh63x2bMBCuFgGu41L59-cas
>25 sending key ST-6-Mh63x2bMBCuFgGu41L59-cas
>25 END
<25 replace ST-6-Mh63x2bMBCuFgGu41L59-cas 1 300 2540
>25 STORED
<25 delete ST-6-Mh63x2bMBCuFgGu41L59-cas
>25 DELETED

You can see the service ticket that was sent back.

CAS SERVER LOG:

2010-02-10 10:53:11,112 DEBUG [org.jasig.cas.web.flow.SendTicketGrantingTicketAction] - <Action 'SendTicketGrantingTicketAction' beginning execution>
2010-02-10 10:53:11,112 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Added cookie with name [CASTGC] and value [TGT-4-ot7mZD3GBIsAcj6ZfeaGxgSoj4eDa7oHFbDZuLmemD74Z2fA02-cas]>
2010-02-10 10:53:11,112 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Removing ticket [TGT-3-XzOcfCkeo77JKpXVZ1WIyvbADXeQuzySjBiFLfElC2DReHPIh4-cas] from registry.>
2010-02-10 10:53:11,113 DEBUG [org.jasig.cas.web.flow.SendTicketGrantingTicketAction] - <Action 'SendTicketGrantingTicketAction' completed execution; result is 'success'>
2010-02-10 10:53:11,113 DEBUG [org.jasig.cas.web.flow.GenerateServiceTicketAction] - <Action 'GenerateServiceTicketAction' beginning execution>
2010-02-10 10:53:11,115 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-6-Mh63x2bMBCuFgGu41L59-cas] for service [http://my.server.com:8888/ibpm-ws-sample/j_spring_cas_security_check] for user [spamboy]>
2010-02-10 10:53:11,115 DEBUG [org.jasig.cas.web.flow.GenerateServiceTicketAction] - <Action 'GenerateServiceTicketAction' completed execution; result is 'success'>
2010-02-10 10:53:11,181 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://my.server.com:8888/ibpm-ws-sample/j_spring_cas_security_check>
2010-02-10 10:53:11,181 DEBUG [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - <Attempting to resolve credentials for [callbackUrl: https://my.server.com:8843/ibpm-ws-sample/secure/receptor]>

Not quite sure what generated this:

2010-02-10 10:53:11,242 DEBUG [org.jasig.cas.util.HttpClient] - <Response Code did not match any of the acceptable response codes. Code returned was 400>
2010-02-10 10:53:11,242 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user which provided the following credentials: [callbackUrl: https://my.server.com:8843/ibpm-ws-sample/secure/receptor]>
2010-02-10 10:53:11,243 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: [callbackUrl: https://my.server.com:8843/ibpm-ws-sample/secure/receptor]>
org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad

--
View this message in context: http://n4.nabble.com/ProxyTickets-Load-Balancer-Unable-to-validate-credentials-tp1476315p1476315.html
Sent from the CAS Users mailing list archive at Nabble.com.
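The failure pattern in the post (client logs an authenticationSuccess for the user but no proxyGrantingTicket element, while the CAS server logs that its probe of the pgtUrl got an HTTP 400 and then fails the callbackUrl credentials) can be checked mechanically from the two artefacts a client operator has: the validation URL the client built and the serviceResponse it got back. The script below is an added example, not code from the post or from the CAS project. It parses both, applies the pre-flight rules CAS enforces on a pgtUrl (it must be https), and relates a callback status taken from the server log to the set of statuses CAS accepts. The accepted-status set is an assumption about the default of org.jasig.cas.util.HttpClient in CAS 3.x of that period and should be confirmed against the deployed version; the sample URL and response are constructed from the post's log with the URL encoding normalised.

```python
"""Offline diagnosis of a CAS 2.0 proxy validation exchange (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# HTTP statuses a CAS 3.x server accepts from the pgtUrl probe. Assumption: this
# matches the default of org.jasig.cas.util.HttpClient of that era; a deployment
# can override it, so confirm against the running version before relying on it.
DEFAULT_ACCEPTABLE_CODES = frozenset({200, 202, 301, 302, 304})

# Sample input constructed from the post's client log (URL encoding normalised).
SAMPLE_VALIDATION_URL = (
    "https://my.server.com/proxyValidate"
    "?service=http%3A%2F%2Fmy.server.com%3A8888%2Fibpm-ws-sample%2Fj_spring_cas_security_check"
    "&ticket=ST-6-Mh63x2bMBCuFgGu41L59-cas"
    "&pgtUrl=https%3A%2F%2Fmy.server.com%3A8843%2Fibpm-ws-sample%2Fsecure%2Freceptor"
)
SAMPLE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>spamboy</cas:user>
</cas:authenticationSuccess>
</cas:serviceResponse>"""


def parse_validation_url(url):
    """Return the query parameters of a /serviceValidate or /proxyValidate URL."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def check_pgt_url(pgt_url):
    """Problems a CAS server finds with a pgtUrl before it even tries the callback."""
    parts = urlsplit(pgt_url)
    problems = []
    if parts.scheme != "https":
        problems.append("pgtUrl is not https; CAS only calls TLS callbacks by default")
    if not parts.netloc:
        problems.append("pgtUrl has no host")
    return problems


def parse_service_response(xml_text):
    """Reduce a <cas:serviceResponse> to the fields a proxying client cares about."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        return {
            "ok": True,
            "user": success.findtext("cas:user", namespaces=CAS_NS),
            # Present only when the server reached the pgtUrl and handed over a PGT IOU.
            "pgt_iou": success.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS),
        }
    failure = root.find("cas:authenticationFailure", CAS_NS)
    return {"ok": False, "code": failure.get("code"), "message": (failure.text or "").strip()}


def diagnose(validation_url, response_xml, callback_status=None):
    """Explain the outcome; callback_status is the HTTP code from the CAS server log, if known."""
    params = parse_validation_url(validation_url)
    resp = parse_service_response(response_xml)
    if not resp["ok"]:
        return "ticket validation failed: %s" % resp["code"]
    pgt_url = params.get("pgtUrl")
    if pgt_url is None:
        return "authenticated as %s; no pgtUrl sent, so no proxying requested" % resp["user"]
    if resp["pgt_iou"]:
        return ("authenticated as %s; PGT IOU %s issued, the receptor at %s must already "
                "hold the matching pgtId" % (resp["user"], resp["pgt_iou"], pgt_url))
    reasons = check_pgt_url(pgt_url)
    if callback_status is not None and callback_status not in DEFAULT_ACCEPTABLE_CODES:
        reasons.append("callback to %s returned HTTP %d, outside the accepted set %s"
                       % (pgt_url, callback_status, sorted(DEFAULT_ACCEPTABLE_CODES)))
    if not reasons:
        reasons.append("callback status unknown; look for HttpBasedServiceCredentialsAuthenticationHandler "
                       "and org.jasig.cas.util.HttpClient entries in the CAS server log")
    return "authenticated as %s but no proxyGrantingTicket returned: %s" % (resp["user"], "; ".join(reasons))


if __name__ == "__main__":
    print(diagnose(SAMPLE_VALIDATION_URL, SAMPLE_RESPONSE, callback_status=400))
```

Run against the post's own data, the script reports that the user was authenticated but no proxyGrantingTicket came back because the callback probe returned 400. That ordering matters for where to look next: the receptor's ProxyGrantingTicketStorage is only ever populated by a GET from the CAS server carrying pgtIou and pgtId, so when the server's probe of the pgtUrl is rejected, the client-side "No Proxy Ticket found" message is a consequence, not a separate fault. The next evidence to collect is the access log of whatever answered the CAS server's request to https://my.server.com:8843 at 10:53:11, since that is the hop that produced the 400.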
