Your proxy callback is failing, which is why you're not getting a PGT. You can see that by the fact that the AuthenticationHandler failed to authenticate the proxy callback url. My guess is it got a server 400 error. I'm not sure why you would be generating a server 400 error.
Cheers,
Scott

On Wed, Feb 10, 2010 at 2:20 PM, Dean Heisey <[email protected]> wrote:

> I apologize for the long post.
>
> After struggling through getting SPNEGO to work with CAS behind a load
> balancer with an ActiveDirectory Kerberos KDC I decided to test the
> configuration with an actual application, not the CAS login url. My CAS
> configuration is as follows:
>
> • F5 BigIP Load Balancer
> • 2 CAS servers running inside Tomcat6, on RedHat v5, jdk1.6
> • Memcached backed ticket registry
>
> This configuration works perfectly with the CAS login url i.e.
> http(s)://my.cas.server/login
> The request hits one server, logs me in using SPNEGO. I hit it again and
> the request is served by the other server, I am logged in, no SPNEGO
> handshake this time because I have the CAS TGC on my host.
>
> Switch to the application.
>
> This app needs to proxy cas to a different service so I need to get a proxy
> ticket. This app worked when I ran the client app on my dev box and the CAS
> server on another dev box, no SPNEGO, no load balancer, no memcached. To
> simplify troubleshooting, I turned off one of the test CAS servers so I only
> have one server behind the load balancer. I have included logs, any insight
> is appreciated.
>
> FYI, the proxy callback endpoint does accept https: if I enter
> https://my.server.com:8843 tomcat lists the known application contexts. All
> required ssl certs are in the keystores of the respective servers.
>
> CAS Enabled application log:
>
> DEBUG Cas20ProxyTicketValidator - Placing URL parameters in map.
> DEBUG Cas20ProxyTicketValidator - Calling template URL attribute map.
> DEBUG Cas20ProxyTicketValidator - Loading custom parameters from configuration.
> DEBUG Cas20ProxyTicketValidator - Constructing validation url:
> https://my.server.com/proxyValidate?service=http%3A%2F%my.server.com%3A8888%2Fibpm-ws-sample%2Fj_spring_cas_security_check&ticket=ST-6-Mh63x2bMBCuFgGu41L59-cas&pgtUrl=https%3A%2F%2Fmy.server.com%3A8843%2Fibpm-ws-sample%2Fsecure%2Freceptor
> DEBUG Cas20ProxyTicketValidator - Retrieving response from server.
> DEBUG Cas20ProxyTicketValidator - Server response:
> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
> <cas:authenticationSuccess>
> <cas:user>spamboy</cas:user>
> </cas:authenticationSuccess>
> </cas:serviceResponse>
>
> INFO ProxyGrantingTicketStorageImpl - No Proxy Ticket found for -- NOT GOOD exception thrown by the server.......
> DEBUG LdapConnectionObjectFactory - Start timing for [makeObject]
> DEBUG LdapConnectionObjectFactory - Timing for [makeObject: createConnection]: 63ms.
> DEBUG LdapConnectionObjectFactory - Timing for [makeObject: bindConnection]: 31ms.
> DEBUG LdapConnectionObjectFactory - Start timing for [validateObject]
> DEBUG LdapConnectionObjectFactory - Timing for [validateObject: checkIsAlive, valid: true]: 0ms.
> DEBUG SingleSignOutFilter - Storing session identifier for umylbnszlo2o
>
> MEMCACHED LOG:
> <25 get ST-6-Mh63x2bMBCuFgGu41L59-cas
> >25 sending key ST-6-Mh63x2bMBCuFgGu41L59-cas
> >25 END
> <25 replace ST-6-Mh63x2bMBCuFgGu41L59-cas 1 300 2540
> >25 STORED
> <25 delete ST-6-Mh63x2bMBCuFgGu41L59-cas
> >25 DELETED
> You can see the service ticket that was sent back
>
> CAS SERVER LOG:
> 2010-02-10 10:53:11,112 DEBUG [org.jasig.cas.web.flow.SendTicketGrantingTicketAction] - <Action 'SendTicketGrantingTicketAction' beginning execution>
> 2010-02-10 10:53:11,112 DEBUG [org.jasig.cas.web.support.CookieRetrievingCookieGenerator] - <Added cookie with name [CASTGC] and value [TGT-4-ot7mZD3GBIsAcj6ZfeaGxgSoj4eDa7oHFbDZuLmemD74Z2fA02-cas]>
> 2010-02-10 10:53:11,112 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - <Removing ticket [TGT-3-XzOcfCkeo77JKpXVZ1WIyvbADXeQuzySjBiFLfElC2DReHPIh4-cas] from registry.>
> 2010-02-10 10:53:11,113 DEBUG [org.jasig.cas.web.flow.SendTicketGrantingTicketAction] - <Action 'SendTicketGrantingTicketAction' completed execution; result is 'success'>
> 2010-02-10 10:53:11,113 DEBUG [org.jasig.cas.web.flow.GenerateServiceTicketAction] - <Action 'GenerateServiceTicketAction' beginning execution>
> 2010-02-10 10:53:11,115 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-6-Mh63x2bMBCuFgGu41L59-cas] for service [http://my.server.com:8888/ibpm-ws-sample/j_spring_cas_security_check] for user [spamboy]>
> 2010-02-10 10:53:11,115 DEBUG [org.jasig.cas.web.flow.GenerateServiceTicketAction] - <Action 'GenerateServiceTicketAction' completed execution; result is 'success'>
> 2010-02-10 10:53:11,181 DEBUG [org.jasig.cas.web.support.CasArgumentExtractor] - <Extractor generated service for: http://my.server.com:8888/ibpm-ws-sample/j_spring_cas_security_check>
> 2010-02-10 10:53:11,181 DEBUG [org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler] - <Attempting to resolve credentials for [callbackUrl: https://my.server.com:8843/ibpm-ws-sample/secure/receptor]>
>
> Not Quite sure what generated this:
> 2010-02-10 10:53:11,242 DEBUG [org.jasig.cas.util.HttpClient] - <Response Code did not match any of the acceptable response codes. Code returned was 400>
>
> 2010-02-10 10:53:11,242 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user which provided the following credentials: [callbackUrl: https://my.server.com:8843/ibpm-ws-sample/secure/receptor]>
> 2010-02-10 10:53:11,243 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: [callbackUrl: https://my.server.com:8843/ibpm-ws-sample/secure/receptor]>
> org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
>
> --
> View this message in context:
> http://n4.nabble.com/ProxyTickets-Load-Balancer-Unable-to-validate-credentials-tp1476315p1476315.html
> Sent from the CAS Users mailing list archive at Nabble.com.
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
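As an added illustration of the two steps the logs above show failing (not code from this thread or from the CAS project): a minimal CAS 2.0 proxy-callback receptor, which must answer the CAS server's GET with an acceptable status rather than the 400 seen here, and a /proxyValidate response parser, which finds no `<cas:proxyGrantingTicket>` element when that callback has failed. The ticket values in the sample XML are constructed.

```python
# Added example, not code from the thread or from the CAS/Jasig project.
# All ticket values below are constructed sample data.
from urllib.parse import parse_qs, urlparse
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# pgtIou -> pgtId; the client's ProxyGrantingTicketStorage equivalent.
PGT_STORAGE = {}


def handle_callback(request_url):
    """Receptor side. The CAS server first GETs the bare pgtUrl to check it
    is reachable (the 'resolve credentials' step in the server log), then
    GETs it again with pgtIou and pgtId. Anything outside CAS's acceptable
    response codes (the 400 in the thread is not one) fails the callback,
    so the receptor returns 200 for both requests."""
    qs = parse_qs(urlparse(request_url).query)
    pgt_iou = qs.get("pgtIou", [None])[0]
    pgt_id = qs.get("pgtId", [None])[0]
    if pgt_iou and pgt_id:
        PGT_STORAGE[pgt_iou] = pgt_id
    return 200, ""


def parse_validate_response(xml_text):
    """Client side. Returns (user, pgtIou); pgtIou is None when the server
    omitted <cas:proxyGrantingTicket>, exactly as in the thread's response."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return None, None
    user = success.findtext("cas:user", namespaces=CAS_NS)
    pgt_iou = success.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS)
    return user, pgt_iou


def pgt_for(pgt_iou):
    """Look up the PGT delivered by the callback; None reproduces the
    'No Proxy Ticket found' condition in the application log."""
    return PGT_STORAGE.get(pgt_iou) if pgt_iou else None


# Constructed responses: the first mirrors the thread (no PGT), the second
# is what the server returns once the callback succeeded.
RESPONSE_NO_PGT = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess><cas:user>spamboy</cas:user>
</cas:authenticationSuccess></cas:serviceResponse>"""
RESPONSE_WITH_PGT = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess><cas:user>spamboy</cas:user>
<cas:proxyGrantingTicket>PGTIOU-example</cas:proxyGrantingTicket>
</cas:authenticationSuccess></cas:serviceResponse>"""
```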
