Hi Bruno,

Which ticket registry are you using? JPA, JBossCache, Memcached? The default ticket registry will not work, as tickets created on one node aren't shared with another node in the server cluster.

-Mihir

On Fri, May 21, 2010 at 9:00 AM, Bruno Melloni <[email protected]> wrote:

> After innumerable trial and error attempts and 3 postings to the list that went unanswered, I reached the conclusion that you can cluster CAS but you cannot authenticate through CAS from a clustered client application.
>
> The error? Always something like: "Authentication Failed: ticket 'ST-2-aQJM2bMCvJfcfj4M6hhR-cas' not recognized".
>
> The likely cause?
>
> · If you use the cluster (load balancer) alias in the callback to j_spring_cas_security_check then half the time the call goes to the wrong node, which doesn't recognize the ticket. Even clustering the session with <distributable/> doesn't seem to do the trick.
>
> · If you use the node hostname in the callback, then you still (always?) get the error, probably because the hostname is different from the cluster alias the browser used to make the original call.
>
> Workaround:
>
> Since you can't truly cluster, the next best thing is to set up the client WebApp as a HighAvailability-Singleton. An HASingleton won't help you with load, but if a node goes down your users will be able to start a new session almost immediately. Not perfect... but better than running on Standalone hosts.
>
> *From:* Bruno Melloni
> *Sent:* Wednesday, May 19, 2010 3:06 PM
> *To:* Bruno Melloni; The Community discussion list is for questions, comments, feedback and issues associated with CAS and its clients.
> *Subject:* Authentication Failed: ticket 'ST-2-aQJM2bMCvJfcfj4M6hhR-cas' not recognized
>
> I have been using CAS for a while. We are slowly moving to a clustered environment. To avoid the complexity of a clustered CAS server, I set it up as an HA-Singleton while letting the client app be clustered.
>
> A typical call looks like:
>
> · Browser calls the client app. Uses the cluster DNS alias that points to the load balancer.
> · Load balancer chooses a node and passes the call to the client app on node X.
> · Client app calls CAS for authentication. Uses the cluster DNS alias that points to the load balancer.
> · Load balancer passes the call to the single instance of CAS.
> · CAS authenticates and calls back the app with the authenticated ticket.
>
> Here comes the problem:
>
> · If I use the *DNS alias for the cluster* the call goes to the load balancer, which in turn *may or may not pass the call to the right node*. If it goes to the wrong node, it obviously doesn't work.
> · So I think, no problem... I'll add self-signed certificates to each node and pass the *node's hostname and port* in the callback so that CAS will make the callback to the right node. But this is when I get. No idea why, although I suspect it might have something to do with the browser calling the client with the cluster alias and CAS calling back using the node hostname.
>
> Help!
>
> Callback configuration:
>
> <bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties"
>       p:service="https://${appServer}:${appHttpsPort}/${appName}/j_spring_cas_security_check"
>       p:sendRenew="false" />
>
> --
> You are currently subscribed to [email protected] as: [email protected]
>
> To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
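As an added illustration (not code from this thread, from CAS or from Spring Security), a small Python model of the two failure modes discussed above: a CAS service ticket is bound to the service URL it was issued for, is single-use, and is known only to the registry of the node that issued it unless the registry is shared. The hostnames and the registry classes are constructed for the model.

```python
import secrets
import time
ALIAS = "https://cluster.example/app/j_spring_cas_security_check"  # constructed
NODE1 = "https://node1.example/app/j_spring_cas_security_check"    # constructed

class TicketRegistry:
    """Store of issued service tickets; CAS's default registry is per JVM."""
    def __init__(self):
        self._tickets = {}
    def add(self, ticket_id, service, ttl=10.0):
        self._tickets[ticket_id] = (service, time.time() + ttl)
    def consume(self, ticket_id):
        # Single use: the ticket is removed whether or not it validates.
        entry = self._tickets.pop(ticket_id, None)
        if entry is None:
            return None
        service, expires = entry
        return service if time.time() < expires else None

class CasServer:
    def __init__(self, registry):
        self.registry = registry
    def grant_service_ticket(self, service):
        ticket_id = "ST-" + secrets.token_urlsafe(12)
        self.registry.add(ticket_id, service)
        return ticket_id
    def validate(self, ticket_id, service):
        # Model of /serviceValidate: ticket must exist, be unused and match the service.
        bound = self.registry.consume(ticket_id)
        if bound is None:
            return "INVALID_TICKET: ticket '%s' not recognized" % ticket_id
        return "OK" if bound == service else "INVALID_SERVICE"

def callback_with_node_hostname():
    """Ticket issued for the cluster alias, validated by a node using its own hostname."""
    cas = CasServer(TicketRegistry())
    return cas.validate(cas.grant_service_ticket(ALIAS), NODE1)

def unshared_registries():
    """Two CAS nodes with separate default registries: granted on A, validated on B."""
    node_a, node_b = CasServer(TicketRegistry()), CasServer(TicketRegistry())
    return node_b.validate(node_a.grant_service_ticket(ALIAS), ALIAS)

def shared_registry():
    """Same two nodes over one shared registry; the second validation is a replay."""
    shared = TicketRegistry()
    node_a, node_b = CasServer(shared), CasServer(shared)
    st = node_a.grant_service_ticket(ALIAS)
    return node_b.validate(st, ALIAS), node_b.validate(st, ALIAS)
```

The mismatched-hostname case fails the service check even though the ticket exists, while the unshared-registry case reproduces the "not recognized" wording from the thread; only the shared registry validates once and then refuses the replay.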
