Yes, I found that reply on the (nable?) archive. Using real hostname was only a temporary measure to try to get around the problems. I am totally back to using only the virtual hostname of the cluster. Even the certificates are back to ONLY having the one for the cluster.
The problem persists... which is why I am looking for information to understand tickets, in the hope that I won't have to start looking at source code.

In the meantime... I ran a test with the client cluster pointing at an unclustered instance of CAS, and it worked. That seemed to indicate that the problem is within CAS itself, not with the client side as I was thinking. So I am now going on the assumption that a singleton won't work, and I'm trying to fully cluster CAS.

My current problem is that when it tries to read jbossTicketCacheReplicationConfig.xml. Even putting it in JBoss' server/production/conf it doesn't seem to get found using classpath:jbossTicketCacheReplicationConfig.xml. Any idea what I might be doing wrong?

thanks,
bruno

-----Original Message-----
From: Marvin Addison [mailto:[email protected]]
Sent: Tuesday, May 25, 2010 1:36 PM
To: [email protected]
Subject: Re: [cas-user] Need help understanding tickets

> as soon as I have 2 nodes... I get an HTTP 401 error
> "Authentication Failed: ticket 'ST-2-3VLTJeYvjeAfx5NutNPO-cas' not
> recognized".
> Of course... I have no clue what not recognizing a ticket means.

From a previous note I sent you on the same topic:

The service that validates the ticket must be the same as the one that initially requested the ticket. Based on your configuration, you're using the virtual hostname to obtain the ticket and the real hostname to validate it, which is not allowed by the server.

We have significant experience in HA setups here at Virginia Tech, and the only consideration we've found necessary for clustered clients is load balancer session affinity. Since the initial request to the client application and subsequent ticket delivery from CAS have the same source, the client's browser, session affinity guarantees that the same client node is accessed consistently.
The ticket validation step is trickier in clustered CAS server setups since the validation has a different source, the actual service, than the ticket request. In your case, however, it's a non-issue since the server is effectively a single node. If you ever decide to move to an active-active setup, you'll need to use a ticket registry suitable for access by multiple nodes such as the JpaTicketRegistry or JBossCacheTicketRegistry.

M

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
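To make the two points raised in this thread concrete (a service ticket is bound to the service URL that requested it, and a per-node ticket registry stops working as soon as a second CAS node answers the validation request), here is an added Python simulation. It is not CAS code and does not come from the list or its authors; the class names, the service URLs, the 10 second ticket lifetime and the error strings are constructed for illustration, loosely modelled on the behaviour the reply describes.

```python
"""Toy model of CAS service-ticket issuance and validation (added example).

It reproduces three failure modes a CAS operator runs into:
  1. ticket requested for one service URL, validated for another
  2. two CAS nodes with private in-memory registries behind a load balancer
  3. a ticket presented twice (service tickets are single-use)
and shows that a registry shared by all nodes fixes case 2.
"""
import secrets
import time

TICKET_TTL_SECONDS = 10  # constructed value; real CAS tickets are also short-lived

SERVICE_VIP = "https://app-vip.example.com/login"      # constructed virtual hostname
SERVICE_REAL = "https://app-node1.example.com/login"   # constructed real hostname


class TicketRegistry:
    """In-memory ticket store. One instance per node models a non-shared
    registry; one instance passed to several nodes models a shared one."""

    def __init__(self):
        self._tickets = {}

    def add(self, ticket_id, record):
        self._tickets[ticket_id] = record

    def pop(self, ticket_id):
        # Removing on lookup makes the ticket single-use.
        return self._tickets.pop(ticket_id, None)


class CasNode:
    """A CAS server node that issues and validates service tickets."""

    def __init__(self, name, registry):
        self.name = name
        self.registry = registry

    def issue_service_ticket(self, service_url):
        ticket_id = "ST-" + secrets.token_urlsafe(16)
        self.registry.add(ticket_id, {"service": service_url, "issued": time.time()})
        return ticket_id

    def validate(self, ticket_id, service_url):
        """Return (ok, reason). The service presented at validation must match
        the service recorded at issuance, and the ticket must exist and be fresh."""
        record = self.registry.pop(ticket_id)
        if record is None:
            return False, "ticket %r not recognized" % ticket_id
        if time.time() - record["issued"] > TICKET_TTL_SECONDS:
            return False, "ticket expired"
        if record["service"] != service_url:
            return False, "ticket was issued for %r, not %r" % (record["service"], service_url)
        return True, "ok"


def scenario_hostname_mismatch():
    """Client obtains the ticket via the virtual hostname but validates via
    the real hostname: rejected even on a single CAS node."""
    node = CasNode("cas1", TicketRegistry())
    st = node.issue_service_ticket(SERVICE_VIP)
    return node.validate(st, SERVICE_REAL)


def scenario_two_nodes_private_registries():
    """Two CAS nodes, each with its own registry. The ticket is issued by cas1,
    but the load balancer routes the validation to cas2."""
    cas1 = CasNode("cas1", TicketRegistry())
    cas2 = CasNode("cas2", TicketRegistry())
    st = cas1.issue_service_ticket(SERVICE_VIP)
    return cas2.validate(st, SERVICE_VIP)


def scenario_two_nodes_shared_registry():
    """Same routing as above, but both nodes use one shared registry."""
    shared = TicketRegistry()
    cas1 = CasNode("cas1", shared)
    cas2 = CasNode("cas2", shared)
    st = cas1.issue_service_ticket(SERVICE_VIP)
    return cas2.validate(st, SERVICE_VIP)


def scenario_replay():
    """A ticket validated once cannot be validated again."""
    node = CasNode("cas1", TicketRegistry())
    st = node.issue_service_ticket(SERVICE_VIP)
    first = node.validate(st, SERVICE_VIP)
    second = node.validate(st, SERVICE_VIP)
    return first, second


if __name__ == "__main__":
    print("hostname mismatch     :", scenario_hostname_mismatch())
    print("two nodes, private reg:", scenario_two_nodes_private_registries())
    print("two nodes, shared reg :", scenario_two_nodes_shared_registry())
    print("replay                :", scenario_replay())
```

The second scenario is the one that produces a "ticket not recognized" style error only after a second node is added: the ticket exists, but in the registry of a node that never sees the validation call. Swapping the private registries for a shared one (the role JpaTicketRegistry or JBossCacheTicketRegistry plays in a real deployment) is what makes the same exchange succeed.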
