I think I'm getting the same error as you. I can't seem to verify my 
ticket correctly with clearPass through the URL....though I'm chalking 
it up to my lack of knowledge on the subject.

These are the kind of errors I'm seeing. Also, my cas server and portal 
server are on the same server right now until I separate things out so 
therefore you'll see <my-server> in the designated areas.

I'm getting the internal error also....Is this what you're seeing?

*description* _The server encountered an internal error () that prevented it from fulfilling this request._

*exception*

javax.servlet.ServletException: org.jasig.cas.client.validation.TicketValidationException:
                ticket 'ST-2-blahblahblahblah-my-server' not recognized
        org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:189)
        com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:46)

*root cause*

org.jasig.cas.client.validation.TicketValidationException:
                ticket 'ST-2-blahblahblahblah-my-server' not recognized


My catalina log looks like this:

2010-11-15 13:53:52,307 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: mccordl]>
2010-11-15 13:53:52,326 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-1-yaddayaddayadda-my-server] for service [https://my-server/uPortal/Login] for user [mccordl]>
2010-11-15 13:53:52,476 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler successfully authenticated the user which provided the following credentials: [callbackUrl: https://my-server/uPortal/CasProxyServlet]>
2010-11-15 13:53:52,661 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-2-blahblahblahblah-my-server] for service [https://my-server/cas/clearPass] for user [https:/my-server/uPortal/CasProxyServlet]>
2010-11-15 13:53:52,724 INFO [org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl] - <No Proxy Ticket found for [].>
2010-11-15 13:54:46,307 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceTicket [ST-2-blahblahblahblah-my-server] does not exist.>
2010-11-15 13:54:46,328 WARN [org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter] - <org.jasig.cas.client.validation.TicketValidationException:
         ticket 'ST-2-blahblahblahblah -my-server' not recognized
 >
org.jasig.cas.client.validation.TicketValidationException:
         ticket 'ST-2-blahblahblahblah -my-server' not recognized

     at org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:73)
     at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:197)
     at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:164)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
     at com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:46)
     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
     at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
     at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
     at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:774)
     at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703)
     at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:896)
     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
     at java.lang.Thread.run(Thread.java:619)
2010-11-15 13:54:46,345 WARN [org.springframework.context.support.ResourceBundleMessageSource] - <ResourceBundle [theme] not found for MessageSource: Can't find bundle for base name theme, locale en_US>



On 11/15/10 7:38 AM, James Winter wrote:
> Some more detail on this problem:
>
> If I go to my site, I can successfully login to CAS, but then I get 
> the error message: Error getting response from clearPass at URL: 
> https://cas.domain.local/cas/clearPass?ticket=ST-999-xxxxxxxxx-cas&service=https://cas.domain.local/cas/clearPass.
> The remote server returned an error: (500) Internal Server Error.
>
> If I take that URL and paste it into a new browser, and if I change 
> the first clearPass to anything else, like clearPass/ or clearpass, 
> I'll get my password returned back to me. I also notice that the 
> ticket changes. If the original is ST-687, for example, the one in the 
> URL when my password is displayed is ST-688. Should clearPass be 
> giving a new ticket? Or is the ticket that it's attempting to pass to 
> clearPass a bad ticket?
>
> I can't get access to the CAS server logs, so I'm in a little bit of a 
> bind here.
>
> Thanks for any help.
>
> James
>
>
>
> On Fri, Nov 12, 2010 at 3:40 PM, James Winter <[email protected] 
> <mailto:[email protected]>> wrote:
>
>     Ok, more progress. The SSL certificate problem is no more, but now
>     I get the following:
>
>     Error getting response from clearPass at URL:
>     https://cas.domain.local/cas/clearPass?ticket=ST-999-xxxxxxxxx-cas&service=https://cas.domain.local/cas/clearPass.
>     The remote server returned an error: (500) Internal Server Error.
>
>     Is this a configuration problem in clearPass? Or CAS? If I change
>     the first clearPass in the URL to clearpass, I get my password
>     returned to me. But if I change the web.config to use clearpass
>     instead of clearPass, I get the same 500 error as above.
>
>     Any ideas?
>
>     James
>
>
>     On Fri, Nov 12, 2010 at 10:45 AM, William G. Thompson, Jr.
>     <[email protected] <mailto:[email protected]>> wrote:
>
>         Likely...if the certs aren't trusted CasOwa won't be able to get PGT
>         and a subsequent PT/ST for clearPass.
>
>         Bill
>
>         On Fri, Nov 12, 2010 at 10:33 AM, James Winter
>         <[email protected] <mailto:[email protected]>> wrote:
>         > What does it mean that the ticket parameter is blank in that error message?
>         > I understand that var proxyTicket = user.GetProxyTicketFor(ClearPassUri); is
>         > returning nothing, but is that also caused by the SSL cert?
>         >
>         > James
>         >
>         >
>         > On Fri, Nov 12, 2010 at 10:13 AM, James Winter
>         <[email protected] <mailto:[email protected]>> wrote:
>         >>
>         >> Progress!
>         >>
>         >> I now get this response:
>         >> Received response from
>         >> https://mycampus.arcadia.edu/cas/clearPass?ticket=&service=https://mycampus.arcadia.edu/cas/clearPass,
>         >> but cas:credientials IsNullOrEmpty.  Check CAS server logs for errors.  Make
>         >> sure SSL certs are trusted.
>         >> We don't have direct access to our CAS server, so we'll have to contact
>         >> our host to add the certificate to their end. I got the cert from a free
>         >> site, but I'm guessing that's the problem.
>         >> James
>         >>
>         >>
>         >>
>         >> On Fri, Nov 12, 2010 at 9:34 AM, William G. Thompson, Jr.
>         >> <[email protected] <mailto:[email protected]>> wrote:
>         >>>
>         >>> On Fri, Nov 12, 2010 at 9:30 AM, James Winter
>         <[email protected] <mailto:[email protected]>>
>         >>> wrote:
>         >>> > We have some additional problems (the test server is unable to access
>         >>> > the CAS server at all) so I'm going to have to wait until that's resolved.
>         >>>
>         >>> That would help.  :)
>         >>>
>         >>> >
>         >>> > Both servers are using commercial certs, and I'm pretty sure Clearpass
>         >>> > is working. When I go to /cas/clearPass I don't get a login prompt, I just
>         >>> > get the "No authentication information provided." response.
>         >>>
>         >>> Login first, and then try the clearPass URL you should get the following:
>         >>> <cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>         >>> <cas:clearPassFailure>invalid sevice specified</cas:clearPassFailure>
>         >>> </cas:clearPassResponse>
>         >>>
>         >>> Bill
>         >>>
>         >>>
>         >>>
>         >>> > James
>         >>> >
>         >>> >
>         >>> >
>         >>> > On Fri, Nov 12, 2010 at 9:13 AM, William G. Thompson, Jr.
>         >>> > <[email protected] <mailto:[email protected]>>
>         >>> > wrote:
>         >>> >>
>         >>> >> If you're using self-signed certs, both IIS and the CAS JVM must be
>         >>> >> configured to trust them.
>         >>> >>
>         >>> >> If you're using commercial certs there shouldn't be an issue.
>         >>> >>
>         >>> >> Have you verified Clearpass extension is working?
>         >>> >>
>         >>> >> 7. Verify ClearPass install
>         >>> >> Authenticate normally by visiting https://{host}/cas/clearPass.  You
>         >>> >> should get this message back.
>         >>> >>
>         >>> >> <cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>         >>> >> <cas:clearPassFailure>invalid sevice specified</cas:clearPassFailure>
>         >>> >> </cas:clearPassResponse>
>         >>> >>
>         >>> >>
>         >>> >> Bill
>         >>> >>
>         >>> >>
>         >>> >>
>         >>> >> On Fri, Nov 12, 2010 at 9:04 AM, James Winter
>         <[email protected] <mailto:[email protected]>>
>         >>> >> wrote:
>         >>> >> > Sorry to be clueless, I was kind of thrown into the deep end here
>         >>> >> > with the CAS/OWA implementation. What do you mean by "cert is known to the cas
>         >>> >> > jvm and vice versa"?
>         >>> >> > I did get a valid SSL certificate for our test server with no
>         >>> >> > change. I still get the HttpContext.Current.User is null error.
>         >>> >> > Thanks for the help.
>         >>> >> >
>         >>> >> > James
>         >>> >> >
>         >>> >> >
>         >>> >> >
>         >>> >> > On Thu, Nov 11, 2010 at 9:40 PM, William G. Thompson, Jr.
>         >>> >> > <[email protected] <mailto:[email protected]>>
>         >>> >> > wrote:
>         >>> >> >>
>         >>> >> >> You need to make sure that the exchange server cert is known to the
>         >>> >> >> cas jvm and vice versa.
>         >>> >> >>
>         >>> >> >> Bill
>         >>> >> >>
>         >>> >> >>
>         >>> >> >> On Thu, Nov 11, 2010 at 9:30 PM, James Winter
>         <[email protected] <mailto:[email protected]>>
>         >>> >> >> wrote:
>         >>> >> >> > I'm a little farther, I'm now at the point where I get the
>         >>> >> >> > "HttpContext.Current.User is null" error but I read that may be
>         >>> >> >> > due to an incorrect SSL certificate which our Exchange server has. I set
>         >>> >> >> > the skip OWA cert parameter to false, but I don't know if that affects the CAS
>         >>> >> >> > side of things.
>         >>> >> >> > Is there something I need to do on the CAS side of the setup to
>         >>> >> >> > allow the process, or should a correct SSL cert do the trick?
>         >>> >> >> > I'll find out tomorrow.
>         >>> >> >> >
>         >>> >> >> > -James
>         >>> >> >> > On Nov 11, 2010, at 7:39 PM, "William G. Thompson,
>         Jr."
>         >>> >> >> > <[email protected] <mailto:[email protected]>>
>         >>> >> >> > wrote:
>         >>> >> >> >
>         >>> >> >> > Did you follow these instructions?
>         >>> >> >> > https://wiki.jasig.org/pages/viewpage.action?pageId=29133913
>         >>> >> >> >
>         >>> >> >> > Bill
>         >>> >> >> >
>         >>> >> >> >
>         >>> >> >> > On Thu, Nov 11, 2010 at 4:29 PM, James Winter
>         >>> >> >> > <[email protected] <mailto:[email protected]>>
>         >>> >> >> > wrote:
>         >>> >> >> >
>         >>> >> >> > Some background:
>         >>> >> >> >
>         >>> >> >> > I setup the CAS Client for OWA on a test Exchange 2003 server in IIS 6 and I
>         >>> >> >> > can successfully get to server.domain.local/coa/auth. I get redirected to
>         >>> >> >> > the CAS login, which then redirects me back to
>         >>> >> >> > server.domain.local/coa/auth?ticket=ST-XXX-xxxxetc which gives me a 404
>         >>> >> >> > error.
>         >>> >> >> >
>         >>> >> >> > Am I missing a configuration piece somewhere? Or does anyone know what the
>         >>> >> >> > CasOwa.OwaUrl should be for Exchange 2003? I've tried /exchange, /exchweb,
>         >>> >> >> > /exchweb/bin/auth, and a few others with no change.
>         >>> >> >> >
>         >>> >> >> > Thanks.
>         >>> >> >> >
>         >>> >> >> > -James
>         >>> >> >> >
>         >>> >> >> > --
>         >>> >> >> >
>         >>> >> >> > You are currently subscribed to
>         [email protected] <mailto:[email protected]> as:
>         >>> >> >> >
>         >>> >> >> > [email protected] <mailto:[email protected]>
>         >>> >> >> >
>         >>> >> >> > To unsubscribe, change settings or access
>         archives, see
>         >>> >> >> >
>         >>> >> >> > http://www.ja-sig.org/wiki/display/JSG/cas-user
>         >>> >> >> >
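An added example, not part of the original thread or of the CAS project: a Python script that pairs the "Granted service ticket" and "does not exist" entries of a CAS server log like the catalina log posted at the top of this message and reports how old each ticket was when validation failed. CAS service tickets are single-use and short-lived, so that gap is the first thing to check. The sample log is constructed in the format of the posted one; the ticket ids, the user name and the 10-second threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the format of the posted catalina log (ids are placeholders).
SAMPLE_LOG = """\
2010-11-15 13:53:52,326 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service
ticket [ST-1-aaaa-my-server] for service [https://my-server/uPortal/Login] for user [alice]>
2010-11-15 13:53:52,661 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service
ticket [ST-2-bbbb-my-server] for service [https://my-server/cas/clearPass] for user
[https://my-server/uPortal/CasProxyServlet]>
2010-11-15 13:54:46,307 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceTicket
[ST-2-bbbb-my-server] does not exist.>
2010-11-15 13:54:47,000 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceTicket
[ST-9-cccc-my-server] does not exist.>
"""

ENTRY_START = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) ", re.M)
GRANTED = re.compile(r"Granted service ticket \[(ST-[^\]]+)\] for service \[([^\]]+)\]")
MISSING = re.compile(r"ServiceTicket \[(ST-[^\]]+)\] does not exist")
MAX_AGE_SECONDS = 10  # assumed threshold: set to your server's service-ticket timeout


def entries(text):
    """Yield (timestamp, message), re-joining entries wrapped over several lines."""
    parts = ENTRY_START.split(text)  # ['', ts1, body1, ts2, body2, ...]
    for ts, body in zip(parts[1::2], parts[2::2]):
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S,%f"), " ".join(body.split())


def correlate(text, max_age=MAX_AGE_SECONDS):
    """Match each 'does not exist' failure to the grant of the same ticket id."""
    granted, findings = {}, []
    for ts, msg in entries(text):
        m = GRANTED.search(msg)
        if m:
            granted[m.group(1)] = (ts, m.group(2))
            continue
        m = MISSING.search(msg)
        if not m:
            continue
        ticket = m.group(1)
        if ticket in granted:
            issued, service = granted[ticket]
            age = (ts - issued).total_seconds()
            findings.append({"ticket": ticket, "service": service,
                             "age_seconds": age, "late": age > max_age})
        else:
            # No grant in this log: wrong server, rotated log, or a mangled ticket id.
            findings.append({"ticket": ticket, "service": None,
                             "age_seconds": None, "late": None})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f)
```

A finding with `late` set means the validation request arrived after the assumed timeout; a finding with no matching grant means the ticket was never issued in the log window being examined.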