I don't have access to the CAS logs, so I'm not really sure what's going on on the CAS side. I don't get the exception, I just get a "CAS is not available" message when I try to paste the clearPass URL into a browser. But, if I take the "clearPass" out of the URL and have it just use the index.jsp I get my password back after it changes the ticket.
I don't know what I'm missing.

James

On Mon, Nov 15, 2010 at 3:20 PM, Laura McCord <[email protected]> wrote:

> I think I'm getting the same error as you. I can't seem to verify my ticket correctly with clearPass through the URL....though I'm chalking it up to my lack of knowledge on the subject.
>
> These are the kind of errors I'm seeing. Also, my cas server and portal server are on the same server right now until I separate things out so therefore you'll see <my-server> in the designated areas.
>
> I'm getting the internal error also....Is this what you're seeing?
>
> *description* *The server encountered an internal error () that prevented it from fulfilling this request.*
>
> *exception*
>
> javax.servlet.ServletException: org.jasig.cas.client.validation.TicketValidationException: ticket 'ST-2-blahblahblahblah-my-server' not recognized
>
>     org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:189)
>     com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:46)
>
> *root cause*
>
> org.jasig.cas.client.validation.TicketValidationException: ticket 'ST-2-blahblahblahblah-my-server' not recognized
>
> My catalina log looks like this:
>
> 2010-11-15 13:53:52,307 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.ldap.FastBindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: mccordl]>
> 2010-11-15 13:53:52,326 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-1-yaddayaddayadda-my-server] for service [https://my-server/uPortal/Login] for user [mccordl]>
> 2010-11-15 13:53:52,476 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler successfully authenticated the user which provided the following credentials: [callbackUrl: https://my-server/uPortal/CasProxyServlet]>
> 2010-11-15 13:53:52,661 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-2-blahblahblahblah-my-server] for service [https://my-server/cas/clearPass] for user [https:/my-server/uPortal/CasProxyServlet]>
> 2010-11-15 13:53:52,724 INFO [org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl] - <No Proxy Ticket found for [].>
> 2010-11-15 13:54:46,307 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceTicket [ST-2-blahblahblahblah-my-server] does not exist.>
> 2010-11-15 13:54:46,328 WARN [org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter] - <org.jasig.cas.client.validation.TicketValidationException: ticket 'ST-2-blahblahblahblah -my-server' not recognized
>
> org.jasig.cas.client.validation.TicketValidationException: ticket 'ST-2-blahblahblahblah -my-server' not recognized
>
>     at org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:73)
>     at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:197)
>     at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:164)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:46)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
>     at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
>     at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
>     at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:774)
>     at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703)
>     at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:896)
>     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
>     at java.lang.Thread.run(Thread.java:619)
> 2010-11-15 13:54:46,345 WARN [org.springframework.context.support.ResourceBundleMessageSource] - <ResourceBundle [theme] not found for MessageSource: Can't find bundle for base name theme, locale en_US>
>
> On 11/15/10 7:38 AM, James Winter wrote:
>
> Some more detail on this problem:
>
> If I go to my site, I can successfully log in to CAS, but then I get the error message: Error getting response from clearPass at URL: https://cas.domain.local/cas/clearPass?ticket=ST-999-xxxxxxxxx-cas&service=https://cas.domain.local/cas/clearPass. The remote server returned an error: (500) Internal Server Error.
>
> If I take that URL and paste it into a new browser, and if I change the first clearPass to anything else, like clearPass/ or clearpass, I'll get my password returned back to me. I also notice that the ticket changes. If the original is ST-687, for example, the one in the URL when my password is displayed is ST-688.
> Should clearPass be giving a new ticket? Or is the ticket that it's attempting to pass to clearPass a bad ticket?
>
> I can't get access to the CAS server logs, so I'm in a little bit of a bind here.
>
> Thanks for any help.
>
> James
>
> On Fri, Nov 12, 2010 at 3:40 PM, James Winter <[email protected]> wrote:
>
>> Ok, more progress. The SSL certificate problem is no more, but now I get the following:
>>
>> Error getting response from clearPass at URL: https://cas.domain.local/cas/clearPass?ticket=ST-999-xxxxxxxxx-cas&service=https://cas.domain.local/cas/clearPass. The remote server returned an error: (500) Internal Server Error.
>>
>> Is this a configuration problem in clearPass? Or CAS? If I change the first clearPass in the URL to clearpass, I get my password returned to me. But if I change the web.config to use clearpass instead of clearPass, I get the same 500 error as above.
>>
>> Any ideas?
>>
>> James
>>
>> On Fri, Nov 12, 2010 at 10:45 AM, William G. Thompson, Jr. <[email protected]> wrote:
>>
>>> Likely...if the certs aren't trusted CasOwa won't be able to get PGT and a subsequent PT/ST for clearPass.
>>>
>>> Bill
>>>
>>> On Fri, Nov 12, 2010 at 10:33 AM, James Winter <[email protected]> wrote:
>>> > What does it mean that the ticket parameter is blank in that error message?
>>> > I understand that var proxyTicket = user.GetProxyTicketFor(ClearPassUri); is returning nothing, but is that also caused by the SSL cert?
>>> >
>>> > James
>>> >
>>> > On Fri, Nov 12, 2010 at 10:13 AM, James Winter <[email protected]> wrote:
>>> >>
>>> >> Progress!
>>> >>
>>> >> I now get this response:
>>> >> Received response from https://mycampus.arcadia.edu/cas/clearPass?ticket=&service=https://mycampus.arcadia.edu/cas/clearPass, but cas:credientials IsNullOrEmpty. Check CAS server logs for errors. Make sure SSL certs are trusted.
>>> >> We don't have direct access to our CAS server, so we'll have to contact our host to add the certificate to their end. I got the cert from a free site, but I'm guessing that's the problem.
>>> >> James
>>> >>
>>> >> On Fri, Nov 12, 2010 at 9:34 AM, William G. Thompson, Jr. <[email protected]> wrote:
>>> >>>
>>> >>> On Fri, Nov 12, 2010 at 9:30 AM, James Winter <[email protected]> wrote:
>>> >>> > We have some additional problems (the test server is unable to access the CAS server at all) so I'm going to have to wait until that's resolved.
>>> >>>
>>> >>> That would help. :)
>>> >>>
>>> >>> > Both servers are using commercial certs, and I'm pretty sure Clearpass is working. When I go to /cas/clearPass I don't get a login prompt, I just get the "No authentication information provided." response.
>>> >>>
>>> >>> Log in first, and then try the clearPass URL; you should get the following:
>>> >>> <cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>>> >>> <cas:clearPassFailure>invalid sevice specified</cas:clearPassFailure>
>>> >>> </cas:clearPassResponse>
>>> >>>
>>> >>> Bill
>>> >>>
>>> >>> > James
>>> >>> >
>>> >>> > On Fri, Nov 12, 2010 at 9:13 AM, William G. Thompson, Jr. <[email protected]> wrote:
>>> >>> >>
>>> >>> >> If you're using self-signed certs, both IIS and the CAS JVM must be configured to trust them.
>>> >>> >>
>>> >>> >> If you're using commercial certs there shouldn't be an issue.
>>> >>> >>
>>> >>> >> Have you verified Clearpass extension is working?
>>> >>> >>
>>> >>> >> 7. Verify ClearPass install
>>> >>> >> Authenticate normally by visiting https://{host}/cas/clearPass. You should get this message back.
>>> >>> >>
>>> >>> >> <cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>>> >>> >> <cas:clearPassFailure>invalid sevice specified</cas:clearPassFailure>
>>> >>> >> </cas:clearPassResponse>
>>> >>> >>
>>> >>> >> Bill
>>> >>> >>
>>> >>> >> On Fri, Nov 12, 2010 at 9:04 AM, James Winter <[email protected]> wrote:
>>> >>> >> > Sorry to be clueless, I was kind of thrown into the deep end here with the CAS/OWA implementation. What do you mean by "cert is known to the cas jvm and vice versa"?
>>> >>> >> > I did get a valid SSL certificate for our test server with no change. I still get the HttpContext.Current.User is null error.
>>> >>> >> > Thanks for the help.
>>> >>> >> >
>>> >>> >> > James
>>> >>> >> >
>>> >>> >> > On Thu, Nov 11, 2010 at 9:40 PM, William G. Thompson, Jr. <[email protected]> wrote:
>>> >>> >> >>
>>> >>> >> >> You need to make sure that the exchange server cert is known to the cas jvm and vice versa.
>>> >>> >> >>
>>> >>> >> >> Bill
>>> >>> >> >>
>>> >>> >> >> On Thu, Nov 11, 2010 at 9:30 PM, James Winter <[email protected]> wrote:
>>> >>> >> >> > I'm a little farther, I'm now at the point where I get the "HttpContext.Current.User is null" error but I read that it may be due to an incorrect SSL certificate which our Exchange server has. I set the skip OWA cert parameter to false, but I don't know if that affects the CAS side of things.
>>> >>> >> >> > Is there something I need to do on the CAS side of the setup to allow the process, or should a correct SSL cert do the trick?
>>> >>> >> >> > I'll find out tomorrow.
>>> >>> >> >> >
>>> >>> >> >> > -James
>>> >>> >> >> > On Nov 11, 2010, at 7:39 PM, "William G. Thompson, Jr." <[email protected]> wrote:
>>> >>> >> >> >
>>> >>> >> >> > Did you follow these instructions?
>>> >>> >> >> > https://wiki.jasig.org/pages/viewpage.action?pageId=29133913
>>> >>> >> >> >
>>> >>> >> >> > Bill
>>> >>> >> >> >
>>> >>> >> >> > On Thu, Nov 11, 2010 at 4:29 PM, James Winter <[email protected]> wrote:
>>> >>> >> >> >
>>> >>> >> >> > Some background:
>>> >>> >> >> >
>>> >>> >> >> > I set up the CAS Client for OWA on a test Exchange 2003 server in IIS 6 and I can successfully get to server.domain.local/coa/auth. I get redirected to the CAS login, which then redirects me back to server.domain.local/coa/auth?ticket=ST-XXX-xxxxetc which gives me a 404 error.
>>> >>> >> >> >
>>> >>> >> >> > Am I missing a configuration piece somewhere? Or does anyone know what the CasOwa.OwaUrl should be for Exchange 2003? I've tried /exchange, /exchweb, /exchweb/bin/auth, and a few others with no change.
>>> >>> >> >> >
>>> >>> >> >> > Thanks.
>>> >>> >> >> >
>>> >>> >> >> > -James
>>> >>> >> >> >
>>> >>> >> >> > --
>>> >>> >> >> > You are currently subscribed to [email protected] as: [email protected]
>>> >>> >> >> > To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
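
The catalina log quoted in this thread shows ST-2 granted for the clearPass service at 13:53:52 and reported as nonexistent at 13:54:46. A CAS service ticket is valid for a single validation attempt and a short lifetime, so the interval between those two events is the first thing to check. As an added example (not code from the thread or from the CAS project), this Python script pairs each "does not exist" line with the grant of the same ticket; the sample lines are constructed in the quoted log format with placeholder ticket ids and host names.

```python
import re
from datetime import datetime

# Constructed sample in the log format quoted in the thread; ticket ids and
# host names are placeholders, not values from a real server.
SAMPLE_LOG = """\
2010-11-15 13:53:52,326 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-1-aaaa-my-server] for service [https://my-server/uPortal/Login] for user [mccordl]>
2010-11-15 13:53:52,661 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-2-bbbb-my-server] for service [https://my-server/cas/clearPass] for user [https://my-server/uPortal/CasProxyServlet]>
2010-11-15 13:54:46,307 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceTicket [ST-2-bbbb-my-server] does not exist.>
2010-11-15 13:54:47,010 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceTicket [ST-9-cccc-my-server] does not exist.>
"""

STAMP = r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s"
GRANTED = re.compile(STAMP + r".*<Granted service ticket \[(ST-[^\]]+)\] "
                     r"for service \[\s*([^\]]+?)\s*\] for user \[\s*([^\]]+?)\s*\]>")
MISSING = re.compile(STAMP + r".*<ServiceTicket \[(ST-[^\]]+)\] does not exist\.>")


def _when(stamp):
    # log4j-style timestamp: comma before the milliseconds
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S,%f")


def correlate(log_text):
    """Pair every 'does not exist' event with the grant of the same ticket."""
    grants, findings = {}, []
    for line in log_text.splitlines():
        m = GRANTED.match(line)
        if m:
            stamp, ticket, service, user = m.groups()
            grants[ticket] = (_when(stamp), service, user)
            continue
        m = MISSING.match(line)
        if m:
            stamp, ticket = m.groups()
            issued = grants.get(ticket)
            findings.append({
                "ticket": ticket,
                "service": issued[1] if issued else None,
                "user": issued[2] if issued else None,
                # None means the ticket was never granted in this log at all.
                "seconds_after_grant":
                    (_when(stamp) - issued[0]).total_seconds() if issued else None,
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

A gap of many seconds between grant and failed validation points at a ticket that was already consumed or had expired when it was presented again; a finding with no grant at all points at a ticket issued by a different server or before the log window.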
