Hi all,

this is my first CAS setup (that said, you are prepared for the
worst...)

When I try a walk-through manually, I see authentication is working and
I receive a ticket, but it expires immediately. I cannot figure out
where the problem might be and am hoping for some useful hints and
directions.

Setup:

OS....: Win2K8
Tomcat: 7.0.14
CAS...: 3.4.7


Step 1: invoke login URL
------------------------

http://The-tomcat-server-IP:8080/cas/login?service=http://The-tomcat-server-IP:8080/

service points to Tomcat's start page, so I can see the CAS ticket.


Step 2: result: CAS Ticket
--------------------------

http://The-tomcat-server-IP:8080/?ticket=ST-3-0AiC9n2tI79xCgmB2nda-cas


Step 3: validation of service
-----------------------------

http://The-tomcat-server-IP:8080/cas/serviceValidate?service=http://The-tomcat-server-IP:8080/&ticket=ST-3-0AiC9n2tI79xCgmB2nda-cas


Step 4: result: INVALID_TICKET
------------------------------

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
        <cas:authenticationFailure code='INVALID_TICKET'>
                Ticket &#039;ST-3-0AiC9n2tI79xCgmB2nda-cas&#039; was not recognized
        </cas:authenticationFailure>
</cas:serviceResponse>


Inspecting the cas.log shows:
-----------------------------

ServiceTicket [ST-3-0AiC9n2tI79xCgmB2nda-cas] has expired.


This is 4 seconds after successful "ACTION: SERVICE_TICKET_CREATED".

Why is that service ticket expiring so fast? What am I doing wrong?




Log & deployerConfigContext.xml see below.

Best regards,
Dirk


LOG & DEPLOYER...XML
====================

The complete log is:



2011-06-03 11:11:50,287 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: some_username]
2011-06-03 11:11:50,716 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - Resolved principal some_username
2011-06-03 11:11:50,716 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - Principal found: some_username
2011-06-03 11:11:50,716 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: [username: some_username]
WHAT: supplied credentials: [username: some_username]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Fri Jun 03 11:11:50 CEST 2011
CLIENT IP ADDRESS: The-tomcat-server-IP
SERVER IP ADDRESS: The-tomcat-server-IP
=============================================================

2011-06-03 11:11:50,717 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: [username: some_username]
WHAT: TGT-3-JfACacnRWuRhAyvxKaqLPRtUYpbRfybjNMj5fSaXzZ0bTWCFjZ-cas
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Jun 03 11:11:50 CEST 2011
CLIENT IP ADDRESS: The-tomcat-server-IP
SERVER IP ADDRESS: The-tomcat-server-IP
=============================================================

2011-06-03 11:11:50,718 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-3-0AiC9n2tI79xCgmB2nda-cas] for service [http://The-tomcat-server-IP:8080/] for user [some_username]
2011-06-03 11:11:50,718 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: some_username
WHAT: ST-3-0AiC9n2tI79xCgmB2nda-cas for http://The-tomcat-server-IP:8080/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Jun 03 11:11:50 CEST 2011
CLIENT IP ADDRESS: The-tomcat-server-IP
SERVER IP ADDRESS: The-tomcat-server-IP
=============================================================

2011-06-03 11:11:54,518 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading registered services.
2011-06-03 11:11:54,518 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Loaded 4 services.
2011-06-03 11:13:09,967 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - ServiceTicket [ST-3-0AiC9n2tI79xCgmB2nda-cas] has expired.



deployerConfigContext.xml:
--------------------------

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <bean id="authenticationManager"
          class="org.jasig.cas.authentication.AuthenticationManagerImpl">

        <property name="credentialsToPrincipalResolvers">
            <list>
                <bean class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
                    <property name="credentialsToPrincipalResolver">
                        <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver"/>
                    </property>
                    <property name="filter" value="(sAMAccountName=%u)"/>
                    <property name="principalAttributeName" value="sAMAccountName"/>
                    <property name="searchBase" value="OU=DESY_GROUPS,DC=win,DC=desy,DC=de"/>
                    <property name="contextSource" ref="contextSource"/>
                    <property name="attributeRepository">
                        <ref bean="attributeRepository"/>
                    </property>
                </bean>
            </list>
        </property>

        <property name="authenticationHandlers">
            <list>
                <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
                      p:httpClient-ref="httpClient" />

                <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
                    <property name="filter" value="sAMAccountName=%u" />
                    <property name="searchBase" value="OU=DESY_GROUPS,DC=win,DC=desy,DC=de" />
                    <property name="contextSource" ref="contextSource" />
                    <property name="ignorePartialResultException" value="yes" /> <!-- fix because of how AD returns results -->
                </bean>
            </list>
        </property>
    </bean>

    <bean id="attributeRepository"
          class="org.jasig.services.persondir.support.ldap.LdapPersonAttributeDao">
        <property name="ignorePartialResultException" value="yes"/>
        <property name="contextSource" ref="contextSource" />
        <property name="baseDN" value=".........,DC=desy,DC=de" />
        <property name="requireAllQueryAttributes" value="true" />

        <!-- a <property> takes exactly one <map>; both query attributes belong in the same map -->
        <property name="queryAttributeMapping">
            <map>
                <entry key="username" value="sAMAccountName" />
                <entry key="mail" value="EmailAddress" />
            </map>
        </property>

        <property name="resultAttributeMapping">
            <map>
                <entry key="cn" value="cn"/>
                <entry key="Mail" value="mail" />
                <entry key="description" value="description" />
                <entry key="memberOf" value="memberOf" />
                <entry key="displayName" value="displayName" />
                <entry key="givenName" value="givenName" />
                <entry key="employeeID" value="employeeID" />
                <entry key="sn" value="sn" />
            </map>
        </property>
    </bean>

    <bean id="contextSource"
          class="org.springframework.ldap.core.support.LdapContextSource">
        <property name="urls">
            <list>
                <value>ldaps://domaincontroller-hostname.desy.de:port/</value>
            </list>
        </property>
        <property name="userDn" value="CN=xxxxxxxx,.......,DC=desy,DC=de"/>
        <property name="password" value="xxxxxxxxxxxxxx"/>
        <property name="baseEnvironmentProperties">
            <map>
                <entry>
                    <key>
                        <value>java.naming.security.authentication</value>
                    </key>
                    <value>simple</value>
                </entry>
            </map>
        </property>
    </bean>

    <sec:user-service id="userDetailsService">
        <sec:user name="xxxxxxxxxx" password="xxxxxxxxxxxxxxx" authorities="ROLE_ADMIN" />
    </sec:user-service>

    <bean id="serviceRegistryDao"
          class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
        <property name="registeredServices">
            <list>
                <bean class="org.jasig.cas.services.RegisteredServiceImpl">
                    <property name="id" value="0" />
                    <property name="name" value="HTTP" />
                    <property name="description" value="Only Allows HTTP Urls" />
                    <property name="serviceId" value="http://**" />
                    <property name="ignoreAttributes" value="true" />
                </bean>

                <bean class="org.jasig.cas.services.RegisteredServiceImpl">
                    <property name="id" value="1" />
                    <property name="name" value="HTTPS" />
                    <property name="description" value="Only Allows HTTPS Urls" />
                    <property name="serviceId" value="https://**" />
                    <property name="ignoreAttributes" value="true" />
                </bean>

                <bean class="org.jasig.cas.services.RegisteredServiceImpl">
                    <property name="id" value="2" />
                    <property name="name" value="IMAPS" />
                    <property name="description" value="Only Allows IMAPS Urls" />
                    <property name="serviceId" value="imaps://**" />
                </bean>

                <bean class="org.jasig.cas.services.RegisteredServiceImpl">
                    <property name="id" value="3" />
                    <property name="name" value="IMAP" />
                    <property name="description" value="Only Allows IMAP Urls" />
                    <property name="serviceId" value="imap://**" />
                </bean>
            </list>
        </property>
    </bean>

    <bean id="auditTrailManager"
          class="com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager" />

    <bean id="grantingTicketExpirationPolicy"
          class="org.jasig.cas.ticket.support.NeverExpiresExpirationPolicy" />

</beans>

--
Dirk Jahnke-Zumbusch              Deutsches Elektronen-Synchrotron DESY
IT Information Fabrics              Member of the Helmholtz Association
D-22603 Hamburg                        Notkestrasse 85  / 22607 Hamburg
                                           [email protected]
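The walkthrough above (login, ST, serviceValidate, INVALID_TICKET), as an added example that is not code from the post or from the CAS project: a Python audit that joins the two pieces of evidence a practitioner checks first when a service ticket comes back INVALID_TICKET, namely the ticket's age at validation as read from cas.log, and the serviceTicketExpirationPolicy bean that governs it. The log lines are the post's own entries re-joined onto single lines. The policy fragment is an assumption written in the shape of CAS 3.4's WEB-INF/spring-configuration/ticketExpirationPolicies.xml, with what I take to be the stock ST defaults (one use or 10 000 ms) and the NeverExpiresExpirationPolicy the post's deployerConfigContext.xml uses for the TGT; the serviceValidate body is the post's response with the message translated. Note that in the post's log the "has expired" line carries a timestamp 79 s after the grant.

```python
"""Relate a CAS 3.x ServiceTicket's observed lifetime in cas.log to the
configured ticket expiration policy, and flag a never-expiring TGT policy.

Added example; not code from the post or from the CAS project.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample: the three relevant cas.log entries from the post,
# each joined onto a single line as log4j writes them.
SAMPLE_LOG = """\
2011-06-03 11:11:50,718 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-3-0AiC9n2tI79xCgmB2nda-cas] for service [http://The-tomcat-server-IP:8080/] for user [some_username]
2011-06-03 11:11:54,518 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading registered services.
2011-06-03 11:13:09,967 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - ServiceTicket [ST-3-0AiC9n2tI79xCgmB2nda-cas] has expired.
"""

# Constructed fragment in the shape of CAS 3.4's ticketExpirationPolicies.xml.
# ASSUMPTION: the ST bean carries the stock 3.4 defaults (1 use or 10 000 ms);
# the TGT bean copies NeverExpiresExpirationPolicy from the post's config.
SAMPLE_POLICIES = """\
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="serviceTicketExpirationPolicy"
        class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy">
    <constructor-arg index="0" value="1" />
    <constructor-arg index="1" value="10000" />
  </bean>
  <bean id="grantingTicketExpirationPolicy"
        class="org.jasig.cas.ticket.support.NeverExpiresExpirationPolicy" />
</beans>
"""

# Constructed from the post's serviceValidate output (message translated).
SAMPLE_RESPONSE = """\
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket &#039;ST-3-0AiC9n2tI79xCgmB2nda-cas&#039; was not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>
"""

BEANS_NS = {"b": "http://www.springframework.org/schema/beans"}
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

GRANTED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) INFO \[org\.jasig\.cas\.CentralAuthenticationServiceImpl\] - "
    r"Granted service ticket \[(?P<ticket>ST-[^\]]+)\]")
EXPIRED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) INFO \[org\.jasig\.cas\.CentralAuthenticationServiceImpl\] - "
    r"ServiceTicket \[(?P<ticket>ST-[^\]]+)\] has expired\.")


def parse_ts(stamp):
    """log4j default date layout, e.g. 2011-06-03 11:11:50,718."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S,%f")


def ticket_ages(log_text):
    """Seconds from 'Granted service ticket' to 'has expired', keyed by ST id."""
    granted, ages = {}, {}
    for line in log_text.splitlines():
        m = GRANTED_RE.match(line)
        if m:
            granted[m["ticket"]] = parse_ts(m["ts"])
            continue
        m = EXPIRED_RE.match(line)
        if m and m["ticket"] in granted:
            ages[m["ticket"]] = (parse_ts(m["ts"]) - granted[m["ticket"]]).total_seconds()
    return ages


def load_policies(xml_text):
    """Class name and ordered constructor args of the two expiration-policy beans."""
    policies = {}
    for bean in ET.fromstring(xml_text).findall("b:bean", BEANS_NS):
        bean_id = bean.get("id")
        if bean_id in ("serviceTicketExpirationPolicy", "grantingTicketExpirationPolicy"):
            args = sorted(bean.findall("b:constructor-arg", BEANS_NS),
                          key=lambda a: int(a.get("index", 0)))
            policies[bean_id] = {"class": bean.get("class").rsplit(".", 1)[-1],
                                 "args": [a.get("value") for a in args]}
    return policies


def parse_validate_response(xml_text):
    """CAS 2.0 /serviceValidate outcome: ('success', user) or ('failure', code)."""
    root = ET.fromstring(xml_text)
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is not None:
        return ("success", user.text.strip())
    failure = root.find("cas:authenticationFailure", CAS_NS)
    return ("failure", failure.get("code") if failure is not None else "UNKNOWN")


def audit(log_text, policies_xml):
    """Was each observed ST expiry expected under the ST policy? Is the TGT policy sound?"""
    findings, pol = [], load_policies(policies_xml)
    st = pol.get("serviceTicketExpirationPolicy")
    if st and st["class"] == "MultiTimeUseOrTimeoutExpirationPolicy":
        uses, ttl_ms = int(st["args"][0]), int(st["args"][1])
        for ticket, age in ticket_ages(log_text).items():
            verdict = "expected" if age * 1000 > ttl_ms else "NOT expected"
            findings.append(f"{ticket}: validated {age:.3f}s after grant; policy allows "
                            f"{uses} use(s) within {ttl_ms / 1000:g}s -> expiry {verdict}")
    tgt = pol.get("grantingTicketExpirationPolicy")
    if tgt and tgt["class"] == "NeverExpiresExpirationPolicy":
        findings.append("grantingTicketExpirationPolicy is NeverExpiresExpirationPolicy: the TGT "
                        "(CASTGC cookie) never times out, so a stolen one stays usable; prefer "
                        "TimeoutExpirationPolicy (stock 3.4 default: 7200000 ms)")
    return findings


if __name__ == "__main__":
    print(parse_validate_response(SAMPLE_RESPONSE))
    for finding in audit(SAMPLE_LOG, SAMPLE_POLICIES):
        print(finding)
```

Run as a script it prints the parsed failure code and the findings; to repeat the check on another deployment, feed `ticket_ages` the real cas.log and `load_policies` the deployment's own ticketExpirationPolicies.xml. The age is measured to the "has expired" line, which CentralAuthenticationServiceImpl writes at validation time, so a manual walkthrough that takes longer than the configured timeToKill will always show this verdict.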


