Ronen,

Do you know if the session is replicating quickly enough? (I don't actually know the best way to test this :-))

Cheers,
Scott

On Tue, Jun 12, 2012 at 8:18 AM, Ronen Itkin <[email protected]> wrote:

> Scott - Actually I enabled a 'sticky session' option on the load balancer
> - so as long as the session was not terminated by the cas server itself,
> it should be always redirected to the same as.
>
> By the way, when the load balancer has only one cas server in service it
> works great!
> When I add another cas server to the load balancer, those issues arise.
> So it has to be something with the lb redirection - but what? :/
>
> Leszek - Thanks! I don't want to give up on load sharing (yet :)).
>
> On Tue, Jun 12, 2012 at 2:51 PM, Scott Battaglia <
> [email protected]> wrote:
>
>> Spring Web Flow doesn't allow you to round robin your CAS requests unless
>> you're using Tomcat session replication. Spring Web Flow holds its
>> internal state in session (though you could write something that replaces
>> that).
>>
>> Cheers,
>> Scott
>>
>>
>> On Tue, Jun 12, 2012 at 6:30 AM, Ronen Itkin <[email protected]> wrote:
>>
>>> Hi All,
>>>
>>> I have implemented two cas 3.4.12 servers with jdbc support and JPA
>>> ticket registration.
>>> It worked great until I added a load balancer that redirects traffic to
>>> one of the available cas servers (based on port availability - round robin
>>> session redirection).
>>> Actually it is Amazon's web services load balancer, AKA Elastic Load
>>> Balancer.
>>> It listens to port 8443 and forwards it to the same port (8443) towards
>>> one of the available cas servers.
>>> Cas login page appears and when I am trying to log in it just reloads
>>> the cas login screen again - without mentioning any problems, it repeats
>>> itself for a few login tries and after a few attempts I get the following
>>> notification from my browser:
>>>
>>> ---
>>> Authorization Required
>>>
>>> This server could not verify that you are authorized to access the
>>> document requested. Either you supplied the wrong credentials (e.g., bad
>>> password), or your browser doesn't understand how to supply the credentials
>>> required.
>>> ------------------------------
>>> Apache/2.2.16 (Ubuntu) Server at x.x.x.x..x.x.compute-1.amazonaws.com Port 80
>>>
>>> ---
>>>
>>>
>>> *Cas.log shows:*
>>>
>>>
>>> 2012-06-12 10:11:22,848 INFO
>>> [org.jasig.cas.CentralAuthenticationServiceImpl] - ServiceTicket [
>>> ST-1-SCiu0IAOcYwAcMd3ElRi-ec2-xx-xx-xxx-xxx.compute-1.amazonaws.com]
>>> has expired.
>>> 2012-06-12 10:11:22,851 INFO
>>> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit
>>> trail record BEGIN
>>> =============================================================
>>> *WHO: audit:unknown*
>>> WHAT:
>>> ST-1-SCiu0IAOcYwAcMd3ElRi-ec2-xx-xx-xxx-xxx.compute-1.amazonaws.com
>>> ACTION: SERVICE_TICKET_VALIDATE_FAILED
>>> APPLICATION: CAS
>>> WHEN: Tue Jun 12 10:11:22 UTC 2012
>>> CLIENT IP ADDRESS: 10.210.218.98
>>> SERVER IP ADDRESS: 10.211.173.168
>>> =============================================================
>>>
>>> So I guess it acts that way because it can't recognize the user that is
>>> attempting to log in, because normally it should write:
>>>
>>> WHO: [username: ronen]
>>>
>>> Does someone have an idea of why it can happen while accessing Cas through
>>> a load balancer?
>>> If I am accessing both cas servers directly and try to simply
>>> authenticate it works great!! Only when accessing cas through the load
>>> balancer it happens occasionally.
>>> (It does work sometimes - means that the ssl certificate of Cas's tomcat
>>> machine was successfully imported to the load balancer and basic
>>> configurations are fine)
>>>
>>>
>>> Thanks!!
>>>
>>> --
>>> *Ronen Itkin*
>>> Taykey | www.taykey.com
>>>
>>
>
> --
> *Ronen Itkin*
> Taykey | www.taykey.com

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
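Added example, not part of the thread and not CAS or Inspektr code: when testing with both nodes behind the load balancer, the audit blocks quoted above can be parsed from each node's cas.log and the SERVICE_TICKET_VALIDATE_FAILED records counted per SERVER IP ADDRESS. The function names and the sample records (tickets, user, addresses) are constructed for illustration.

```python
import re
from collections import Counter

FIELD = re.compile(r"^([A-Z][A-Z ]+):\s*(.*)$")

def parse_audit_records(text):
    """Return one dict per Inspektr audit block in cas.log text."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        # Tolerate mail-quoted pastes: drop '>' quoting and '*' emphasis.
        line = re.sub(r"^[>\s]+", "", raw).strip().strip("*").strip()
        if line.endswith("record BEGIN"):
            current, pending = {}, None
        elif current is None or not line:
            continue
        elif set(line) == {"="}:
            if current:  # the second rule of '=' closes the block
                records.append(current)
                current = None
        elif (m := FIELD.match(line)):
            current[m.group(1)] = m.group(2)
            pending = None if m.group(2) else m.group(1)
        elif pending:  # field value wrapped onto the next line
            current[pending], pending = line, None
    return records

def failed_validations_by_server(records):
    """Count SERVICE_TICKET_VALIDATE_FAILED records per CAS node."""
    failed = [r for r in records if r.get("ACTION") == "SERVICE_TICKET_VALIDATE_FAILED"]
    return Counter(r.get("SERVER IP ADDRESS", "unknown") for r in failed)

# Constructed sample: one plain record, one mail-quoted with a wrapped WHAT.
SAMPLE = """\
2012-06-12 10:11:20,101 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: [username: alice]
WHAT: ST-1-constructedticket-cas-a
ACTION: SERVICE_TICKET_CREATED
SERVER IP ADDRESS: 192.0.2.10
=============================================================
>>> [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit
>>> trail record BEGIN
>>> =============================================================
>>> *WHO: audit:unknown*
>>> WHAT:
>>> ST-1-constructedticket-cas-b
>>> ACTION: SERVICE_TICKET_VALIDATE_FAILED
>>> SERVER IP ADDRESS: 192.0.2.11
>>> =============================================================
"""
```

Calling `failed_validations_by_server(parse_audit_records(open("cas.log").read()))` on each node gives the per-node failure count for comparison.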
