:-)
Thanks! I went back through and realized that my handlers.xml file got
clobbered by a rebuild. I fixed that and I got to the CAS login page as
expected. When I authenticated, though, I got a PKIX exception. I don't see the
exception when I log in through CAS without Shibboleth. It seems odd to me that
the certificate can be found using just CAS, but not when going from Shibboleth
IdP -> CAS. Is there some black magic I missed?
Thanks,
Eric

Mar 12, 2013 1:42:11 PM org.jasig.cas.client.util.CommonUtils getResponseFromServer
SEVERE: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
    at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:311)
    at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:291)
    at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:32)
    at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:187)
    at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:164)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:102)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:448)
    at org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpAprProtocol.java:403)
    at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1703)
    at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    ... 32 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)
    ... 38 more

-----Original Message-----
From: Misagh Moayyed [mailto:[email protected]]
Sent: Tuesday, March 12, 2013 2:05 PM
To: [email protected]
Subject: RE: [cas-user] Shibboleth in front of CAS
Sorry, I meant turn up the logging level to DEBUG :)
-Misagh
> -----Original Message-----
> From: Misagh Moayyed [mailto:[email protected]]
> Sent: Tuesday, March 12, 2013 11:03 AM
> To: [email protected]
> Subject: RE: [cas-user] Shibboleth in front of CAS
>
> How many login handlers do you have enabled for shib? If you turn up the IDP
> logging to SHIB, you can tell which handler is taking over the login request.
> Chances are, it's not the CAS external handler because you have more than one
> enabled in your shib config and SP isn't requesting an authN method
> explicitly.
>
> -Misagh
>
>
>
> > -----Original Message-----
> > From: Stein, Eric [mailto:[email protected]]
> > Sent: Tuesday, March 12, 2013 9:43 AM
> > To: [email protected]
> > Subject: [cas-user] Shibboleth in front of CAS
> >
> > I'm trying to run Shibboleth using CAS as the authentication provider.
> > I followed these directions for setting things up:
> > https://github.com/Unicon/shib-cas-authenticator#readme
> > I tried running a test of Shibboleth against TestShib.org and I'm getting a
> > FatalProfileException message. Here's an abbreviated
> >
> > idp-process.log
> > 07:27:11.749 - ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:618] - No user identified by login handler.
> > 07:27:11.764 - ERROR [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:563] - Authentication failed with the error:
> > edu.internet2.middleware.shibboleth.idp.authn.AuthenticationException: No user identified by login handler.
> >     at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.validateSuccessfulAuthentication(AuthenticationEngine.java:619) [shibboleth-identityprovider-2.3.8.jar:na]
> >     at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.completeAuthentication(AuthenticationEngine.java:537) [shibboleth-identityprovider-2.3.8.jar:na]
> >     at edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine.service(AuthenticationEngine.java:225) [shibboleth-identityprovider-2.3.8.jar:na]
> > [...]
> >
> >
> > Does anybody know what might be causing this? I can provide any configuration
> > files, but I didn't want to spam with everything and I don't know
> > what's important.
> >
> > Thanks,
> > Eric
> >
> > --
> > You are currently subscribed to [email protected] as:
> > [email protected] To unsubscribe, change settings or access archives, see
> > http://www.ja-sig.org/wiki/display/JSG/cas-user
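
Added example, not part of the thread: a small Python triage of the PKIX trace in the top message, which rejoins the mail-wrapped frames and reports the root cause together with the first non-JDK frame, that is, the code that opened the HTTPS connection. The function names are illustrative, and the sample is an excerpt of the posted trace with most frames left out.

```python
import re

# Excerpt of the mail-wrapped trace from the top message (most frames omitted).
WRAPPED_TRACE = """\
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown
Source)
at
org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:311)
at
org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:187)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
at java.security.cert.CertPathBuilder.build(Unknown Source)
"""

JDK_PREFIXES = ("java.", "javax.", "sun.", "com.sun.")  # runtime-internal packages
FRAME = re.compile(r"at ([\w.$]+)\.([\w$<>]+)\(([^)]*)\)")

def unwrap(trace):
    """Rejoin frames and messages that the mail client split across lines."""
    text = " ".join(trace.split())
    # Start a new line before each frame ("at pkg.Class.method(") and "Caused by:".
    return re.sub(r" (?=at [\w.$]+\(|Caused by: )", "\n", text).splitlines()

def triage(trace):
    """Return (root cause, first application frame below the TLS internals)."""
    lines = unwrap(trace)
    causes = [l for l in lines if not l.startswith("at ")]
    root = causes[-1].split("Caused by: ", 1)[-1]  # innermost exception
    caller = None
    for line in lines:
        m = FRAME.match(line)
        if m and not m.group(1).startswith(JDK_PREFIXES):
            caller = f"{m.group(1)}.{m.group(2)}"
            break
    return root, caller

if __name__ == "__main__":
    root, caller = triage(WRAPPED_TRACE)
    print("root cause :", root)
    print("TLS client :", caller)
```

The caller it reports is the CAS client's ticket-validation request running inside Tomcat, so the certificate check that fails is the one made by that JVM's trust manager.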