Hello, We're developing a servlet that uses ClearPass via proxy validation. I have been able to implement ClearPass on the server and install the Java CAS client (3.2) on the application server. I followed both guides for ClearPass and the client to the letter (at least as far as I know) and proxy validation appears to be working.
When the application server requests the proxy ticket for ClearPass (at https://cas.institution.edu/cas/clearpass) it grants the ST (PT) successfully. However, validation fails with "service does not exist is not enabled". Here's the resulting trace:

> 2013-07-11 16:06:17,315 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted proxy ticket [ST-2-VkieGGdEitd0UCdGwg2E-cas.institution.edu] for service [https://cas.institution.edu/cas/clearPass] for user [walter_sobchak]>
> 2013-07-11 16:06:17,320 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: https://appserver.institution.edu:8443/webapp/proxyCallback
> WHAT: ST-2-VkieGGdEitd0UCdGwg2E-cas.institution.edu for https://cas.institution.edu/cas/clearPass
> ACTION: SERVICE_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Thu Jul 11 16:06:17 EDT 2013
> CLIENT IP ADDRESS:
> SERVER IP ADDRESS:
> =============================================================

*As a side note, I assume that the proxy tickets being prefixed with "ST" (and PGTs with "TGT") is an expected behavior due to recent changes to CAS. Is this accurate?

Immediately after creating the ticket, CAS tries to validate it but fails. Here's the trace:

> 2013-07-11 16:06:17,351 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] - <Checking match of request : '/clearpass'; against '/clearpass'>
> 2013-07-11 16:06:17,356 DEBUG [org.springframework.security.web.FilterChainProxy] - </clearPass?ticket=ST-2-VkieGGdEitd0UCdGwg2E-cas.institution.edu&service=https://cas.institution.edu:443/cas/clearPass at position 1 of 2 in additional filter chain; firing Filter: 'Cas20ProxyReceivingTicketValidationFilter'>
> 2013-07-11 16:06:17,463 WARN [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceManagement: Service does not exist is not enabled, and thus not allowed to validate tickets.
> Service: [https://cas.institution.edu:443/cas/clearPass]>
> 2013-07-11 16:06:17,468 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: https://appserver.institution.edu:8443/webapp/proxyCallback
> WHAT: ST-2-VkieGGdEitd0UCdGwg2E-cas.institution.edu
> ACTION: SERVICE_TICKET_VALIDATE_FAILED
> APPLICATION: CAS
> WHEN: Thu Jul 11 16:06:17 EDT 2013
> CLIENT IP ADDRESS:
> SERVER IP ADDRESS:
> =============================================================
> 2013-07-11 16:06:17,505 WARN [org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter] - <org.jasig.cas.client.validation.TicketValidationException: Service not allowed to validate tickets.>
> org.jasig.cas.client.validation.TicketValidationException: Service not allowed to validate tickets.
>     at org.jasig.cas.client.validation.Cas20ServiceTicketValidator.parseResponseFromServer(Cas20ServiceTicketValidator.java:86)

I'm not entirely sure why we're receiving an error when attempting to validate the proxy ticket. I'm hoping someone with more CAS experience than me has an idea about what is misconfigured. Thanks.
-Ken

--------------------------------------------------------------------------

PS - Here's the trace from the end of LDAP authentication to the error:

> =============================================================
> WHO: [username: walter_sobchak]
> WHAT: supplied credentials: [username: walter_sobchak]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Thu Jul 11 16:06:16 EDT 2013
> CLIENT IP ADDRESS:
> SERVER IP ADDRESS:
> =============================================================
> 2013-07-11 16:06:16,800 DEBUG [org.jasig.cas.extension.clearpass.TicketRegistryDecorator] - <Creating mapping ticket TGT-1-F9NYdifANRGnNgKZcl4qaOCqZ7kbyrbVcWwLpZdrcPvauHtDfN-cas.institution.edu to user name walter_sobchak>
> 2013-07-11 16:06:16,812 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: [username: walter_sobchak]
> WHAT: TGT-1-F9NYdifANRGnNgKZcl4qaOCqZ7kbyrbVcWwLpZdrcPvauHtDfN-cas.institution.edu
> ACTION: TICKET_GRANTING_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Thu Jul 11 16:06:16 EDT 2013
> CLIENT IP ADDRESS:
> SERVER IP ADDRESS:
> =============================================================
> 2013-07-11 16:06:16,813 TRACE [org.jasig.cas.web.flow.AuthenticationViaFormAction] - <Leaving method [submit] with return value [success].>
> 2013-07-11 16:06:16,856 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-1-djqbG91Bngf7jdDk2lEy-cas.institution.edu] for service [https://appserver.institution.edu:8443/webapp/Servlet] for user [walter_sobchak]>
> 2013-07-11 16:06:16,858 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: walter_sobchak
> WHAT: ST-1-djqbG91Bngf7jdDk2lEy-cas.institution.edu for https://appserver.institution.edu:8443/webapp/Servlet
> ACTION: SERVICE_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Thu Jul 11 16:06:16 EDT 2013
> CLIENT IP ADDRESS:
> SERVER IP ADDRESS:
> =============================================================
> 2013-07-11 16:06:16,887 TRACE [org.jasig.cas.web.flow.TerminateWebSessionListener] - <Entering method [sessionEnded with arguments [[[RequestControlContextImpl@1787d61 externalContext = org.springframework.webflow.mvc.servlet.MvcExternalContext@d6f6c08, currentEvent = success, requestScope = map['response' -> org.jasig.cas.authentication.principal.Response@473b864c, 'serviceTicketId' -> 'ST-1-djqbG91Bngf7jdDk2lEy-cas.institution.edu', 'ticketGrantingTicketId' -> 'TGT-1-F9NYdifANRGnNgKZcl4qaOCqZ7kbyrbVcWwLpZdrcPvauHtDfN-cas.institution.edu'], attributes = map[[empty]], messageContext = [DefaultMessageContext@e1d881c sourceMessages = map[[null] -> list[[empty]]]], flowExecution = [Ended execution of 'login']], [FlowSessionImpl@3e6cb3f flow = 'login', state = 'redirectView', scope = map['service' -> https://appserver.institution.edu:8443/webapp/Servlet, 'credentials' -> [username: walter_sobchak], 'warnCookieValue' -> false, 'ticketGrantingTicketId' -> [null]]], redirectView, map[[empty]]]]>
> 2013-07-11 16:06:16,889 DEBUG [org.jasig.cas.web.flow.TerminateWebSessionListener] - <Terminate web session A3CA290376A9FDB8C2456C1CA2D01008 in 2 seconds>
> 2013-07-11 16:06:16,889 TRACE [org.jasig.cas.web.flow.TerminateWebSessionListener] - <Leaving method [sessionEnded] with return value [null].>
> 2013-07-11 16:06:17,108 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler successfully authenticated [callbackUrl: https://appserver.institution.edu:8443/webapp/proxyCallback]>
> 2013-07-11 16:06:17,111 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <Resolved principal https://appserver.institution.edu:8443/webapp/proxyCallback>
> 2013-07-11 16:06:17,112 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@e99fb2d authenticated https://appserver.institution.edu:8443/webapp/proxyCallback with credential [callbackUrl: https://appserver.institution.edu:8443/webapp/proxyCallback].>
> 2013-07-11 16:06:17,114 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: [callbackUrl: https://appserver.institution.edu:8443/webapp/proxyCallback]
> WHAT: supplied credentials: [callbackUrl: https://appserver.institution.edu:8443/webapp/proxyCallback]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Thu Jul 11 16:06:17 EDT 2013
> CLIENT IP ADDRESS:
> SERVER IP ADDRESS:
> =============================================================
> 2013-07-11 16:06:17,127 DEBUG [org.jasig.cas.extension.clearpass.TicketRegistryDecorator] - <Creating mapping ticket TGT-2-DIbebDuojhbIdDLW2pPlGY9XZ2MZDZQKHbHiZLhwoNzBkU4abW-cas.institution.edu to user name https://appserver.institution.edu:8443/webapp/proxyCallback>
> 2013-07-11 16:06:17,134 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: walter_sobchak
> WHAT: TGT-2-DIbebDuojhbIdDLW2pPlGY9XZ2MZDZQKHbHiZLhwoNzBkU4abW-cas.institution.edu
> ACTION: PROXY_GRANTING_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Thu Jul 11 16:06:17 EDT 2013
> CLIENT IP ADDRESS:
> SERVER IP ADDRESS:
> =============================================================
> 2013-07-11 16:06:17,157 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: audit:unknown
> WHAT: ST-1-djqbG91Bngf7jdDk2lEy-cas.institution.edu
> ACTION: SERVICE_TICKET_VALIDATED
> APPLICATION: CAS
> WHEN: Thu Jul 11 16:06:17 EDT 2013
> CLIENT IP ADDRESS:
> SERVER IP ADDRESS:
> =============================================================
> 2013-07-11 16:06:17,315 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted proxy ticket [ST-2-VkieGGdEitd0UCdGwg2E-cas.institution.edu] for service [https://cas.institution.edu/cas/clearPass] for user [walter_sobchak]>
> 2013-07-11 16:06:17,320 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: https://appserver.institution.edu:8443/webapp/proxyCallback
> WHAT: ST-2-VkieGGdEitd0UCdGwg2E-cas.institution.edu for https://cas.institution.edu/cas/clearPass
> ACTION: SERVICE_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Thu Jul 11 16:06:17 EDT 2013
> CLIENT IP ADDRESS:
> SERVER IP ADDRESS:
> =============================================================
> 2013-07-11 16:06:17,351 DEBUG [org.springframework.security.web.util.AntPathRequestMatcher] - <Checking match of request : '/clearpass'; against '/clearpass'>
> 2013-07-11 16:06:17,356 DEBUG [org.springframework.security.web.FilterChainProxy] - </clearPass?ticket=ST-2-VkieGGdEitd0UCdGwg2E-cas.institution.edu&service=https://cas.institution.edu:443/cas/clearPass at position 1 of 2 in additional filter chain; firing Filter: 'Cas20ProxyReceivingTicketValidationFilter'>
> 2013-07-11 16:06:17,463 WARN [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceManagement: Service does not exist is not enabled, and thus not allowed to validate tickets.
> Service: [https://cas.institution.edu:443/cas/clearPass]>
> 2013-07-11 16:06:17,468 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: https://appserver.institution.edu:8443/webapp/proxyCallback
> WHAT: ST-2-VkieGGdEitd0UCdGwg2E-cas.institution.edu
> ACTION: SERVICE_TICKET_VALIDATE_FAILED
> APPLICATION: CAS
> WHEN: Thu Jul 11 16:06:17 EDT 2013
> CLIENT IP ADDRESS:
> SERVER IP ADDRESS:
> =============================================================
> 2013-07-11 16:06:17,505 WARN [org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter] - <org.jasig.cas.client.validation.TicketValidationException: Service not allowed to validate tickets.>
> org.jasig.cas.client.validation.TicketValidationException: Service not allowed to validate tickets.
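The trace above grants the proxy ticket for https://cas.institution.edu/cas/clearPass but the validation request presents https://cas.institution.edu:443/cas/clearPass, and the CAS service registry is an allowlist matched against the service id string exactly as presented, so a registry pattern written without the port will not match a URL that carries an explicit :443. The Python diagnostic below is an added example, not part of the original thread; it extracts both identifiers from the two quoted log lines (rejoined onto single lines) and checks the rejected one, raw and with the default https port stripped, against a hypothetical registry pattern, since the post does not show the real registry entry.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed excerpt: the two CAS server lines from the trace quoted above,
# one granting the proxy ticket and one refusing to validate it.
LOG = """\
2013-07-11 16:06:17,315 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted proxy ticket [ST-2-VkieGGdEitd0UCdGwg2E-cas.institution.edu] for service [https://cas.institution.edu/cas/clearPass] for user [walter_sobchak]>
2013-07-11 16:06:17,463 WARN [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceManagement: Service does not exist is not enabled, and thus not allowed to validate tickets. Service: [https://cas.institution.edu:443/cas/clearPass]>
"""

# Hypothetical regex-style registry entry; the thread does not show the real one.
REGISTERED = [r"^https://cas\.institution\.edu/cas/clearPass$"]

GRANTED_RE = re.compile(r"Granted proxy ticket \[[^\]]+\] for service \[([^\]]+)\]")
REJECTED_RE = re.compile(r"not allowed to validate tickets\. Service: \[([^\]]+)\]")
DEFAULT_PORTS = {"https": 443, "http": 80}


def normalize(url):
    """Lower-case scheme and host and drop an explicit default port, so that
    https://host:443/path and https://host/path compare equal."""
    p = urlsplit(url)
    netloc = (p.hostname or "").lower()
    if p.port is not None and p.port != DEFAULT_PORTS.get(p.scheme.lower()):
        netloc = f"{netloc}:{p.port}"
    return urlunsplit((p.scheme.lower(), netloc, p.path, p.query, ""))


def extract_services(log):
    """Return (granted_service, rejected_service) from the trace; None if absent."""
    granted = rejected = None
    for line in log.splitlines():
        if m := GRANTED_RE.search(line):
            granted = m.group(1)
        if m := REJECTED_RE.search(line):
            rejected = m.group(1)
    return granted, rejected


def matches_registry(url, patterns):
    return any(re.match(pat, url) for pat in patterns)


def diagnose(log, patterns):
    """Explain a SERVICE_TICKET_VALIDATE_FAILED by comparing the service the ticket
    was granted for with the service presented at validation."""
    granted, rejected = extract_services(log)
    return {
        "granted": granted,
        "rejected": rejected,
        "same_after_normalization": normalize(granted) == normalize(rejected),
        "rejected_matches_registry": matches_registry(rejected, patterns),
        "normalized_matches_registry": matches_registry(normalize(rejected), patterns),
    }


if __name__ == "__main__":
    for key, value in diagnose(LOG, REGISTERED).items():
        print(f"{key}: {value}")
```

When the last two values differ, the registry pattern (or the client's configured serverName) is what to inspect, rather than the ClearPass wiring itself.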
