mod_auth_cas log of the first try. Fails with

MOD_AUTH_CAS: Error parsing XML content (Internal error)




[Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(2026): [client 192.168.8.218] Entering cas_authenticate()
[Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(645): [client 192.168.8.218] Modified r->args (now '')
[Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1729): [client 192.168.8.218] entering getResponseFromServer()
[Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(575): [client 192.168.8.218] CAS Service 'https%3a%2f%2fnagios.quretec.com%2fcas'
[Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1806): [client 192.168.8.218] Validation response: <?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant="2015-02-11T16:40:02.454Z" MajorVersion="1" MinorVersion="1" Recipient="https://nagios.quretec.com/cas" ResponseID="_e4cafa37cb4c77fe55aae7c0d482e40e"><saml1p:Status><saml1p:StatusCode Value="saml1p:Success"/></saml1p:Status><saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_2121b019c9fedf9b287bb811280e227c" IssueInstant="2015-02-11T16:40:02.454Z" Issuer="localhost" MajorVersion="1" MinorVersion="1"><saml1:Conditions NotBefore="2015-02-11T16:40:02.454Z" NotOnOrAfter="2015-02-11T16:40:32.454Z"><saml1:AudienceRestrictionCondition><saml1:Audience>https://nagios.quretec.com/cas</saml1:Audience></saml1:AudienceRestrictionCondition></saml1:Conditions><saml1:AuthenticationStatement AuthenticationInstant="2015-02-11T15:07:56.192Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml1:Subject><saml1:NameIdentifier>kaeeli</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject></saml1:AuthenticationStatement></saml1:Assertion></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>
[Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1434): [client 192.168.8.218] entering isValidCASTicket()
[Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1440): [client 192.168.8.218] MOD_AUTH_CAS: response = <?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant="2015-02-11T16:40:02.454Z" MajorVersion="1" MinorVersion="1" Recipient="https://nagios.quretec.com/cas" ResponseID="_e4cafa37cb4c77fe55aae7c0d482e40e"><saml1p:Status><saml1p:StatusCode Value="saml1p:Success"/></saml1p:Status><saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_2121b019c9fedf9b287bb811280e227c" IssueInstant="2015-02-11T16:40:02.454Z" Issuer="localhost" MajorVersion="1" MinorVersion="1"><saml1:Conditions NotBefore="2015-02-11T16:40:02.454Z" NotOnOrAfter="2015-02-11T16:40:32.454Z"><saml1:AudienceRestrictionCondition><saml1:Audience>https://nagios.quretec.com/cas</saml1:Audience></saml1:AudienceRestrictionCondition></saml1:Conditions><saml1:AuthenticationStatement AuthenticationInstant="2015-02-11T15:07:56.192Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml1:Subject><saml1:NameIdentifier>kaeeli</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject></saml1:AuthenticationStatement></saml1:Assertion></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>
[Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1266): [client 192.168.8.218] entering createCASCookie()
[Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1061): [client 192.168.8.218] entering CASCleanCache()
[Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1117): [client 192.168.8.218] Beginning cache clean
[Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1140): [client 192.168.8.218] Processing cache file 'd76eaa64b28d6adf641e9d8fe59e39bb'
[Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(890): [client 192.168.8.218] entering readCASCacheFile()
[Wed Feb 11 18:40:02 2015] [error] [client 192.168.8.218] MOD_AUTH_CAS: Error parsing XML content (Internal error)
[Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1156): [client 192.168.8.218] Removing corrupt cache entry 'd76eaa64b28d6adf641e9d8fe59e39bb'
[Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1406): [client 192.168.8.218] entering deleteCASCacheFile()
[Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(890): [client 192.168.8.218] entering readCASCacheFile()
[Wed Feb 11 18:40:02 2015] [error] [client 192.168.8.218] MOD_AUTH_CAS: Error parsing XML content (Internal error)
[Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1178): [client 192.168.8.218] entering writeCASCacheEntry()





Yes.
The service ticket can only be used once.
Once a service validates the service ticket, it ought to establish some kind of 
local application specific session.
The fact that the ticket is being validated twice suggests that maybe the 
client is configured incorrectly.

Thanks,
Carl Waldbieser
ITS System Programmer
Lafayette College

----- Original Message -----
From: "Tiit Kaeeli" <[email protected]>
To: [email protected]
Sent: Wednesday, February 11, 2015 8:10:56 AM
Subject: [cas-user] <ServiceTicket [...] does not exist.> after <Removing ticket 
[...] from registry>

Hi,

I got mod_auth_cas working without SAML. Now I am trying to enable SAML
for LDAP group based auth. But unfortunately apache returns 401. So I am
in need of help again.

In tomcat logs, there are no errors, but final result is

WHAT: ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com
ACTION: SERVICE_TICKET_VALIDATE_FAILED



Before this I see:

2015-02-11 14:38:16,202 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
retrieve ticket [ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com]>
2015-02-11 14:38:16,202 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket
[ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com] found in registry.>
2015-02-11 14:38:16,202 DEBUG
[org.jasig.cas.CentralAuthenticationServiceImpl] - <Principal id to return
for service [HTTP and IMAP] is [kaeeli]. The default principal id is
[kaeeli].>
2015-02-11 14:38:16,202 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket
[ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com] from registry>
2015-02-11 14:38:16,202 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
retrieve ticket [ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com]>
2015-02-11 14:38:16,202 INFO
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Wed Feb 11 14:38:16 EET 2015
CLIENT IP ADDRESS: 192.168.7.108
SERVER IP ADDRESS: 192.168.7.183
=============================================================


...

2015-02-11 14:38:16,562 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
retrieve ticket [ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com]>
2015-02-11 14:38:16,562 INFO
[org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceTicket
[ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com] does not exist.>
2015-02-11 14:38:16,566 DEBUG
[org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
retrieve ticket [ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com]>
2015-02-11 14:38:16,566 INFO
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
WHEN: Wed Feb 11 14:38:16 EET 2015
CLIENT IP ADDRESS: 192.168.7.108
SERVER IP ADDRESS: 192.168.7.183
=============================================================




It seems that the service ticket is looked for twice; the first time it succeeds.
Then the ticket is removed from the registry. The other attempt after that
fails.

Is this normal and expected behaviour?
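
The pattern discussed in this thread (a service ticket validated once, then a second validation failing because the ticket has already been removed from the registry) can be picked out of the CAS audit trail automatically. This is an added example, not part of the original messages; the function names and the third sample record are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample in the audit-record layout shown in the thread, trimmed to
# three fields; records 1-2 repeat the thread's ticket, record 3 is invented.
SAMPLE = """\
=============================================================
WHAT: ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com
ACTION: SERVICE_TICKET_VALIDATED
CLIENT IP ADDRESS: 192.168.7.108
=============================================================
=============================================================
WHAT: ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com
ACTION: SERVICE_TICKET_VALIDATE_FAILED
CLIENT IP ADDRESS: 192.168.7.108
=============================================================
=============================================================
WHAT: ST-2-constructed-example
ACTION: SERVICE_TICKET_VALIDATE_FAILED
CLIENT IP ADDRESS: 192.168.7.108
=============================================================
"""

def parse_audit_records(text):
    """Split the audit trail into dicts, one per '====='-delimited record."""
    records, current = [], {}
    for line in text.splitlines() + ["====="]:  # sentinel flushes the last record
        if line.startswith("====="):
            if "WHAT" in current and "ACTION" in current:
                records.append(current)
            current = {}
        elif ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return records

def find_reused_tickets(records):
    """Map each ticket that failed validation AFTER a success to the client IPs
    of the failed attempts (i.e. a second use of a one-time ticket)."""
    validated, reused = set(), defaultdict(list)
    for rec in records:
        ticket, action = rec["WHAT"], rec["ACTION"]
        if action == "SERVICE_TICKET_VALIDATED":
            validated.add(ticket)
        elif action == "SERVICE_TICKET_VALIDATE_FAILED" and ticket in validated:
            reused[ticket].append(rec.get("CLIENT IP ADDRESS", "unknown"))
    return dict(reused)
```

A failure for a ticket that was never validated (the third record) is not reported; only the validated-then-failed sequence is, together with the address of the client that presented the ticket again.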





