What versions of CAS and mod_auth_cas are you using?

I recently set up a system with CAS 4.0.x (4.0 initially, later 4.0.1)
and mod_auth_cas, and initially I was having some problems using
mod_auth_cas (using the latest version).  I did have it set up to use
SAML.  Turns out mod_auth_cas needed to be modified/upgraded some to
get things working.  I got help from people on the mod_auth_cas dev
list (some of whom read this list, I believe).

As I recall, the error you're getting is not the same as what I was
getting, but perhaps there are still some similarities between the
problems.

Milt Epstein
Applications Developer
Graduate School of Library and Information Science (GSLIS)
University of Illinois at Urbana-Champaign (UIUC)
[email protected]


On Wed, 11 Feb 2015, Tiit Kaeeli wrote:

> mod_auth_cas log of the first try. Fails with
> 
> MOD_AUTH_CAS: Error parsing XML content (Internal error)
> 
> 
> 
> 
> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(2026): [client
> 192.168.8.218] Entering cas_authenticate()
> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(645): [client 192.168.8.218]
> Modified r->args (now '')
> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1729): [client
> 192.168.8.218] entering getResponseFromServer()
> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(575): [client 192.168.8.218]
> CAS Service 'https%3a%2f%2fnagios.quretec.com%2fcas'
> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1806): [client
> 192.168.8.218] Validation response: <?xml version="1.0"
> encoding="UTF-8"?><SOAP-ENV:Envelope
> 
> xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/";><SOAP-ENV:Body><saml1p:Response
> xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" IssueInstant=
> "2015-02-11T16:40:02.454Z" MajorVersion="1" MinorVersion="1"
> Recipient="https://nagios.quretec.com/cas";
> ResponseID="_e4cafa37cb4c77fe55aae7c0d482e40e"><saml1
> p:Status><saml1p:StatusCode
> Value="saml1p:Success"/></saml1p:Status><saml1:Assertion
> xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_2121b0
> 19c9fedf9b287bb811280e227c" IssueInstant="2015-02-11T16:40:02.454Z"
> Issuer="localhost" MajorVersion="1" MinorVersion="1"><saml1:Conditions
> NotBefore="2015-02
> -11T16:40:02.454Z"
> NotOnOrAfter="2015-02-11T16:40:32.454Z"><saml1:AudienceRestrictionCondition><saml1:Audience>https://nagios.quretec.com/cas</saml1:Audience
> > </saml1:AudienceRestrictionCondition></saml1:Conditions><saml1:AuthenticationStatement
> >  
> AuthenticationInstant="2015-02-11T15:07:56.192Z" AuthenticationMethod
> ="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml1:Subject><saml1:NameIdentifier>kaeeli</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:Confirmatio
> nMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject></saml1:AuthenticationStatement></saml1
> :Assertion></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>
> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1434): [client
> 192.168.8.218] entering isValidCASTicket()
> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1440): [client
> 192.168.8.218] MOD_AUTH_CAS: response = <?xml version="1.0"
> encoding="UTF-8"?><SOAP-ENV:Enve
> lope
> xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/";><SOAP-ENV:Body><saml1p:Response
> xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" IssueInst
> ant="2015-02-11T16:40:02.454Z" MajorVersion="1" MinorVersion="1"
> Recipient="https://nagios.quretec.com/cas";
> ResponseID="_e4cafa37cb4c77fe55aae7c0d482e40e"><s
> aml1p:Status><saml1p:StatusCode
> Value="saml1p:Success"/></saml1p:Status><saml1:Assertion
> xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_21
> 21b019c9fedf9b287bb811280e227c" IssueInstant="2015-02-11T16:40:02.454Z"
> Issuer="localhost" MajorVersion="1" MinorVersion="1"><saml1:Conditions
> NotBefore="201
> 5-02-11T16:40:02.454Z"
> NotOnOrAfter="2015-02-11T16:40:32.454Z"><saml1:AudienceRestrictionCondition><saml1:Audience>https://nagios.quretec.com/cas</saml1:Audi
> ence></saml1:AudienceRestrictionCondition></saml1:Conditions><saml1:AuthenticationStatement
> AuthenticationInstant="2015-02-11T15:07:56.192Z" AuthenticationMe
> thod="urn:oasis:names:tc:SAML:1.0:am:unspecified"><saml1:Subject><saml1:NameIdentifier>kaeeli</saml1:NameIdentifier><saml1:SubjectConfirmation><saml1:Confirm
> ationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact</saml1:ConfirmationMethod></saml1:SubjectConfirmation></saml1:Subject></saml1:AuthenticationStatement></s
> aml1:Assertion></saml1p:Response></SOAP-ENV:Body></SOAP-ENV:Envelope>
> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1266): [client
> 192.168.8.218] entering createCASCookie()
> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1061): [client
> 192.168.8.218] entering CASCleanCache()
> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1117): [client
> 192.168.8.218] Beginning cache clean
> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1140): [client
> 192.168.8.218] Processing cache file 'd76eaa64b28d6adf641e9d8fe59e39bb'
> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(890): [client 192.168.8.218]
> entering readCASCacheFile()
> [Wed Feb 11 18:40:02 2015] [error] [client 192.168.8.218] MOD_AUTH_CAS: Error
> parsing XML content (Internal error)
> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1156): [client
> 192.168.8.218] Removing corrupt cache entry 'd76eaa64b28d6adf641e9d8fe59e39bb'
> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1406): [client
> 192.168.8.218] entering deleteCASCacheFile()
> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(890): [client 192.168.8.218]
> entering readCASCacheFile()
> [Wed Feb 11 18:40:02 2015] [error] [client 192.168.8.218] MOD_AUTH_CAS: Error
> parsing XML content (Internal error)
> [Wed Feb 11 18:40:02 2015] [debug] mod_auth_cas.c(1178): [client
> 192.168.8.218] entering writeCASCacheEntry()
> 
> 
> 
> 
> > 
> > Yes.
> > The service ticket can only be used once.
> > Once a service validates the service ticket, it ought to establish some kind
> > of local application specific session.
> > The fact that the ticket is being validated twice suggests that maybe the
> > client is configured incorrectly.
> > 
> > Thanks,
> > Carl Waldbieser
> > ITS System Programmer
> > Lafayette College
> > 
> > ----- Original Message -----
> > From: "Tiit Kaeeli" <[email protected]>
> > To: [email protected]
> > Sent: Wednesday, February 11, 2015 8:10:56 AM
> > Subject: [cas-user] <ServiceTicket [...] does not exist.> after <Removing
> > ticket [...] from registry>
> > 
> > Hi,
> > 
> > I got mod_auth_cas working without SAML. Now I am trying to enable SAML
> > for LDAP group based auth. But unfortunately apache returns 401. So I am
> > in need of help again.
> > 
> > In tomcat logs, there are no errors, but final result is
> > 
> > WHAT: ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com
> > ACTION: SERVICE_TICKET_VALIDATE_FAILED
> > 
> > 
> > 
> > Before this I see:
> > 
> > 2015-02-11 14:38:16,202 DEBUG
> > [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
> > retrieve ticket [ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com]>
> > 2015-02-11 14:38:16,202 DEBUG
> > [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Ticket
> > [ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com] found in registry.>
> > 2015-02-11 14:38:16,202 DEBUG
> > [org.jasig.cas.CentralAuthenticationServiceImpl] - <Principal id to return
> > for service [HTTP and IMAP] is [kaeeli]. The default principal id is
> > [kaeeli].>
> > 2015-02-11 14:38:16,202 DEBUG
> > [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Removing ticket
> > [ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com] from registry>
> > 2015-02-11 14:38:16,202 DEBUG
> > [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
> > retrieve ticket [ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com]>
> > 2015-02-11 14:38:16,202 INFO
> > [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
> > trail record BEGIN
> > =============================================================
> > WHO: audit:unknown
> > WHAT: ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com
> > ACTION: SERVICE_TICKET_VALIDATED
> > APPLICATION: CAS
> > WHEN: Wed Feb 11 14:38:16 EET 2015
> > CLIENT IP ADDRESS: 192.168.7.108
> > SERVER IP ADDRESS: 192.168.7.183
> > =============================================================
> > 
> > 
> > ...
> > 
> > 2015-02-11 14:38:16,562 DEBUG
> > [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
> > retrieve ticket [ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com]>
> > 2015-02-11 14:38:16,562 INFO
> > [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceTicket
> > [ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com] does not exist.>
> > 2015-02-11 14:38:16,566 DEBUG
> > [org.jasig.cas.ticket.registry.DefaultTicketRegistry] - <Attempting to
> > retrieve ticket [ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com]>
> > 2015-02-11 14:38:16,566 INFO
> > [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
> > trail record BEGIN
> > =============================================================
> > WHO: audit:unknown
> > WHAT: ST-1-V6yYyU7eDUu1zqqh4gGm-cas.quretec.com
> > ACTION: SERVICE_TICKET_VALIDATE_FAILED
> > APPLICATION: CAS
> > WHEN: Wed Feb 11 14:38:16 EET 2015
> > CLIENT IP ADDRESS: 192.168.7.108
> > SERVER IP ADDRESS: 192.168.7.183
> > =============================================================
> > 
> > 
> > 
> > 
> > It seems that the service ticket is looked for twice; the first time it succeeds.
> > Then the ticket is removed from the registry. The other attempt after that
> > fails.
> > 
> > Is this normal and expected behaviour?
> > 
> > 
> > 
> > 
> 
> 
> -- 
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
> 
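
The single-use rule for service tickets described in the quoted reply can be checked against the CAS audit trail. The following is an added example, not part of the original thread and not code from CAS or mod_auth_cas: it parses audit records in the layout quoted above and flags tickets presented again after a successful validation. The ticket ids, IP addresses and the "same client" / "different client" labels are constructed for illustration.

```python
import re

# Field lines of an inspektr audit record, in the layout quoted in this thread.
FIELD = re.compile(r"^(WHO|WHAT|ACTION|WHEN|CLIENT IP ADDRESS|SERVER IP ADDRESS): (.*)$")
RULE = re.compile(r"^=+$")  # the ===== line that opens and closes each record

def parse_audit_records(text):
    """Yield one dict per audit record; '> ' mail-quote prefixes are tolerated."""
    record = {}
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        m = FIELD.match(line)
        if m:
            record[m.group(1)] = m.group(2).strip()
        elif RULE.match(line) and record:  # closing rule: record is complete
            yield record
            record = {}

def find_ticket_reuse(records):
    """Report service tickets presented again after a successful validation."""
    validated, findings = {}, []  # validated: ticket -> client IP that redeemed it
    for r in records:
        ticket, client = r.get("WHAT", ""), r.get("CLIENT IP ADDRESS")
        if not ticket.startswith("ST-"):
            continue
        if r.get("ACTION") == "SERVICE_TICKET_VALIDATED":
            validated[ticket] = client
        elif r.get("ACTION") == "SERVICE_TICKET_VALIDATE_FAILED" and ticket in validated:
            # Triage labels are this example's assumption, not CAS output.
            verdict = "same client" if client == validated[ticket] else "different client"
            findings.append((ticket, validated[ticket], client, verdict))
    return findings

def _record(ticket, action, client):  # builds one constructed sample record
    bar = "=" * 61
    return (f"2015-02-11 14:38:16,202 INFO [...] - <Audit trail record BEGIN\n{bar}\n"
            f"WHO: audit:unknown\nWHAT: {ticket}\nACTION: {action}\nAPPLICATION: CAS\n"
            f"CLIENT IP ADDRESS: {client}\nSERVER IP ADDRESS: 192.0.2.1\n{bar}\n")

OK, FAIL = "SERVICE_TICKET_VALIDATED", "SERVICE_TICKET_VALIDATE_FAILED"
SAMPLE_LOG = "".join([  # constructed sample; ids and addresses are placeholders
    _record("ST-1-constructedA-cas.example.org", OK, "192.0.2.10"),
    _record("ST-1-constructedA-cas.example.org", FAIL, "192.0.2.10"),
    _record("ST-2-constructedB-cas.example.org", OK, "192.0.2.10"),
    _record("ST-2-constructedB-cas.example.org", FAIL, "192.0.2.99"),
    _record("ST-3-constructedC-cas.example.org", FAIL, "192.0.2.10"),  # never valid
])

if __name__ == "__main__":
    print(*find_ticket_reuse(parse_audit_records(SAMPLE_LOG)), sep="\n")
```

A "same client" finding matches the pattern in this thread, where the validating host asks for the same ticket twice; a failed validation for a ticket that was never redeemed is not reported.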
