Kevin,

The Shibboleth IdP doesn't trust the CAS server's certificate it seems:

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

-Scott

On 10/4/07, Kevin Foote <[EMAIL PROTECTED]> wrote:
>
> Hello
> I'm trying to get cas-server and cas-client to work for ldap authentication
> to MSAD for Shibboleth-IdP/SSO
>
> So far I'm using the package provided here shib.kuleuven.be/docs/idp which
> is basically what I need: Shibboleth with CAS on the
> back end doing the connection to AD etc. I have set logging on everything
> to DEBUG and see quite a bit.. I also have things working somewhat as
> I can see the username being authenticated on the AD server side through
> logs there. It seems to die at a ticket problem..
> Or is this related to certificates ??
>
> Here is the error that I get:
>
> == /opt/tomcat5/logs/tomcat.log
> 13:51:10,199 [TP-Processor6] DEBUG Action 'AuthenticationViaFormAction' beginning execution - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> 13:51:10,205 [TP-Processor6] DEBUG Executing bind - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> 13:51:10,206 [TP-Processor6] DEBUG Loading new form object - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> 13:51:10,207 [TP-Processor6] DEBUG Creating new instance of form object class [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> 13:51:10,208 [TP-Processor6] DEBUG Setting form object of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope [class org.springframework.webflow.ScopeType.Flow (1)] with name 'credentials' - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> 13:51:10,244 [TP-Processor6] DEBUG No property editor registrar set, no custom editors to register - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> 13:51:10,269 [TP-Processor6] DEBUG Binding allowed request parameters in map['lt' -> '_c025B5288-CE44-A636-26C1-03360144BE32_kDFEE0594-2285-6890-46C6-8E9398DA2FAF', 'service' -> 'https://k2.cc.iup.edu/shibboleth-idp/SSO?shire=https%3A%2F%2Faktag.cc.iup.edu%2FShibboleth.sso%2FSAML%2FPOST&time=1191519847&target=cookie&providerId=https%3A%2F%2Faktag.cc.iup.edu%2Fshibboleth%2Fk2%2Fsp', '_eventId' -> 'submit', 'password' -> 'welcome1', '_currentStateId' -> '', 'username' -> 'testuser'] to form object with name 'credentials', pre-bind formObject toString = null - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> 13:51:10,269 [TP-Processor6] DEBUG (Any field is allowed) - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> 13:51:10,292 [TP-Processor6] DEBUG Binding completed for form object with name 'credentials', post-bind formObject toString = testuser - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> 13:51:10,293 [TP-Processor6] DEBUG There are [0] errors, details: [] - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> 13:51:10,294 [TP-Processor6] DEBUG Setting form errors instance in scope [class org.springframework.webflow.ScopeType.Request (0)] - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> 13:51:10,298 [TP-Processor6] DEBUG Executing validate - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> 13:51:10,299 [TP-Processor6] DEBUG Invoking validator [EMAIL PROTECTED] - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> 13:51:10,303 [TP-Processor6] DEBUG Validation completed for form object with name 'credentials' - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> 13:51:10,304 [TP-Processor6] DEBUG There are [0] errors, details: [] - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> 13:51:10,305 [TP-Processor6] DEBUG Action 'AuthenticationViaFormAction' completed execution; result is 'success' - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> 13:51:10,305 [TP-Processor6] DEBUG Action 'AuthenticationViaFormAction' beginning execution - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> 13:51:10,306 [TP-Processor6] DEBUG Found existing form object with name 'credentials' of type [class org.jasig.cas.authentication.principal.UsernamePasswordCredentials] in scope [class org.springframework.webflow.ScopeType.Flow (1)] - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> 13:51:10,365 [TP-Processor6] INFO AuthenticationHandler: org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully authenticated the user which provided the following credentials: testuser - org.jasig.cas.authentication.AuthenticationManagerImpl [20071004]
> 13:51:10,365 [TP-Processor6] DEBUG Creating SimplePrincipal for [testuser] - org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver [20071004]
> 13:51:10,381 [TP-Processor6] DEBUG Added ticket [TGT-2-PFMtLkwBFbFC9ErY2hVFBkSWYSbdNyGpRp6-50] to registry. - org.jasig.cas.ticket.registry.DefaultTicketRegistry [20071004]
> 13:51:10,382 [TP-Processor6] DEBUG Action 'AuthenticationViaFormAction' completed execution; result is 'success' - org.jasig.cas.web.flow.AuthenticationViaFormAction [20071004]
> 13:51:10,383 [TP-Processor6] DEBUG Action 'SendTicketGrantingTicketAction' beginning execution - org.jasig.cas.web.flow.SendTicketGrantingTicketAction [20071004]
> 13:51:10,384 [TP-Processor6] DEBUG Action 'SendTicketGrantingTicketAction' completed execution; result is 'success' - org.jasig.cas.web.flow.SendTicketGrantingTicketAction [20071004]
> 13:51:10,385 [TP-Processor6] DEBUG Action 'HasServiceCheckAction' beginning execution - org.jasig.cas.web.flow.HasServiceCheckAction [20071004]
> 13:51:10,386 [TP-Processor6] DEBUG Action 'HasServiceCheckAction' completed execution; result is 'hasService' - org.jasig.cas.web.flow.HasServiceCheckAction [20071004]
> 13:51:10,387 [TP-Processor6] DEBUG Action 'GenerateServiceTicketAction' beginning execution - org.jasig.cas.web.flow.GenerateServiceTicketAction [20071004]
> 13:51:10,400 [TP-Processor6] DEBUG Attempting to retrieve ticket [TGT-2-PFMtLkwBFbFC9ErY2hVFBkSWYSbdNyGpRp6-50] - org.jasig.cas.ticket.registry.DefaultTicketRegistry [20071004]
> 13:51:10,401 [TP-Processor6] DEBUG Ticket [TGT-2-PFMtLkwBFbFC9ErY2hVFBkSWYSbdNyGpRp6-50] found in registry. - org.jasig.cas.ticket.registry.DefaultTicketRegistry [20071004]
> 13:51:10,405 [TP-Processor6] DEBUG Added ticket [ST-2-uaefuYhGGxF2WZO5hpRvNpVY7wwzUEppBeO-20] to registry. - org.jasig.cas.ticket.registry.DefaultTicketRegistry [20071004]
> 13:51:10,406 [TP-Processor6] INFO Granted service ticket [ST-2-uaefuYhGGxF2WZO5hpRvNpVY7wwzUEppBeO-20] for service [https://k2.cc.iup.edu/shibboleth-idp/SSO?shire=https%3A%2F%2Faktag.cc.iup.edu%2FShibboleth.sso%2FSAML%2FPOST&time=1191519847&target=cookie&providerId=https%3A%2F%2Faktag.cc.iup.edu%2Fshibboleth%2Fk2%2Fsp] for user [testuser] - org.jasig.cas.CentralAuthenticationServiceImpl [20071004]
> 13:51:10,407 [TP-Processor6] DEBUG Action 'GenerateServiceTicketAction' completed execution; result is 'success' - org.jasig.cas.web.flow.GenerateServiceTicketAction [20071004]
> 13:51:10,407 [TP-Processor6] DEBUG Action 'WarnAction' beginning execution - org.jasig.cas.web.flow.WarnAction [20071004]
> 13:51:10,408 [TP-Processor6] DEBUG Action 'WarnAction' completed execution; result is 'redirect' - org.jasig.cas.web.flow.WarnAction [20071004]
> 13:51:11,018 [edu.internet2.middleware.shibboleth.common.provider.SharedMemoryShibHandle.HandleCache.MemoryRepositoryCleaner] DEBUG Memory cache handle cache cleanup thread searching for stale entries. - edu.internet2.middleware.shibboleth.common.provider.HandleCache [20071004]
> 13:51:11,880 [edu.internet2.middleware.shibboleth.aa.attrresolv.ResolverCacher.Cleaner] DEBUG Resolver Cache cleanup thread searching cache for stale entries. - edu.internet2.middleware.shibboleth.aa.attrresolv.ResolverCache [20071004]
> 13:51:11,948 [TP-Processor5] ERROR edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://k2.cc.iup.edu/cas/serviceValidate] ticket=[ST-2-uaefuYhGGxF2WZO5hpRvNpVY7wwzUEppBeO-20] service=[https%3A%2F%2Fk2.cc.iup.edu%2Fshibboleth-idp%2FSSO%3Fshire%3Dhttps%253A%252F%252Faktag.cc.iup.edu%252FShibboleth.sso%252FSAML%252FPOST%26time%3D1191519847%26target%3Dcookie%26providerId%3Dhttps%253A%252F%252Faktag.cc.iup.edu%252Fshibboleth%252Fk2%252Fsp] renew=false]]] - edu.yale.its.tp.cas.client.CASReceipt [20071004]
> 13:51:11,949 [TP-Processor5] ERROR edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://k2.cc.iup.edu/cas/serviceValidate] ticket=[ST-2-uaefuYhGGxF2WZO5hpRvNpVY7wwzUEppBeO-20] service=[https%3A%2F%2Fk2.cc.iup.edu%2Fshibboleth-idp%2FSSO%3Fshire%3Dhttps%253A%252F%252Faktag.cc.iup.edu%252FShibboleth.sso%252FSAML%252FPOST%26time%3D1191519847%26target%3Dcookie%26providerId%3Dhttps%253A%252F%252Faktag.cc.iup.edu%252Fshibboleth%252Fk2%252Fsp] renew=false]]] - edu.yale.its.tp.cas.client.filter.CASFilter [20071004]
> 13:51:11,954 [TP-Processor5] ERROR Servlet.service() for servlet IdP threw exception - org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/shibboleth-idp].[IdP] [20071004]
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>         at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
>         at java.security.cert.CertPathBuilder.build(Unknown Source)
>         at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>         at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>         at sun.security.validator.Validator.validate(Unknown Source)
>         at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
>         at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
>         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>         at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
>         at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
>         at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
>         at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
>         at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
>         at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
>         at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
>         at edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:84)
>         at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:212)
>         at edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:50)
>         at edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
>         at edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
>         at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:200)
>         at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:283)
>         at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:773)
>         at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703)
>         at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:895)
>         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
>         at java.lang.Thread.run(Unknown Source)
> 13:51:11,955 [edu.internet2.middleware.shibboleth.idp.provider.MemoryArtifactMapper..MemoryArtifactCleaner] DEBUG Memory-based artifact mapper cleanup thread searching for stale entries. - edu.internet2.middleware.shibboleth.artifact.provider.MemoryArtifactMapper [20071004]
> 13:51:12,377 [Thread-13] DEBUG Checking for updates to resource (file:/usr/local/shib-idp/etc/my-metadata.xml) - edu.internet2.middleware.shibboleth.common.ResourceWatchdog [20071004]
>
> Thanks for any help ..
>
> --
> :wq!
> kevin.foote
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas

--
-Scott Battaglia
LinkedIn: http://www.linkedin.com/in/scottbattaglia
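The stack trace shows where the failure sits: the CAS Java client's SecureURL.retrieve opens the serviceValidate URL through HttpsURLConnection, so the JVM running the IdP checks the CAS server's certificate against its own truststore, and that check is what throws SunCertPathBuilderException. The following diagnostic is an added example, not code from this thread or from the CAS or Shibboleth projects: it repeats that HTTPS trust check against a named truststore, but wraps the stock JSSE trust manager so the chain the server presented is still on hand when validation fails, and then names the issuer the truststore lacks. The CAS URL placeholder, the cacerts path and the password "changeit" (the JDK's shipped default) are assumptions passed as arguments.

```java
import java.io.*;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

/** Added diagnostic (not CAS or Shibboleth code): repeat the CAS client's HTTPS trust check
 *  against a chosen truststore and report which issuer certificate that store is missing. */
public class CasTrustCheck {
    /** Wraps the real JSSE trust manager; validation is not weakened, the chain is only remembered. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] presented;
        RecordingTrustManager(X509TrustManager d) { delegate = d; }
        public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkClientTrusted(c, a); }
        public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
            presented = c;                     // record first: the delegate call below may throw
            delegate.checkServerTrusted(c, a); // this is where SunCertPathBuilderException originates
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults: placeholder CAS URL, the JDK cacerts path and its stock password.
        String url = args.length > 0 ? args[0] : "https://cas.example.edu/cas/serviceValidate";
        String storePath = args.length > 1 ? args[1] : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] storePass = (args.length > 2 ? args[2] : "changeit").toCharArray();
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(storePath);
        try { store.load(in, storePass); } finally { in.close(); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        RecordingTrustManager tm = new RecordingTrustManager((X509TrustManager) tmf.getTrustManagers()[0]);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try {
            conn.connect(); // same path as SecureURL.retrieve -> HttpsURLConnection in the trace above
            System.out.println("OK: " + storePath + " trusts " + url);
        } catch (SSLHandshakeException e) {
            Throwable root = e;
            while (root.getCause() != null) root = root.getCause(); // unwrap to SunCertPathBuilderException
            System.out.println("FAILED: " + root);
            if (tm.presented != null) { // explain which trust anchor the store is missing
                X509Certificate top = tm.presented[tm.presented.length - 1];
                System.out.println("server chain ends at: " + top.getSubjectX500Principal());
                System.out.println("issuer missing from truststore: " + top.getIssuerX500Principal());
                System.out.println("fix: keytool -importcert -keystore " + storePath + " -alias cas-issuer -file issuer.pem");
            }
        } finally { conn.disconnect(); }
    }
}
```

Run it as the same JVM user and with the same java.home as the IdP's Tomcat, otherwise it may inspect a different cacerts file than the one the CAS client actually consults.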
