In Step 2.b shouldn't you use proxyValidate instead of serviceValidate? That said, the walkthrough specifies serviceValidate, so maybe its OK, but I expect you won't get a PGTIOU unless you use proxyValidate. Also, cas.zenvoo.ch must trust the certificate for the server specified to receive the PGT https://voot.zenvoo.ch/, are you sure that the voot cert is signed by a CA trusted on cas.zenvoo.ch? Your pgtUrl looks a bit suspect, as it should be a servlet on voot.zenvoo.ch waiting to receive the PGT... ________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dario Gallicchio Sent: Friday, 30 November 2007 4:40 a.m. To: [email protected] Subject: CAS proxy - can't receive PGTIOU Hello everybody, I'm developing a virtual desktop system and I want to cas-ify it. I'm trying to enable the CAS proxy mechanism, but it seems that I can't receive any PGTIOU (and neither PGT). Referring to Proxy CAS walkthrough (http://www.ja-sig.org/wiki/display/CAS/Proxy+CAS+Walkthrough), I can successfully accomplish step 1 and 2.a. Then, I repeat step 1 and successfully generate a new ticket, but when I try step 2.b I can only get a partial response. Here are the steps in more details: * Step 1 * URL https://cas.zenvoo.ch:8443/cas/login?http://www.zenvoo.ch * Received ticket ST-15-M2JUs3V7pVubJMOt7RC * Step 2.b * URL: https://cas.zenvoo.ch:8443/cas/serviceValidate?ticket=ST-15-M2JUs3V7pVub JMOt7RCb&service=http://www.zenvoo.ch&pgtUrl=https://voot.zenvoo.ch/help .php, where voot.zenvoo.ch is a server with a correct certificate. * Received XML: <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationSuccess> <cas:user>dariog</cas:user> </cas:authenticationSuccess> </cas:serviceResponse> As you can see, PGTIOU is missing. * The CAS server log file gives me the following error: 2007-11-29 15:25:18,731 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentials AuthenticationHandler failed to authenticate the user which provided the following credentials: https://voot.zenvoo.ch/help.php> 2007-11-29 15:25:18,731 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: https://voot.zenvoo.ch/help.php> org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTic ket(CentralAuthenticationServiceImpl.java:271) at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(Servic eValidateController.java:125) at org.springframework.web.servlet.mvc.AbstractController.handleRequest(Abs tractController.java:153) at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handl e(SimpleControllerHandlerAdapter.java:48) at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherS ervlet.java:857) at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherSe rvlet.java:792) at org.springframework.web.servlet.FrameworkServlet.processRequest(Framewor kServlet.java:475) at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet. java:430) at javax.servlet.http.HttpServlet.service(Unknown Source) at javax.servlet.http.HttpServlet.service(Unknown Source) at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServl et.java:115) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source) at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source) at org.apache.catalina.core.StandardWrapperValve.invoke(Unknown Source) at org.apache.catalina.core.StandardContextValve.invoke(Unknown Source) at org.apache.catalina.core.StandardHostValve.invoke(Unknown Source) at org.apache.catalina.valves.ErrorReportValve.invoke(Unknown Source) at org.apache.catalina.core.StandardEngineValve.invoke(Unknown Source) at org.apache.catalina.connector.CoyoteAdapter.service(Unknown Source) at org.apache.coyote.http11.Http11Processor.process(Unknown Source) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process( Unknown Source) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(Unknown Source) at java.lang.Thread.run(Thread.java:595) Caused by: error.authentication.credentials.bad at org.jasig.cas.authentication.handler.BadCredentialsAuthenticationExcepti on.<clinit>(BadCredentialsAuthenticationException.java:25) at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(Auth enticationManagerImpl.java:108) at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTic ket(CentralAuthenticationServiceImpl.java:242) ... 22 more Seemingly, we've got a credential problem here, but I've dug a little into CAS server source code and found that HttpBasedServiceCredentialsAuthenticationHandler.authenticate() calls HttpClient.isValidEndPoint( url ), that at the end of the day creates an HttpURLConnection object and calls its connect() method. I did the same in a litte test servlet, and I can successfully connect to the url https://voot.zenvoo.ch/help.php. So my certificate should be ok. Yet, I can't make it working in the Proxy mechanism. Anybody could help me? Thanks in advance Dario Gallicchio Zenvoo team
_______________________________________________ Yale CAS mailing list [email protected] http://tp.its.yale.edu/mailman/listinfo/cas
