Re: [cas-user] CAS 5 Connect to JDBC for Authentication

2016-08-03 Thread Misagh Moayyed
Well, your other error about logs went away. So something’s up with permissions 
and/or tomcat that reads them perhaps.

If you want to get db authn working, it’s not enough to simply include the 
properties. You’ll also need to declare the relevant module to express your 
intention. Your overlay didn't show it.

https://apereo.github.io/cas/development/installation/Database-Authentication.html


-- 
Misagh

From: Loren Klingman 
Reply: Loren Klingman 
Date: August 3, 2016 at 2:36:22 PM
To: CAS Community 
Cc: mmoay...@unicon.net 
Subject:  Re: [cas-user] CAS 5 Connect to JDBC for Authentication  

I still get the static login from ./build.sh run.  It seems to generate a bunch 
of keys which should have already been set in my cas.properties file which 
leads me to think at least part of the problem is with that.

The file is in /etc/cas/config/cas.properties (seems to be a new location from 
the former /etc/cas/cas.properties).  The file (and folders) are owned by 
root:root, but they are all world readable.

If nothing rings a bell in any of that, could you put the exact overlay 
template you are using with database authentication online somewhere, and I'll 
try pulling that in?  (Of course, I'll have to change the database, but even if 
I didn't if I can get to an error with the database connection that would be 
progress.)

Also, thanks so much for your help!  I try to keep detailed notes so I'll post 
my full install guide for Ubuntu 16.04 when I get it running and hopefully that 
will help others.

Here is my output:

CAS Version: 5.0.0.RC1-SNAPSHOT
Build Date/Time: 2016-08-03T21:18:38Z
Java Home: /usr/lib/jvm/java-8-openjdk-amd64/jre
Java Vendor: Oracle Corporation
Java Version: 1.8.0_91
OS Architecture: amd64
OS Name: Linux
OS Version: 4.4.0-21-generic


2016-08-03 17:19:09,728 INFO [org.apereo.cas.web.CasWebApplication] - 
2016-08-03 17:20:17,567 INFO 
[org.apereo.cas.services.DefaultServicesManagerImpl] - 
2016-08-03 17:21:09,669 WARN 
[org.apereo.cas.WebflowConversationStateCipherExecutor] - 
2016-08-03 17:21:09,738 WARN 
[org.apereo.cas.WebflowConversationStateCipherExecutor] - 
2016-08-03 17:21:09,739 WARN 
[org.apereo.cas.WebflowConversationStateCipherExecutor] - 
2016-08-03 17:21:09,740 WARN 
[org.apereo.cas.WebflowConversationStateCipherExecutor] - 
2016-08-03 17:21:10,808 WARN 
[org.apereo.cas.config.CasSecurityContextConfiguration] - <>
2016-08-03 17:21:10,825 WARN 
[org.apereo.cas.config.CasSecurityContextConfiguration] - <

CAS is configured to accept a static list of credentials for authentication. 
While this is generally useful for demo purposes, it is STRONGLY recommended 
that you DISABLE this authentication method (by REMOVING 
'cas.authn.accept.users' from your configuration) and switch to a mode that is 
more suitable for production.
>
2016-08-03 17:21:10,831 WARN 
[org.apereo.cas.config.CasSecurityContextConfiguration] - <>
2016-08-03 17:21:22,793 WARN 
[org.apereo.cas.services.InMemoryServiceRegistryDaoImpl] - 
2016-08-03 17:21:22,811 WARN 
[org.apereo.cas.services.InMemoryServiceRegistryDaoImpl] - 
2016-08-03 17:21:22,827 INFO 
[org.apereo.cas.services.DefaultServicesManagerImpl] - 
2016-08-03 17:22:04,182 INFO 
[org.apereo.cas.configuration.CasConfigurationRebinder] - 
2016-08-03 17:22:04,653 INFO 
[org.apereo.cas.configuration.CasConfigurationRebinder] - 
2016-08-03 17:22:11,319 INFO [org.apereo.cas.web.CasWebApplication] - 
2016-08-03 17:22:12,953 INFO [org.apereo.cas.web.CasWebApplication] - 
2016-08-03 17:22:13,694 WARN 
[org.apereo.cas.util.TicketGrantingCookieCipherExecutor] - 
2016-08-03 17:22:13,695 WARN 
[org.apereo.cas.util.TicketGrantingCookieCipherExecutor] - 
2016-08-03 17:22:13,696 WARN 
[org.apereo.cas.util.TicketGrantingCookieCipherExecutor] - 
2016-08-03 17:22:13,696 WARN 
[org.apereo.cas.util.TicketGrantingCookieCipherExecutor] - 
2016-08-03 17:22:14,152 INFO [org.apereo.cas.configuration.support.Beans] - 

2016-08-03 17:22:18,770 INFO [org.apereo.cas.web.CasWebApplication] - 
2016-08-03 17:22:27,505 INFO 
[org.apereo.cas.web.support.InMemoryThrottledSubmissionByIpAddressAndUsernameHandlerInterceptorAdapter]
 - 
2016-08-03 17:22:37,505 INFO 
[org.apereo.cas.services.DefaultServicesManagerImpl] - 
2016-08-03 17:22:37,539 INFO 
[org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - 
2016-08-03 17:22:37,546 INFO 
[org.apereo.cas.ticket.registry.DefaultTicketRegistryCleaner] - <0 expired 
tickets removed.>
2016-08-03 17:22:37,546 INFO 

Re: [cas-user] CAS 5 Connect to JDBC for Authentication

2016-08-03 Thread Misagh Moayyed
Can't duplicate. I’ll blame permissions, or tomcat. What happens when you run 
"./build.sh run"? 

-- 
Misagh

From: Loren Klingman 
Reply: Loren Klingman 
Date: August 3, 2016 at 1:13:05 PM
To: CAS Community 
Cc: mmoay...@unicon.net 
Subject:  Re: [cas-user] CAS 5 Connect to JDBC for Authentication  

Reposting because I failed to post the last reply publicly.

Thanks, I've changed the cas.properties file as you requested.  That line is 
actually exactly out of the overlay template on github 
(https://github.com/apereo/cas-overlay-template/blob/5.0/etc/cas/config/cas.properties)
 so if it's wrong it probably needs to be updated there also.

My log4j2.xml should be an exact copy from the 5.0 branch of the overlay 
template, but I'm attaching it here just in case I changed something by mistake.

Since I don't want to push database passwords up, I did not push up any changes 
to cas.properties to the overlay (which means it's actually exactly the same as 
the master one) but for good measure and in case I need it for future testing, 
I did push up what I'm using (the 5.0 branch): 
https://github.com/loren138/cas-overlay-test

For deployment, I'm using the following commands to build and then send the war 
file over to tomcat8:
sudo ./build.sh package

sudo service tomcat8 stop && sudo rm -rf /var/lib/tomcat8/webapps/ROOT && sudo 
cp ./target/cas.war /var/lib/tomcat8/webapps/ROOT.war && sudo service tomcat8 
start



Loren Klingman


On Wednesday, August 3, 2016 at 3:40:49 PM UTC-4, Misagh Moayyed wrote:
And, this:

logging.config: file:/etc/cas/config/log4j2.xml


Probably should be:

logging.config=file:/etc/cas/config/log4j2.xml

And you want to make sure that file exists. If it does, please share that too. 

-- 
Misagh

From: Misagh Moayyed 
Reply: Misagh Moayyed 
Date: August 3, 2016 at 12:36:10 PM
To: CAS Community 
Subject:  Re: [cas-user] CAS 5 Connect to JDBC for Authentication

Got an overlay you can share? 

-- 
Misagh

From: Loren Klingman 
Reply: Loren Klingman 
Date: August 3, 2016 at 12:27:18 PM
To: CAS Community 
Subject:  [cas-user] CAS 5 Connect to JDBC for Authentication

I'm excited to start working with CAS 5 and setup all in the config file, but 
I'm having issues getting switched over to auth in the database.  (IE 
casuser/Mellon is still the only login that works to login.)

I've been trying to work slowly changing only what I need to at the time so I 
don't think I've changed any other files other than cas.properties (copied in 
below), but please let me know if some other file would be useful to include.

I'm seeing this error in catalina.out which may be related:
2016-08-03 15:18:40,206 Log4j2-AsyncLoggerConfig-14 ERROR An exception occurred processing Appender casAudit java.lang.NullPointerException
    at org.apereo.cas.logging.CasAppender.append(CasAppender.java:85)
    at org.apache.logging.log4j.core.config.AppenderControl.tryCallAppender(AppenderControl.java:155)
    at org.apache.logging.log4j.core.config.AppenderControl.callAppender0(AppenderControl.java:128)
    at org.apache.logging.log4j.core.config.AppenderControl.callAppenderPreventRecursion(AppenderControl.java:119)
    at org.apache.logging.log4j.core.config.AppenderControl.callAppender(AppenderControl.java:84)
    at org.apache.logging.log4j.core.config.LoggerConfig.callAppenders(LoggerConfig.java:390)
    at org.apache.logging.log4j.core.async.AsyncLoggerConfig.asyncCallAppenders(AsyncLoggerConfig.java:113)
    at org.apache.logging.log4j.core.async.AsyncLoggerConfigDisruptor$Log4jEventWrapperHandler.onEvent(AsyncLoggerConfigDisruptor.java:111)
    at org.apache.logging.log4j.core.async.AsyncLoggerConfigDisruptor$Log4jEventWrapperHandler.onEvent(AsyncLoggerConfigDisruptor.java:97)
    at com.lmax.disruptor.BatchEventProcessor.run(BatchEventProcessor.java:129)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)

I haven't found any CAS log files yet (looking in /var/log/cas where they used 
to be) so let me know if I should be looking somewhere new for those).

Here is my cas.properties file:

cas.server.name: https://webdev-g.sbts.edu
cas.server.prefix: https://webdev-g.sbts.edu/cas

cas.adminPagesSecurity.ip=(10)(\.(241|244|245|247|99))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2}

# 8 hours - negative value = never expires
cas.ticket.tgt.maxTimeToLiveInSeconds=28800
# 40 minutes (Set to a negative value to never expire tickets)
cas.ticket.tgt.timeToKillInSeconds=2400

##
# CAS SSO Cookie Generation & Security
# See 

Re: [cas-user] CAS 5 Connect to JDBC for Authentication

2016-08-03 Thread Loren Klingman
Reposting because I failed to post the last reply publicly.

Thanks, I've changed the cas.properties file as you requested.  That line 
is actually exactly out of the overlay template on github (
https://github.com/apereo/cas-overlay-template/blob/5.0/etc/cas/config/cas.properties)
 
so if it's wrong it probably needs to be updated there also.

My log4j2.xml should be an exact copy from the 5.0 branch of the overlay 
template, but I'm attaching it here just in case I changed something by 
mistake.

Since I don't want to push database passwords up, I did not push up any 
changes to cas.properties to the overlay (which means it's actually exactly 
the same as the master one) but for good measure and in case I need it for 
future testing, I did push up what I'm using (the 5.0 branch): 
https://github.com/loren138/cas-overlay-test

For deployment, I'm using the following commands to build and then send the 
war file over to tomcat8:

sudo ./build.sh package


sudo service tomcat8 stop && sudo rm -rf /var/lib/tomcat8/webapps/ROOT && sudo 
cp ./target/cas.war /var/lib/tomcat8/webapps/ROOT.war && sudo service tomcat8 
start




Loren Klingman


On Wednesday, August 3, 2016 at 3:40:49 PM UTC-4, Misagh Moayyed wrote:
>
> And, this:
>
> logging.config: file:/etc/cas/config/log4j2.xml
>
>
> Probably should be:
>
> logging.config=file:/etc/cas/config/log4j2.xml
>
>
> And you want to make sure that file exists. If it does, please share that 
> too. 
>
> -- 
> Misagh
>
> From: Misagh Moayyed  
> Reply: Misagh Moayyed  
> Date: August 3, 2016 at 12:36:10 PM
> To: CAS Community  
> Subject:  Re: [cas-user] CAS 5 Connect to JDBC for Authentication 
>
> Got an overlay you can share? 
>
> -- 
> Misagh
>
> From: Loren Klingman  
> Reply: Loren Klingman  
> Date: August 3, 2016 at 12:27:18 PM
> To: CAS Community  
> Subject:  [cas-user] CAS 5 Connect to JDBC for Authentication
>
> I'm excited to start working with CAS 5 and setup all in the config file, 
> but I'm having issues getting switched over to auth in the database.  (IE 
> casuser/Mellon is still the only login that works to login.)
>
> I've been trying to work slowly changing only what I need to at the time 
> so I don't think I've changed any other files other than cas.properties 
> (copied in below), but please let me know if some other file would be 
> useful to include.
>
> I'm seeing this error in catalina.out which may be related:
> 2016-08-03 15:18:40,206 Log4j2-AsyncLoggerConfig-14 ERROR An exception occurred processing Appender casAudit java.lang.NullPointerException
>     at org.apereo.cas.logging.CasAppender.append(CasAppender.java:85)
>     at org.apache.logging.log4j.core.config.AppenderControl.tryCallAppender(AppenderControl.java:155)
>     at org.apache.logging.log4j.core.config.AppenderControl.callAppender0(AppenderControl.java:128)
>     at org.apache.logging.log4j.core.config.AppenderControl.callAppenderPreventRecursion(AppenderControl.java:119)
>     at org.apache.logging.log4j.core.config.AppenderControl.callAppender(AppenderControl.java:84)
>     at org.apache.logging.log4j.core.config.LoggerConfig.callAppenders(LoggerConfig.java:390)
>     at org.apache.logging.log4j.core.async.AsyncLoggerConfig.asyncCallAppenders(AsyncLoggerConfig.java:113)
>     at org.apache.logging.log4j.core.async.AsyncLoggerConfigDisruptor$Log4jEventWrapperHandler.onEvent(AsyncLoggerConfigDisruptor.java:111)
>     at org.apache.logging.log4j.core.async.AsyncLoggerConfigDisruptor$Log4jEventWrapperHandler.onEvent(AsyncLoggerConfigDisruptor.java:97)
>     at com.lmax.disruptor.BatchEventProcessor.run(BatchEventProcessor.java:129)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at java.lang.Thread.run(Thread.java:745)
>
> I haven't found any CAS log files yet (looking in /var/log/cas where they 
> used to be) so let me know if I should be looking somewhere new for those).
>
> Here is my cas.properties file:
>
> cas.server.name: https://webdev-g.sbts.edu
> cas.server.prefix: https://webdev-g.sbts.edu/cas
>
>
> cas.adminPagesSecurity.ip=(10)(\.(241|244|245|247|99))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2}
>
> # 8 hours - negative value = never expires
> cas.ticket.tgt.maxTimeToLiveInSeconds=28800
> # 40 minutes (Set to a negative value to never expire tickets)
> cas.ticket.tgt.timeToKillInSeconds=2400
>
> ##
> # CAS SSO Cookie Generation & Security
> # See https://github.com/mitreid-connect/json-web-key-generator
> #
> # Do note that the following settings MUST be generated per deployment.
> #
> # Defaults at spring-configuration/ticketGrantingTicketCookieGenerator.xml
> # The encryption secret key. By default, must be a 

Re: [cas-user] Error with auditTrailContext.xml

2016-08-03 Thread Misagh Moayyed
No. It’s not something you’d “do”. Your handler is not your source. Your source 
is the database, and the database (likely, I don’t know for sure) has no way of 
blocking an account on X number of failed attempts. Lots of “it depends” there. 

So your best method of discourse would be to use throttling. If that doesn’t 
work, then you can do it manually by tracking failed authn attempts in the 
database somehow. 

-- 
Misagh
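
One way to do the manual tracking suggested above, as an added example that is not part of the original message and is not CAS code: each failed attempt is recorded in a database table, and a username is refused once it has more than 3 failures inside a look-back window. The table name, the function names, the 15-minute window and the `verify` callback (standing in for the real database authentication handler) are assumptions; SQLite is used only so the example runs stand-alone.

```python
import sqlite3
import time

MAX_FAILURES = 3       # from the thread: block on "more than 3 fails"
WINDOW_SECONDS = 900   # assumed look-back window; the thread does not give one


def open_store(path=":memory:"):
    """Open the failure store and create the (hypothetical) tracking table."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS authn_failures ("
        " username TEXT NOT NULL,"
        " client_ip TEXT NOT NULL,"
        " failed_at REAL NOT NULL)"
    )
    db.execute(
        "CREATE INDEX IF NOT EXISTS idx_authn_failures"
        " ON authn_failures (username, failed_at)"
    )
    return db


def recent_failures(db, username, now):
    """Count failures for this username inside the look-back window."""
    row = db.execute(
        "SELECT COUNT(*) FROM authn_failures"
        " WHERE username = ? AND failed_at > ?",
        (username.lower(), now - WINDOW_SECONDS),
    ).fetchone()
    return row[0]


def attempt_login(db, username, client_ip, verify, now=None):
    """Gate one login attempt; returns 'blocked', 'failed' or 'ok'.

    verify(username) stands in for the real credential check and is never
    called while the account is blocked, so a blocked account gives no
    feedback on whether a guessed password was right.
    """
    now = time.time() if now is None else now
    key = username.lower()  # count "Alice" and "alice" as the same account

    if recent_failures(db, key, now) > MAX_FAILURES:
        return "blocked"

    if verify(username):
        # A successful login clears the history for that account.
        db.execute("DELETE FROM authn_failures WHERE username = ?", (key,))
        db.commit()
        return "ok"

    # Parameterized insert: the username is attacker-controlled input.
    db.execute(
        "INSERT INTO authn_failures (username, client_ip, failed_at)"
        " VALUES (?, ?, ?)",
        (key, client_ip, now),
    )
    db.commit()
    return "failed"
```

Because old rows fall out of the window, the block expires on its own. Counting per username alone lets anyone lock out a known account, which is one reason throttling keyed on IP address and username together is the first suggestion.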

From: carlos maddaleno cuellar 
Reply: carlos maddaleno cuellar 
Date: August 3, 2016 at 12:45:57 PM
To: Misagh Moayyed 
Subject:  Re: [cas-user] Error with auditTrailContext.xml  

Ok thanks, I will try. I'm using


    
    
to authenticate to my database, so you think I could do it on the 
queryDatabaseAuthenticationHandler bean?

2016-08-03 13:34 GMT-06:00 Misagh Moayyed :
That’s better handled by your authentication source, if it supports that, or 
via throttling. Not via audits. 

-- 
Misagh

From: carlos maddaleno cuellar 
Reply: carlos maddaleno cuellar 
Date: August 3, 2016 at 12:09:35 PM
To: Misagh Moayyed 
Subject:  Re: [cas-user] Error with auditTrailContext.xml

I wanted to overwrite 

org.jasig.inspektr.audit.AuditTrailManagementAspect

flow so when a user makes an AUTHENTICATION_FAILED I have a flag to block the 
user on more than 3 fails

2016-08-03 12:47 GMT-06:00 Misagh Moayyed :
Why do you have that file in your configuration? 

-- 
Misagh

From: carlos maddaleno cuellar 
Reply: carlos maddaleno cuellar 
Date: August 3, 2016 at 10:22:23 AM
To: cas-user@apereo.org 
Subject:  [cas-user] Error with auditTrailContext.xml

Hi, I'm having a problem with auditTrailContext.xml. I have it under my 
spring-configuration. I'm using CAS 4.2.3. The error says this:

org.springframework.beans.factory.UnsatisfiedDependencyException: Error 
creating bean with name 'assertionAsReturnValuePrincipalResolver' defined in 
URL 
[jar:file:/C:/Projects/cas/cas-overlay-template-master/cas-overlay-template-master/target/cas/WEB-INF/lib/cas-server-core-audit-4.2.3.jar!/org/jasig/cas/audit/spi/AssertionAsReturnValuePrincipalResolver.class]:
 Unsatisfied dependency expressed through constructor argument with index 0 of 
type [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver]: : Error 
creating bean with name 'auditablePrincipalResolver' defined in ServletContext 
resource [/WEB-INF/spring-configuration/auditTrailContext.xml]: Unsatisfied 
dependency expressed through constructor argument with index 0 of type 
[org.jasig.cas.CentralAuthenticationService]: Ambiguous constructor argument 
types - did you specify the correct bean references as constructor arguments?; 
nested exception is 
org.springframework.beans.factory.UnsatisfiedDependencyException: Error 
creating bean with name 'auditablePrincipalResolver' defined in ServletContext 
resource [/WEB-INF/spring-configuration/auditTrailContext.xml]: Unsatisfied 
dependency expressed through constructor argument with index 0 of type 
[org.jasig.cas.CentralAuthenticationService]: Ambiguous constructor argument 
types - did you specify the correct bean references as constructor arguments?

this is my file:


http://www.springframework.org/schema/beans;
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance;
       xmlns:aop="http://www.springframework.org/schema/aop;
       xmlns:p="http://www.springframework.org/schema/p;
       xmlns:c="http://www.springframework.org/schema/c;
       xmlns:util="http://www.springframework.org/schema/util;
       xsi:schemaLocation="http://www.springframework.org/schema/beans 
http://www.springframework.org/schema/beans/spring-beans.xsd
       http://www.springframework.org/schema/aop 
http://www.springframework.org/schema/aop/spring-aop.xsd
       http://www.springframework.org/schema/util 
http://www.springframework.org/schema/util/spring-util.xsd;>

    
        Configuration file for the Inspektr package which handles auditing for 
Java applications.
        If enabled this should be modified to log audit and statistics 
information the same way
        your local applications do. The default is currently to log to the 
console which is good
        for debugging/testing purposes.

Re: [cas-user] CAS 5 Connect to JDBC for Authentication

2016-08-03 Thread Misagh Moayyed
Got an overlay you can share? 

-- 
Misagh

From: Loren Klingman 
Reply: Loren Klingman 
Date: August 3, 2016 at 12:27:18 PM
To: CAS Community 
Subject:  [cas-user] CAS 5 Connect to JDBC for Authentication  

I'm excited to start working with CAS 5 and setup all in the config file, but 
I'm having issues getting switched over to auth in the database.  (IE 
casuser/Mellon is still the only login that works to login.)

I've been trying to work slowly changing only what I need to at the time so I 
don't think I've changed any other files other than cas.properties (copied in 
below), but please let me know if some other file would be useful to include.

I'm seeing this error in catalina.out which may be related:
2016-08-03 15:18:40,206 Log4j2-AsyncLoggerConfig-14 ERROR An exception occurred processing Appender casAudit java.lang.NullPointerException
    at org.apereo.cas.logging.CasAppender.append(CasAppender.java:85)
    at org.apache.logging.log4j.core.config.AppenderControl.tryCallAppender(AppenderControl.java:155)
    at org.apache.logging.log4j.core.config.AppenderControl.callAppender0(AppenderControl.java:128)
    at org.apache.logging.log4j.core.config.AppenderControl.callAppenderPreventRecursion(AppenderControl.java:119)
    at org.apache.logging.log4j.core.config.AppenderControl.callAppender(AppenderControl.java:84)
    at org.apache.logging.log4j.core.config.LoggerConfig.callAppenders(LoggerConfig.java:390)
    at org.apache.logging.log4j.core.async.AsyncLoggerConfig.asyncCallAppenders(AsyncLoggerConfig.java:113)
    at org.apache.logging.log4j.core.async.AsyncLoggerConfigDisruptor$Log4jEventWrapperHandler.onEvent(AsyncLoggerConfigDisruptor.java:111)
    at org.apache.logging.log4j.core.async.AsyncLoggerConfigDisruptor$Log4jEventWrapperHandler.onEvent(AsyncLoggerConfigDisruptor.java:97)
    at com.lmax.disruptor.BatchEventProcessor.run(BatchEventProcessor.java:129)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)

I haven't found any CAS log files yet (looking in /var/log/cas where they used 
to be) so let me know if I should be looking somewhere new for those).

Here is my cas.properties file:

cas.server.name: https://webdev-g.sbts.edu
cas.server.prefix: https://webdev-g.sbts.edu/cas

cas.adminPagesSecurity.ip=(10)(\.(241|244|245|247|99))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2}

# 8 hours - negative value = never expires
cas.ticket.tgt.maxTimeToLiveInSeconds=28800
# 40 minutes (Set to a negative value to never expire tickets)
cas.ticket.tgt.timeToKillInSeconds=2400

##
# CAS SSO Cookie Generation & Security
# See https://github.com/mitreid-connect/json-web-key-generator
#
# Do note that the following settings MUST be generated per deployment.
#
# Defaults at spring-configuration/ticketGrantingTicketCookieGenerator.xml
# The encryption secret key. By default, must be a octet string of size 256.
tgc.encryption.key=stuff...
# The signing secret key. By default, must be a octet string of size 512.
tgc.signing.key=stuf...

##
# Service Ticket Timeout
# Default sourced from WEB-INF/spring-configuration/ticketExpirationPolices.xml
#
# Service Ticket timeout - typically kept short as a control against replay attacks, default is 10s.  You'll want to
# increase this timeout if you are manually testing service ticket creation/validation via tamperdata or similar tools
cas.ticket.st.timeToKillInSeconds=45
cas.ticket.st.numberOfUses=1


cas.googleAnalytics.googleAnalyticsTrackingId=UA-801923423-2

cas.slo.disabled=true
# cas.slo.asynchronous=true

logging.config: file:/etc/cas/config/log4j2.xml

##
# CAS Logout Behavior
# WEB-INF/cas-servlet.xml
#
# Specify whether CAS should redirect to the specified service parameter on /logout requests
cas.logout.followServiceRedirects=true
# cas.serviceRegistry.config.location: classpath:/services

# Authentication

# Throttle - I honestly have no idea what units these things are in...  Maybe the docs are better by now...
# https://apereo.github.io/cas/development/installation/Configuration-Properties.html#authentication-throttling
cas.authn.throttle.usernameParameter=username
cas.authn.throttle.startDelay=1
cas.authn.throttle.repeatInterval=2
cas.authn.throttle.appcode=CAS

cas.authn.throttle.failure.threshold=100
cas.authn.throttle.failure.code=AUTHENTICATION_FAILED
cas.authn.throttle.failure.rangeSeconds=60

cas.authn.jdbc.search[0].fieldUser=username
cas.authn.jdbc.search[0].tableUsers=users
cas.authn.jdbc.search[0].fieldPassword=passwordsha1
cas.authn.jdbc.search[0].healthQuery=SELECT 1
cas.authn.jdbc.search[0].isolateInternalQueries=false
cas.authn.jdbc.search[0].url=jdbc:sqlserver://oeuoue;databaseName=qjkrcg

Re: [cas-user] Error with auditTrailContext.xml

2016-08-03 Thread Misagh Moayyed
That’s better handled by your authentication source, if it supports that, or 
via throttling. Not via audits. 

-- 
Misagh

From: carlos maddaleno cuellar 
Reply: carlos maddaleno cuellar 
Date: August 3, 2016 at 12:09:35 PM
To: Misagh Moayyed 
Subject:  Re: [cas-user] Error with auditTrailContext.xml  

I wanted to overwrite 

org.jasig.inspektr.audit.AuditTrailManagementAspect

flow so when a user makes an AUTHENTICATION_FAILED I have a flag to block the 
user on more than 3 fails

2016-08-03 12:47 GMT-06:00 Misagh Moayyed :
Why do you have that file in your configuration? 

-- 
Misagh

From: carlos maddaleno cuellar 
Reply: carlos maddaleno cuellar 
Date: August 3, 2016 at 10:22:23 AM
To: cas-user@apereo.org 
Subject:  [cas-user] Error with auditTrailContext.xml

Hi, I'm having a problem with auditTrailContext.xml. I have it under my 
spring-configuration. I'm using CAS 4.2.3. The error says this:

org.springframework.beans.factory.UnsatisfiedDependencyException: Error 
creating bean with name 'assertionAsReturnValuePrincipalResolver' defined in 
URL 
[jar:file:/C:/Projects/cas/cas-overlay-template-master/cas-overlay-template-master/target/cas/WEB-INF/lib/cas-server-core-audit-4.2.3.jar!/org/jasig/cas/audit/spi/AssertionAsReturnValuePrincipalResolver.class]:
 Unsatisfied dependency expressed through constructor argument with index 0 of 
type [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver]: : Error 
creating bean with name 'auditablePrincipalResolver' defined in ServletContext 
resource [/WEB-INF/spring-configuration/auditTrailContext.xml]: Unsatisfied 
dependency expressed through constructor argument with index 0 of type 
[org.jasig.cas.CentralAuthenticationService]: Ambiguous constructor argument 
types - did you specify the correct bean references as constructor arguments?; 
nested exception is 
org.springframework.beans.factory.UnsatisfiedDependencyException: Error 
creating bean with name 'auditablePrincipalResolver' defined in ServletContext 
resource [/WEB-INF/spring-configuration/auditTrailContext.xml]: Unsatisfied 
dependency expressed through constructor argument with index 0 of type 
[org.jasig.cas.CentralAuthenticationService]: Ambiguous constructor argument 
types - did you specify the correct bean references as constructor arguments?

this is my file:


http://www.springframework.org/schema/beans;
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance;
       xmlns:aop="http://www.springframework.org/schema/aop;
       xmlns:p="http://www.springframework.org/schema/p;
       xmlns:c="http://www.springframework.org/schema/c;
       xmlns:util="http://www.springframework.org/schema/util;
       xsi:schemaLocation="http://www.springframework.org/schema/beans 
http://www.springframework.org/schema/beans/spring-beans.xsd
       http://www.springframework.org/schema/aop 
http://www.springframework.org/schema/aop/spring-aop.xsd
       http://www.springframework.org/schema/util 
http://www.springframework.org/schema/util/spring-util.xsd;>

    
        Configuration file for the Inspektr package which handles auditing for 
Java applications.
        If enabled this should be modified to log audit and statistics 
information the same way
        your local applications do. The default is currently to log to the 
console which is good
        for debugging/testing purposes.

Could someone help me please?


my pom dependencies




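        <dependency>
            <groupId>org.jasig.cas</groupId>
            <artifactId>cas-server-webapp</artifactId>
            <version>${cas.version}</version>
            <type>war</type>
            <scope>runtime</scope>
        </dependency>

        <dependency>
            <groupId>org.jasig.cas</groupId>
            <artifactId>cas-server-support-jdbc</artifactId>
            <version>${cas.version}</version>
        </dependency>

        <dependency>
            <groupId>org.jasig.cas</groupId>
            <artifactId>cas-server-webapp-actions-aup-webflow</artifactId>
            <version>${cas.version}</version>
        </dependency>

        <dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-collections4</artifactId>
            <version>4.1</version>
        </dependency>

        <dependency>
            <groupId>org.apereo.service.persondir</groupId>
            <artifactId>person-directory-api</artifactId>
            <version>1.8.1</version>
            <type>jar</type>
        </dependency>

        <dependency>
            <groupId>org.apereo.service.persondir</groupId>
            <artifactId>person-directory-impl</artifactId>
            <version>1.8.1</version>
            <type>jar</type>
        </dependency>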
        
        
            

[cas-user] CAS 5 Connect to JDBC for Authentication

2016-08-03 Thread Loren Klingman
I'm excited to start working with CAS 5 and setup all in the config file, 
but I'm having issues getting switched over to auth in the database.  (IE 
casuser/Mellon is still the only login that works to login.)

I've been trying to work slowly changing only what I need to at the time so 
I don't think I've changed any other files other than cas.properties 
(copied in below), but please let me know if some other file would be 
useful to include.

I'm seeing this error in catalina.out which may be related:
2016-08-03 15:18:40,206 Log4j2-AsyncLoggerConfig-14 ERROR An exception occurred processing Appender casAudit java.lang.NullPointerException
    at org.apereo.cas.logging.CasAppender.append(CasAppender.java:85)
    at org.apache.logging.log4j.core.config.AppenderControl.tryCallAppender(AppenderControl.java:155)
    at org.apache.logging.log4j.core.config.AppenderControl.callAppender0(AppenderControl.java:128)
    at org.apache.logging.log4j.core.config.AppenderControl.callAppenderPreventRecursion(AppenderControl.java:119)
    at org.apache.logging.log4j.core.config.AppenderControl.callAppender(AppenderControl.java:84)
    at org.apache.logging.log4j.core.config.LoggerConfig.callAppenders(LoggerConfig.java:390)
    at org.apache.logging.log4j.core.async.AsyncLoggerConfig.asyncCallAppenders(AsyncLoggerConfig.java:113)
    at org.apache.logging.log4j.core.async.AsyncLoggerConfigDisruptor$Log4jEventWrapperHandler.onEvent(AsyncLoggerConfigDisruptor.java:111)
    at org.apache.logging.log4j.core.async.AsyncLoggerConfigDisruptor$Log4jEventWrapperHandler.onEvent(AsyncLoggerConfigDisruptor.java:97)
    at com.lmax.disruptor.BatchEventProcessor.run(BatchEventProcessor.java:129)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)

I haven't found any CAS log files yet (looking in /var/log/cas where they 
used to be) so let me know if I should be looking somewhere new for those).

Here is my cas.properties file:

cas.server.name: https://webdev-g.sbts.edu
cas.server.prefix: https://webdev-g.sbts.edu/cas

cas.adminPagesSecurity.ip=(10)(\.(241|244|245|247|99))(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){2}

# 8 hours - negative value = never expires
cas.ticket.tgt.maxTimeToLiveInSeconds=28800
# 40 minutes (Set to a negative value to never expire tickets)
cas.ticket.tgt.timeToKillInSeconds=2400

##
# CAS SSO Cookie Generation & Security
# See https://github.com/mitreid-connect/json-web-key-generator
#
# Do note that the following settings MUST be generated per deployment.
#
# Defaults at spring-configuration/ticketGrantingTicketCookieGenerator.xml
# The encryption secret key. By default, must be a octet string of size 256.
tgc.encryption.key=stuff...
# The signing secret key. By default, must be a octet string of size 512.
tgc.signing.key=stuf...

##
# Service Ticket Timeout
# Default sourced from WEB-INF/spring-configuration/ticketExpirationPolices.xml
#
# Service Ticket timeout - typically kept short as a control against replay attacks, default is 10s.  You'll want to
# increase this timeout if you are manually testing service ticket creation/validation via tamperdata or similar tools
cas.ticket.st.timeToKillInSeconds=45
cas.ticket.st.numberOfUses=1


cas.googleAnalytics.googleAnalyticsTrackingId=UA-801923423-2

cas.slo.disabled=true
# cas.slo.asynchronous=true

logging.config: file:/etc/cas/config/log4j2.xml

##
# CAS Logout Behavior
# WEB-INF/cas-servlet.xml
#
# Specify whether CAS should redirect to the specified service parameter on /logout requests
cas.logout.followServiceRedirects=true
# cas.serviceRegistry.config.location: classpath:/services

# Authentication

# Throttle - I honestly have no idea what units these things are in...  Maybe the docs are better by now...
# https://apereo.github.io/cas/development/installation/Configuration-Properties.html#authentication-throttling
cas.authn.throttle.usernameParameter=username
cas.authn.throttle.startDelay=1
cas.authn.throttle.repeatInterval=2
cas.authn.throttle.appcode=CAS

cas.authn.throttle.failure.threshold=100
cas.authn.throttle.failure.code=AUTHENTICATION_FAILED
cas.authn.throttle.failure.rangeSeconds=60

cas.authn.jdbc.search[0].fieldUser=username
cas.authn.jdbc.search[0].tableUsers=users
cas.authn.jdbc.search[0].fieldPassword=passwordsha1
cas.authn.jdbc.search[0].healthQuery=SELECT 1
cas.authn.jdbc.search[0].isolateInternalQueries=false
cas.authn.jdbc.search[0].url=jdbc:sqlserver://oeuoue;databaseName=qjkrcg
cas.authn.jdbc.search[0].failFast=true
cas.authn.jdbc.search[0].isolationLevelName=ISOLATION_READ_COMMITTED
cas.authn.jdbc.search[0].dialect=org.hibernate.dialect.SQLServer2008Dialect
cas.authn.jdbc.search[0].leakThreshold=10
cas.authn.jdbc.search[0].propagationBehaviorName=PROPAGATION_REQUIRED

Re: [cas-user] Re: Cas multiple service tickets created and multiple tickets failed validation for same user

2016-08-03 Thread John Stevens II
Ray/Misagh,

I thought of that when I was out to lunch and checked the servers just now 
and there was a 10+ second time difference on server 1. 

I corrected it and removed the 30 st ttl I set in cas.properties, 
restarted and now everything is working.

Going to monitor the servers and will post any updates. 

Thanks for the help guys.

On Wednesday, August 3, 2016 at 12:30:47 PM UTC-4, Ray Bon wrote:
>
> John,
>
> Your service ticket is not 'immediately invalidated'. It seems unlikely 
> your client takes so long to request st validation. It looks like it sends 
> you back to CAS multiple times (5 times in 400 ms), then there is a 14 s 
> delay before your client attempts to validate the tickets.
> Could the servers be out of temporal sync (approx 15 s)? Server 2 is 'in 
> the past', st tickets created here will have 'more time' to be validated 
> which is why the config change has no effect. Server 1 st need a longer ttl 
> because they are validated 'in the past'.
>
> Ray
>
> On 2016-08-03 04:17, John Stevens II wrote:
>
> I agree I only increased the st ttl to see if it would fix the problem but 
> that troublesome node is not active in the load balancer, it was disabled 
> for troubleshooting. 
>
> The reason I'm confused is because the default st ttl is 10 seconds 
> (correct me if I'm wrong) but my ticket is immediately invalidated, so less 
> than 10 seconds and I can't find anything relevant in the logs as to why.
>
> As for couchbase it seems to be working well outside of the issue you help 
> me solve with the connection to the buckets timing out, since I increased 
> the timeout to 60 seconds I haven't had any other problems.
>
> Any suggestions would be great and as always your help is appreciated.
>
>
> On Wednesday, August 3, 2016 at 1:22:30 AM UTC-4, Misagh Moayyed wrote: 
>>
>> 1. That is a bad idea. Your nodes need to share the same configuration. 
>> While this may work for now, it will eventually break. It works now because 
>> the gods are favoring node1 to issue tickets and node2 to validate them. 
>> Whoever issues the ticket gets to decide how long it should last. 
>> 2. As the doc says, look into your app and figure out why it’s taking 20+ 
>> seconds to submit a validation event. 30-second timeouts are not unheard of 
>> though. 
>>
>> How’s couchbase working out for you? 
>>
>> On Tuesday, August 2, 2016 at 1:50:59 PM UTC-7, John Stevens II wrote: 
>>>
>>> Misagh, 
>>>
>>> I've looked at the docs and increased the service ticket timeout to 
>>> 30 seconds:  
>>>  st.timeToKillInSeconds=30
>>>
>>> Now I am no longer receiving the too many redirect errors and am able to 
>>> login to my service and management web application but I am confused about 
>>> something.
>>>
>>> 1. I was able to confirm that node1 is the only one having the problem 
>>> (I have all my logs set to debug) and the nodes should be the same and I 
>>> can't figure out why I need to increase the st ttl on node1 but not node2.
>>> 2. Node1 and node2 share ticket registries so I don't believe it is a 
>>> problem with that.
>>>
>>> Any insight would be helpful, Thanks for your help.
>>>
>>> On Tuesday, August 2, 2016 at 4:18:58 PM UTC-4, Misagh Moayyed wrote: 

 See 
 https://apereo.github.io/cas/4.2.x/installation/Troubleshooting-Guide.html

 On Tuesday, August 2, 2016 at 11:49:49 AM UTC-7, John Stevens II wrote: 
>
> I have a problem that randomly happens, after hitting my service url 
> successfully I get redirected to CAS login page, I login successfully and 
> get redirected to my service but the service fails to load with the 
> browser error "performance.example.com redirected you too many times."
>
> Setup:
> 2 Active node servers behind F5 lb w/ source affinity
> shared couchbase ticket and service registry
>
> When the issue occurs in the logs the service tickets are created on 
> one server and are validated on the other server (fails validation)
>
> CAS Server 1 (cas1.example.com):
>
> =
> WHO: user1
> WHAT: Supplied credentials: [user1]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Tue Aug 02 14:35:07 EDT 2016
> CLIENT IP ADDRESS: 192.168.0.100
> SERVER IP ADDRESS: 192.168.21.142
> =
>
> >
> 2016-08-02 14:35:07,579 INFO 
> [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -  trail record BEGIN
> =
> WHO: audit:unknown
> WHAT: TGT-**
> OsqfxL4sVn-cas1.example.com
> ACTION: TICKET_GRANTING_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Tue Aug 02 14:35:07 EDT 2016
> CLIENT IP ADDRESS: 192.168.0.100
> SERVER IP ADDRESS: 
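
Added example (not part of the original thread, and not CAS project code): a small audit-log check for the diagnosis discussed above. It pairs each service ticket's creation record with its validation record and reports the age the validating node sees, which includes any clock difference between nodes. The ticket ids, the second server address, and the SERVICE_TICKET_* action names are assumptions; the record layout is the one quoted in the thread.

```python
import re
from datetime import datetime

ST_TTL_SECONDS = 10  # default service-ticket lifetime cited in the thread

def _record(what, action, when, server):
    """Build one constructed audit record in the layout quoted in the thread."""
    return ("=\nWHO: user1\nWHAT: %s\nACTION: %s\nAPPLICATION: CAS\nWHEN: %s\n"
            "CLIENT IP ADDRESS: 192.168.0.100\nSERVER IP ADDRESS: %s\n=\n"
            % (what, action, when, server))

# Constructed sample. Ticket ids, the .143 address and the SERVICE_TICKET_*
# action names are assumptions; only the record layout comes from the thread.
SAMPLE = "".join([
    _record("ST-1-aaaa-cas1.example.com for https://app.example.com/",
            "SERVICE_TICKET_CREATED", "Tue Aug 02 14:35:07 EDT 2016", "192.168.21.142"),
    _record("ST-1-aaaa-cas1.example.com", "SERVICE_TICKET_VALIDATE_FAILED",
            "Tue Aug 02 14:35:22 EDT 2016", "192.168.21.143"),
    _record("ST-2-bbbb-cas1.example.com for https://app.example.com/",
            "SERVICE_TICKET_CREATED", "Tue Aug 02 14:36:00 EDT 2016", "192.168.21.142"),
    _record("ST-2-bbbb-cas1.example.com", "SERVICE_TICKET_VALIDATED",
            "Tue Aug 02 14:36:01 EDT 2016", "192.168.21.142"),
])

def parse_records(text):
    """Split the log on '=' delimiter lines and return one dict per record."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.lstrip("> ").strip()  # tolerate mail-quoted copies of the log
        if line and set(line) == {"="}:
            if current:
                records.append(current)
            current = {}
        elif ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records

def parse_when(value):
    """Parse 'Tue Aug 02 14:35:07 EDT 2016', dropping the zone abbreviation.
    Assumption: every node writes its audit log in the same time zone."""
    _, mon, day, clock, _, year = value.split()
    return datetime.strptime(" ".join((mon, day, clock, year)), "%b %d %H:%M:%S %Y")

def ticket_ages(text, ttl=ST_TTL_SECONDS):
    """Return {ticket_id: (age_seconds, validated_on_other_node, over_ttl)}."""
    created, results = {}, {}
    for rec in parse_records(text):
        match = re.search(r"ST-[^\s\]]+", rec.get("WHAT", ""))
        if not match or "WHEN" not in rec:
            continue
        st, when = match.group(0), parse_when(rec["WHEN"])
        node, action = rec.get("SERVER IP ADDRESS"), rec.get("ACTION", "")
        if action == "SERVICE_TICKET_CREATED":
            created[st] = (when, node)
        elif action.startswith("SERVICE_TICKET_VALIDATE") and st in created:
            issued, issuer = created[st]
            age = (when - issued).total_seconds()
            results[st] = (age, node != issuer, age > ttl)
    return results

if __name__ == "__main__":
    for st, (age, cross, over) in ticket_ages(SAMPLE).items():
        print(st, "age=%.0fs" % age, "cross-node" if cross else "same-node",
              "OVER TTL" if over else "ok")
```

Each timestamp is written by the node that handled the request, so an over-TTL age on a cross-node ticket is a cue to compare the nodes' clocks before raising the timeout.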

[cas-user] Error with auditTrailContext.xml

2016-08-03 Thread carlos maddaleno cuellar
Hi, I'm having a problem with auditTrailContext.xml. I have it under my
spring-configuration. I'm using CAS 4.2.3. The error says this:

org.springframework.beans.factory.UnsatisfiedDependencyException: Error
creating bean with name 'assertionAsReturnValuePrincipalResolver' defined
in URL
[jar:file:/C:/Projects/cas/cas-overlay-template-master/cas-overlay-template-master/target/cas/WEB-INF/lib/cas-server-core-audit-4.2.3.jar!/org/jasig/cas/audit/spi/AssertionAsReturnValuePrincipalResolver.class]:
Unsatisfied dependency expressed through constructor argument with index 0
of type [org.jasig.cas.audit.spi.TicketOrCredentialPrincipalResolver]: :
Error creating bean with name 'auditablePrincipalResolver' defined in
ServletContext resource
[/WEB-INF/spring-configuration/auditTrailContext.xml]: Unsatisfied
dependency expressed through constructor argument with index 0 of type
[org.jasig.cas.CentralAuthenticationService]: Ambiguous constructor
argument types - did you specify the correct bean references as constructor
arguments?; nested exception is
org.springframework.beans.factory.UnsatisfiedDependencyException: Error
creating bean with name 'auditablePrincipalResolver' defined in
ServletContext resource
[/WEB-INF/spring-configuration/auditTrailContext.xml]: Unsatisfied
dependency expressed through constructor argument with index 0 of type
[org.jasig.cas.CentralAuthenticationService]: Ambiguous constructor
argument types - did you specify the correct bean references as constructor
arguments?

this is my file:


<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:aop="http://www.springframework.org/schema/aop"
   xmlns:p="http://www.springframework.org/schema/p"
   xmlns:c="http://www.springframework.org/schema/c"
   xmlns:util="http://www.springframework.org/schema/util"
   xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
   http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop.xsd
   http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util.xsd">


Configuration file for the Inspektr package which handles auditing
for Java applications.
If enabled this should be modified to log audit and statistics
information the same way
your local applications do. The default is currently to log to the
console which is good
for debugging/testing purposes.

Could someone help me, please?


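my pom dependencies:

<dependencies>
    <dependency>
        <groupId>org.jasig.cas</groupId>
        <artifactId>cas-server-webapp</artifactId>
        <version>${cas.version}</version>
        <type>war</type>
        <scope>runtime</scope>
    </dependency>
    <dependency>
        <groupId>org.jasig.cas</groupId>
        <artifactId>cas-server-support-jdbc</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.jasig.cas</groupId>
        <artifactId>cas-server-webapp-actions-aup-webflow</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-collections4</artifactId>
        <version>4.1</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.service.persondir</groupId>
        <artifactId>person-directory-api</artifactId>
        <version>1.8.1</version>
        <type>jar</type>
    </dependency>
    <dependency>
        <groupId>org.apereo.service.persondir</groupId>
        <artifactId>person-directory-impl</artifactId>
        <version>1.8.1</version>
        <type>jar</type>
    </dependency>
    <dependency>
        <groupId>org.jasig.cas</groupId>
        <artifactId>cas-server-webapp-throttle</artifactId>
        <version>${cas.version}</version>
    </dependency>
    <dependency>
        <groupId>javax.servlet</groupId>
        <artifactId>servlet-api</artifactId>
        <version>2.5</version>
    </dependency>
    <dependency>
        <groupId>org.apereo.inspektr</groupId>
        <artifactId>inspektr-audit</artifactId>
        <version>1.5.GA</version>
        <type>jar</type>
    </dependency>
</dependencies>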



4.2.3

9.3.6.v20151106
1.7
1.7
UTF-8




Re: [cas-user] Re: Cas multiple service tickets created and multiple tickets failed validation for same user

2016-08-03 Thread Ray Bon
John,

Your service ticket is not 'immediately invalidated'. It seems unlikely
your client takes so long to request st validation. It looks like it
sends you back to CAS multiple times (5 times in 400 ms), then there is
a 14 s delay before your client attempts to validate the tickets.
Could the servers be out of temporal sync (approx 15 s)? Server 2 is 'in
the past', st tickets created here will have 'more time' to be validated
which is why the config change has no effect. Server 1 st need a longer
ttl because they are validated 'in the past'.

Ray

On 2016-08-03 04:17, John Stevens II wrote:
> I agree I only increased the st ttl to see if it would fix the problem
> but that troublesome node is not active in the load balancer, it was
> disabled for troubleshooting.
>
> The reason I'm confused is because the default st ttl is 10 seconds
> (correct me if I'm wrong) but my ticket is immediately invalidated, so
> less than 10 seconds and I can't find anything relevant in the logs as
> to why.
>
> As for couchbase it seems to be working well outside of the issue you
> help me solve with the connection to the buckets timing out, since I
> increased the timeout to 60 seconds I haven't had any other problems.
>
> Any suggestions would be great and as always your help is appreciated.
>
>
> On Wednesday, August 3, 2016 at 1:22:30 AM UTC-4, Misagh Moayyed wrote:
>
> 1. That is a bad idea. Your nodes need to share the same
> configuration. While this may work for now, it will eventually
> break. It works now because the gods are favoring node1 to issue
> tickets and node2 to validate them. Whoever issues the ticket gets
> to decide how long it should last. 
> 2. As the doc says, look into your app and figure out why it’s
> taking 20+ seconds to submit a validation event. 30-second
> timeouts are not unheard of though. 
>
> How’s couchbase working out for you? 
>
> On Tuesday, August 2, 2016 at 1:50:59 PM UTC-7, John Stevens II
> wrote:
>
> Misagh,
>
> I've looked at the docs and increased the service ticket
> timeout to 30 seconds: 
>  st.timeToKillInSeconds=30
>
> Now I am no longer receiving the too many redirect errors and
> am able to login to my service and management web application
> but I am confused about something.
>
> 1. I was able to confirm that node1 is the only one having the
> problem (I have all my logs set to debug) and the nodes should
> be the same and I can't figure out why I need to increase the
> st ttl on node1 but not node2.
> 2. Node1 and node2 share ticket registries so I don't believe
> it is a problem with that.
>
> Any insight would be helpful, Thanks for your help.
>
> On Tuesday, August 2, 2016 at 4:18:58 PM UTC-4, Misagh Moayyed
> wrote:
>
> See
> 
> https://apereo.github.io/cas/4.2.x/installation/Troubleshooting-Guide.html
> 
> 
>
> On Tuesday, August 2, 2016 at 11:49:49 AM UTC-7, John
> Stevens II wrote:
>
> I have a problem that randomly happens, after hitting
> my service url successfully I get redirected to CAS
> login page, I login successfully and get redirected to
> my service but the service fails to load with the
> browser error "performance.example.com redirected you too
> many times." 
>
> Setup:
> 2 Active node servers behind F5 lb w/ source affinity
> shared couchbase ticket and service registry
>
> When the issue occurs in the logs the service tickets
> are created on one server and are validated on the
> other server (fails validation)
>
> CAS Server 1 (cas1.example.com ):
>
> |
> =
> WHO: user1
> WHAT: Supplied credentials: [user1]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Tue Aug 02 14:35:07 EDT 2016
> CLIENT IP ADDRESS: 192.168.0.100
> SERVER IP ADDRESS: 192.168.21.142
> =
>
> >
> 2016-08-02 14:35:07,579 INFO
> 
> [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager]
> -  =
> WHO: audit:unknown
> WHAT:
> 
> 

[cas-user] Re: Cas multiple service tickets created and multiple tickets failed validation for same user

2016-08-03 Thread Misagh Moayyed
 

Your tickets are not immediately invalidated. You have 
ST-68-YJvyjEaYZCeKhFhHxet1-cas1.example.com issued at 14:35:07. When you 
trace the corresponding validation event, you see that request is received 
at 14:35:22. 22-7=15. 15 is greater than the default 10. Ergo... 


Since your nodes are sharing the same registry instance, that node1 vs 
node2 discussion is irrelevant. As you may have observed, you will just as 
well experience the same problem with a single node without couchbase even 
involved. As I said, you need to investigate the app to figure out why it’s 
taking 10+ seconds to issue a validation event. Fix it there. If you can’t, 
you might as well live with an adjusted timeout value. 

On Wednesday, August 3, 2016 at 4:17:55 AM UTC-7, John Stevens II wrote:
>
> I agree I only increased the st ttl to see if it would fix the problem but 
> that troublesome node is not active in the load balancer, it was disabled 
> for troubleshooting.
>
> The reason I'm confused is because the default st ttl is 10 seconds 
> (correct me if I'm wrong) but my ticket is immediately invalidated, so less 
> than 10 seconds and I can't find anything relevant in the logs as to why.
>
> As for couchbase it seems to be working well outside of the issue you help 
> me solve with the connection to the buckets timing out, since I increased 
> the timeout to 60 seconds I haven't had any other problems.
>
> Any suggestions would be great and as always your help is appreciated.
>
>
> On Wednesday, August 3, 2016 at 1:22:30 AM UTC-4, Misagh Moayyed wrote:
>>
>> 1. That is a bad idea. Your nodes need to share the same configuration. 
>> While this may work for now, it will eventually break. It works now because 
>> the gods are favoring node1 to issue tickets and node2 to validate them. 
>> Whoever issues the ticket gets to decide how long it should last. 
>> 2. As the doc says, look into your app and figure out why it’s taking 20+ 
>> seconds to submit a validation event. 30-second timeouts are not unheard of 
>> though. 
>>
>> How’s couchbase working out for you? 
>>
>> On Tuesday, August 2, 2016 at 1:50:59 PM UTC-7, John Stevens II wrote:
>>>
>>> Misagh,
>>>
>>> I've looked at the docs and increased the service ticket timeout to 
>>> 30 seconds: 
>>>  st.timeToKillInSeconds=30
>>>
>>> Now I am no longer receiving the too many redirect errors and am able to 
>>> login to my service and management web application but I am confused about 
>>> something.
>>>
>>> 1. I was able to confirm that node1 is the only one having the problem 
>>> (I have all my logs set to debug) and the nodes should be the same and I 
>>> can't figure out why I need to increase the st ttl on node1 but not node2.
>>> 2. Node1 and node2 share ticket registries so I don't believe it is a 
>>> problem with that.
>>>
>>> Any insight would be helpful, Thanks for your help.
>>>
>>> On Tuesday, August 2, 2016 at 4:18:58 PM UTC-4, Misagh Moayyed wrote:

 See 
 https://apereo.github.io/cas/4.2.x/installation/Troubleshooting-Guide.html

 On Tuesday, August 2, 2016 at 11:49:49 AM UTC-7, John Stevens II wrote:
>
> I have a problem that randomly happens, after hitting my service url 
> successfully I get redirected to CAS login page, I login successfully and 
> get redirected to my service but the service fails to load with the 
> browser error "performance.example.com redirected you too many times." 
>
> Setup:
> 2 Active node servers behind F5 lb w/ source affinity
> shared couchbase ticket and service registry
>
> When the issue occurs in the logs the service tickets are created on 
> one server and are validated on the other server (fails validation)
>
> CAS Server 1 (cas1.example.com):
>
> =
> WHO: user1
> WHAT: Supplied credentials: [user1]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Tue Aug 02 14:35:07 EDT 2016
> CLIENT IP ADDRESS: 192.168.0.100
> SERVER IP ADDRESS: 192.168.21.142
> =
>
> >
> 2016-08-02 14:35:07,579 INFO 
> [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] -  trail record BEGIN
> =
> WHO: audit:unknown
> WHAT: TGT-**
> OsqfxL4sVn-cas1.example.com
> ACTION: TICKET_GRANTING_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Tue Aug 02 14:35:07 EDT 2016
> CLIENT IP ADDRESS: 192.168.0.100
> SERVER IP ADDRESS: 192.168.21.142
> =
>
> >
> 2016-08-02 14:35:07,600 INFO 
> [org.jasig.cas.CentralAuthenticationServiceImpl] -  ST-68-YJvyjEaYZCeKhFhHxet1-cas1.example.com] for service [
>