Sk S
Reputation: 11
CAS ticket validation always fails
I installed CAS 4.1 successfully and configured it to use Active Directory as backend authentication. Now the problem is, that each time I try to validate a ticket CAS server complains about the ticket has expired. The steps i've been doing to get and validate a ticket are as follow:
- call https://sso.domain.net/cas/login?service=https://myservice.domain.net
- I get a ticket such ST-2-NLOngMHayTl3uCLKn91T-sso.domain.net
- Call validation service https://sso.domain.net/serviceValidate?ticket=ST-3-zrjAFf1UU95NdzGmCibv-sso.domain.net&service=https://myservice.domain.net
And I get the following response:
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
<script/>
<cas:authenticationFailure code="INVALID_TICKET">
Ticket 'ST-3-zrjAFf1UU95NdzGmCibv-sso.domain.net' not recognized
</cas:authenticationFailure>
</cas:serviceResponse>
Ticket granting log shows
2015-12-18 15:28:53,505 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted ticket [ST-3-zrjAFf1UU95NdzGmCibv-sso.domain.net] for service [https://e.domain.net/] for user [castest]>
2015-12-18 15:28:53,506 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
Dec 18 15:28:53 mk-jas-cas-01 server[24501]: =============================================================
Dec 18 15:28:53 mk-jas-cas-01 server[24501]: WHO: castest
Dec 18 15:28:53 mk-jas-cas-01 server[24501]: WHAT: ST-3-zrjAFf1UU95NdzGmCibv-sso.domain.net for https://e.domain.net/
Dec 18 15:28:53 mk-jas-cas-01 server[24501]: ACTION: SERVICE_TICKET_CREATED
Dec 18 15:28:53 mk-jas-cas-01 server[24501]: APPLICATION: CAS
Dec 18 15:28:53 mk-jas-cas-01 server[24501]: WHEN: Fri Dec 18 15:28:53 AST 2015
Dec 18 15:28:53 mk-jas-cas-01 server[24501]: CLIENT IP ADDRESS: 10.100.25.89
Dec 18 15:28:53 mk-jas-cas-01 server[24501]: SERVER IP ADDRESS: 10.10.12.120
Dec 18 15:28:53 mk-jas-cas-01 server[24501]: =============================================================
The validation log shows
2015-12-18 15:29:05,633 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <ServiceTicket [ST-3-zrjAFf1UU95NdzGmCibv-sso.domain.net] has expired.>
Dec 18 15:29:05 mk-jas-cas-01 server[24501]: 2015-12-18 15:29:05,635 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
Dec 18 15:29:05 mk-jas-cas-01 server[24501]: =============================================================
Dec 18 15:29:05 mk-jas-cas-01 server[24501]: WHO: audit:unknown
Dec 18 15:29:05 mk-jas-cas-01 server[24501]: WHAT: ST-3-zrjAFf1UU95NdzGmCibv-sso.domain.net
Dec 18 15:29:05 mk-jas-cas-01 server[24501]: ACTION: SERVICE_TICKET_VALIDATE_FAILED
Dec 18 15:29:05 mk-jas-cas-01 server[24501]: APPLICATION: CAS
Dec 18 15:29:05 mk-jas-cas-01 server[24501]: WHEN: Fri Dec 18 15:29:05 AST 2015
Dec 18 15:29:05 mk-jas-cas-01 server[24501]: CLIENT IP ADDRESS: 10.100.25.89
Dec 18 15:29:05 mk-jas-cas-01 server[24501]: SERVER IP ADDRESS: 10.10.12.120
Dec 18 15:29:05 mk-jas-cas-01 server[24501]:=============================================================
I used the same ticketExpirationPolicy.xml from this StackOverflow entry and I got the same result, I tried also changing to no expiration at all but get the same result My current ticketExpirationPolicy.xml file:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c" xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util.xsd">
<bean id="serviceTicketExpirationPolicy" class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy">
<!-- This argument is the number of times that a ticket can be used before its considered expired. -->
<constructor-arg
index="0"
value="1" />
<!-- This argument is the time a ticket can exist before its considered expired. -->
<constructor-arg
index="1"
value="10000" />
</bean>
<bean id="grantingTicketExpirationPolicy" class="org.jasig.cas.ticket.support.NeverExpiresExpirationPolicy" />
</beans>
A side question: where and how do I define a service to act as a proxy?!
Upvotes: 0
Views: 3687
Answers (1)
Sk S
Reputation: 11
Well, I fixed it by increasing the second constructor argument from 10000 to 100000
<!-- This argument is the time a ticket can exist before its considered expired. -->
<constructor-arg
index="1"
value="100000" />
Upvotes: 1
Related Questions
- not recognized cas ticket
- CAS service ticket validate failed
- How to read CAS ticket validation XML using spring security?
- Can't make CAS Single Sign Out work with Spring Security
- Retrieve CAS ticket after login
- CAS 4 with Spring Security 4 (java config) - stuck in a redirect loop after ticket granted SSO
- Error on CAS redirect when ticket is SERVICE_TICKET_CREATED
- ServiceValidateController [ERROR] TicketException generating ticket for
- Spring Security and CAS
- Spring and CAS using Proxy Tickets