CAS proxy - can't receive PGTIOU

Dale Ogilvie Dale.Ogilvie at trimble.co.nz
Thu Nov 29 15:56:01 EST 2007


In Step 2.b shouldn't you use proxyValidate instead of serviceValidate?
That said, the walkthrough specifies serviceValidate, so maybe it's OK,
but I expect you won't get a PGTIOU unless you use proxyValidate.
 
Also, cas.zenvoo.ch must trust the certificate for the server specified
to receive the PGT https://voot.zenvoo.ch/, are you sure that the voot
cert is signed by a CA trusted on cas.zenvoo.ch?
 
Your pgtUrl looks a bit suspect, as it should be a servlet on
voot.zenvoo.ch waiting to receive the PGT...
 
________________________________

From: cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu]
On Behalf Of Dario Gallicchio
Sent: Friday, 30 November 2007 4:40 a.m.
To: cas at tp.its.yale.edu
Subject: CAS proxy - can't receive PGTIOU


 
Hello everybody,
 
I'm developing a virtual desktop system and I want to cas-ify it.
I'm trying to enable the CAS proxy mechanism, but it seems that I can't
receive any PGTIOU (nor any PGT). Referring to the Proxy CAS walkthrough
(http://www.ja-sig.org/wiki/display/CAS/Proxy+CAS+Walkthrough), I can
successfully accomplish step 1 and 2.a. Then, I repeat step 1 and
successfully generate a new ticket, but when I try step 2.b I can only
get a partial response. 
 
Here are the steps in more detail:
 

*	Step 1 

	*	URL https://cas.zenvoo.ch:8443/cas/login?http://www.zenvoo.ch 
	*	Received ticket ST-15-M2JUs3V7pVubJMOt7RC

*	Step 2.b  

	*	URL: https://cas.zenvoo.ch:8443/cas/serviceValidate?ticket=ST-15-M2JUs3V7pVubJMOt7RCb&service=http://www.zenvoo.ch&pgtUrl=https://voot.zenvoo.ch/help.php, where voot.zenvoo.ch is a server with a correct certificate.
	*	Received XML:

		<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
		 <cas:authenticationSuccess>
		  <cas:user>dariog</cas:user>

		 </cas:authenticationSuccess>
		</cas:serviceResponse>

		As you can see, PGTIOU is missing. 

	*	The CAS server log file gives me the following error:

	2007-11-29 15:25:18,731 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler failed to authenticate the user which provided the following credentials: https://voot.zenvoo.ch/help.php>
	2007-11-29 15:25:18,731 ERROR [org.jasig.cas.web.ServiceValidateController] - <TicketException generating ticket for: https://voot.zenvoo.ch/help.php>
	org.jasig.cas.ticket.TicketCreationException: error.authentication.credentials.bad
	        at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:271)
	        at org.jasig.cas.web.ServiceValidateController.handleRequestInternal(ServiceValidateController.java:125)
	        at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)
	        at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)
	        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:857)
	        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:792)
	        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:475)
	        at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:430)
	        at javax.servlet.http.HttpServlet.service(Unknown Source)
	        at javax.servlet.http.HttpServlet.service(Unknown Source)
	        at org.jasig.cas.web.init.SafeDispatcherServlet.service(SafeDispatcherServlet.java:115)
	        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
	        at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
	        at org.apache.catalina.core.StandardWrapperValve.invoke(Unknown Source)
	        at org.apache.catalina.core.StandardContextValve.invoke(Unknown Source)
	        at org.apache.catalina.core.StandardHostValve.invoke(Unknown Source)
	        at org.apache.catalina.valves.ErrorReportValve.invoke(Unknown Source)
	        at org.apache.catalina.core.StandardEngineValve.invoke(Unknown Source)
	        at org.apache.catalina.connector.CoyoteAdapter.service(Unknown Source)
	        at org.apache.coyote.http11.Http11Processor.process(Unknown Source)
	        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Unknown Source)
	        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(Unknown Source)
	        at java.lang.Thread.run(Thread.java:595)
	Caused by: error.authentication.credentials.bad
	        at org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException.<clinit>(BadCredentialsAuthenticationException.java:25)
	        at org.jasig.cas.authentication.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:108)
	        at org.jasig.cas.CentralAuthenticationServiceImpl.delegateTicketGrantingTicket(CentralAuthenticationServiceImpl.java:242)
	        ... 22 more
	

	
	Seemingly, we've got a credential problem here, but I've dug a
little into the CAS server source code and found that
HttpBasedServiceCredentialsAuthenticationHandler.authenticate() calls
HttpClient.isValidEndPoint( url ), which at the end of the day creates an
HttpURLConnection object and calls its connect() method. I did the same
in a little test servlet, and I can successfully connect to the url
https://voot.zenvoo.ch/help.php. So my certificate should be ok. Yet, I
can't make it work in the Proxy mechanism.
	Could anybody help me?
	

	
	Thanks in advance
	 
	Dario Gallicchio
	Zenvoo team
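
Added example, not part of either message and not CAS project code: a Python sketch of the client side discussed above, an endpoint at the pgtUrl that receives the PGT, plus a check of the validation response for the PGTIOU. The pgtId/pgtIou callback parameters and the cas:proxyGrantingTicket element follow the CAS 2.0 protocol; PgtStore, parse_validation, the callback URL and the ticket values are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

class PgtStore:
    """Hypothetical in-memory store behind the pgtUrl endpoint."""
    def __init__(self):
        self._pgt_by_iou = {}

    def handle_callback(self, request_url):
        """Handle one GET from the CAS server; return the HTTP status to send."""
        query = parse_qs(urlsplit(request_url).query)
        iou, pgt = query.get("pgtIou"), query.get("pgtId")
        if iou and pgt:
            self._pgt_by_iou[iou[0]] = pgt[0]
        # Requests without both parameters store nothing but still get 200,
        # so a plain reachability check of the endpoint succeeds.
        return 200

    def claim(self, iou):
        """Exchange a PGTIOU from the validation response for its PGT, once."""
        return self._pgt_by_iou.pop(iou, None)

def parse_validation(xml_text):
    """Return (user, pgtiou); pgtiou is None when CAS issued no PGT."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return None, None
    user = success.findtext("cas:user", namespaces=CAS_NS)
    iou = success.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS)
    return user, (iou.strip() if iou else None)

# Response body as quoted in the post: authentication succeeded, no PGTIOU.
RESPONSE_FROM_POST = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
 <cas:authenticationSuccess><cas:user>dariog</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
# Constructed response and callback request showing the working case.
RESPONSE_WITH_IOU = RESPONSE_FROM_POST.replace(
    "</cas:user>",
    "</cas:user><cas:proxyGrantingTicket>PGTIOU-1-constructed</cas:proxyGrantingTicket>")
CALLBACK = "https://app.example.org/pgtCallback?pgtIou=PGTIOU-1-constructed&pgtId=PGT-1-constructed"
if __name__ == "__main__":
    store = PgtStore()
    store.handle_callback(CALLBACK)
    for body in (RESPONSE_FROM_POST, RESPONSE_WITH_IOU):
        user, iou = parse_validation(body)
        print(user, iou, store.claim(iou) if iou else "no PGTIOU: check pgtUrl and its certificate")
```
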
	
	 
	 

 
 
 