RemoteUserAuthHandler (CAS) wedged

Baron Fujimoto baron at hawaii.edu
Wed May 7 16:29:37 EDT 2014


We have our IdP configured to authenticate via the RemoteUserAuthHandler
with CAS. We recently encountered a situation where the RemoteUser/CAS
handler seemed to wedge or go permanently out to lunch (those are the
technical terms, right?).

It appears CAS was behaving correctly. When I took the suspect IdP host
out of service and a failover host took over, service resumed as expected.
Reviewing logs, I find the following:

######
CAS:

2014-05-07 03:26:59,884 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1044245-1GMdZ1PhU6id3JaHf2IU-cas] for service [https://idp.hawaii.edu/idp/Authn/RemoteUser] for user [userFOO]
2014-05-07 03:26:59,884 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: userFOO
WHAT: ST-1044245-1GMdZ1PhU6id3JaHf2IU-cas for https://idp.hawaii.edu/idp/Authn/RemoteUser
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Wed May 07 03:26:59 HST 2014
CLIENT IP ADDRESS: 10.10.10.183
SERVER IP ADDRESS: 10.10.10.31
=============================================================

IdP's tomcat:

May 7, 2014 3:27:00 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet RemoteUserAuthHandler threw exception
org.jasig.cas.client.validation.TicketValidationException:
                ticket 'ST-1044245-1GMdZ1PhU6id3JaHf2IU-cas' not recognized
        [...]
######

Every subsequent authentication attempt by the IdP generated a similar
pair. I haven't found any other forensic evidence yet though. A review
of previous logs shows this sort of thing happens occasionally, but not
to the point where it fails consistently like this.

Any ideas on what might have happened or suggestions for further
troubleshooting?

IdP: 2.4.0
CAS client: 3.2.1

Aloha,
-baron
-- 
Baron Fujimoto <baron at hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
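
The grant/exception pairing described in the message above can be checked across whole log files. The following is an added example, not part of the original post and not code from CAS or the IdP: it joins the two logs on ticket id, reports the delay between grant and rejection, and measures the longest run of consecutive grants that were all rejected, which separates occasional failures from a wedged handler. The name `correlate`, every sample line other than the first grant/rejection pair, and the assumption that both logs share a time zone belong to this example.

```python
import re
from datetime import datetime

# Patterns follow the two log formats quoted in the message above.
GRANT = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ INFO \[org\.jasig\.cas\."
                   r"CentralAuthenticationServiceImpl\] - Granted service ticket "
                   r"\[(ST-[^\]]+)\] for service \[[^\]]+\] for user \[([^\]]+)\]")
JULI_HEADER = re.compile(r"^([A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d\d:\d\d [AP]M) ")
REJECTED = re.compile(r"ticket '(ST-[^']+)' not recognized")

def correlate(cas_lines, tomcat_lines):
    """Join both logs on ticket id; report grant-to-rejection delays and the
    longest run of consecutive grants that were all rejected."""
    grants = []                          # (grant time, ticket, user)
    for line in cas_lines:
        if m := GRANT.match(line):
            grants.append((datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), m[2], m[3]))
    rejected, stamp = {}, None           # ticket -> rejection time
    for line in tomcat_lines:
        if h := JULI_HEADER.match(line):  # timestamp sits on the record's header line
            stamp = datetime.strptime(h[1], "%b %d, %Y %I:%M:%S %p")
        if (r := REJECTED.search(line)) and stamp:  # ticket id is on a later line
            rejected.setdefault(r[1], stamp)
    rows, streak, longest = [], 0, 0
    for when, ticket, user in sorted(grants):
        if ticket in rejected:
            rows.append((ticket, user, (rejected[ticket] - when).total_seconds()))
            streak += 1
            longest = max(longest, streak)
        else:
            streak = 0                   # a grant with no rejection breaks the run
    unknown = sorted(set(rejected) - {t for _, t, _ in grants})  # never granted here
    return {"rejected": rows, "unknown": unknown, "longest_streak": longest}

# Constructed sample: only the userFOO grant/rejection pair is from the message.
CAS_LOG = """\
2014-05-07 03:20:11,102 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1044101-CONSTRUCTED1-cas] for service [https://idp.hawaii.edu/idp/Authn/RemoteUser] for user [userBAR]
2014-05-07 03:26:59,884 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1044245-1GMdZ1PhU6id3JaHf2IU-cas] for service [https://idp.hawaii.edu/idp/Authn/RemoteUser] for user [userFOO]
2014-05-07 03:27:30,500 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1044246-CONSTRUCTED2-cas] for service [https://idp.hawaii.edu/idp/Authn/RemoteUser] for user [userBAZ]""".splitlines()
TOMCAT_LOG = """\
May 7, 2014 3:27:00 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet RemoteUserAuthHandler threw exception
org.jasig.cas.client.validation.TicketValidationException:
                ticket 'ST-1044245-1GMdZ1PhU6id3JaHf2IU-cas' not recognized
May 7, 2014 3:27:31 AM org.apache.catalina.core.StandardWrapperValve invoke
org.jasig.cas.client.validation.TicketValidationException:
                ticket 'ST-1044246-CONSTRUCTED2-cas' not recognized""".splitlines()
```

Each entry in `rejected` is `(ticket, user, delay in seconds)`; tickets listed under `unknown` were rejected by the IdP but have no matching grant in the CAS log that was supplied.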