RemoteUserAuthHandler (CAS) wedged

Baron Fujimoto baron at hawaii.edu
Wed May 14 16:38:00 EDT 2014


Bueller?

On Wed, May 07, 2014 at 10:29:37AM -1000, Baron Fujimoto wrote:
>We have our IdP configured to authenticate via the RemoteUserAuthHandler
>with CAS. We recently encountered a situation where the RemoteUser/CAS
>handler seemed to wedge or go permanently out to lunch (those are the
>technical terms, right?).
>
>It appears CAS was behaving correctly. When I took the suspect IdP host
>out of service and a failover host took over, service resumed as expected.
>Reviewing logs, I find the following:
>
>######
>CAS:
>
>2014-05-07 03:26:59,884 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1044245-1GMdZ1PhU6id3JaHf2IU-cas] for service [https://idp.hawaii.edu/idp/Authn/RemoteUser] for user [userFOO]
>2014-05-07 03:26:59,884 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
>=============================================================
>WHO: userFOO
>WHAT: ST-1044245-1GMdZ1PhU6id3JaHf2IU-cas for https://idp.hawaii.edu/idp/Authn/RemoteUser
>ACTION: SERVICE_TICKET_CREATED
>APPLICATION: CAS
>WHEN: Wed May 07 03:26:59 HST 2014
>CLIENT IP ADDRESS: 10.10.10.183
>SERVER IP ADDRESS: 10.10.10.31
>=============================================================
>
>IdP's tomcat:
>
>May 7, 2014 3:27:00 AM org.apache.catalina.core.StandardWrapperValve invoke
>SEVERE: Servlet.service() for servlet RemoteUserAuthHandler threw exception
>org.jasig.cas.client.validation.TicketValidationException:
>                ticket 'ST-1044245-1GMdZ1PhU6id3JaHf2IU-cas' not recognized
>        [...]
>######
>
>Every subsequent authentication attempt by the IdP generated a similar
>pair. I haven't found any other forensic evidence yet though. A review
>of previous logs shows this sort of thing happens occasionally, but not
>to the point where it fails consistently like this.
>
>Any ideas on what might have happened or suggestions for further
>troubleshooting?
>
>IdP: 2.4.0
>CAS client: 3.2.1
>
>Aloha,
>-baron
>-- 
>Baron Fujimoto <baron at hawaii.edu> :: UH Information Technology Services
>minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
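
An added example, not part of the original post: a small Python correlator that pairs each IdP "not recognized" exception with the CAS grant record for the same ticket, showing whether a rejected ticket was actually issued and how soon after issuance it was rejected. The second ticket in the sample Tomcat log is constructed, and both logs are assumed to share one clock and timezone.

```python
import re
from datetime import datetime

# Sample input modelled on the two excerpts in the post. The first ticket is the one
# quoted on the page; the 'NEVERISSUED' ticket is a constructed placeholder.
CAS_LOG = """\
2014-05-07 03:26:59,884 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-1044245-1GMdZ1PhU6id3JaHf2IU-cas] for service [https://idp.hawaii.edu/idp/Authn/RemoteUser] for user [userFOO]
"""
TOMCAT_LOG = """\
May 7, 2014 3:27:00 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet RemoteUserAuthHandler threw exception
org.jasig.cas.client.validation.TicketValidationException:
                ticket 'ST-1044245-1GMdZ1PhU6id3JaHf2IU-cas' not recognized
May 7, 2014 3:30:00 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet RemoteUserAuthHandler threw exception
org.jasig.cas.client.validation.TicketValidationException:
                ticket 'ST-9999999-NEVERISSUEDNEVERISSUED-cas' not recognized
"""

GRANT = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ .*Granted service ticket "
                   r"\[(ST-[^\]]+)\] for service \[[^\]]+\] for user \[([^\]]+)\]", re.M)
STAMP = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d\d:\d\d [AP]M) ")
REJECT = re.compile(r"ticket '(ST-[^']+)' not recognized")

def cas_grants(text):
    """Map ticket id -> (grant time, user) from the CAS log (milliseconds dropped)."""
    return {m[2]: (datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), m[3])
            for m in GRANT.finditer(text)}

def idp_rejections(text):
    """Yield (time, ticket) per 'not recognized' line, using the last Tomcat timestamp seen."""
    when = None
    for line in text.splitlines():
        if (m := STAMP.match(line)):
            when = datetime.strptime(m[1], "%b %d, %Y %I:%M:%S %p")
        elif (m := REJECT.search(line)) and when:
            yield when, m[1]

def correlate(cas_text, tomcat_text):
    """For each rejected ticket: did CAS issue it, to whom, and how many seconds earlier?"""
    grants = cas_grants(cas_text)
    rows = []
    for when, ticket in idp_rejections(tomcat_text):
        issued, user = grants.get(ticket, (None, None))
        delay = (when - issued).total_seconds() if issued else None
        rows.append({"ticket": ticket, "user": user, "issued_by_cas": issued is not None, "delay_s": delay})
    return rows
```

Run over the full logs from both hosts, the `delay_s` and `issued_by_cas` columns give a per-ticket view of the "similar pair" pattern the post describes.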