Redirection (?) loop of "Granting service ticket"

Giuseppe Sollazzo-2

Redirection (?) loop of "Granting service ticket"

Hi all,
I'm still trying to deal with this issue: when I try to authenticate
over CAS via moodle, I get a sequence of (incrementally numbered)
"Granting service tickets" that lead to nowhere (infinite loop on
Explorer) or to a "Redirect loop" error on Firefox.

Has anyone any idea of where this originates? I've read somewhere that
it could depend on the self-signed certificate I'm currently using for
testing, but found no hint about this on the wiki.

Any help would be highly appreciated!

Thanks,
Giuseppe

--
Giuseppe Sollazzo
Systems Developer / Administrator

Computing Services
St. George's, University of London


--
You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Diego Benedicto

Re: Redirection (?) loop of "Granting service ticket"

Hi,

I had the same problem CASifying Wordpress and Dokuwiki with phpCAS 1.0.1, but using phpCAS 1.0.0 it works perfectly.

Which phpCAS version are you using?





Giuseppe Sollazzo-2

Re: Redirection (?) loop of "Granting service ticket"

Hi Diego,
interesting question - I'm actually not sure as I think it came with
CAS? How can I check it?

My setup was:
1) install moodle
2) install tomcat
3) deploy the CAS webapp


Thanks,
Giuseppe

Diego Benedicto

Re: Redirection (?) loop of "Granting service ticket"

phpCAS downloads are in http://www.ja-sig.org/downloads/cas-clients/php/

You have a phpCAS configured in Moodle to CASify it, right?
So, you can try it with phpCAS 1.0.0 to check if your problem remains...


Giuseppe Sollazzo-2

Re: Redirection (?) loop of "Granting service ticket"

Ok - as you said I verified I was running phpCAS 1.0.1. Changed it to
phpCAS 1.0.0 and what I got is a new error:


phpCAS error: phpCAS::checkAuthentication(): one of the methods
phpCAS::setCasServerCert(), phpCAS::setCasServerCACert() or
phpCAS::setNoCasServerValidation() must be called. in
/www/moodle/auth/cas/auth.php on line 111


The output of the CAS server looks "normal", in a way:

2009-10-19 12:03:38,323 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
<AuthenticationHandler:
org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler successfully
authenticated the user which provided the following credentials:
[username: user]>
2009-10-19 12:03:38,328 INFO
[org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service
ticket [ST-1-s0gQhWMEptjvmuXN0Igy-cas] for service
[https://myserver/devmoodle/login/index.php] for user [user]>

Line 111 of auth.php is simply the check on authentication method:
         if (phpCAS::checkAuthentication()) {
                $frm->username=phpCAS::getUser();
//              if (phpCAS::getUser()=='esup9992')
//                      $frm->username='erhar0062';
                $frm->password="passwdCas";
                return;
         }


I wonder here if there's some issue with my certificate. Any idea?

Thanks a lot for any help!

Giuseppe


Ryan Fox

Re: Redirection (?) loop of "Granting service ticket"

In reply to this post by Giuseppe Sollazzo-2

----- "Giuseppe Sollazzo" <[hidden email]> wrote:

> Ok - as you said I verified I was running phpCAS 1.0.1. Changed it to
>
> phpCAS 1.0.0 and what I got is a new error:
>
>
> phpCAS error: phpCAS::checkAuthentication(): one of the methods
> phpCAS::setCasServerCert(), phpCAS::setCasServerCACert() or
> phpCAS::setNoCasServerValidation() must be called. in
> /www/moodle/auth/cas/auth.php on line 111


The user's interaction with the cas server was successful.  The problem is between the phpCAS client and CAS, when phpCAS is trying to verify the service ticket the user presented.

Specifically, phpCAS wants you to either call phpCAS::setCasServerCert() to give it a certificate which it should validate against the cert presented by the CAS server; or, call phpCAS::setNoCasServerValidation() to not do that check.  It's a much better idea to have the cas client check the cert properly.

Ryan


Giuseppe Sollazzo-2

Re: Redirection (?) loop of "Granting service ticket"

Ryan Fox wrote:
>  
> The user's interaction with the cas server was successful.  The problem is between the phpCAS client and CAS, when phpCAS is trying to verify the service ticket the user presented.
>
> Specifically, phpCAS wants you to either call phpCAS::setCasServerCert() to give it a certificate which it should validate against the cert presented by the CAS server; or, call phpCAS::setNoCasServerValidation() to not do that check.  It's a much better idea to have the cas client check the cert properly.
>
> Ryan
>
>  
Uhm... this is something obscure to me so sorry if I ask more details.
What do you mean when you say "phpCAS wants you to call ..."? I guess
it's moodle that should call one of these functions, or does the
implementation of CAS into moodle pass through writing code? "What must
be called by who, and where?" :-)
Or is it maybe a configuration issue? Do I have to activate the
certificate check somewhere?

No tutorial mentioned this, so I guess there's something wrong about
this function call but can't tell what...

Thanks,
Giuseppe

Marvin Addison

Re: Redirection (?) loop of "Granting service ticket"

> Or is it maybe a configuration issue? Do I have to activate the certificate
> check somewhere?

Yes.  Hopefully someone with Moodle experience can chime in here -- I
didn't even realize Moodle used phpCAS.  Once you find the right place
in Moodle to configure the phpCAS client,
http://www.ja-sig.org/wiki/display/CASC/phpCAS+examples give examples
of both disabling the cert check (not recommended) and enabling an
explicit trust check.

M

Giuseppe Sollazzo-2

Re: Redirection (?) loop of "Granting service ticket"

Hi Marvin,
I gave a look at the phpCAS examples and it's funny.

The phpCAS methods have no explicit call of any of the certificate
dealing functions.

So I just added a

phpCAS::setNoCasServerValidation();

immediately before the call to:
if (phpCAS::checkAuthentication()) {
                $frm->username=phpCAS::getUser();
//              if (phpCAS::getUser()=='esup9992')
//                      $frm->username='erhar0062';
                $frm->password="passwdCas";
                return;
         }

What happens is:
- without the call to setNoCasServerValidation(), I get the error

phpCAS error: phpCAS::checkAuthentication(): one of the methods
phpCAS::setCasServerCert(), phpCAS::setCasServerCACert() or
phpCAS::setNoCasServerValidation() must be called. in
/www/moodle/auth/cas/auth.php on line 111


- with the call, the browser seems to take an eternity to check it and
either stays in "waiting for
https://moodle.myserver.../devmoodle/login/index.php" or - after over
4-5 minutes - "CAS Authentication failed" (despite seeing from the logs that

2009-10-20 10:14:57,978 INFO
[org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service
ticket [ST-3-MzeLUrYcohZvMaBLBbny-cas] for service
[https://moodle.myserver.../devmoodle/login/index.php] for user [user]>

2009-10-20 10:15:08,169 INFO
[org.jasig.cas.services.DefaultServicesManagerImpl] - <Reloading
registered services.>
2009-10-20 10:15:08,169 INFO
[org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 0 services.>
 
I start being really puzzled -_-

Giuseppe

Marvin Addison

Re: Redirection (?) loop of "Granting service ticket"

> - with the call, the browser seems to take the eternity to check it and
> either stays in "waiting for
> https://moodle.myserver.../devmoodle/login/index.php" or - after over 4-5
> minutes - "CAS Authentication failed" (despite seeing from the logs that
>
> 2009-10-20 10:14:57,978 INFO
> [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket
> [ST-3-MzeLUrYcohZvMaBLBbny-cas] for service
> [https://moodle.myserver.../devmoodle/login/index.php] for user [user]>

This is a very common scenario.  The CAS logs merely mention that the
service ticket has been granted and a redirect sent to the requesting
service; the client has yet to validate it.  It sounds like a
connection timeout from Moodle to CAS.  If you don't see an entry for
the connection from Moodle to the CAS server in the CAS server-side
Tomcat access logs, I would think that would confirm some sort of
connection problem.

I believe it would be helpful to enable debugging in the phpCAS client
to get more information on the cause of failure:

phpCAS::setDebug();

That creates a /tmp/phpCAS.log file on Unix that contains an execution
trace that should help identify problems.  Post excerpts from that log
if you continue to have trouble.  (You can provide a path argument if
you want the logs going somewhere else.)

M

Giuseppe Sollazzo-2

Re: Redirection (?) loop of "Granting service ticket"

Hi Marvin,
thanks for your support!

Actually, I had already tried with the setDebug directive. I entered it
into auth.php at the following point (as shown on the examples)

        $this->connectCAS();

        // initialize phpCAS debug
        phpCAS::setDebug();
        // no SSL validation for the CAS server
        // phpCAS::setNoCasServerValidation();

        if (isset($_REQUEST['logout'])) {
            phpCAS::logout();
        }
        if (isset($_REQUEST['login'])) {
            phpCAS::forceAuthentication();
        }


         if (phpCAS::checkAuthentication()) {
                $frm->username=phpCAS::getUser();
...

No matter if I have the setNoCasServerValidation directive or not
(getting the usual error "one of the methods... must be called") I can't
get anything into the logs. /tmp/phpCAS.log is empty (access rights
verified), and even trying passing a file name to
setDebug($filename='/mydir/logfile') returns nothing.

Am I in need of exorcism or can anyone help me find an explanation to
this? :-)

Giuseppe

Giuseppe Sollazzo-2

Re: Redirection (?) loop of "Granting service ticket"

Giuseppe Sollazzo wrote:
>
> No matter if I have the setNoCasServerValidation directive or not
> (getting the usual error "one of the methods... must be called") I
> can't get anything into the logs. /tmp/phpCAS.log is empty (access
> rights verified), and even trying passing a file name to
> setDebug($filename='/mydir/logfile') returns nothing.
What I meant is that phpCAS.log (or logfile) is not created at all, not
that it's empty.

Giuseppe Sollazzo-2

Re: Redirection (?) loop of "Granting service ticket"

In reply to this post by Marvin Addison

Hi Marvin and hi all!

Ok - I managed to get the phpCAS logs to work. What happens here I think is that the ticket is not valid - but I don't know why. In this scenario I have a "setNoCasServerValidation". For the moment I think this is the easiest scenario I can create. This is the log:

4306 .START ****************** [CAS.php:414]
4306 .=> phpCAS::setNoCasServerValidation() [auth.php:152]
4306 .<= ''
4306 .=> phpCAS::checkAuthentication() [auth.php:165]
4306 .|    => CASClient::checkAuthentication() [CAS.php:885]
4306 .|    |    => CASClient::isAuthenticated() [client.php:738]
4306 .|    |    |    => CASClient::wasPreviouslyAuthenticated() [client.php:797]
4306 .|    |    |    |    no user found [client.php:909]
4306 .|    |    |    <= false
4306 .|    |    |    PT `ST-1-2jUZQ9YulTTTMWCwUZdL-cas' is present [client.php:819]
4306 .|    |    |    => CASClient::validatePT('', NULL, NULL) [client.php:820]
4306 .|    |    |    |    => CASClient::getURL() [client.php:396]
4306 .|    |    |    |    <= 'https://moodleserver/devmoodle/login/index.php'
4306 .|    |    |    |    => CASClient::readURL('https://tomtomserver:8443/cas-server-webapp-3.3.4/proxyValidate?service=https%3A%2F%2Fmoodleserver%2Fdevmoodle%2Flogin%2Findex.php&ticket=ST-1-2jUZQ9YulTTTMWCwUZdL-cas', '', NULL, NULL, NULL) [client.php:2104]
4306 .|    |    |    |    |    curl_exec() failed [client.php:1867]
4306 .|    |    |    |    <= false
4306 .|    |    |    |    could not open URL 'https://tomtomserver:8443/cas-server-webapp-3.3.4/proxyValidate?service=https%3A%2F%2Fmoodleserver%2Fdevmoodle%2Flogin%2Findex.php&ticket=ST-1-2jUZQ9YulTTTMWCwUZdL-cas' to validate (CURL error #7: couldn't connect to host) [client.php:2105]
4306 .|    |    |    |    => CASClient::authError('PT not validated', 'https://tomtomserver:8443/cas-server-webapp-3.3.4/proxyValidate?service=https%3A%2F%2Fmoodleserver%2Fdevmoodle%2Flogin%2Findex.php&ticket=ST-1-2jUZQ9YulTTTMWCwUZdL-cas', true) [client.php:2108]
4306 .|    |    |    |    |    => CASClient::getURL() [client.php:2289]
4306 .|    |    |    |    |    <= 'https://moodleserver/devmoodle/login/index.php'
4306 .|    |    |    |    |    CAS URL: https://tomtomserver:8443/cas-server-webapp-3.3.4/proxyValidate?service=https%3A%2F%2Fmoodleserver%2Fdevmoodle%2Flogin%2Findex.php&ticket=ST-1-2jUZQ9YulTTTMWCwUZdL-cas [client.php:2290]
4306 .|    |    |    |    |    Authentication failure: PT not validated [client.php:2291]
4306 .|    |    |    |    |    Reason: no response from the CAS server [client.php:2293]
4306 .|    |    |    |    |    exit()
4306 .|    |    |    |    |    -
4306 .|    |    |    |    -
4306 .|    |    |    -
4306 .|    |    -
4306 .|    -

What I see here is a series of not really clear messages.
For example, curl_exec fails with a "couldn't connect to host" message. However, if I cut and paste the url, including the ticket, I actually get an error message - but related to the ticket itself rather than to the server:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
	<cas:authenticationFailure code='INVALID_TICKET'>
		ticket &#039;ST-1-2jUZQ9YulTTTMWCwUZdL-cas&#039; not recognized
</cas:authenticationFailure>
</cas:serviceResponse>

Yale? :-) Is this maybe the problem? Does it try to validate the ticket using the yale server? (But if so, where is this specified?)

Moreover, it's not completely clear to me why " PT `ST-1-2jUZQ9YulTTTMWCwUZdL-cas' is present"

Any help is greatly appreciated. I think I'm getting to the point with your help, so thanks a lot!

Giuseppe

Giuseppe Sollazzo-2

Authentication failure: PT not validated ("no response from the CAS server")

In reply to this post by Marvin Addison
Hi all
I was just wondering if anyone had any hint on this problem - logs are helpful but I guess I'm missing something.

What happens here I think is that the ticket is not valid - but I don't know why. In this scenario I have "setNoCasServerValidation". Here's the log, questions following:

4306 .START ****************** [CAS.php:414]
4306 .=> phpCAS::setNoCasServerValidation() [auth.php:152]
4306 .<= ''
4306 .=> phpCAS::checkAuthentication() [auth.php:165]
4306 .|    => CASClient::checkAuthentication() [CAS.php:885]
4306 .|    |    => CASClient::isAuthenticated() [client.php:738]
4306 .|    |    |    => CASClient::wasPreviouslyAuthenticated() [client.php:797]
4306 .|    |    |    |    no user found [client.php:909]
4306 .|    |    |    <= false
4306 .|    |    |    PT `ST-1-2jUZQ9YulTTTMWCwUZdL-cas' is present [client.php:819]
4306 .|    |    |    => CASClient::validatePT('', NULL, NULL) [client.php:820]
4306 .|    |    |    |    => CASClient::getURL() [client.php:396]
4306 .|    |    |    |    <= 'https://moodleserver/devmoodle/login/index.php'
4306 .|    |    |    |    => CASClient::readURL('https://tomtomserver:8443/cas-server-webapp-3.3.4/proxyValidate?service=https%3A%2F%2Fmoodleserver%2Fdevmoodle%2Flogin%2Findex.php&ticket=ST-1-2jUZQ9YulTTTMWCwUZdL-cas', '', NULL, NULL, NULL) [client.php:2104]
4306 .|    |    |    |    |    curl_exec() failed [client.php:1867]
4306 .|    |    |    |    <= false
4306 .|    |    |    |    could not open URL 'https://tomtomserver:8443/cas-server-webapp-3.3.4/proxyValidate?service=https%3A%2F%2Fmoodleserver%2Fdevmoodle%2Flogin%2Findex.php&ticket=ST-1-2jUZQ9YulTTTMWCwUZdL-cas' to validate (CURL error #7: couldn't connect to host) [client.php:2105]
4306 .|    |    |    |    => CASClient::authError('PT not validated', 'https://tomtomserver:8443/cas-server-webapp-3.3.4/proxyValidate?service=https%3A%2F%2Fmoodleserver%2Fdevmoodle%2Flogin%2Findex.php&ticket=ST-1-2jUZQ9YulTTTMWCwUZdL-cas', true) [client.php:2108]
4306 .|    |    |    |    |    => CASClient::getURL() [client.php:2289]
4306 .|    |    |    |    |    <= 'https://moodleserver/devmoodle/login/index.php'
4306 .|    |    |    |    |    CAS URL: https://tomtomserver:8443/cas-server-webapp-3.3.4/proxyValidate?service=https%3A%2F%2Fmoodleserver%2Fdevmoodle%2Flogin%2Findex.php&ticket=ST-1-2jUZQ9YulTTTMWCwUZdL-cas [client.php:2290]
4306 .|    |    |    |    |    Authentication failure: PT not validated [client.php:2291]
4306 .|    |    |    |    |    Reason: no response from the CAS server [client.php:2293]
4306 .|    |    |    |    |    exit()
4306 .|    |    |    |    |    -
4306 .|    |    |    |    -
4306 .|    |    |    -
4306 .|    |    -
4306 .|    -

What I see here is a series of not really clear messages.
For example, curl_exec fails with a "couldn't connect to host" message. However, if I cut and paste the url, including the ticket, I actually get an error message - but related to the ticket itself rather than to the server:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
	<cas:authenticationFailure code='INVALID_TICKET'>
		ticket &#039;ST-1-2jUZQ9YulTTTMWCwUZdL-cas&#039; not recognized
</cas:authenticationFailure>
</cas:serviceResponse>

Yale? :-) Is this maybe the problem? Maybe it's just the namespace definition, but I wonder if it actually does try to validate the ticket using the yale server? (But if so, where is this specified?)

Moreover, it's not completely clear to me why " PT `ST-1-2jUZQ9YulTTTMWCwUZdL-cas' is present"

Any help is greatly appreciated. I think I'm getting to the point with your help, so thanks a lot!

Giuseppe

Marvin Addison

Re: Authentication failure: PT not validated ("no response from the CAS server")

> 4306 .|    |    |    |    could not open URL
> 'https://tomtomserver:8443/cas-server-webapp-3.3.4/proxyValidate?service=https%3A%2F%2Fmoodleserver%2Fdevmoodle%2Flogin%2Findex.php&ticket=ST-1-2jUZQ9YulTTTMWCwUZdL-cas'
> to validate (CURL error #7: couldn't connect to host) [client.php:2105]
> 4306 .|    |    |    |    => CASClient::authError('PT not validated',
> What I see here is a series of not really clear messages.
> For example, curl_exec fails with a "couldn't connect to host" message.

I think this is what it appears to be, a connection problem.  The fact
that you can get there via a browser is really unimportant; CURL can't
get there, and therefore ticket validation fails.  I would search for
debugging CURL problems to see if there are methods for producing more
detailed debug output for a CURL connection.  Also, network
troubleshooting tools like tcpdump might provide further information.


> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
> <cas:authenticationFailure code='INVALID_TICKET'>
> ticket 'ST-1-2jUZQ9YulTTTMWCwUZdL-cas' not recognized
> </cas:authenticationFailure>
> </cas:serviceResponse>
>
> Yale? :-) Is this maybe the problem? Maybe it's just the namespace
> definition, but I wonder if it actually does try to validate the ticket
> using the yale server?

No.  Yale is simply an XML namespace definition, nothing more.

M
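
Added example (not part of the thread, and not phpCAS or CAS project code): a small Python triage helper that separates the two failures discussed above, the back-channel transport error recorded in the phpCAS trace and the CAS-level INVALID_TICKET answer seen in the browser. The function names and the error-number grouping are this example's own; the sample inputs are lines from the log and response posted in the thread.

```python
"""Triage a phpCAS debug trace: transport failure vs. CAS-level ticket rejection."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# The yale.edu URI is only the XML namespace of CAS responses; nothing connects to it.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Trace lines copied from the log posted in the thread (a subset of it).
SAMPLE_TRACE = """\
4306 .=> phpCAS::setNoCasServerValidation() [auth.php:152]
4306 .|    |    |    PT `ST-1-2jUZQ9YulTTTMWCwUZdL-cas' is present [client.php:819]
4306 .|    |    |    |    |    curl_exec() failed [client.php:1867]
4306 .|    |    |    |    could not open URL 'https://tomtomserver:8443/cas-server-webapp-3.3.4/proxyValidate?service=https%3A%2F%2Fmoodleserver%2Fdevmoodle%2Flogin%2Findex.php&ticket=ST-1-2jUZQ9YulTTTMWCwUZdL-cas' to validate (CURL error #7: couldn't connect to host) [client.php:2105]
4306 .|    |    |    |    |    Reason: no response from the CAS server [client.php:2293]
"""

# Response body the poster received when pasting the same URL into a browser.
SAMPLE_RESPONSE = """\
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket &#039;ST-1-2jUZQ9YulTTTMWCwUZdL-cas&#039; not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>
"""

NO_VALIDATION = re.compile(r"=> phpCAS::setNoCasServerValidation\(\)")
OPEN_FAIL = re.compile(
    r"could not open URL '([^']+)' to validate \(CURL error #(\d+): ([^)]*)\)")

# libcurl error numbers grouped by the layer to inspect first (grouping is this example's).
CURL_LAYER = {6: "dns", 7: "tcp-connect", 28: "timeout",
              35: "tls-handshake", 60: "tls-trust"}


def triage_trace(trace):
    """Extract what the phpCAS client tried to reach and how the attempt failed."""
    finding = {"tls_validation_disabled": bool(NO_VALIDATION.search(trace)),
               "cas_host": None, "cas_port": None, "ticket": None,
               "service": None, "curl_errno": None, "layer": None}
    m = OPEN_FAIL.search(trace)
    if m:
        url = urlsplit(m.group(1))
        query = parse_qs(url.query)  # also percent-decodes the service URL
        errno = int(m.group(2))
        finding.update(cas_host=url.hostname, cas_port=url.port,
                       ticket=query.get("ticket", [None])[0],
                       service=query.get("service", [None])[0],
                       curl_errno=errno, layer=CURL_LAYER.get(errno, "other"))
    return finding


def parse_cas_response(xml_text):
    """Read a CAS 2.0 validation response. Service tickets are single-use and
    short-lived, so replaying a validation URL by hand normally yields
    INVALID_TICKET even when the back channel itself is healthy."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is not None:
        user = ok.findtext("cas:user", default="", namespaces=CAS_NS).strip()
        return {"valid": True, "user": user, "code": None, "detail": None}
    fail = root.find("cas:authenticationFailure", CAS_NS)
    if fail is None:
        raise ValueError("not a CAS serviceResponse")
    return {"valid": False, "user": None, "code": fail.get("code"),
            "detail": " ".join((fail.text or "").split())}


def next_checks(finding):
    """Turn a trace finding into the checks worth running, in order."""
    checks = []
    target = "%s:%s" % (finding["cas_host"], finding["cas_port"])
    layer = finding["layer"]
    if layer in ("dns", "tcp-connect", "timeout"):
        checks.append("from the phpCAS host, test name resolution and TCP "
                      "reachability of " + target)
    elif layer in ("tls-handshake", "tls-trust"):
        checks.append("give phpCAS the CA that signed the certificate of " + target)
    if finding["tls_validation_disabled"]:
        checks.append("restore certificate checking once connectivity works: "
                      "setCasServerCACert() instead of setNoCasServerValidation()")
    return checks


if __name__ == "__main__":
    found = triage_trace(SAMPLE_TRACE)
    print(found)
    print(parse_cas_response(SAMPLE_RESPONSE))
    for step in next_checks(found):
        print("-", step)
```
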
