TicketValidationException in Saml11TicketValidationFilter

Dallas

TicketValidationException in Saml11TicketValidationFilter

I'm getting the following exception in my client app when I try to authenticate against my CAS server

I'm running CAS server 3.3.2 and CAS client 3.1.6. Running in a debugger I can see that it is failing in the CAS client code, any ideas as to why this is happening?


[2009-10-14 15:23:39,779] [resin-http-10.28.121.60:8080-1] Saml11TicketValidationFilter - org.jasig.cas.client.validation.TicketValidationException: org.opensaml.SAMLException: Success
sig.cas.client.validation.TicketValidationException: org.opensaml.SAMLException: Success
  at org.jasig.cas.client.validation.Saml11TicketValidator.parseResponseFromServer(Saml11TicketValidator.java:92)
  at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:188)
  at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:132)
  at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:76)
  at org.jasig.cas.client.authentication.AuthenticationFilter.doFilter(AuthenticationFilter.java:121)
  at com.caucho.server.dispatch.FilterFilterChain.doFilter(FilterFilterChain.java:76)
  at com.caucho.server.webapp.WebAppFilterChain.doFilter(WebAppFilterChain.java:178)
  at com.caucho.server.dispatch.ServletInvocation.service(ServletInvocation.java:241)
  at com.caucho.server.http.HttpRequest.handleRequest(HttpRequest.java:268)
  at com.caucho.server.port.TcpConnection.run(TcpConnection.java:586)
  at com.caucho.util.ThreadPool$Item.runTasks(ThreadPool.java:690)
  at com.caucho.util.ThreadPool$Item.run(ThreadPool.java:612)
  at java.lang.Thread.run(Thread.java:619)
 by: org.opensaml.SAMLException: Success
  at org.opensaml.SAMLException.getInstance(Unknown Source)
  at org.opensaml.SAMLResponse.fromDOM(Unknown Source)
  at org.opensaml.SAMLResponse.<init>(Unknown Source)
--
You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
Marvin Addison

Re: TicketValidationException in Saml11TicketValidationFilter

> [2009-10-14 15:23:39,779] [resin-http-10.28.121.60:8080-1] Saml11TicketValidationFilter - org.jasig.cas.client.validation.TicketValidationException: org.opensaml.SAMLException: Success
> sig.cas.client.validation.TicketValidationException: org.opensaml.SAMLException: Success

Despite the exception message "Success," this is a general SAML error
message for ticket validation failure.  The most common cause of SAML
validation failure is clock drift.  If the system time on your client
and server differ by more than a few seconds, this is likely the
cause.  For a number of reasons it's preferable to fix the clock drift
problem (e.g. using NTP), but if you must you can increase the
"tolerance" init param of the Saml11TicketValidationFilter to a value
larger than the time deltas between machines.

M
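
The validity-window check that the "tolerance" setting widens can be modelled as follows. This is an added example, not code from the CAS client or from anyone in this thread; the sample assertion is constructed, the function names are hypothetical, and the tolerance is expressed in milliseconds for this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample: a SAML 1.1 assertion reduced to its Conditions element.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed"
    Issuer="localhost" IssueInstant="2009-10-14T19:23:39.000Z">
  <saml:Conditions NotBefore="2009-10-14T19:23:39.000Z"
                   NotOnOrAfter="2009-10-14T19:24:09.000Z"/>
</saml:Assertion>"""


def parse_instant(value):
    """Parse a SAML UTC timestamp such as 2009-10-14T19:23:39.000Z."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
    return parsed.replace(tzinfo=timezone.utc)


def validity_window(assertion_xml):
    """Return (NotBefore, NotOnOrAfter) from the assertion's Conditions."""
    conditions = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion has no Conditions element")
    return (parse_instant(conditions.get("NotBefore")),
            parse_instant(conditions.get("NotOnOrAfter")))


def check_window(assertion_xml, client_now, tolerance_ms):
    """Accept only if the client clock is inside the window widened by the
    tolerance. A larger tolerance also keeps an assertion acceptable longer."""
    not_before, not_on_or_after = validity_window(assertion_xml)
    tolerance = timedelta(milliseconds=tolerance_ms)
    if client_now < not_before - tolerance:
        return False, "not yet valid: client clock is behind the server"
    if client_now >= not_on_or_after + tolerance:
        return False, "expired: client clock is ahead or the response was slow"
    return True, "inside validity window"


def drift_outside_window_ms(assertion_xml, client_now):
    """Milliseconds by which the client clock misses the unwidened window."""
    not_before, not_on_or_after = validity_window(assertion_xml)
    if client_now < not_before:
        return int((not_before - client_now).total_seconds() * 1000)
    if client_now >= not_on_or_after:
        return int((client_now - not_on_or_after).total_seconds() * 1000)
    return 0
```

A client clock five seconds behind the server is rejected at a 1000 ms tolerance and accepted at 10000 ms; the second function reports how far outside the window the clock is, which is the figure to compare against the configured tolerance.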

Dallas

Re: TicketValidationException in Saml11TicketValidationFilter

Back to this question...

In my environment I'm running two CAS instances behind a load balancer. I'm seeing this exception when both instances are running, but if I turn off one of the CAS instances the exception goes away.

Currently I've got CAS set up to use ehcache for the ticket registry but I have not set up the ticket registry cache to be clustered.  I did ask my SysOp guys to set up the load balancer to enforce sticky sessions but this does not fix the problem.

So..., if I configure the CAS instances to use a clustered cache for the ticket registry will this problem go away?


Marvin Addison wrote:
> [2009-10-14 15:23:39,779] [resin-http-10.28.121.60:8080-1] Saml11TicketValidationFilter - org.jasig.cas.client.validation.TicketValidationException: org.opensaml.SAMLException: Success
> sig.cas.client.validation.TicketValidationException: org.opensaml.SAMLException: Success

> Despite the exception message "Success," this is a general SAML error
> message for ticket validation failure.  The most common cause of SAML
> validation failure is clock drift.  If the system time on your client
> and server differ by more than a few seconds, this is likely the
> cause.  For a number of reasons it's preferable to fix the clock drift
> problem (e.g. using NTP), but if you must you can increase the
> "tolerance" init param of the Saml11TicketValidationFilter to a value
> larger than the time deltas between machines.
>
> M

Marvin Addison

Re: TicketValidationException in Saml11TicketValidationFilter

> So..., if I configure the CAS instances to use a clustered cache for the
> ticket registry will this problem go away?

The fact that disabling one of the nodes resolves the problems
suggests that it will go away once you use a shared, distributed
ticket registry across both nodes.  That is absolutely a requirement
of a clustered CAS deployment.

M

Scott Battaglia-2

Re: TicketValidationException in Saml11TicketValidationFilter

In reply to this post by Dallas
If you're not using a distributed registry then your validations are going to fail on average half the time (and at most all the time depending on how your load balancer is set up).

Sticky sessions is relatively useless outside of that initial login flow.  CAS doesn't store anything useful in the Http Session once the login flow has ended.

Cheers,
Scott
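
The failure mode discussed in this thread, two CAS nodes behind a load balancer with per-node ticket registries, can be reproduced with a small simulation. This is an added example, not CAS code and not from any participant; CasNode, build_cluster, failed_validations, the service URL and the random routing of validation requests are assumptions of the model.

```python
import random

SERVICE = "https://app.example.org/"  # constructed service URL


class CasNode:
    """One CAS server instance with a ticket registry (hypothetical model)."""

    def __init__(self, name, registry):
        self.name, self.registry, self.issued = name, registry, 0

    def issue_ticket(self, service):
        # Login flow: the browser reaches this node, which stores the ticket.
        self.issued += 1
        ticket = "ST-%d-%s" % (self.issued, self.name)
        self.registry[ticket] = service
        return ticket

    def validate(self, ticket, service):
        # Tickets are single use: look up and remove in one step.
        return self.registry.pop(ticket, None) == service


def build_cluster(node_names, shared_registry):
    """Give every node the same dict (shared) or its own dict (local only)."""
    shared = {}
    return [CasNode(n, shared if shared_registry else {}) for n in node_names]


def failed_validations(nodes, logins, seed=2009):
    """Count validations that land on a node that cannot find the ticket."""
    rng = random.Random(seed)
    failures = 0
    for i in range(logins):
        login_node = nodes[i % len(nodes)]  # browser pinned by sticky session
        ticket = login_node.issue_ticket(SERVICE)
        # The client application validates over its own connection, so the
        # load balancer routes it independently of the browser's session.
        validating_node = rng.choice(nodes)
        if not validating_node.validate(ticket, SERVICE):
            failures += 1
    return failures
```

With two nodes and local registries roughly half of the validations fail; with a shared registry, or with a single node running, none do.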


On Wed, Oct 21, 2009 at 8:13 AM, Dallas <[hidden email]> wrote:

Back to this question...

In my environment I'm running two CAS instances behind a load balancer. I'm
seeing this exception when both instances are running, but if I turn off one
of the CAS instances the exception goes away.

Currently I've got CAS set up to use ehcache for the ticket registry but I
have not set up the ticket registry cache to be clustered.  I did ask my
SysOp guys to set up the load balancer to enforce sticky sessions but this
does not fix the problem.

So..., if I configure the CAS instances to use a clustered cache for the
ticket registry will this problem go away?



Marvin Addison wrote:
>
>> [2009-10-14 15:23:39,779] [resin-http-10.28.121.60:8080-1]
>> Saml11TicketValidationFilter -
>> org.jasig.cas.client.validation.TicketValidationException:
>> org.opensaml.SAMLException: Success
>> sig.cas.client.validation.TicketValidationException:
>> org.opensaml.SAMLException: Success
>
> Despite the exception message "Success," this is a general SAML error
> message for ticket validation failure.  The most common cause of SAML
> validation failure is clock drift.  If the system time on your client
> and server differ by more than a few seconds, this is likely the
> cause.  For a number of reasons it's preferable to fix the clock drift
> problem (e.g. using NTP), but if you must you can increase the
> "tolerance" init param of the Saml11TicketValidationFilter to a value
> larger than the time deltas between machines.
>
> M