Giuseppe Sollazzo | 27 Oct 11:46 2009

Authentication failure: PT not validated ("no response from the CAS server")

Hi all
I was just wondering if anyone had any hint on this problem - logs are helpful but I guess I'm missing something.

What happens here I think is that the ticket is not valid - but I don't know why. In this scenario I have "setNoCasServerValidation". Here's the log, questions following:

4306 .START ****************** [CAS.php:414]
4306 .=> phpCAS::setNoCasServerValidation() [auth.php:152]
4306 .<= ''
4306 .=> phpCAS::checkAuthentication() [auth.php:165]
4306 .|    => CASClient::checkAuthentication() [CAS.php:885]
4306 .|    |    => CASClient::isAuthenticated() [client.php:738]
4306 .|    |    |    => CASClient::wasPreviouslyAuthenticated() [client.php:797]
4306 .|    |    |    |    no user found [client.php:909]
4306 .|    |    |    <= false
4306 .|    |    |    PT `ST-1-2jUZQ9YulTTTMWCwUZdL-cas' is present [client.php:819]
4306 .|    |    |    => CASClient::validatePT('', NULL, NULL) [client.php:820]
4306 .|    |    |    |    => CASClient::getURL() [client.php:396]
4306 .|    |    |    |    <= 'https://moodleserver/devmoodle/login/index.php'
4306 .|    |    |    |    => CASClient::readURL('https://tomtomserver:8443/cas-server-webapp-3.3.4/proxyValidate?service=https%3A%2F%2Fmoodleserver%2Fdevmoodle%2Flogin%2Findex.php&ticket=ST-1-2jUZQ9YulTTTMWCwUZdL-cas', '', NULL, NULL, NULL) [client.php:2104]
4306 .|    |    |    |    |    curl_exec() failed [client.php:1867]
4306 .|    |    |    |    <= false
4306 .|    |    |    |    could not open URL 'https://tomtomserver:8443/cas-server-webapp-3.3.4/proxyValidate?service=https%3A%2F%2Fmoodleserver%2Fdevmoodle%2Flogin%2Findex.php&ticket=ST-1-2jUZQ9YulTTTMWCwUZdL-cas' to validate (CURL error #7: couldn't connect to host) [client.php:2105]
4306 .|    |    |    |    => CASClient::authError('PT not validated', 'https://tomtomserver:8443/cas-server-webapp-3.3.4/proxyValidate?service=https%3A%2F%2Fmoodleserver%2Fdevmoodle%2Flogin%2Findex.php&ticket=ST-1-2jUZQ9YulTTTMWCwUZdL-cas', true) [client.php:2108]
4306 .|    |    |    |    |    => CASClient::getURL() [client.php:2289]
4306 .|    |    |    |    |    <= 'https://moodleserver/devmoodle/login/index.php'
4306 .|    |    |    |    |    CAS URL: https://tomtomserver:8443/cas-server-webapp-3.3.4/proxyValidate?service=https%3A%2F%2Fmoodleserver%2Fdevmoodle%2Flogin%2Findex.php&ticket=ST-1-2jUZQ9YulTTTMWCwUZdL-cas [client.php:2290]
4306 .|    |    |    |    |    Authentication failure: PT not validated [client.php:2291]
4306 .|    |    |    |    |    Reason: no response from the CAS server [client.php:2293]
4306 .|    |    |    |    |    exit()
4306 .|    |    |    |    |    -
4306 .|    |    |    |    -
4306 .|    |    |    -
4306 .|    |    -
4306 .|    -

What I see here is a series of not really clear messages.
For example, curl_exec fails with a "couldn't connect to host" message. However, if I cut and paste the url, including the ticket, I actually get an error message - but related to the ticket itself rather than to the server:

<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
	<cas:authenticationFailure code='INVALID_TICKET'>
		ticket &#039;ST-1-2jUZQ9YulTTTMWCwUZdL-cas&#039; not recognized
	</cas:authenticationFailure>
</cas:serviceResponse>

Yale? :-) Is this maybe the problem? Maybe it's just the namespace definition, but I wonder if it actually does try to validate the ticket using the yale server? (But if so, where is this specified?)

Moreover, it's not completely clear to me why "PT `ST-1-2jUZQ9YulTTTMWCwUZdL-cas' is present".

Any help is greatly appreciated. I think I'm getting to the point with your help, so thanks a lot!

Giuseppe

Marvin Addison wrote:

This is a very common scenario. The CAS logs merely mention that the service ticket has been granted and a redirect sent to the requesting service; the client has yet to validate it. It sounds like a connection timeout from Moodle to CAS. If you don't see an entry for the connection from Moodle to the CAS server in the CAS server-side Tomcat access logs, I would think that would confirm some sort of connection problem.

I believe it would be helpful to enable debugging in the phpCAS client to get more information on the cause of failure:

phpCAS::setDebug();

That creates a /tmp/phpCAS.log file on Unix that contains an execution trace that should help identify problems. Post excerpts from that log if you continue to have trouble. (You can provide a path argument if you want the logs going somewhere else.)

M


--
Giuseppe Sollazzo
Systems Developer / Administrator
Computing Services
St. George's, University of London
Marvin Addison | 27 Oct 14:19 2009

Re: Authentication failure: PT not validated ("no response from the CAS server")

> 4306 .|    |    |    |    could not open URL
> 'https://tomtomserver:8443/cas-server-webapp-3.3.4/proxyValidate?service=https%3A%2F%2Fmoodleserver%2Fdevmoodle%2Flogin%2Findex.php&ticket=ST-1-2jUZQ9YulTTTMWCwUZdL-cas'
> to validate (CURL error #7: couldn't connect to host) [client.php:2105]
> 4306 .|    |    |    |    => CASClient::authError('PT not validated',
> What I see here is a series of not really clear messages.
> For example, curl_exec fails with a "couldn't connect to host" message.

I think this is what it appears to be, a connection problem.  The fact
that you can get there via a browser is really unimportant; CURL can't
get there, and therefore ticket validation fails.  I would search for
debugging CURL problems to see if there are methods for producing more
detailed debug output for a CURL connection.  Also, network
troubleshooting tools like tcpdump might provide further information.

> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
> 	<cas:authenticationFailure code='INVALID_TICKET'>
> 		ticket &#039;ST-1-2jUZQ9YulTTTMWCwUZdL-cas&#039; not recognized
> </cas:authenticationFailure>
> </cas:serviceResponse>
>
> Yale? :-) Is this maybe the problem? Maybe it's just the namespace
> definition, but I wonder if it actually does try to validate the ticket
> using the yale server?

No.  Yale is simply an XML namespace definition, nothing more.

M
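
Added example (not part of either post, and not phpCAS code): a Python triage of the phpCAS debug trace that extracts the back-channel validation endpoint and the cURL error number, maps the number to the failing layer, and probes that host and port over TCP from the machine it runs on. The function names and the layer wording are this example's own; the sample line is the failing line from the trace in the thread.

```python
import re
import socket
from urllib.parse import urlsplit

# libcurl error numbers and the layer each one points at.
CURL_LAYER = {
    6: "dns: the web server cannot resolve the CAS host name",
    7: "tcp: connection refused or filtered between web server and CAS",
    28: "timeout: packets dropped or the CAS server is not answering",
    35: "tls: handshake with the CAS server failed",
    60: "tls: CAS server certificate not trusted by the web server",
}
# Matches the phpCAS trace line shown in the thread.
FAIL_RE = re.compile(
    r"could not open URL '(?P<url>[^']+)' to validate "
    r"\(CURL error #(?P<errno>\d+): (?P<msg>[^)]*)\)")

def triage(trace):
    """Return one finding per failed back-channel validation in a trace."""
    findings = []
    for m in FAIL_RE.finditer(trace):
        url = urlsplit(m.group("url"))
        errno = int(m.group("errno"))
        findings.append({
            "host": url.hostname, "errno": errno,
            "port": url.port or (443 if url.scheme == "https" else 80),
            "endpoint": url.path.rsplit("/", 1)[-1],
            "layer": CURL_LAYER.get(errno, "other: " + m.group("msg")),
        })
    return findings

def can_connect(host, port, timeout=5.0):
    """TCP probe; run it on the web server host, not on a workstation."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        return True
    except OSError:
        return False

# Constructed sample: the failing trace line from the thread, on one line.
SAMPLE = ("4306 .|    |    |    |    could not open URL "
          "'https://tomtomserver:8443/cas-server-webapp-3.3.4/proxyValidate"
          "?service=https%3A%2F%2Fmoodleserver%2Fdevmoodle%2Flogin%2Findex.php"
          "&ticket=ST-1-2jUZQ9YulTTTMWCwUZdL-cas' to validate "
          "(CURL error #7: couldn't connect to host) [client.php:2105]")

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f, "reachable:", can_connect(f["host"], f["port"]))
```

Run on the Moodle host, a `reachable: False` result reproduces the failure without phpCAS or a ticket in the loop; the same probe succeeding from a desktop only shows that the desktop's network path differs.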
