No principal was found in the response from the CAS server.

Narasimha A

Jan 28, 2020, 10:39:32 AM
to uPortal Community
Hi All,

Currently, I'm facing a uPortal login issue in the cloud environment.

I have imported the HTTPS certificate into the server JVM.

Below are the login steps from the start:

1) Opened the URL in the browser: http://mydoamin.com/uPortal/Login

Clicked on the sign-in button.

2) Redirected to the CAS login URL.

Entered the credentials below on the login page:
user name: admin
password: admin

3) After clicking on the login button, it redirected to the following URL with a ticket:
https://mydomain.com/uPortal/Login?ticket=ST-31-SyVB6bxS1yGiXKxYPaiK-mydomain.com

HTTP Status 403 – Forbidden


Type Status Report

Message No principal was found in the response from the CAS server.

Description The server understood the request but refuses to authorize it.




I can see the authentication success in the CAS logs, and it has created a service ticket on the CAS server (the CAS application logs are below).

After checking the CAS serviceValidate URL, I'm getting an authentication failure error in XML. Could you please help me find where I am going wrong?


<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
	<cas:authenticationFailure code='INVALID_REQUEST'>
		&#039;service&#039; and &#039;ticket&#039; parameters are both required
	</cas:authenticationFailure>
</cas:serviceResponse>


CAS.log:
-----------

2020-01-28 15:04:57,951 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - org.apereo.portal.cas.authentication.handler.support.PersonDirAuthenticationHandler successfully authenticated [username: admin]
2020-01-28 15:04:57,951 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - org.apereo.portal.cas.authentication.handler.support.PersonDirAuthenticationHandler successfully authenticated [username: admin]
2020-01-28 15:04:57,951 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - Resolved principal admin
2020-01-28 15:04:57,951 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - Resolved principal admin
2020-01-28 15:04:57,951 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - org.apereo.portal.cas.authentication.handler.support.PersonDirAuthenticationHandler@35b60f90 authenticated admin with credential [username: admin].
2020-01-28 15:04:57,951 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - org.apereo.portal.cas.authentication.handler.support.PersonDirAuthenticationHandler@35b60f90 authenticated admin with credential [username: admin].
2020-01-28 15:04:57,951 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: [username: admin]
WHAT: supplied credentials: [username: admin]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Tue Jan 28 15:04:57 GMT 2020
CLIENT IP ADDRESS: 192.168.31.2
SERVER IP ADDRESS: 192.168.24.165
=============================================================


2020-01-28 15:04:57,951 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: [username: admin]
WHAT: supplied credentials: [username: admin]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Tue Jan 28 15:04:57 GMT 2020
CLIENT IP ADDRESS: 192.168.31.2
SERVER IP ADDRESS: 192.168.24.165
=============================================================


2020-01-28 15:04:57,951 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: [username: admin]
WHAT: TGT-14-oyOEBffhhQDKl9eZuLgtj73OidPtiY2liUdKF11soO7G1bRvh6-mydomain.com
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Jan 28 15:04:57 GMT 2020
CLIENT IP ADDRESS: 192.168.31.2
SERVER IP ADDRESS: 192.168.24.165
=============================================================


2020-01-28 15:04:57,951 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: [username: admin]
WHAT: TGT-14-oyOEBffhhQDKl9eZuLgtj73OidPtiY2liUdKF11soO7G1bRvh6-mydomain.com
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Jan 28 15:04:57 GMT 2020
CLIENT IP ADDRESS: 192.168.31.2
SERVER IP ADDRESS: 192.168.24.165
=============================================================


2020-01-28 15:04:57,952 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-31-SyVB6bxS1yGiXKxYPaiK-mydomain.com] for service [https://mydomain.com/uPortal/Login] for user [admin]
2020-01-28 15:04:57,952 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service ticket [ST-31-SyVB6bxS1yGiXKxYPaiK-mydomain.com] for service [https://mydomain.com/uPortal/Login] for user [admin]
2020-01-28 15:04:57,952 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: admin
WHAT: ST-31-SyVB6bxS1yGiXKxYPaiK-mydomain.com for https://mydomain.com/uPortal/Login
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Jan 28 15:04:57 GMT 2020
CLIENT IP ADDRESS: 192.168.31.2
SERVER IP ADDRESS: 192.168.24.165
=============================================================


2020-01-28 15:04:57,952 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: admin
WHAT: ST-31-SyVB6bxS1yGiXKxYPaiK-mydomain.com for https://mydomain.com/uPortal/Login
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Tue Jan 28 15:04:57 GMT 2020
CLIENT IP ADDRESS: 192.168.31.2
SERVER IP ADDRESS: 192.168.24.165
=============================================================


2020-01-28 15:05:06,696 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading registered services.
2020-01-28 15:05:06,696 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - Reloading registered services.
2020-01

Andrey Postoyanets

Jan 30, 2020, 11:31:14 AM
to Narasimha A, uPortal Community

Greetings,

 

From what I see, the CAS Service Validate URL is not being put together correctly. There should be an ampersand before the “ticket” parameter, not the question mark. This is why your CAS server sends back the INVALID_REQUEST message.

 

I.e.:

Wrong: https://mydomain.com/cas/serviceValidate?service=https://mydomain.com/uPortal/Login?ticket=ST-31-SyVB6bxS1yGiXKxYPaiK-mydomain.com

Correct:  https://mydomain.com/cas/serviceValidate?service=https://mydomain.com/uPortal/Login&ticket=ST-31-SyVB6bxS1yGiXKxYPaiK-mydomain.com

 

What is the version of CAS client that you use? And what is the CAS Client class that you use as a ticketValidator?

 

Thanks,

 

Andrey P, Brooklyn College
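
An added example, not part of the reply above and not uPortal or CAS client code: it builds the /serviceValidate request from the callback URL in the thread with `service` and `ticket` as two separate, percent-encoded parameters, shows why the "Wrong" URL yields INVALID_REQUEST, and goes one step further by reading the principal out of the validation response. The helper names are hypothetical and the success response is constructed sample data.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
# URLs and failure body are copied from the thread; SUCCESS_XML is constructed.
CALLBACK = "https://mydomain.com/uPortal/Login?ticket=ST-31-SyVB6bxS1yGiXKxYPaiK-mydomain.com"
WRONG = "https://mydomain.com/cas/serviceValidate?service=" + CALLBACK
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_REQUEST'>
    &#039;service&#039; and &#039;ticket&#039; parameters are both required
  </cas:authenticationFailure>
</cas:serviceResponse>"""
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>admin</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""

def split_callback(callback_url):
    """Split the URL CAS redirected the browser to into (service, ticket)."""
    parts = urlsplit(callback_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    tickets = [v for k, v in query if k == "ticket"]
    if len(tickets) != 1:
        raise ValueError("expected exactly one ticket parameter")
    rest = urlencode([(k, v) for k, v in query if k != "ticket"])
    return urlunsplit((parts.scheme, parts.netloc, parts.path, rest, "")), tickets[0]

def build_validate_url(cas_base, service, ticket):
    """Encode service and ticket separately so '?' and '&' inside service stay data."""
    query = urlencode({"service": service, "ticket": ticket})
    return cas_base.rstrip("/") + "/serviceValidate?" + query

def params_seen_by_cas(validate_url):
    """Parameter names the server can recover from the query string."""
    return sorted(k for k, _ in parse_qsl(urlsplit(validate_url).query))

def parse_validation_response(xml_text):
    """Return (principal, None) on success or (None, failure_code) otherwise."""
    root = ET.fromstring(xml_text)
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is not None and user.text and user.text.strip():
        return user.text.strip(), None
    failure = root.find("cas:authenticationFailure", CAS_NS)
    return None, (failure.get("code", "UNKNOWN") if failure is not None else "UNKNOWN")

if __name__ == "__main__":
    service, ticket = split_callback(CALLBACK)
    print(params_seen_by_cas(WRONG))   # ticket is swallowed into the service value
    print(build_validate_url("https://mydomain.com/cas", service, ticket))
    print(parse_validation_response(FAILURE_XML))
```
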

 


Lauren Anderson

Jan 30, 2020, 2:30:17 PM
to Narasimha A, uPortal Community

Based on the error messages, it looks like CAS is not returning a Ticket Granting Ticket (TGT) or Service Ticket (ST), likely because it’s not authorizing the user. The message “The server understood the request but refuses to authorize it” tells us this. So the request for authorization returns an empty token as the next message indicates: “No principal was found in the response from the CAS server.”

 

Check with your CAS administrator that your uPortal instance (https://my.uportal.server) is registered as an application that CAS will provide tickets to. If not, have it added.

 

See the CAS Protocol Web flow diagram to get an idea of the process flow.

 

 

Sincerely,

Lauren Anderson

Brigham Young University


Lauren Anderson

Jan 30, 2020, 2:39:04 PM
to Lauren Anderson, Narasimha A, uPortal Community

Sorry, I didn’t read the part that the TGT is being created. How do you have access to the CAS log? Are you using the CAS that ships with uPortal or is this an enterprise version that your organization uses and you are a CAS administrator?

 

If you are using the CAS that comes with uPortal, we never tried to use it in the cloud. I wouldn’t know how to tell you to get that to work properly. We used our enterprise CAS, and installed a digital certificate with the organization (Brigham Young University) in the keychain that both CAS and uPortal belong to.

 

I hope that helps.

 

Sincerely,

Lauren

Lauren Anderson

Jan 30, 2020, 2:46:56 PM
to Narasimha A, uPortal Community

You may want to check that your serviceValidate request is correct, as Andrey pointed out. There are some examples on the CAS Protocol Specification page.

 

URL examples of /serviceValidate

 

-Lauren
