6.1 put into production, CAS_AuthenticationException thrown.

Rod B

Dec 20, 2021, 2:31:51 PM
to CAS Community
Hi All,

We are attempting to put our new 6.1 server (we can't move to 6.4.x for the moment) into production and came across an error from two of our WordPress sites. The strange thing is, we have tested them in staging and this error did not present itself.

Any ideas what is afoot?

http://lowresgradstudios.our-domain.ca/wp-login.php?redirect_to=http%3A%2F%2Flowresgradstudios.our-domain.ca%2Fwp-admin%2F&reauth=1&ticket=ST-90-aoVDVDJ3AOl-yrBGcQO0uUpHIR4-Furan

CAS_AuthenticationException thrown


CAS URL: https://cas.our-domain.ca/cas/serviceValidate?service=http%3A%2F%2Flowresgradstudios.our-domain.ca%2Fwp-login.php%3Fredirect_to%3Dhttp%253A%252F%252Flowresgradstudios.our-domain.ca%252Fwp-admin%252F%26reauth%3D1&ticket=ST-90-aoVDVDJ3AOl-yrBGcQO0uUpHIR4-Furan
Authentication failure: Ticket not validated
Reason: [INVALID_TICKET]
CAS error: ticket 'ST-90-aoVDVDJ3AOl-yrBGcQO0uUpHIR4-Furan' not recognized
CAS response: ticket 'ST-90-aoVDVDJ3AOl-yrBGcQO0uUpHIR4-Furan' not recognized

I checked the time on both servers and they are in sync. I'm not sure what else to do.

Thanks for your help!

Rod

Rod B

Dec 20, 2021, 2:33:13 PM
to CAS Community, Rod B
P.S. we are running log4j2 2.17.0 on it. I should have mentioned that to set everyone's mind at ease!

Rod B

Dec 20, 2021, 3:08:50 PM
to CAS Community, Rod B
Please ignore this post, I think we had a DNS propagation issue.

Thanks for your time,

Rod

Rod

Dec 20, 2021, 9:11:05 PM
to CAS Community
No. Sigh. DNS ruled out.

It's so strange. Works fine in test but not in production. 

-Rod

Mike Osterman

Dec 20, 2021, 10:17:49 PM
to CAS Community
Hi Rod,

Are you seeing that same ticket ID being issued to the service earlier on in the logs?

Also, do test and production share identical cas properties settings (apart from server name, that is)?

I found a small mention of the INVALID_TICKET message in the Troubleshooting guide, and it links to ticket expiration policies: 

There are some potentially helpful per service configuration settings you could try to see if any of those settings move the needle. 

What I read is that you'll get that message if the ticket doesn't exist or it's expired, so you may want to try turning on DEBUG logging if you can get the classpath(?) specific enough so as to not clobber the logs. Maybe "org.apereo.cas.ticket" might be a good place to start to see if you can see more about the cause of the invalid ticket?

Good luck!
Mike


Rod

Dec 21, 2021, 11:31:45 AM
to CAS Community
Hi Mike,

Thanks for getting me to focus on the issue. I was seeing other errors in our Web logs that were unrelated to the ticket not existing. It led me down a rabbit hole.

When we upgraded we changed the CNAME of the CAS service to point to our new server. Unfortunately there was an issue with DNS caching, and although the tickets were generated on the new CAS server, they were being looked up on the old CAS server!

Thanks for being my sounding board. I really appreciate it!

Happy Holidays,
Rod
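
The cause found in this thread (a ticket issued by the new CAS server but validated against the old one, because the service host still resolved the CAS name to the old address) can be checked from the service host itself. The following is an added example, not part of the thread and not code from CAS or phpCAS; the function names and the 192.0.2.x addresses are assumptions made for illustration.

```python
import socket
from urllib.parse import urlsplit, parse_qs


def parse_validate_url(url):
    """Return (host, port, ticket) from a serviceValidate URL."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    ticket = parse_qs(parts.query).get("ticket", [None])[0]
    return parts.hostname, port, ticket


def resolve(host, port, getaddrinfo=socket.getaddrinfo):
    """Addresses this machine's resolver (caches included) returns for host."""
    try:
        infos = getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_backchannel(url, expected_addrs, getaddrinfo=socket.getaddrinfo):
    """Report whether the validation call would reach an unexpected server."""
    host, port, ticket = parse_validate_url(url)
    resolved = resolve(host, port, getaddrinfo)
    stale = [a for a in resolved if a not in set(expected_addrs)]
    return {"host": host, "ticket": ticket, "resolved": resolved,
            "stale": stale, "ok": bool(resolved) and not stale}


if __name__ == "__main__":
    # Constructed input: URL shape taken from the error in the thread, with a
    # placeholder ticket. 192.0.2.10 / 192.0.2.20 are documentation addresses
    # standing in for the old and new CAS servers (assumptions).
    url = ("https://cas.our-domain.ca/cas/serviceValidate"
           "?service=http%3A%2F%2Flowresgradstudios.our-domain.ca%2Fwp-login.php"
           "&ticket=ST-0-EXAMPLE")

    def cached_old_record(host, port, type=0):
        # Simulates a resolver cache still holding the pre-cutover record.
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", port))]

    print(check_backchannel(url, ["192.0.2.20"], cached_old_record))
    # On the real service host, omit the third argument to use the live resolver.
```

Run it on the host that makes the validation request (here the WordPress server), since a browser on another machine may already resolve the name to the new server.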


