Urgent help - 401 Unauthorized for ST : CAS


Morning Star (vidivelli)

Oct 3, 2022, 1:09:51 PM
to CAS Community
Hi all,

We are developing 5 new test environments for an existing CAS.
With the same CAS configuration and code, in one environment we are getting 401 Unauthorized for the ST.
  1. Request URL:
  2. Request Method:
  3. Status Code: 401 Unauthorized
  4. Remote Address:
  5. Referrer Policy:

Can someone help me get this resolved?
Is this a CAS-side issue or a web server issue? How can I investigate it further?

Any help appreciated!


Ray Bon

Oct 3, 2022, 1:25:01 PM
to cas-...@apereo.org

What is in the cas logs?
You may have to increase to debug.



Morning Star (vidivelli)

Oct 3, 2022, 1:54:23 PM
to CAS Community, Ray Bon
Hi Ray,
After enabling logger,
2022-10-03 10:43:36 [DEBUG] org.apereo.cas.services.RegisteredServiceAccessStrategyUtils  Current authentication via ticket [TGT-1-*****S7zelhSYVY- brqalxyz300  ] allows service [https://qa7-cp.example.com/home/] to participate in the existing SSO session
2022-10-03 10:43:36 [DEBUG] org.apereo.cas.authentication.policy.RequiredHandlerAuthenticationPolicyFactory  Required authentication handlers for this service [web] are [[]]
2022-10-03 10:43:36 [DEBUG] org.apereo.cas.ticket.factory.DefaultServiceTicketFactory  Looking up service ticket id generator for [org.apereo.cas.authentication.principal.SimpleWebApplicationServiceImpl]
2022-10-03 10:43:36 [DEBUG] org.apereo.cas.ticket.registry.HazelcastTicketRegistry  Adding ticket [TGT-1-*****S7zelhSYVY- brqalxyz300  ] with ttl [9223372036854775807s]
2022-10-03 10:43:36 [DEBUG] org.apereo.cas.ticket.registry.HazelcastTicketRegistry  Locating map name [ticketGrantingTicketsCache] for ticket definition [DefaultTicketDefinition(implementationClass=class org.apereo.cas.ticket.TicketGrantingTicketImpl, prefix=TGT, properties=DefaultTicketDefinitionProperties(cascadeRemovals=false, storageName=ticketGrantingTicketsCache, storageTimeout=28800, storagePassword=null, excludeFromCascade=false), order=2147483647)]
2022-10-03 10:43:36 [DEBUG] org.apereo.cas.ticket.registry.HazelcastTicketRegistry  Located Hazelcast map instance [ticketGrantingTicketsCache]
2022-10-03 10:43:36 [DEBUG] org.apereo.cas.ticket.registry.HazelcastTicketRegistry  Added ticket [TGT-1-*****S7zelhSYVY-brqalxyz300] with ttl [9223372036854775807s]
2022-10-03 10:43:36 [DEBUG] org.apereo.cas.ticket.registry.HazelcastTicketRegistry  Adding ticket [ST-1-JxIpepiwAy7W0nkTT9cgLlDUnoE- brqalxyz300  ] with ttl [10s]
2022-10-03 10:43:36 [DEBUG] org.apereo.cas.ticket.registry.HazelcastTicketRegistry  Locating map name [serviceTicketsCache] for ticket definition [DefaultTicketDefinition(implementationClass=class org.apereo.cas.ticket.ServiceTicketImpl, prefix=ST, properties=DefaultTicketDefinitionProperties(cascadeRemovals=false, storageName=serviceTicketsCache, storageTimeout=10, storagePassword=null, excludeFromCascade=false), order=-2147483648)]
2022-10-03 10:43:36 [DEBUG] org.apereo.cas.ticket.registry.HazelcastTicketRegistry  Located Hazelcast map instance [serviceTicketsCache]
2022-10-03 10:43:36 [DEBUG] org.apereo.cas.ticket.registry.HazelcastTicketRegistry  Added ticket [ST-1-JxIpepiwAy7W0nkTT9cgLlDUnoE- brqalxyz300  ] with ttl [10s]
2022-10-03 10:43:36 [INFO] org.apereo.cas.DefaultCentralAuthenticationService  Granted service ticket [ST-1-JxIpepiwAy7W0nkTT9cgLlDUnoE- brqalxyz300  ] for service [https://qa7-cp.example.com/home/] and principal [CA00...@test.com]

2022-10-03 10:43:36 [DEBUG] org.springframework.webflow.engine.Transition  Completed transition execution.  As a result, the flow execution has ended
2022-10-03 10:43:36 [DEBUG] org.springframework.webflow.mvc.servlet.FlowHandlerAdapter  Sending external redirect to 'https://qa7-xyz.fdfffce.com/customer/?ticket=ST-1-JxIpepiwyy7W0nkTT9cgLlDUnoE-brqalint300'
2022-10-03 10:43:36 [DEBUG] org.springframework.web.servlet.DispatcherServlet  Completed 302 FOUND

2022-10-03 10:43:41 [DEBUG] com.hazelcast.internal.partition.InternalPartitionService  [localhost]:5701 [dev] [4.0.1] Checking partition state, version: 272
2022-10-03 10:43:41 [DEBUG] org.apache.http.impl.conn.PoolingHttpClientConnectionManager  Connection manager is shutting down
2022-10-03 10:43:41 [DEBUG] org.apache.http.impl.conn.DefaultManagedHttpClientConnection  http-outgoing-0: Close connection
2022-10-03 10:43:41 [DEBUG] org.apache.http.impl.conn.PoolingHttpClientConnectionManager  Connection manager shut down

In the browser, I could see a 401 Unauthorized error :-(

Ray Bon

Oct 3, 2022, 2:55:41 PM
to anusu...@gmail.com, cas-...@apereo.org

It looks like cas redirects the browser with the service ticket (ST...). But there are no cas logs about validating the service ticket.
This indicates that the target application is not processing the service ticket correctly or is unable to connect to the cas server.
Check target application configuration and logs.
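
Added example (not part of the thread and not CAS code): a Python check that pairs each "Granted service ticket" line in a CAS debug log with a later validation request and reports tickets that were never validated within their TTL, the gap described in the reply above. The validation-request pattern, the sample log and the names `unvalidated_tickets` and `norm` are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")
ADDED = re.compile(r"Added ticket \[\s*(ST-[^\]]+)\] with ttl \[(\d+)s\]")
GRANTED = re.compile(r"Granted service ticket \[\s*(ST-[^\]]+)\] for service \[([^\]]+)\]")
# Assumption: a validation attempt appears as a request line for a CAS protocol
# validation endpoint carrying the ticket. Adjust to your own request log.
VALIDATION = re.compile(
    r"/(?:p3/)?(?:serviceValidate|proxyValidate|validate)\?\S*ticket=(ST-[^\s&'\"]+)")

# Constructed sample. Registry/grant lines follow the format posted in the
# thread; the last line is a made-up request-log entry, not real CAS output.
SAMPLE = """\
2022-10-03 10:43:36 [DEBUG] org.apereo.cas.ticket.registry.HazelcastTicketRegistry  Added ticket [ST-1-EXAMPLEaaa- host1  ] with ttl [10s]
2022-10-03 10:43:36 [INFO] org.apereo.cas.DefaultCentralAuthenticationService  Granted service ticket [ST-1-EXAMPLEaaa- host1  ] for service [https://app-a.example.com/home/] and principal [user1]
2022-10-03 10:44:00 [DEBUG] org.apereo.cas.ticket.registry.HazelcastTicketRegistry  Added ticket [ST-2-EXAMPLEbbb-host1] with ttl [10s]
2022-10-03 10:44:00 [INFO] org.apereo.cas.DefaultCentralAuthenticationService  Granted service ticket [ST-2-EXAMPLEbbb-host1] for service [https://app-b.example.com/] and principal [user2]
2022-10-03 10:44:02 [INFO] constructed.RequestLog  GET /cas/p3/serviceValidate?service=https%3A%2F%2Fapp-b.example.com%2F&ticket=ST-2-EXAMPLEbbb-host1
"""

def norm(ticket_id):
    """Drop whitespace that redaction or mail wrapping left inside a ticket id."""
    return re.sub(r"\s+", "", ticket_id)

def unvalidated_tickets(log_text, default_ttl=10):
    """Return (ticket, service, reason) for granted STs not validated within their TTL."""
    ttl, granted, validated = {}, {}, {}
    for line in log_text.splitlines():
        m = TS.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if a := ADDED.search(line):
            ttl[norm(a.group(1))] = timedelta(seconds=int(a.group(2)))
        elif g := GRANTED.search(line):
            granted[norm(g.group(1))] = (when, g.group(2))
        elif v := VALIDATION.search(line):
            validated.setdefault(norm(v.group(1)), when)
    findings = []
    for tid, (when, service) in granted.items():
        seen = validated.get(tid)
        expiry = when + ttl.get(tid, timedelta(seconds=default_ttl))
        if seen is None:
            findings.append((tid, service, "no validation request seen"))
        elif seen > expiry:
            findings.append((tid, service, "validated after ticket expired"))
    return findings
```

A ticket reported as "no validation request seen" points at the client application or the network path back to CAS; "validated after ticket expired" points at latency or clock skew against the short ST lifetime.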
