This repository has been archived by the owner on Oct 24, 2020. It is now read-only.

Ticket Validation Failure #31

Open
pernin opened this issue Jan 10, 2018 · 6 comments

@pernin

pernin commented Jan 10, 2018

Hi to all,
I have a problem during ticket validation: when shib-cas-authn calls cas/serviceValidate, I get an error. The log is:

```xml
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationFailure code='INVALID_TICKET'>
Il ticket ''{0}'' non è stato riconosciuto
</cas:authenticationFailure>
</cas:serviceResponse>
```

But if I look at the CAS logs, I see that the service ticket has been correctly validated. So, what is the problem?
Thank you in advance.

@mmoayyed
Contributor

Is there more in the CAS logs? Do you have it at DEBUG level?

@pernin
Author

pernin commented Jan 11, 2018

The CAS logs are regular:

```
2018-01-10 18:32:15,245 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - Attribute policy [org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy@56d3d58e[attributeFilter=<null>,principalAttributesRepository=org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository@7dfc7ddc[],authorizedToReleaseCredentialPassword=false,authorizedToReleaseProxyGrantingTicket=false,allowedAttributes=[]]] is associated with service [id=0,name=HTTPS and IMAPS,description=Allows HTTPS and IMAPS protocols, serviceId=^https://****************/idp/Authn/ExtCas.*, usernameAttributeProvider=org.jasig.cas.services.DefaultRegisteredServiceUsernameProvider@d, theme=cas, evaluationOrder=0, logoutType=BACK_CHANNEL, attributeReleasePolicy = org.jasig.cas.services.ReturnAllowedAttributeReleasePolicy@56d3d58e[attributeFilter = null>, principalAttributesRepository = org.jasig.cas.authentication.principal.DefaultPrincipalAttributesRepository@7dfc7ddc[], authorizedToReleaseCredentialPassword=false, authorizedToReleaseProxyGrantingTicket=false, allowedAttributes=[]],accessStrategy=org.jasig.cas.services.DefaultRegisteredServiceAccessStrategy@4bab3722[enabled=true,ssoEnabled=true,requireAllAttributes=true,requiredAttributes={}],publicKey=<null>,proxyPolicy=org.jasig.cas.services.RefuseRegisteredServiceProxyPolicy@55b0c6be,logo=<null>,logoutUrl=<null>,requiredHandlers=[],<null>]
2018-01-10 18:32:15,257 DEBUG [org.jasig.cas.ticket.registry.MemCacheTicketRegistry] - Deleting ticket ST-736-qgjtO9HI63nL3LEkGElF
2018-01-10 18:32:15,273 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - Ticket [ST-736-qgjtO9HI63nL3LEkGElF] by type [Ticket] cannot be found in the ticket registry.
2018-01-10 18:32:15,275 INFO [org.jasig.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: ST-736-qgjtO9HI63nL3LEkGElF
ACTION: SERVICE_TICKET_VALIDATED
APPLICATION: CAS
WHEN: Wed Jan 10 18:32:15 CET 2018
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================
```

But when Shib tries to use the ST to obtain the attributes, the CAS response is

```xml
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationFailure code='INVALID_TICKET'>
            Il ticket &#039;&#039;{0}&#039;&#039; non è stato riconosciuto
    </cas:authenticationFailure>
</cas:serviceResponse>
```

```
2018-01-10 12:57:13,116 - ERROR [net.unicon.idp.externalauth.ShibcasAuthServlet:?] - Ticket validation failed, returning InvalidTicket
org.jasig.cas.client.validation.TicketValidationException:
            Il ticket ''{0}'' non è stato riconosciuto
```

The strangest thing is that this behaviour happens only when there is already a session active for the user (so the SSO feature is exploited without the insertion of credentials) and only for a few Service Providers...
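
When reading CAS DEBUG output like the lines quoted above, it helps to pair each registry deletion with any later failed lookup of the same ticket. The following is an added example, not part of the original thread or of the shib-cas-authn project; the regexes assume the log line layout quoted in the comment above, and the third sample line is constructed.

```python
import re
from datetime import datetime

# First two lines are taken from the log quoted above; the third is constructed.
SAMPLE_LOG = """\
2018-01-10 18:32:15,257 DEBUG [org.jasig.cas.ticket.registry.MemCacheTicketRegistry] - Deleting ticket ST-736-qgjtO9HI63nL3LEkGElF
2018-01-10 18:32:15,273 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - Ticket [ST-736-qgjtO9HI63nL3LEkGElF] by type [Ticket] cannot be found in the ticket registry.
2018-01-10 18:32:16,001 DEBUG [org.jasig.cas.CentralAuthenticationServiceImpl] - Ticket [ST-999-constructedExample] by type [Ticket] cannot be found in the ticket registry.
"""

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})"
DELETED = re.compile(TS + r" .*Deleting ticket (ST-\S+)")
MISSING = re.compile(TS + r" .*Ticket \[(ST-[^\]]+)\].*cannot be found in the ticket registry")


def parse_ts(text):
    """Parse the log4j-style timestamp (comma before the milliseconds)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S,%f")


def lookups_after_delete(log_text):
    """Return (ticket, ms_since_delete) for every failed registry lookup.

    ms_since_delete is None when no earlier deletion of that ticket was
    logged, which separates "already consumed" from "never seen here".
    """
    deleted_at = {}
    findings = []
    for line in log_text.splitlines():
        m = DELETED.match(line)
        if m:
            deleted_at[m.group(2)] = parse_ts(m.group(1))
            continue
        m = MISSING.match(line)
        if m:
            ticket, when = m.group(2), parse_ts(m.group(1))
            gap = None
            if ticket in deleted_at:
                gap = round((when - deleted_at[ticket]).total_seconds() * 1000)
            findings.append((ticket, gap))
    return findings


if __name__ == "__main__":
    for ticket, gap in lookups_after_delete(SAMPLE_LOG):
        detail = f"{gap} ms after deletion" if gap is not None else "no deletion logged"
        print(f"{ticket}: lookup failed ({detail})")
```
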

@mmoayyed
Contributor

Please reformat the logs so they are easier to read and review.

@nebtag

nebtag commented Oct 2, 2018

Hello,
Did you find a solution for this problem? I have the same behaviour.

@pernin
Author

pernin commented Oct 2, 2018

I don't remember it exactly, but you should try to force the "renew" parameter to the value true to bypass the problem.

@auxepaul

We identified a similar problem with IdP 3.4 and CAS 6.0 with shib-cas-authn3. In our case, empty attributes sent by CAS to shib-cas-authn3 produce "InvalidTicket" errors and it breaks the authentication workflow.
