CAS Server / CAS-1394

pgtInit returns null pgtIou due to pgtUrl readTimeout (less than 1% occurrence)

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.5.2
    • Fix Version/s: 4.0, 4.0 RC4
    • Component/s: ClearPass
    • Labels:
      None
    • Environment:
      CAS 3.5.2 with ClearPass / Couchbase with replication

      Description

      This occurs about once out of perhaps every 500-600 logins (from what we've seen) and is probably the last bug that needs to be addressed in order to achieve 100% service availability. Please see the following ClearPass transaction (includes proxy ticket request, etc).

      Service Ticket: ST-1234

      pgtInit Request
      https://cas.example.com/serviceValidate?ticket=ST-1234&pgtUrl=https%3A%2F%2Fwww%2Eexample%2Ecom%2FpgtUrl%2Easp%3FproxyResponse%3DTrue&service=https%3A%2F%2Fwww%2Eexample%2Ecom%2Fclearpass.asp

      pgtInit Response
      <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:authenticationSuccess> <cas:user>jdoe</cas:user> </cas:authenticationSuccess> </cas:serviceResponse>

      pgtIou
      null

      pgtId
      0 chars

      Proxy Ticket Response
      <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:proxyFailure code='INVALID_REQUEST'> 'pgt' and 'targetService' parameters are both required </cas:proxyFailure> </cas:serviceResponse>

      Request:
      https://cas.example.com/clearPass?ticket= (proxy ticket)

      casUsername
      jdoe

      casPassword
      0 chars

      ClearPass Response
      <cas:clearPassResponse xmlns:cas='http://www.yale.edu/tp/cas'> <cas:clearPassFailure>No authentication information provided.</cas:clearPassFailure> </cas:clearPassResponse>

      This doesn't happen often, but it has happened to 7 people in the past 5 hours, one of whom I've found to be associated with a SocketTimeoutException which led to additional exceptions resulting in error.authentication.credentials.bad. Others, however, show no signs of such exceptions.

      Granted, it's a less than 1% failure rate, but fails nonetheless for some users under certain circumstances. The observed result in the pgtInit response is that the pgtInit response doesn't return a PGT-IOU, even though we are still getting a cas:authenticationSuccess XML response.

      Could this be caused by replication latency, as we are currently storing tickets in a replicated memcached environment?
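
Added example, not part of the original report or of the CAS project's code: a client-side check for the condition described above, where serviceValidate returns cas:authenticationSuccess without a cas:proxyGrantingTicket (PGT-IOU) element even though a pgtUrl was supplied. It assumes a Python client; the names parse_service_validate and MissingPgtIou are hypothetical, and the healthy response with its PGT-IOU value is constructed.

```python
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


class MissingPgtIou(Exception):
    """Authentication succeeded, but no PGT-IOU came back for a requested pgtUrl."""


def parse_service_validate(xml_text, pgt_url_requested):
    """Return (user, pgt_iou) from a CAS 2.0 serviceValidate response.

    Raises MissingPgtIou when a pgtUrl was sent but the success response
    carries no cas:proxyGrantingTicket, so the caller stops before it asks
    for a proxy ticket with an empty 'pgt' parameter.
    """
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError("validation failed: %s" % failure.get("code"))
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("not a serviceValidate response")
    user = success.findtext("cas:user", default="", namespaces=CAS_NS).strip()
    pgt_iou = success.findtext(
        "cas:proxyGrantingTicket", default="", namespaces=CAS_NS).strip()
    if pgt_url_requested and not pgt_iou:
        # The service ticket is single-use, so validation cannot be replayed;
        # the user has to be sent back through login for a fresh ticket.
        raise MissingPgtIou(user)
    return user, pgt_iou or None


# Response quoted in the report above (no PGT-IOU element).
REPORTED_RESPONSE = (
    "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> "
    "<cas:authenticationSuccess> <cas:user>jdoe</cas:user> "
    "</cas:authenticationSuccess> </cas:serviceResponse>")

# Constructed sample of a response that does carry a PGT-IOU.
HEALTHY_RESPONSE = (
    "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'> "
    "<cas:authenticationSuccess> <cas:user>jdoe</cas:user> "
    "<cas:proxyGrantingTicket>PGTIOU-1-constructed</cas:proxyGrantingTicket> "
    "</cas:authenticationSuccess> </cas:serviceResponse>")

if __name__ == "__main__":
    print(parse_service_validate(HEALTHY_RESPONSE, True))
    try:
        parse_service_validate(REPORTED_RESPONSE, True)
    except MissingPgtIou as exc:
        print("no PGT-IOU for user", exc)
```

Logging each MissingPgtIou with a timestamp gives a direct count of the failure rate and lets the events be correlated with SocketTimeoutException entries on the server side.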


            People

            • Assignee:
              mmoayyed Misagh Moayyed
              Reporter:
              mborja Matt Borja