...
A CAS 2.0 ServiceTicket is a ServiceTicket whose GrantingTicket has a Principal that is a user (an authenticated netid), where that GrantingTicket itself has a grantor of null. Implementations of the CAS 2.0 "serviceValidate" and "validate" web targets will need to verify that the CAS 3.0 ServiceTicket they are validating in fact has a single GrantingTicket in its chain of grantors, and that the Principal of that single grantor represents an authenticated netid.
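The check described above, sketched as an added example (Java 16+); it is not code from the CAS project. The types `UserPrincipal`, `ServicePrincipal`, `GrantingTicket` and `ServiceTicket` and the method `validateAsCas2ServiceTicket` are hypothetical stand-ins for illustration, and modelling a proxying grantor as a GrantingTicket with a service Principal and a non-null grantor is an assumption.

```java
// Added illustration; these types are hypothetical stand-ins, not the CAS 3.0 API.
import java.util.Objects;

public class Cas2TicketCheck {
    interface Principal { String id(); }
    // Assumed marker types: a user is an authenticated netid, a service is a proxying service.
    record UserPrincipal(String id) implements Principal {}
    record ServicePrincipal(String id) implements Principal {}

    // grantor == null marks the root of the chain of grantors.
    record GrantingTicket(String id, Principal principal, GrantingTicket grantor) {}
    record ServiceTicket(String id, String service, GrantingTicket grantor) {}

    /** Returns the netid if the ticket qualifies as a CAS 2.0 ServiceTicket, else throws. */
    static String validateAsCas2ServiceTicket(ServiceTicket st) {
        GrantingTicket gt = Objects.requireNonNull(st, "ticket").grantor();
        if (gt == null)
            throw new IllegalArgumentException("no GrantingTicket");
        // Exactly one GrantingTicket in the chain: its own grantor must be null.
        if (gt.grantor() != null)
            throw new IllegalArgumentException("chain of grantors longer than one");
        // The single grantor must carry a user Principal, not a service.
        if (!(gt.principal() instanceof UserPrincipal user))
            throw new IllegalArgumentException("grantor Principal is not a user");
        return user.id();
    }

    public static void main(String[] args) {
        // Constructed sample tickets; ids, netid and URLs are made up.
        GrantingTicket tgt = new GrantingTicket("TGT-1", new UserPrincipal("jdoe"), null);
        GrantingTicket pgt = new GrantingTicket("PGT-1",
                new ServicePrincipal("https://portal.example.edu/"), tgt);
        GrantingTicket svcRoot = new GrantingTicket("TGT-2",
                new ServicePrincipal("https://batch.example.edu/"), null);
        ServiceTicket[] samples = {
            new ServiceTicket("ST-1", "https://app.example.edu/", tgt),     // direct user login
            new ServiceTicket("PT-1", "https://backend.example.edu/", pgt), // chain of two
            new ServiceTicket("ST-2", "https://app.example.edu/", svcRoot), // root is not a user
        };
        for (ServiceTicket st : samples) {
            try {
                System.out.println(st.id() + " valid for " + validateAsCas2ServiceTicket(st));
            } catch (IllegalArgumentException e) {
                System.out.println(st.id() + " rejected: " + e.getMessage());
            }
        }
    }
}
```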
Understanding traditional ProxyTickets in this new scheme
...