SecurityRiskAdvisors / VECTR

VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios

Invalid service ticket #15

Closed glennbarrett closed 5 years ago

glennbarrett commented 5 years ago

After upgrading from 5.0 to 5.1, trying to login with admin produces the error “Invalid service ticket. It was either unrecognized or has expired.”

thebleucheese commented 5 years ago

Can you walk me through which upgrade process you used and how it went?

Additionally, check sudo docker logs -f <vectr_tomcat_container_name> for any clear exception log entries. (There's a lot of noise in there related to the auth layer for debugging that you can ignore)

We've seen this a few times for a variety of reasons, each having its own individual solution including things like clearing browser cache, needing to modify configuration files, restarting both docker containers, permissions changes, or docker compose file updates. We'll work towards figuring out which path to take here.

ssnkhan commented 5 years ago

I am getting the same error though my thought was that it was related to https://github.com/SecurityRiskAdvisors/VECTR/issues/14

thebleucheese commented 5 years ago

ssnkhan, can you try an install with the default settings to see if that works? I have a feeling the installer will cause problems if used with localhost rather than some other host name. The installation scripts should add an entry to /etc/hosts for whatever you choose as a hostname.

I ran into some complications with generating certs and using localhost and I haven't resolved those issues just yet.

ssnkhan commented 5 years ago

This is as default/vanilla installation as they come; I did not change any values at all. At what stage would I be prompted to specify a hostname? I don't recall being given an option ...

glennbarrett commented 5 years ago

I am using the parallel deployment upgrade.

I had entered an IP address as the host name during the install. I did a fresh install with just the defaults and when trying to authenticate by browsing to the IP address I get “Application Not Authorized to Use CAS”. If I add a hosts entry for sravectr.internal on my client, then authentication works, but I need to be able to authenticate by only using the IP address on the browser.

How can I use the IP and still have CAS work properly?

thebleucheese commented 5 years ago

CAS requires HTTPS. There are challenges issuing and using CA type certs with private IP addresses. CAS' cert verification won't accept a private IP cert.

I don't think we can currently support an installation of that type. Is there a way you can get around the IP only requirement? Using a VM if the issue is that you're unable to modify your local hosts file?

glennbarrett commented 5 years ago

I've been able to just have users modify their host file as a requirement of access. Thank you.

sekar5in commented 4 years ago

same issue

SRAPSpencer commented 4 years ago

@sekar5in Are you also upgrading from 5.0 to 5.1? The latest version is 5.5. Unless you are in an identical situation please open a new issue. There are many things that can cause this error and we need much more information about your running environment.

pathetiq commented 4 years ago

Same issue here and the only changes I did are the password and keys in .env file which are rather long 20/30 characters. I got a timeout in the error:

SRAPSpencer commented 4 years ago

@pathetiq Were you also upgrading from prior versions or is this a new install?

pathetiq commented 4 years ago

@SRAPSpencer Fully new install an hour ago.

SRAPSpencer commented 4 years ago

@pathetiq Then let's start a new issue. Invalid service ticket can be caused by many things. Two things of note.

VECTR needs a URL as hostname for HTTPS purposes. Your VECTR_HOSTNAME in env should reflect the name you are using to navigate to it.

If that doesn't resolve your issue open a new ticket and we'll assist.

pathetiq commented 4 years ago

Thanks, hostname does fix this error. May I suggest to add a note about hostname only no ip and setting up the /etc/hosts if no hostname is possible through aws or some remote server, etc? (Here I guess: https://docs.vectr.io/Installation/)?
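
A preflight check for the hostname advice given in this thread, as an added example that is not part of the original discussion or the VECTR project's code. It assumes a `KEY=value` style `.env` file and a hosts file such as `/etc/hosts`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not VECTR project code). Assumes .env uses KEY=value lines and
# that the VECTR name is resolved through a hosts file such as /etc/hosts.

# Print the value of KEY ($2) from env file ($1); last assignment wins.
env_value() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Succeed when $1 looks like an IPv6 literal or an IPv4 dotted quad.
is_ip_literal() {
    case $1 in
        *:*) return 0 ;;
        ''|*[!0-9.]*) return 1 ;;   # empty, or contains a non-digit: a name
        *.*.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed when hosts file ($1) maps some address to name ($2).
hosts_has_name() {
    awk -v name="$2" '
        { sub(/#.*/, "") }          # ignore comments
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(name)) found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Return codes: 0 ok, 1 unset, 2 IP literal, 3 localhost, 4 no hosts entry.
check_vectr_hostname() {
    host=$(env_value "$1" VECTR_HOSTNAME)
    if [ -z "$host" ]; then
        echo "VECTR_HOSTNAME is not set in $1"; return 1
    fi
    if is_ip_literal "$host"; then
        echo "VECTR_HOSTNAME=$host is an IP address; use a hostname for CAS"; return 2
    fi
    if [ "$host" = localhost ]; then
        echo "localhost was reported as problematic in this thread"; return 3
    fi
    if ! hosts_has_name "$2" "$host"; then
        echo "$host has no entry in $2; add one or confirm DNS resolves it"; return 4
    fi
    echo "OK: browse to VECTR using the name $host"
}

# Usage: sh check.sh /path/to/.env [/etc/hosts]
if [ "$#" -ge 1 ]; then check_vectr_hostname "$1" "${2:-/etc/hosts}"; fi
```

Run it on the server against the installer's `.env`, and on a client with that client's hosts file to confirm the same name resolves there.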