Scott, We figured it out, the web server was also upgraded from windows 2003 to 2008. App pool in iis was configured with wrong queue value. Increasing it from 1000 to 4000 had fixed the issue. The cluster is running in Active Passive mode.
Thanks On Wed, Jun 26, 2013 at 11:09 AM, Scott <[email protected]> wrote: > Are you using any of the ASP.NET SQL providers/univeral providers that > are hooked into the SQL back-end? Maybe a cache provider that stores the > cache in the SQL database? The reason I ask is that in the out-of-the-box > CAS client setup, there is no dependency on a database. However, there is > a dependency on caching and I think there are providers for the caching > subsystem that put the cache in the database, so in that case, your CAS > client may have an indirect dependency on SQL for the ticket manager > features. > > Is the cluster active-passive or active-active? I an active-passive > configuration, you shouldn't see any weirdness happen after 15-20 minutes, > but rather maybe during or after a failover. Can you possibly see if there > is a correlation? Even still, the only thing that comes to mind would be > if your cluster isn't replicating data properly, though I imagine you would > have seen symptoms of that elsewhere. > > Are you using single sign-out, generating proxy tickets, or using the CAS > ticket revocation features? If not, your easiest bet would just be to turn > off those ticket manager features by removing them from the > casClientConfig. The error logs seem to indicate that the proxy ticket > manager is causing issues so if you aren't generating or accepting proxy > tickets, I would suggest removing the > proxyTicketManager="CacheProxyTicketManager" line from web.config and see > if it solves your problem (or if it starts generating errors about the > ServiceTicketManager). > > If you can reproduce this in a development environment, it might be worth > checking out the .NET CAS client from github and adding it as a project > reference. Then you can set breakpoints and attach a debugger to catch the > exception as it happens (or turn on Debugging -> Exceptions -> Common > Language Runtime Exceptions -> Thrown in VS if you don't know where to put > the breakpoint--though you will likely pick up some noise about handled > exceptions). > > -ScottH > > > On Wed, Jun 26, 2013 at 1:38 AM, Faisal Memon <[email protected]> wrote: > >> Hello Scott, >> That is the strange thing, application is running on standalone web >> server, it is the SQL database that went in clustered CONFIG. CAS client >> authenticates against the SQL cluster. It works fine for 15 to 20 minutes >> after running iisreset. Are there specific permissions needed in IIS7 >> becasue CAS client went from stand alone windows 2003 to windows 2008 web >> server >> >> Thanks >> >> >> On Wed, Jun 26, 2013 at 1:36 AM, Faisal Memon <[email protected]> wrote: >> >>> Hello Scott, >>> The application is running on standalone webserver, it is the SQL >>> database that went in clustered CONFIG. CAS client authenticates against >>> the SQL cluster. It works fine for 15 to 20 minutes after running iisreset. >>> Are there specific permissions needed in IIS7 becasue CAS client went from >>> stand alone windows 2003 to windows 2008 web server >>> >>> Thanks >>> >>> >>> On Tue, Jun 25, 2013 at 11:10 PM, Scott <[email protected]> wrote: >>> >>>> Your CAS client is currently setup in a mode where it needs to be >>>> stateful. The proxyTicketManager and serviceTicketManager implementations >>>> that ship with the CAS client maintain state in the ASP.NET cache, >>>> which isn't web farm/cluster friendly (it lives in memory in each web >>>> server). If you don't require proxy ticket supports, single sign-out >>>> support, or the ability to revoke outstanding formsAuthentication tickets, >>>> you can remove both of those attributes from the casClientConfig attribute >>>> in your web.config and your CAS client will be stateless (web farm/cluster >>>> friendly). If you do require them, you will need to implement the >>>> IProxyTicketManager and IServiceTicketManager interfaces using some kind of >>>> back-end storage mechanism that all of your web servers share. I believe >>>> you can then replace CacheProxyTicketManager and CacheServiceTicketManager >>>> in the web.config with standard the .NET config-style assembly references >>>> (ex. Namespace.Type, Assembly, Version=1.0.0, Culture=neutral, >>>> PublicKeyToken=etc) >>>> >>>> One other thing to be aware of. The .NET CAS Client uses a lot of the >>>> FormsAuthentication API for creating and validating tickets/cookies on the >>>> clients. The Forms authentication encryption, decryption, and validation >>>> is typically performed using the machine key. All of your clustered web >>>> servers should be configured to have the same machine key. Otherwise, >>>> you'll find that you run into a lot of the same weirdness with Forms >>>> Authentication with or without the CAS client involved. >>>> >>>> -ScottH >>>> >>>> On Tue, Jun 25, 2013 at 7:21 PM, Faisal Memon <[email protected]>wrote: >>>> >>>>> Hello, >>>>> We have third party .net portal, the portal has been running with CAS >>>>> since 2011. Last weekend the portal application database was clustered and >>>>> since then we have very unstable SSO in place. Attached is the Error >>>>> message we see in Event viewer, anyone had experienced this issue before. >>>>> >>>>> Thanks >>>>> >>>>> Faisal >>>>> >>>>> -- >>>>> You are currently subscribed to [email protected] as: >>>>> [email protected] >>>>> To unsubscribe, change settings or access archives, see >>>>> http://www.ja-sig.org/wiki/display/JSG/cas-user >>>>> >>>>> >>>> -- >>>> You are currently subscribed to [email protected] as: >>>> [email protected] >>>> To unsubscribe, change settings or access archives, see >>>> http://www.ja-sig.org/wiki/display/JSG/cas-user >>>> >>>> >>> >> > -- You are currently subscribed to [email protected] as: [email protected] To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
