CAS: Unable to validate ProxyTicketValidator

I'm currently trying to setup a CAS server and use it to login at several local applications.

Cas Server(https): localhost:8443 (this is working correctly)

Application: localhost:82

When i go to localhost:82, it instantly redirects to localhost:8443. When i try to login, it returns to localhost:82/?ticket=ST-7-THoxHvfK5FoZZsejrSLh-cas01.example.org, but it shows this error:

edu.yale.its.tp.cas.client.CASAuthenticationException: Unable to validate ProxyTicketValidator [[edu.yale.its.tp.cas.client.ProxyTicketValidator proxyList=[null] [edu.yale.its.tp.cas.client.ServiceTicketValidator casValidateUrl=[https://localhost:8443/cas/serviceValidate] ticket=[ST-5-oYvT4kciKnE3Ibx1CtRd-cas01.example.org] service=[http%3A%2F%2Flocalhost%3A82%2F] renew=false entireResponse=[
..(complete page's HTML code)..
]]]]
edu.yale.its.tp.cas.client.CASReceipt.getReceipt(CASReceipt.java:52)
edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:455)
edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:378)

When I am trying to login, Tomcat shows the following in the server log. This indicates to me that localhost:82 is authenticated, right?

2015-04-03 09:22:40,544 INFO                     [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] -   <AcceptUsersAuthenticationHandler successfully authenticated admin+password>
2015-04-03 09:22:40,544 INFO  [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated admin with credentials [admin+password].>
2015-04-03 09:22:40,544 INFO  [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail   record BEGIN
=============================================================
WHO: audit:unknown
WHAT: supplied credentials: [admin+password]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Fri Apr 03 09:22:40 CEST 2015
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

>
2015-04-03 09:22:40,545 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: TGT-3-I53UgV3LJICJLLtxgKcAIgSmLniIGCuPZsqWs0jLa146Secypw-cas01.example.org
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Apr 03 09:22:40 CEST 2015
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

>
2015-04-03 09:22:40,546 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-7-THoxHvfK5FoZZsejrSLh-cas01.example.org] for service [http://localhost:82/] for user [admin]>
2015-04-03 09:22:40,546 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: admin
WHAT: ST-7-THoxHvfK5FoZZsejrSLh-cas01.example.org for http://localhost:82/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Apr 03 09:22:40 CEST 2015
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

>
2015-04-03 09:22:40,622 INFO [org.jasig.cas.CentralAuthenticationServiceImpl] - <Granted service ticket [ST-8-ISpe32fFhErzCeFcfUgJ-cas01.example.org] for service [http://localhost:82/favicon.ico] for user [admin]>
2015-04-03 09:22:40,622 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
=============================================================
WHO: admin
WHAT: ST-8-ISpe32fFhErzCeFcfUgJ-cas01.example.org for http://localhost:82/favicon.ico
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Apr 03 09:22:40 CEST 2015
CLIENT IP ADDRESS: 127.0.0.1
SERVER IP ADDRESS: 127.0.0.1
=============================================================

>

I created a SSL certificate according to wiki.jasig.org/display/CASUM/Demo. I have done keytool -genkey -alias tomcat -keypass changeit -keyalg RSA (with first/last name = localhost), keytool -export -alias tomcat -keypass changeit -file server.crt and keytool -import -file server.crt -keypass changeit -keystore ..\jre\lib\security\cacerts

And in the Tomcat server.xml i added

<Connector port="8443" maxHttpHeaderSize="8192"maxThreads="150" minSpareThreads="25" 
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
keystoreFile="C:\workspace\.keystore"
keystorePass="changeit"
truststoreFile="C:/Program Files/Java/jdk1.7.0_76/jre/lib/security/cacerts" 
SSLEnabled="true" protocol="org.apache.coyote.http11.Http11Protocol" />

Can anyone give me a clue where to find the solution for this problem? Any help would be appreciated!

Whenever you request serviceValidate with pgtUrl CAS will attempt to create a pgt and send it to your pgtUrl.

Checkout the walkthrough here.

If your application does not have a service at pgtUrl CAS will log these errors. If you are not implementing proxy ticketing in your application then you should not make requests with pgtUrl as a parameter. This can usually be done by not setting a proxy callback url.

If you are implementing proxy ticketing then the callback needs to be an https URL. You can then use the parameters to get the proxy ticket.

In my case I was using the spring-security-cas plugin in grails. The documentation recommends to set cas.proxyCallbackUrl and cas.proxyReceptorUrl, but when these are set the CAS log filled with errors. I found out that pgtUrl was set because the configuration was set. Once I removed this configuration the errors went away.

I recommend not sending pgtUrl to serviceValidate and see if the error goes away.