X509 Authentication with IE6 does not work with Access Manager SP1 Beta 1

  • 3313853
  • 29-May-2007
  • 26-Apr-2012

Environment


Novell Access Manager 3 Linux Access Gateway (LAG)
Novell Access Manager 3 Support Pack 1 beta 1 applied

Situation

The customer was running IR2 code and had mutual (X.509 client certificate) authentication working fine.
After upgrading to SP1 beta 1, mutual authentication still worked with Firefox and IE7 but not with IE6: IE6 users got a blank page.

Everything was configured correctly, but the customer had enabled the following switches:

SSL Listen Options
Enforce 128-Bit Encryption between Browser and Access Gateway
Enforce 128-Bit Encryption between Access Gateway and Web Server

When the IE6 browser requested the LAG protected resource, the LAG decided to redirect it to the ESP for authentication, but the 302 redirect never came back over the wire to the browser.

May 24 11:34:04 OAJODEVWAC21 : 504503 0: 14AF: 0: 1: Process request 1 'wac-ag1.dev.jnet.state.pa.us''/AccessManager/' [10.1.224.222:12698 ->10.1.225.230:443]
OAJODEVWAC21 :      DATASTREAM :        1 :Search success for the resource = /AccessManager/
OAJODEVWAC21 : 504504 0: 14AF: 0: 1: AuthEventManager - Process auth event AUTHENTICATION_COOKIE_VALIDATION
OAJODEVWAC21 : 504504 0: 14AF: 0: 1: Browser has not sent any cookie, redirect for authentication
OAJODEVWAC21 : 504504 0: 14AF: 0: 0: Created new IAUser (a0be8e8c)
OAJODEVWAC21 : 504504 0: 14AF: 0: 1: REDIRECT_TO_ESP
OAJODEVWAC21 : PROFILER : 1 :Browser req/resp[113, 0, 0] [timeToResp:-1 respDuration:-1] curTime:113 ~ServerRequest [auth:0 acl:0 II:0] [rewrite 0 :0 0 0] [origin: 0, 0, 0,0 retry:0 0]

The ieHTTPHeaders trace confirms that the browser never received the 302 redirect, even though the LAG logged the REDIRECT_TO_ESP decision.

When it works for me I see ...
May 24 13:38:53 www : 504504 0: 12AA: 0: 963: Browser has not sent any cookie, redirect for authentication
May 24 13:38:53 www : 504504 0: 12AA: 0: 0: Created new IAUser (aa3e8dc8)
May 24 13:38:53 www : 504504 0: 12AA: 0: 0: IAUser created by another VM/Device exist at the same index, add to the list with the same index
May 24 13:38:53 www : 504504 0: 12AA: 0: 963: REDIRECT_TO_ESP
May 24 13:38:53 www : PROFILER : 963 :Browser req/resp[870785, 0, 0] [timeToResp:-1 respDuration:-1] curTime:870785 ~ServerRequest [auth:0 acl:0 II:0] [rewrite 0 :0 0 0] [origin: 0, 0, 0,0 retry:0 0]
May 24 13:38:53 www : 504503 0: 12AA: 0: 965: Path based child service resolution is successful
May 24 13:38:53 www : 504503 0: 12AA: 0: 965: Process request 1 'www.mylag.com' '/nesp/app/plogin?c=name/password/uri&%22http://www.mylag.com/formfill/rlInitialChangePassword1.html%22' [147.2.36.199:2173 -> 147.2.16.159:80]

The following entry was also present in the log file:

May 24 11:22:20 OAJODEVWAC21 : TIES : 2695794244 :No low encryption ciphers option is enabled

This message is generated when Enforce 128-Bit Encryption is enabled on the LAG and the browser does not offer any 128-bit cipher. However, LAN traces show that IE6 did send 128-bit ciphers in its ClientHello, and the same browser and configuration worked fine with IR2, so the cipher-strength check in SP1 beta 1 is rejecting a handshake that it should accept.

Resolution

Disable the following SSL Listen Options on the LAG:

- Enforce 128-Bit Encryption between Browser and Access Gateway
- Enforce 128-Bit Encryption between Access Gateway and Web Server

With these options off, IE6 users are again redirected to the ESP and mutual authentication completes. A defect has been filed against this behaviour and will be addressed in the SP1 release.