Cannot login to SSLVPN server in Enterprise or Kiosk mode when multiple roles assigned to authenticated user

  • 7000157
  • 21-Apr-2008
  • 26-Apr-2012

Environment

Novell Access Management 3 SSLVPN Server
Novell Access Management 3 Support Pack 2 applied

Situation

A customer had an SSLVPN server configured, with users accessing it in Enterprise mode. Most users were able to connect and work fine, but some users could never get 'connected'. No error message was reported on the SSLVPN portal page. After comparing working and non-working users, we realised that the non-working users had a large number of roles associated with them. The novell-openvpn.log file on the server showed the following entries when the user failed to connect:

Thu Dec 20 17:27:52 2007 us=166569 189.0.194.34:1957 Role returned by connman: 108online,bkprice,cap,cob,cominter,equipfer,fmbi,geddipm,mes,metaframe,newcooracle,portalrh,prebi,projuris,risknavigator,siop,sispm,valery
Thu Dec 20 17:28:44 2007 us=753499 OpenVPN 2.0.9 i686-suse-linux [SSL] [EPOLL] built on Aug 27 2007

Authentication for the user never succeeds. In a setup where everything works, the role entry is followed by an authentication success entry, as shown below:

Wed May 9 13:14:53 2007 us=644699 147.2.36.196:2322 Role returned by connman: geddipm,metaframe,projuris,siop
Wed May 9 13:14:53 2007 us=644699 147.2.36.196:2322 TLS: Username/Password authentication succeeded for username 'b'
Wed May 9 13:14:53 2007 us=644880 147.2.36.196:2322 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed May 9 13:14:53 2007 us=644902 147.2.36.196:2322 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed May 9 13:14:53 2007 us=644924 147.2.36.196:2322 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed May 9 13:14:53 2007 us=644945 147.2.36.196:2322 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
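
The comparison between the failing and working log excerpts can be automated. The Python below is an added example, not part of the original article or of any Novell tooling: it scans novell-openvpn.log lines and reports each client for which roles were returned but no authentication success followed, together with the number of roles. The line layout is assumed from the excerpts above, and the names stalled_sessions and SAMPLE_LOG are hypothetical.

```python
import re

# Layout assumed from the article's excerpts:
# "<day> <mon> <dd> <hh:mm:ss> <yyyy> us=<n> [<ip>:<port>] <message>"
LINE = re.compile(
    r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} us=\d+ (?:(\d+(?:\.\d+){3}:\d+) )?(.*)$"
)
ROLES = "Role returned by connman:"
AUTH_OK = "Username/Password authentication succeeded"

def count_roles(text):
    """Count the non-empty entries of a comma-separated role list."""
    return len([r for r in text.split(",") if r.strip()])

def stalled_sessions(lines):
    """Map client -> role count where roles were logged but auth success never was."""
    pending = {}
    wrapped = None  # client whose role list continues on the next line
    for raw in lines:
        line = raw.strip()
        m = LINE.match(line)
        if m is None:
            # No timestamp: treat as the wrapped remainder of a role list.
            if wrapped is not None and line:
                pending[wrapped] = count_roles(line)
            wrapped = None
            continue
        wrapped = None
        client, msg = m.groups()
        if client and msg.startswith(ROLES):
            roles = msg[len(ROLES):]
            pending[client] = count_roles(roles)
            if not roles.strip():
                wrapped = client
        elif client and AUTH_OK in msg:
            pending.pop(client, None)
    return pending

# Sample input assembled from the log excerpts quoted in this article.
SAMPLE_LOG = """\
Thu Dec 20 17:27:52 2007 us=166569 189.0.194.34:1957 Role returned by connman:
108online,bkprice,cap,cob,cominter,equipfer,fmbi,geddipm,mes,metaframe,newcooracle,portalrh,prebi,projuris,risknavigator,siop,sispm,valery
Thu Dec 20 17:28:44 2007 us=753499 OpenVPN 2.0.9 i686-suse-linux [SSL] [EPOLL]
Wed May 9 13:14:53 2007 us=644699 147.2.36.196:2322 Role returned by connman: geddipm,metaframe,projuris,siop
Wed May 9 13:14:53 2007 us=644699 147.2.36.196:2322 TLS: Username/Password authentication succeeded for username 'b'
""".splitlines()

if __name__ == "__main__":
    for client, n in stalled_sessions(SAMPLE_LOG).items():
        print(f"{client}: {n} roles returned, no authentication success logged")
```

A session that is still authenticating when the log is read is reported as well, so run the check against a log that has stopped growing for the clients of interest.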


Resolution

Apply Access Manager 3 Support Pack 3.
