Environment
Novell Access Manager 3 Linux Access Gateway
Novell Access Manager 3.1 Linux Access Gateway
Situation
Linux Access Gateway (LAG) configured to accelerate a Microsoft Sharepoint Portal server. Single sign on to the Portal server was available using the Integrated Windows Authentication (IWA) functionality, where the user credentials are sent in the Basic authentication header from the browser to the Portal.
With Access Manager SP4 (3.0.4.38), this Basic auth header was forwarded by the LAG to the back-end Portal server. After applying Access Manager SP4 IR2 (3.0.4.60), single sign-on to the SharePoint Portal server would no longer work: users were always prompted to enter their credentials in the Basic auth popup, even though the credentials were correct.
Resolution
Make sure that the following touch file exists on the LAG:
/var/novell/.overwrite_AuthHeader_With_IIData
With Access Manager SP4 IR2, the Authorization header sent by the browser is overwritten by the Authorization header that the LAG injects based on the configured Identity Injection policy. To avoid this overwrite and return to the behaviour of the previous build, create the file /var/novell/.overwrite_AuthHeader_With_IIData on the LAG server.
If the Auth header is maintained from the browser to the Portal, and the log level is set to INFO (or 7 in /etc/laglogs.conf), we would see the following log entry in /var/log/ics_dyn.log:
"Authorization header is sent by Browser. Overwriting it."
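To verify the workaround on a LAG, the following shell script (added here; it is not part of the TID or the product) checks that the touch file exists and counts the overwrite entries in ics_dyn.log. It assumes the log message appears verbatim within a log line; the file paths default to the ones named above but can be passed as arguments.

```shell
#!/bin/sh
# Added check (not part of the TID): confirm the SP4 IR2 workaround touch
# file exists on the LAG and count how often the LAG logged that it replaced
# the browser's Authorization header. Paths are parameters so the functions
# can also be run against copied files; the defaults are the ones named above.
TOUCH_FILE_DEFAULT=/var/novell/.overwrite_AuthHeader_With_IIData
LOG_FILE_DEFAULT=/var/log/ics_dyn.log
# Message quoted in the TID; assumed to appear verbatim within a log line.
OVERWRITE_MSG="Authorization header is sent by Browser. Overwriting it."

# touch_file_present PATH -> exit 0 if the workaround touch file exists
touch_file_present() {
    [ -f "$1" ]
}

# count_overwrites LOGFILE -> prints the number of log lines recording that
# the browser's Authorization header was overwritten (0 if no readable log)
count_overwrites() {
    if [ -r "$1" ]; then
        grep -c -F "$OVERWRITE_MSG" "$1" || true   # grep -c exits 1 on zero matches
    else
        echo 0
    fi
}

# check_lag [TOUCHFILE] [LOGFILE] -> prints a short report; exit 0 only when
# the touch file is present, i.e. the single sign-on fix is in place
check_lag() {
    touch_file="${1:-$TOUCH_FILE_DEFAULT}"
    log_file="${2:-$LOG_FILE_DEFAULT}"
    hits=$(count_overwrites "$log_file")
    echo "overwrite entries in $log_file: $hits"
    if touch_file_present "$touch_file"; then
        echo "touch file present: $touch_file"
        return 0
    fi
    echo "touch file MISSING: $touch_file (create it with: touch $touch_file)"
    return 1
}

# Run the report when invoked with explicit paths, e.g. ./lagcheck.sh "" ""
if [ "$#" -gt 0 ]; then
    check_lag "$@"
fi
```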