Token decode error authenticating to Access Manager with Kerberos

  • 7003248
  • 12-May-2009
  • 26-Apr-2012

Environment

Novell Access Manager 3 Linux Novell Identity Server
Novell Access Manager 3 Support Pack 4 Interim Release2 applied
Kerberos authentication class enabled for single sign on to Identity Server
Active Directory on Win2k3 SP2 server
Kerberos over TCP

Situation

Kerberos authentication is enabled on the Identity Server (IDP) so that users already authenticated to Active Directory on the desktop can single sign on (SSO) to the Access Manager IDP server. All users could SSO successfully most of the time, but randomly (at most 5% of the time) a user did not get SSO to the IDP server. Such users were prompted for credentials via the basic auth popup and ended up either looping in this login window or getting an error that the NTLM token type was not supported.

The log files indicate that there is an issue decoding the Kerberos token. The catalina.out file shows:

<amLogEntry> 2009-03-10T07:29:47Z SEVERE NIDS Application: AM#200104101:
AMDEVICEID#9749CD8D23EF1829: Error processing SPNEGO/Kerberos : Error while
decoding </amLogEntry>

If, when the problem happens, the user shuts down IE and starts it back up again, it is probable that the user will be able to SSO to the IDP server using Kerberos. The problem is not specific to a workstation or a user; it just happens randomly.

Resolution

Apply 3.0 SP4 IR4. For some reason, in this specific environment, the token from the client was not properly base64-encoded. Changing the base64 decoding library fixed the issue.
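As an added illustrative example (not Novell's code and not the IDP's own decoder), the Python below parses an Authorization: Negotiate header, decodes the token with a decoder that tolerates the whitespace, padding and alphabet variants a strict base64 library rejects, and tells a SPNEGO/Kerberos token apart from an NTLM one, so both symptoms in this TID can be diagnosed from a captured header. The sample headers are constructed; the SPNEGO OID and the NTLMSSP signature are the standard values.

```python
import base64
import binascii
import re

SPNEGO_OID = bytes.fromhex("06062b0601050502")   # DER OID 1.3.6.1.5.5.2 after GSS tag 0x60
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"               # raw NTLM message, not GSS-wrapped

def extract_negotiate_token(header: str) -> str:
    """Return the base64 text after 'Negotiate' in an Authorization header."""
    m = re.match(r"^\s*Negotiate\s+(.+?)\s*$", header, re.IGNORECASE)
    if not m:
        raise ValueError("not a Negotiate header")
    return m.group(1)

def lenient_b64decode(text: str) -> bytes:
    """Accept embedded whitespace, missing '=' padding and the URL-safe
    alphabet, which strict decoders reject; anything else is still an error."""
    cleaned = re.sub(r"\s+", "", text).replace("-", "+").replace("_", "/")
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"token is not valid base64: {exc}") from None

def classify_token(raw: bytes) -> str:
    """Identify what the client actually sent from the token's first bytes."""
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    if raw[:1] == b"\x60" and SPNEGO_OID in raw[:16]:
        return "spnego"
    return "unknown"

def diagnose(header: str) -> str:
    """Map a header to the outcome an IDP would report for it."""
    try:
        raw = lenient_b64decode(extract_negotiate_token(header))
    except ValueError:
        return "decode_error"       # the TID's "Error while decoding" case
    kind = classify_token(raw)
    return "unsupported:ntlm" if kind == "ntlm" else kind

def encode_header(raw: bytes) -> str:
    return "Negotiate " + base64.b64encode(raw).decode()

def constructed_samples() -> dict:
    """Constructed inputs, not tokens captured from the page's environment."""
    body = SPNEGO_OID + b"\xa0\x01\x00"     # minimal framing, not a full NegTokenInit
    good = encode_header(b"\x60" + bytes([len(body)]) + body)
    return {"good": good, "unpadded": good.rstrip("="),   # padding lost in transit
            "ntlm": encode_header(b"NTLMSSP\x00\x01\x00\x00\x00"),
            "garbage": "Negotiate abc$def"}
```

Running diagnose() over headers captured at the IDP separates a client that genuinely sent NTLM from a token that was merely mangled on the wire, which is the distinction this TID's two error messages hide.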