Identity Injection for credentials to the back-end failed.

  • 7003296
  • 18-May-2009
  • 26-Apr-2012

Environment

Novell Access Manager 3 Linux Novell Identity Server
Novell Access Manager 3 Linux Access Gateway
Novell Access Manager 3 Identity Injection
Novell Access Manager SP4 IR2 applied

Situation

User was prompted to provide credentials for accelerated back-end webserver while injection of credentials was enabled.
This happened after some time while the session was in progress.
The ics_dyn log on the LAG showed the following at around that time:
"Browser IP address does not match with the IAUser "
Created new IAUser

At that time the session tight to the injection of the credentials was lost causing the request for credentials to show.

Resolution

A load balancer was responsible for the source address change in the middle of the session.
Once this was configured correctly this was no longer seen.

Additional Information

There is a check for source IP address when the cookie is set and at the time a new request within the same session comes in via a different source address this will cause a new IAuser to be created causing the problems seen.

What can be done is to disable this check or to resolve the communication issue.
A way to disable the IP address check is the following:
Create the following touch file.
lagDisableAuthIPCheck  Located in the /etc directory on the LAG.
Enabling this touch file switches off the proxy authentication cookie binding to client IP.
Use this in a set up where two L4s are configured in parallel and the browser requests get bounced between the these L4s.

Creating the  File
To create a file, use the following command as a root user:
touch <pathname>/<filename>
For Example, touch /etc/lagDisableAuthIPCheck

Feedback service temporarily unavailable. For content questions or problems, please contact Support.