Identity Injection for credentials to the back-end failed.

  • 7003296
  • 18-May-2009
  • 26-Apr-2012

Environment

Novell Access Manager 3 Linux Novell Identity Server
Novell Access Manager 3 Linux Access Gateway
Novell Access Manager 3 Identity Injection
Novell Access Manager SP4 IR2 applied

Situation

The user was prompted for credentials by the accelerated back-end web server even though injection of credentials was enabled.
This happened some time into a session that was already in progress.
The ics_dyn log on the LAG showed the following at around that time:
"Browser IP address does not match with the IAUser "
Created new IAUser

At that time the session tied to the injection of the credentials was lost, causing the request for credentials to show.

Resolution

A load balancer was responsible for the source address change in the middle of the session.
Once the load balancer was configured correctly, the problem was no longer seen.

Additional Information

The source IP address is recorded when the cookie is set and checked on later requests. When a new request within the same session comes in via a different source address, a new IAUser is created, which causes the problems seen.

The options are to resolve the communication issue or to disable this check.
To disable the IP address check, create the following touch file:
lagDisableAuthIPCheck, located in the /etc directory on the LAG.
Enabling this touch file switches off the binding of the proxy authentication cookie to the client IP, so the cookie is then accepted regardless of the source address a request arrives from.
Use this in a setup where two L4s are configured in parallel and the browser requests get bounced between these L4s.

Creating the File
To create a file, use the following command as a root user:
touch <pathname>/<filename>
For example:
touch /etc/lagDisableAuthIPCheck
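
To confirm that the prompts come from this check before changing anything, the following script counts the session resets in a log and reports whether the touch file is present. It is an added example, not Novell code. The log file path is passed as an argument, the function names are hypothetical, the sample log lines are constructed around the two messages quoted above, and it assumes the two messages appear on adjacent lines as in that excerpt.

```shell
#!/bin/sh
# Added example (not Novell code). Paths are arguments; sample lines are constructed.

# Count "IP does not match" events immediately followed by "Created new IAUser",
# the pairing shown in the log excerpt of this TID.
count_ip_mismatch() {
    awk '
        /Browser IP address does not match with the IAUser/ { pending = 1; next }
        pending && /Created new IAUser/ { n++ }
        { pending = 0 }
        END { print n + 0 }
    ' "$1"
}

# Print "disabled" when the touch file exists, otherwise "enabled".
ip_check_state() {
    if [ -e "$1" ]; then echo disabled; else echo enabled; fi
}

# report LOGFILE [FLAGFILE]: one-line summary plus a hint when sessions were reset.
report() {
    log=$1
    flag=${2:-/etc/lagDisableAuthIPCheck}
    events=$(count_ip_mismatch "$log")
    state=$(ip_check_state "$flag")
    echo "ip-check=$state session-resets=$events"
    if [ "$state" = enabled ] && [ "$events" -gt 0 ]; then
        echo "hint: client source address changed mid-session; check load balancer"
    fi
}

# Constructed sample log: two mismatch resets and one ordinary new IAUser.
write_sample_log() {
    cat > "$1" <<'EOF'
constructed: request from 192.0.2.10
Browser IP address does not match with the IAUser
Created new IAUser
constructed: request from 192.0.2.11
Browser IP address does not match with the IAUser
Created new IAUser
constructed: first login from 198.51.100.7
Created new IAUser
EOF
}

demo_dir=$(mktemp -d)
write_sample_log "$demo_dir/ics_dyn.sample"
report "$demo_dir/ics_dyn.sample" "$demo_dir/lagDisableAuthIPCheck"
rm -rf "$demo_dir"
```

On the LAG, call report with the path of the actual ics_dyn log; a non-zero reset count while the check is enabled points at the source address change described under Resolution.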