300101010 error on browser when accessing a protected resource on the Linux Access Gateway

  • 7004754
  • 28-Oct-2009
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway

Situation

Access Manager 3.1 Support Pack 1 installed. Clustered setup of two Identity (IDP) and Linux Access Gateway (LAG) servers. Everything was working fine, i.e. all users could hit protected resources and authenticate to the IDP servers.

A few configuration changes were made and applied to all LAGs in the cluster. The main one was enabling the 'Enable Caching of Objects with CGI in The Path' option under the caching options. This parameter is disabled by default.

Users started reporting random 300101010 errors. This error indicates that an assertion was received whose InResponseTo ID did not match that of the authentication request. It would only happen when the ESP proxied a request to another LAG in the cluster. Looking at the log files when the problem occurred, we could see that the LAG would set two JSESSIONID cookies with different values:

HTTP/1.x 302 Moved Temporarily
Server: Apache-Coyote/1.1, Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4EC09B5AA6794A7A239B430B5A40220E; Path=/nesp
Set-Cookie: JSESSIONID=269D6DC871AADD170128FD5851CC8911; Path=/nesp

When the LAG processes the cookie it sees two JSESSIONIDs instead of the original one it had set, and invalidates the original session. This causes the incoming assertion to be invalid, as its InResponseTo ID did not match an authentication request RequestID.
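As an added check (not from the TID or from Novell), the following Python scans a captured HTTP response head for the symptom described above: the same cookie name and path set more than once in a single response. The sample response is constructed from the capture shown above, and the cacheable-redirect heuristic is an assumption about what makes such a 302 reusable by a cache, not something the TID states.

```python
"""Flag HTTP responses that set the same cookie twice, the symptom behind this 300101010 case."""
from collections import defaultdict
from http.cookies import SimpleCookie

# Constructed sample modelled on the capture in the Situation section (placeholder values).
SAMPLE_RESPONSE = """HTTP/1.x 302 Moved Temporarily
Server: Apache-Coyote/1.1, Apache-Coyote/1.1
Set-Cookie: JSESSIONID=4EC09B5AA6794A7A239B430B5A40220E; Path=/nesp
Set-Cookie: JSESSIONID=269D6DC871AADD170128FD5851CC8911; Path=/nesp
"""


def parse_response(raw):
    """Return (status_code, [(header_name_lowercase, value), ...]) from a raw HTTP response head."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def duplicate_cookies(raw):
    """Map (cookie name, path) -> list of values for cookies a single response sets more than once.

    An empty dict means every cookie was set once, which is the healthy case."""
    _, headers = parse_response(raw)
    seen = defaultdict(list)
    for name, value in headers:
        if name != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)                       # parses "NAME=value; Path=/nesp" into a Morsel
        for key, morsel in jar.items():
            seen[(key, morsel["path"])].append(morsel.value)
    return {k: v for k, v in seen.items() if len(v) > 1}


def redirect_with_cookie_is_cacheable(raw):
    """Assumed heuristic: a 302 that sets a cookie but carries no Cache-Control directive
    forbidding reuse is a candidate for being served from cache to another session."""
    status, headers = parse_response(raw)
    if status != 302 or not any(n == "set-cookie" for n, _ in headers):
        return False
    cache_control = " ".join(v for n, v in headers if n == "cache-control").lower()
    return not any(d in cache_control for d in ("no-store", "no-cache", "private"))
```

Run it over response heads pulled from a LAG trace; any non-empty result from duplicate_cookies for JSESSIONID on /nesp is the pattern this TID describes.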

Resolution

Add a PIN list entry for the /nesp/* URL path.

The LAG was caching the 302 redirects from previous sessions, which caused the two JSESSIONID cookies to be set.