Environment
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Linux Access Gateway
Situation
Administrator wanted to combine X509 and Secure Name/Password form authentication classes together. To do this, two seperate methods were created (each method including one of the two classes above), and these two methods were ANDed together in a new contract. The X509 authentication class on the Identity Server has the Attribute mapping set as “Subject Name”.
After applying the new contract to a Linux Access Gateway protected resource, all users accessing this protected resource would get correctly prompted for their X509 certificate initially. After submitting the certificate, the user is presented with the following error:
Error:Your session has been logged out. Please Restart the Browser.
Note:
a) Contracts with X509 only work fine.
b) Above issue only occurs if the X509 Authentication method is initial authentication on the contract; if secure Name/Password method is the initially executed method on the contract, all works fine
c) this problem will occur with any contract including an x509 method and another method, and not just name-password form. We would get the same error if the above name-password form was replaced with a radius method.
After applying the new contract to a Linux Access Gateway protected resource, all users accessing this protected resource would get correctly prompted for their X509 certificate initially. After submitting the certificate, the user is presented with the following error:
Error:Your session has been logged out. Please Restart the Browser.
Note:
a) Contracts with X509 only work fine.
b) Above issue only occurs if the X509 Authentication method is initial authentication on the contract; if secure Name/Password method is the initially executed method on the contract, all works fine
c) this problem will occur with any contract including an x509 method and another method, and not just name-password form. We would get the same error if the above name-password form was replaced with a radius method.
Resolution
Known issue with development. Two workarounds exist:
1. disable the 'Force browser restart on logout' option in the properties tab of the x509 class
2. specify the x509 authentication method AFTER the name/password form method in the contract
1. disable the 'Force browser restart on logout' option in the properties tab of the x509 class
2. specify the x509 authentication method AFTER the name/password form method in the contract