Troubleshooting cheat sheet - how to troubleshoot Access Manager 3.1 100101044 or 100101043 errors during authentication

  • 7006049
  • 19-May-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server

Situation

Functionality: To quickly resolve 100101043 and 100101044 errors.

100101043 and 100101044 are some of the most common errors seen in a new NAM configuration.
These errors simply mean that metadata cannot be read.

100101043 (abbreviated 043) means: IDP could not load the SP's metadata
100101044 (abbreviated 044) means: SP could not load the IDP's metadata



Log settings required to capture all relevant info:

Set the DEBUG levels: Identity Servers > Edit > Logging

Under "File Logging"...
 - make sure "Enabled" is checked, and also "Echo To Console" (sends logging to "catalina.out")

Under "Component File Logger Levels"...
 - set the "Application" drop-down box to "debug"
 - set the "Liberty" drop-down box to "debug"

Under "Trace Logging"...
 - make sure "Enabled" is checked
 - make sure that NO other checkboxes under "Trace Logging" are enabled

BE SURE to Update the IDPs and LAGs after changing the log settings!



Info to request

*** NOTE: the tests below MUST be done with a hostname and not an IP address!

1. From IDP, obtain "wget" output (can the IDP access the SP's metadata URL):

# wget https://<esp_hostname>/nesp/idff/metadata
(SP "Metadata URL" at: Access Gateways > Edit > Reverse Proxy/Authentication)


2. From LAG, obtain "curl" output (can the SP access the IDP's metadata URL):

# curl -k https://<idp_hostname>:8443/nidp/idff/metadata
(IDP "Base URL" at: Identity Servers > Edit > "Base URL")


3. You want the "catalina.out" on both the IDP and LAG.

BEFORE obtaining logs: (1) set the DEBUG levels, and (2) DELETE the logs.

DELETE (zero out) the logs by redirecting nothing into them with ">", for example:
# > /var/opt/novell/tomcat5/logs/catalina.out


If using HTTPS for the IDP "Base URL" or the SP "Metadata URL", verify cert info with the next two items:
4. Security > Certificates

Make sure that the IDP cert "Subject" name matches the IDP "Base URL" hostname.
Make sure that the SP cert "Subject" name matches the SP "Metadata URL" hostname.

The IDP cert should be in: "NIDP-connector"
The SP cert should be in: "Proxy Key Store"

5. Security > Trusted Roots

The SP cert Trusted Root (and all intermediates) must be in: "NIDP-truststore"
The IDP cert Trusted Root (and all intermediates) must be in: "ESP Trust Store"
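The reachability and certificate checks in steps 1 to 5 can be scripted. The script below is an added example, not part of this TID or of Access Manager: run it from a shell on the IDP against the SP "Metadata URL", and on the LAG against the IDP "Base URL". It assumes curl, openssl and getent are installed on the box; the hostnames in the usage comment are placeholders. Because "curl -k" (step 2) skips certificate verification, a successful fetch proves reachability only, so the script also reads the served certificate's Subject CN and compares it with the URL hostname (step 4). Trust store contents (step 5) still have to be confirmed in the admin console.

```shell
#!/bin/sh
# Added example (not from the TID): pre-flight checks for an Access Manager metadata URL.
# Assumes curl, openssl and getent are available on the IDP or LAG where it runs.

# Hostname part of a URL such as https://host:8443/nidp/idff/metadata
url_host() {
    printf '%s\n' "$1" | sed -e 's|^[a-zA-Z]*://||' -e 's|/.*$||' -e 's|:[0-9]*$||'
}

# Port part of the URL; defaults to 443 for https and 80 for http when none is given
url_port() {
    port=$(printf '%s\n' "$1" | sed -e 's|^[a-zA-Z]*://||' -e 's|/.*$||' \
           | sed -n 's|^.*:\([0-9][0-9]*\)$|\1|p')
    if [ -n "$port" ]; then
        printf '%s\n' "$port"
    else
        case "$1" in https://*) echo 443 ;; *) echo 80 ;; esac
    fi
}

# The TID requires a hostname, not an IP address: true when the host is a dotted-quad literal
is_ip_literal() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
}

# CN from an "openssl x509 -subject" line, in either "CN = host, O = Lab" or "/O=Lab/CN=host" form
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//'
}

# Case-insensitive comparison of the certificate CN with the URL hostname (step 4)
cn_matches_host() {
    cn=$(subject_cn "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s\n' "$2" | tr 'A-Z' 'a-z')
    [ -n "$cn" ] && [ "$cn" = "$host" ]
}

# Live checks (network required): resolve the host, fetch the metadata, inspect the served cert
check_metadata_url() {
    url=$1
    host=$(url_host "$url")
    port=$(url_port "$url")
    if is_ip_literal "$host"; then
        echo "FAIL: $host is an IP address; the metadata URL must use a hostname"
        return 1
    fi
    if ! getent hosts "$host" >/dev/null; then
        echo "FAIL: cannot resolve $host (expect 'unresolvable host name' in catalina.out)"
        return 1
    fi
    # -k mirrors step 2: reachability only, no trust check
    if ! curl -k -s -f -o /dev/null "$url"; then
        echo "FAIL: could not fetch $url (connection refused, wrong port or service down)"
        return 1
    fi
    case "$url" in
        https://*)
            subj=$(echo | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
                   | openssl x509 -noout -subject 2>/dev/null)
            if cn_matches_host "$subj" "$host"; then
                echo "OK: $url reachable, certificate CN matches $host"
            else
                echo "WARN: $url reachable, but certificate subject ($subj) does not match $host"
            fi ;;
        *) echo "OK: $url reachable over plain HTTP (no certificate to check)" ;;
    esac
}

# Usage (placeholder hostnames): on the IDP check the SP URL, on the LAG check the IDP base URL
# check_metadata_url https://esp.example.com/nesp/idff/metadata
# check_metadata_url https://idp.example.com:8443/nidp/idff/metadata
```

A WARN from the CN comparison points at step 4 (wrong certificate in "NIDP-connector" or "Proxy Key Store"); a FAIL on resolution or fetch corresponds to the "unresolvable host name" and "Connection refused" reasons shown in the log examples below.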



What to look for in log files:

Look for the "error: ...." reason above the "100101043" or "100101044" log entry.

(If the error is 100101044, look at the "catalina.out" on the SP/LAG).

EXAMPLE (044): The SP cannot resolve the IDP server base URL

<amLogEntry> 2007-08-06T16:24:56Z SEVERE NIDS IDFF: AM#100106001:
AMDEVICEID#esp- Unable to load metadata for Embedded Service Provider: https://idpcluster.lab.novell.com/nidp/idff/metadata, error:
....Attempted to connect to a url with an unresolvable host name
</amLogEntry>
<amLogEntry> 2007-08-06T16:24:56Z INFO NIDS Application: AM#500105039:
....error 100101044-esp-09C720981EEE4EB4, Unable to authenticate. AM#100101044:
....Embedded Provider failed to load Identity Provider metadata
</amLogEntry>


EXAMPLE (044): Trusted roots are not imported into appropriate trusted root containers

<amLogEntry> 2007-08-05T16:07:53Z SEVERE NIDS IDFF: AM#100106001:
AMDEVICEID#esp- Unable to load metadata for Embedded Service Provider: https://idpcluster.lab.novell.com/nidp/idff/metadata, error:
....java.security.cert.CertificateException: Untrusted Certificate-chain
</amLogEntry>
<amLogEntry> 2007-08-05T16:07:53Z INFO NIDS Application: AM#500105039:
....error 100101044-esp-09C720981EEE4EB4, Unable to authenticate. AM#100101044:
....Embedded Provider failed to load Identity Provider metadata
</amLogEntry>


(If the error is 100101043, look at the "catalina.out" file on the IDP).

EXAMPLE (043): DNS/hostname resolution problem (IDP cannot reach SP)

<amLogEntry> 2010-04-26T18:20:36Z SEVERE NIDS IDFF: AM#100106001: AMDEVICEID#0EEE1E2661C5DFE9:
....Unable to load metadata for Embedded Service Provider: http://test10.lab.novell.com:80/nesp/idff/metadata, error: Connection refused
</amLogEntry>
<amLogEntry> 2010-04-26T18:20:36Z INFO NIDS Application: AM#500105039:
....Unable to complete authentication request.  AM#100101043: AMDEVICEID#0EEE1E2661C5DFE9:
....Identity Provider failed to load Embedded Provider metadata
</amLogEntry>
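Picking the "error: ..." reason out of a large catalina.out by hand is tedious, so here is an added shell example (not from the TID) that does it with awk. It embeds a constructed sample log that mirrors the three entries above (the AMDEVICEID values and hostnames in it are placeholders), prints the error code with the reason found in the preceding SEVERE entry, and maps that reason to the probable cause named in the example headings; the cause descriptions are my own summaries of those headings. Run it against the LAG's catalina.out for 044 and the IDP's for 043.

```shell
#!/bin/sh
# Added example (not from the TID): extract the "error:" reason that precedes each
# 100101043 / 100101044 entry in a catalina.out and suggest where to look.

# Writes a constructed sample log (placeholder device IDs and hostnames) and prints its path
write_sample_log() {
    f="${TMPDIR:-/tmp}/catalina.sample.out"
    cat > "$f" <<'EOF'
<amLogEntry> 2007-08-06T16:24:56Z SEVERE NIDS IDFF: AM#100106001:
AMDEVICEID#esp- Unable to load metadata for Embedded Service Provider: https://idp.example.com/nidp/idff/metadata, error:
Attempted to connect to a url with an unresolvable host name
</amLogEntry>
<amLogEntry> 2007-08-06T16:24:56Z INFO NIDS Application: AM#500105039:
error 100101044-esp-0000000000000000, Unable to authenticate. AM#100101044:
Embedded Provider failed to load Identity Provider metadata
</amLogEntry>
<amLogEntry> 2007-08-05T16:07:53Z SEVERE NIDS IDFF: AM#100106001:
AMDEVICEID#esp- Unable to load metadata for Embedded Service Provider: https://idp.example.com/nidp/idff/metadata, error:
java.security.cert.CertificateException: Untrusted Certificate-chain
</amLogEntry>
<amLogEntry> 2007-08-05T16:07:53Z INFO NIDS Application: AM#500105039:
error 100101044-esp-0000000000000000, Unable to authenticate. AM#100101044:
Embedded Provider failed to load Identity Provider metadata
</amLogEntry>
<amLogEntry> 2010-04-26T18:20:36Z SEVERE NIDS IDFF: AM#100106001: AMDEVICEID#0000000000000000:
Unable to load metadata for Embedded Service Provider: http://esp.example.com:80/nesp/idff/metadata, error: Connection refused
</amLogEntry>
<amLogEntry> 2010-04-26T18:20:36Z INFO NIDS Application: AM#500105039:
Unable to complete authentication request.  AM#100101043: AMDEVICEID#0000000000000000:
Identity Provider failed to load Embedded Provider metadata
</amLogEntry>
EOF
    printf '%s\n' "$f"
}

# Prints one line per 043/044 entry: "<code> <reason>"; the reason is whatever followed the
# most recent "error:" (on the same line, or on the next line when "error:" ends a line)
metadata_error_reason() {
    awk '
        /error:/ {
            sub(/^.*error:[[:space:]]*/, "")
            if ($0 == "") pending = 1; else { reason = $0; pending = 0 }
            next
        }
        pending == 1 { sub(/^[[:space:].]*/, ""); reason = $0; pending = 0; next }
        /AM#100101043/ { print "043 " reason }
        /AM#100101044/ { print "044 " reason }
    ' "$1"
}

# Maps a reason string to the probable cause (summaries of the headings in this TID)
likely_cause() {
    case "$1" in
        *"unresolvable host name"*)
            echo "DNS: the metadata URL hostname does not resolve on this box" ;;
        *"Untrusted Certificate-chain"*)
            echo "Trust: import the peer trusted root and intermediates (NIDP-truststore on the IDP, ESP Trust Store on the LAG)" ;;
        *"Connection refused"*)
            echo "Reachability: host resolves but nothing answers on that port (service down, wrong port, firewall)" ;;
        *)
            echo "Unclassified: $1" ;;
    esac
}

# Driver: print each code, its reason and the suggested cause
triage_catalina() {
    metadata_error_reason "$1" | while IFS= read -r line; do
        code=${line%% *}
        reason=${line#* }
        printf '%s: %s\n   -> %s\n' "$code" "$reason" "$(likely_cause "$reason")"
    done
}

# Usage: triage_catalina /var/opt/novell/tomcat5/logs/catalina.out
# or, against the embedded sample: triage_catalina "$(write_sample_log)"
```

The awk only keys on "error:" and the AM#1001010xx codes, so it works on the freshly zeroed log recommended above; on an old log with many unrelated SEVERE entries, compare timestamps to make sure the reason belongs to the same authentication attempt.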



Useful TIDs:

1. Novell Cool Solutions (AppNote):
"Troubleshooting 100101043 and 100101044 Errors in Access Manager"
https://www.novell.com/coolsolutions/appnote/19456.html

2. KB 3539104: "Access Manager error 100101043 - IDP is unable to load ESP metadata"
Resolution: Make sure that the base URL on the Access Gateway is resolvable by the IDP server.
https://support.microfocus.com/kb/doc.php?id=3539104&sliceId=1&docTypeID=DT_TID_1_1&dialogID=138005892&stateId=0%200%20138009173