Users looping when accessing protected resource after upgrading to Access Manager 3.1 Support Pack 2

  • Document ID: 7007000
  • Creation Date: 05-Oct-2010
  • Modified Date: 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Linux Access Gateway

Situation

Access Manager was set up on 3.1 Support Pack 1 and working fine: all users could access the protected resources on the Linux Access Gateway (LAG), authenticating to the Identity Server (IDP). After upgrading to 3.1 Support Pack 2, users could no longer authenticate to certain resources. A user would hit the protected resource on the LAG, get redirected to the IDP, appear to authenticate successfully, and be redirected back to the protected resource. At that point the user was redirected between the protected resource and the Embedded Service Provider (ESP) on the LAG over and over until the browser detected the loop and threw an error.

Resolution

Remove the invalid entries from the LAG configuration in the Admin Console. An authentication procedure added while the system was on 3.1 Support Pack 1 was stored without its <NIDPAuthentication> element. The 3.1 Support Pack 2 code validates the configuration XML more strictly and rejects such a procedure with an XML validation error, so the contract it refers to is unknown to the ESP and the user is never treated as authenticated for that resource.

The easiest way of confirming the issue is to look at the /var/log/ics_dyn.log file after the looping has occurred (make sure debug logging is enabled first). There will be an "is unknown" message naming the contract that cannot be matched:

Sep 2 11:38:56 sapnam01 : AM#104504000: AMDEVICEID#ag-7D0D8AF30AFAB-0:
AMAUTHID#4252FDB71C065C6EEDABE93623997D0C: AMEVENTID#0: loggedin0(0x92c03a20:43:cn=star,ou=StarDub,ou=Users,o=novell)(0/0/0) [1-]
'/staralliancelogin/custom2' is unknown

Another tell-tale sign is the error logged when the novell-vmc services come up and initialise the contracts (see the 'Failed to read NIDPAuth element' error):

Aug 19 10:15:38 mtdevlvieds110 : AM#104504000: AMDEVICEID#ag-3E259CCD7C075-0: AMAUTHID#readContract: AMEVENTID#0: contract:basic/name/password/uri:C11 key:cc1f0a7c timeout:258 refresh:1a4 [Name/Password - Basic]
Aug 19 10:15:38 mtdevlvieds110 : AM#204502000: AMDEVICEID#ag-3E259CCD7C075-0: AMAUTHID#0: AMEVENTID#0: NIDPauth: Failed to read NIDPAuth element. method:Secure Name/Password - Basic


Looking at the LDIF file exported by amdiagcfg.sh (in the /opt/novell/devman/bin/ directory on the Admin Console), locate the problem contract and note that a few entries near it are not formatted correctly. Most of the <AuthenticationProcedure> entries in the config are valid, but a few are not. For example:

<AuthenticationProcedure AuthProcedureID="authprocedure_brandbookcontract" Name="brandbookcontract" SelectedOption="idp" UserInterfaceID="authprocedure_brandbookcontract" LastModified="4294967295" LastModifiedBy="String" AuthContractTimeout="60" AuthContractRefreshRate="42" />

 <AuthenticationProcedure AuthProcedureID="authprocedure_starcontract" Name="starcontract" SelectedOption="idp" UserInterfaceID="authprocedure_starcontract" LastModified="4294967295" LastModifiedBy="String" AuthContractTimeout="60" AuthContractRefreshRate="42"/>

 <AuthenticationProcedure AuthProcedureID="authprocedure_contractcustom" Name="contractcustom" SelectedOption="idp" UserInterfaceID="authprocedure_contractcustom" LastModified="4294967295" LastModifiedBy="String" AuthContractTimeout="60" AuthContractRefreshRate="42" />

 <AuthenticationProcedure AuthProcedureID="authprocedure_contractcustom1" Name="contractcustom1" SelectedOption="idp" UserInterfaceID="authprocedure_contractcustom1" LastModified="4294967295" LastModifiedBy="String" AuthContractTimeout="60" AuthContractRefreshRate="42" />

 <AuthenticationProcedure AuthProcedureID="authprocedure_contractcustom2" Name="contractcustom2" SelectedOption="idp" UserInterfaceID="authprocedure_contractcustom2" LastModified="4294967295" LastModifiedBy="String" AuthContractTimeout="60" AuthContractRefreshRate="42" />

 <AuthenticationProcedure AuthProcedureID="authprocedure_customcontarct1" Name="customcontarct1" SelectedOption="idp" UserInterfaceID="authprocedure_customcontarct1" LastModified="4294967295" LastModifiedBy="String" AuthContractTimeout="60" AuthContractRefreshRate="42">

Each of these invalid entries sits just above the '/staralliancelogin/custom2' contract that was reported as unknown. Every <AuthenticationProcedure> should contain a corresponding <NIDPAuthentication> element, but these entries did not. A valid entry looks like this:

<AuthenticationProcedure Name="Any Contract" LastModified="4294967295" LastModifiedBy="String" SelectedOption="idp" AuthProcedureID="authprocedure_Any_Contract" UserInterfaceID="authprocedure_Any_Contract" AuthContractTimeout="10" AuthContractRefreshRate="7">
          <NIDPAuthentication ContractName="/uri/anyauthentication"/>
</AuthenticationProcedure>

To fix the problem, delete every <AuthenticationProcedure> entry that has no <NIDPAuthentication> child, either manually via iManager or by using the methods described at https://www.novell.com/coolsolutions/feature/19455.html to edit the LAG configuration directly.
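The two checks above (scanning ics_dyn.log for the "is unknown" and "Failed to read NIDPAuth element" messages, and finding <AuthenticationProcedure> entries with no <NIDPAuthentication> child in the exported configuration) can be scripted. The following is an added example and is not Novell's code or part of this TID. It assumes the XML fragments from the export have been wrapped in a single hypothetical <Procedures> root so they parse as one document; the real amdiagcfg.sh output is an LDIF whose attribute values carry this XML, and the sample log lines and config entries are constructed to mirror the ones quoted above.

```python
"""Added example (not Novell's code): find the log signatures from this TID and
the <AuthenticationProcedure> entries that lack a <NIDPAuthentication> child."""
import re
import xml.etree.ElementTree as ET

# Constructed sample config. The <Procedures> wrapper is an assumption made so
# the fragment parses as one XML document; the entries mirror the TID's examples.
SAMPLE_CONFIG = """<Procedures>
  <AuthenticationProcedure Name="Any Contract" LastModified="4294967295" LastModifiedBy="String" SelectedOption="idp" AuthProcedureID="authprocedure_Any_Contract" UserInterfaceID="authprocedure_Any_Contract" AuthContractTimeout="10" AuthContractRefreshRate="7">
    <NIDPAuthentication ContractName="/uri/anyauthentication"/>
  </AuthenticationProcedure>
  <AuthenticationProcedure AuthProcedureID="authprocedure_brandbookcontract" Name="brandbookcontract" SelectedOption="idp" UserInterfaceID="authprocedure_brandbookcontract" LastModified="4294967295" LastModifiedBy="String" AuthContractTimeout="60" AuthContractRefreshRate="42" />
  <AuthenticationProcedure AuthProcedureID="authprocedure_starcontract" Name="starcontract" SelectedOption="idp" UserInterfaceID="authprocedure_starcontract" LastModified="4294967295" LastModifiedBy="String" AuthContractTimeout="60" AuthContractRefreshRate="42"/>
</Procedures>
"""

# Constructed ics_dyn.log lines modelled on the messages quoted in the TID.
SAMPLE_LOG = [
    "Sep 2 11:38:56 sapnam01 : AM#104504000: AMDEVICEID#ag-7D0D8AF30AFAB-0: AMAUTHID#4252FDB71C065C6EEDABE93623997D0C: AMEVENTID#0: loggedin0(0x92c03a20:43:cn=star,ou=StarDub,ou=Users,o=novell)(0/0/0) [1-] '/staralliancelogin/custom2' is unknown",
    "Aug 19 10:15:38 mtdevlvieds110 : AM#104504000: AMDEVICEID#ag-3E259CCD7C075-0: AMAUTHID#readContract: AMEVENTID#0: contract:basic/name/password/uri:C11 key:cc1f0a7c timeout:258 refresh:1a4 [Name/Password - Basic]",
    "Aug 19 10:15:38 mtdevlvieds110 : AM#204502000: AMDEVICEID#ag-3E259CCD7C075-0: AMAUTHID#0: AMEVENTID#0: NIDPauth: Failed to read NIDPAuth element. method:Secure Name/Password - Basic",
]

UNKNOWN_RE = re.compile(r"'([^']+)' is unknown")
NIDPAUTH_RE = re.compile(r"Failed to read NIDPAuth element\. method:(.+)$")


def find_log_indicators(lines):
    """Return (unknown contract URIs, methods whose NIDPAuth element failed to read)."""
    unknown, failed = [], []
    for line in lines:
        m = UNKNOWN_RE.search(line)
        if m:
            unknown.append(m.group(1))
        m = NIDPAUTH_RE.search(line)
        if m:
            failed.append(m.group(1).strip())
    return unknown, failed


def find_invalid_procedures(xml_text):
    """Names of <AuthenticationProcedure> elements with no <NIDPAuthentication> child."""
    root = ET.fromstring(xml_text)
    return [
        proc.get("Name")
        for proc in root.iter("AuthenticationProcedure")
        if proc.find("NIDPAuthentication") is None
    ]


def strip_invalid_procedures(xml_text):
    """Return (XML with the invalid procedures removed, names that were removed)."""
    root = ET.fromstring(xml_text)
    removed = []
    # ElementTree has no parent pointers, so walk every element as a candidate
    # parent; the list() snapshot avoids mutating the tree mid-iteration.
    for parent in list(root.iter()):
        for proc in list(parent.findall("AuthenticationProcedure")):
            if proc.find("NIDPAuthentication") is None:
                removed.append(proc.get("Name"))
                parent.remove(proc)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    unknown, failed = find_log_indicators(SAMPLE_LOG)
    print("unknown contracts in log:", unknown)
    print("methods whose NIDPAuth element failed to read:", failed)
    print("invalid procedures in config:", find_invalid_procedures(SAMPLE_CONFIG))
    cleaned, removed = strip_invalid_procedures(SAMPLE_CONFIG)
    print("removed:", removed)
    print(cleaned)
```

Run the log check against the real /var/log/ics_dyn.log first; if it reports nothing, the loop has a different cause and the configuration edit is not the fix. Only apply a stripped configuration through the supported editing method linked above, and keep the original export so it can be restored.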