Login with custom authentication classes fails after upgrade to Access Manager 3.1 Support Pack 3

  • 7008674
  • 01-Jun-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Support Pack 3 applied
Custom authentication class performing LDAP operations enabled on protected resources

Situation

Access Manager 3.1 Support Pack 2 was set up and working fine: users hitting protected resources on the Linux Access Gateway were redirected to the Identity (IDP) server and authenticated successfully. The contracts being executed use custom authentication classes developed with the SDK (https://www.novell.com/developer/ndk/novell_access_manager_developer_tools_and_examples.html). The custom classes use the JNDI APIs for LDAP communication. After the upgrade to Support Pack 3, logins through these custom authentication classes fail.


Resolution

Recompile the custom authentication classes against the SP3 modules. Only custom authentication classes that make JNDI calls need to be changed and recompiled with Access Manager 3.1 SP3.

The problem stems from LDAP performance enhancements introduced with SP3. The original nidp.jar functionality was replaced by two modules: the nidp.jar and NAMCommon.jar files.

Additional Information

When the IDP initialises the authentication contracts, the custom contracts fail to initialise and the catalina.out file reports the following 'Failed to load/execute authentication class' errors:

Failed to load/execute authentication class CNBUserAuthentication. Error:
com.novell.sso.connector.auth.AuthenticationClass

Failed to load/execute authentication class CNBTricipherAuthentication. Error:
com.novell.sso.connector.auth.TricipherAuthClass


When the user actually performed the authentication at the IDP server with IDP logging set to DEBUG for the Application and Liberty components, the following output would also show a failure to execute the contract/method:

<amLogEntry seq="10467" d="2011-03-31T18:43:36Z" lg="Application" lv="DEBUG"
th="41"><msg>Method: CommonHandler.handleRequest
Thread: http-10.20.151.76-443-Processor12
Handling request: login</msg></amLogEntry>
<amLogEntry seq="10468" d="2011-03-31T18:43:36Z" lg="Application" lv="INFO"
th="41" ids="AM#500105015: AMDEVICEID#26F65D1ED622C872:
AMAUTHID#5F7CFBF1F51AECE9C3AFDFC159E6D0F8: "><msg>Processing login request
with TARGET = http://portal.sit.novell.com/protected/auth1.aspx, saved TARGET =
http://portal.sit.novell.com/protected/auth1.aspx.</msg></amLogEntry>
<amLogEntry seq="10469" d="2011-03-31T18:43:36Z" lg="Application" lv="INFO"
th="41" ids="AM#500105009: AMDEVICEID#26F65D1ED622C872:
AMAUTHID#5F7CFBF1F51AECE9C3AFDFC159E6D0F8: "><msg>Executing contract IDP
Select.</msg></amLogEntry>
<amLogEntry seq="10470" d="2011-03-31T18:43:36Z" lg="Application" lv="VERBOSE"
th="41"><msg>Session has consumed authentications: false</msg></amLogEntry>
<amLogEntry seq="10471" d="2011-03-31T18:43:36Z" lg="Application" lv="VERBOSE"
th="41"><msg>Executing authentication method Introduction</msg></amLogEntry>
<amLogEntry seq="10472" d="2011-03-31T18:43:36Z" lg="Application" lv="VERBOSE"
th="41"><msg>Authentication method Introduction failed.</msg></amLogEntry>
<amLogEntry seq="10473" d="2011-03-31T18:43:36Z" lg="Application" lv="VERBOSE"
th="41"><msg>Session has consumed authentications: false</msg></amLogEntry>
<amLogEntry seq="10474" d="2011-03-31T18:43:36Z" lg="Application" lv="VERBOSE"
th="41"><msg>Session has consumed authentications: false</msg></amLogEntry>
<amLogEntry seq="10475" d="2011-03-31T18:43:36Z" lg="Application" lv="VERBOSE"
th="41"><msg>Executing authentication method IDP Select</msg></amLogEntry>
<amLogEntry seq="10476" d="2011-03-31T18:43:36Z" lg="Application" lv="VERBOSE"
th="41"><msg>Authentication method IDP Select requires additional
interaction.</msg></amLogEntry>
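
To check an Identity Server for both symptoms after an upgrade, the two log formats shown above can be scanned with a short script. This is an added example, not part of the original article or the Access Manager SDK; the function names are hypothetical and the sample input is constructed from the excerpts above.

```python
import re

# Constructed samples modelled on the excerpts in this article (not a real capture).
SAMPLE_CATALINA = """\
Failed to load/execute authentication class CNBUserAuthentication. Error:
com.novell.sso.connector.auth.AuthenticationClass
Failed to load/execute authentication class CNBTricipherAuthentication. Error:
com.novell.sso.connector.auth.TricipherAuthClass
"""
SAMPLE_IDP_LOG = """\
<amLogEntry seq="10471" d="2011-03-31T18:43:36Z" lg="Application" lv="VERBOSE"
th="41"><msg>Executing authentication method Introduction</msg></amLogEntry>
<amLogEntry seq="10472" d="2011-03-31T18:43:36Z" lg="Application" lv="VERBOSE"
th="41"><msg>Authentication method Introduction failed.</msg></amLogEntry>
<amLogEntry seq="10476" d="2011-03-31T18:43:36Z" lg="Application" lv="VERBOSE"
th="41"><msg>Authentication method IDP Select requires additional
interaction.</msg></amLogEntry>
"""

# The class name and the error are on separate lines, so \s* must span the newline.
LOAD_FAILURE = re.compile(
    r"Failed to load/execute authentication class\s+(\S+?)\.\s*Error:\s*(\S+)")
# Attributes and <msg> text both wrap across lines in the IDP debug log.
LOG_ENTRY = re.compile(r"<amLogEntry\s+([^>]*)>\s*<msg>(.*?)</msg>\s*</amLogEntry>", re.S)
METHOD_FAILED = re.compile(r"^Authentication method (.+) failed\.$")


def find_class_load_failures(catalina_text):
    """Return (class name, reported error) for each class that failed to load."""
    return LOAD_FAILURE.findall(catalina_text)


def find_failed_methods(idp_log_text):
    """Return (seq, method name) for each 'Authentication method ... failed.' entry."""
    failures = []
    for attrs, msg in LOG_ENTRY.findall(idp_log_text):
        seq = re.search(r'seq="(\d+)"', attrs)
        hit = METHOD_FAILED.match(" ".join(msg.split()))  # undo line wrapping
        if seq and hit:
            failures.append((int(seq.group(1)), hit.group(1)))
    return failures


if __name__ == "__main__":
    for name, error in find_class_load_failures(SAMPLE_CATALINA):
        print(f"class {name} failed to load: {error}")
    for seq, method in find_failed_methods(SAMPLE_IDP_LOG):
        print(f"seq {seq}: method {method!r} failed")
```

Any class reported by the first function is a candidate for recompiling against the SP3 nidp.jar and NAMCommon.jar.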