Access Gateway Service 404 errors when accessing protected resource after long delay submitting credentials at Identity Server

  • 7008687
  • 02-Jun-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Support Pack 3 installed
Novell Access Manager 3.1 Linux based Access Gateway Service

Situation

Access Manager is set up and working fine: users can authenticate to the Identity (IDP) server and access protected resources on the Linux based Access Gateway Service (AGS). Some users, however, report 404 errors in their browser after authenticating to the IDP server, and are not redirected to the protected resource they originally attempted to reach.

Log files indicated the following use case:

1. User hits AGS protected resource
2. User is redirected to the login page on IDP server
3. User waits at the login page for 5+ minutes before entering credentials
4. User eventually submits credentials
5. User gets the 404 error

Resolution

Apply Access Manager Support Pack 3 IR2 (build 3.1.3-292) or greater.

Additional Information

When the user submits credentials immediately, the issue rarely happens.

After the user authenticates to the IDP server, and the artifact is sent back
to the AG, the AG correctly sends that artifact back to the IDP server. The IDP
server responds with the assertion for that user. The AG then tries to update
its local auth table with info about that user but fails:

2011-05-26T11:59:42Z VERBOSE NIDS Application: Attempting to connect to URL:
http://127.0.0.1:8181/ via POST

2011-05-26T11:59:42Z VERBOSE NIDS Application: Posting data to
http://127.0.0.1:8181/
cn=LGUSTA34,ou=Internal,ou=users,o=vccsecu
re/form/password/vrc2authenticated<
/SOAP-ENV:Envelope>

2011-05-26T11:59:42Z DEBUG NIDS Application:
Method: URLUtil.connectToURL
Thread: TP-Processor20
Response code 404 from connection

2011-05-26T11:59:42Z WARNING NIDS Application: AM#300105002:
AMDEVICEID#esp-5194391484173753: Error sending SOAP message to
Access Gateway: NIDPMAIN.405

All looks fine for the request but we should not be getting a 404 response code
back. The only possible issue that I can see is that we have 2 cookies in the
initial request for the AGS proxy ... see IPCZQX03xxxxxxxx cookie below. If you
purge cookies on your browser, do you get the issue with the first
authentication after the purging of cookies? I wonder if we are somehow getting
mixed up with the cookies?

GET / HTTP/1.1
Host: vrc2.qa.volvocars.biz
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.17)
Gecko/20110420 Firefox/3.6.17
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: IPCZQX03fa7322b3=0100fe00139046e8b497047df15f8078e76d5d01;
IPCZQX03a1f40423=01001100139046e810bb506cc0ad0403a278dc97
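
The failure signature in the log excerpt above (a 404 from URLUtil.connectToURL followed by warning AM#300105002) can be searched for across a whole log file. The following Python is an added example, not part of the original article or of Access Manager; the function names and the 5-second correlation window are assumptions, and the sample entries are copied from the excerpt above.

```python
import re
from datetime import datetime, timedelta

# A log entry starts with an ISO timestamp, a level and "NIDS Application:".
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (\w+) NIDS Application:")
DEVICE = re.compile(r"AMDEVICEID#([\w-]+)")

def entries(lines):
    """Group raw lines into [timestamp, level, text]; continuation lines are joined."""
    cur = None
    for line in lines:
        m = ENTRY.match(line)
        if m:
            if cur:
                yield cur
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            cur = [ts, m.group(2), line.strip()]
        elif cur and line.strip():
            cur[2] += " " + line.strip()
    if cur:
        yield cur

def find_soap_404(lines, window=timedelta(seconds=5)):
    """Return AM#300105002 warnings that follow a connectToURL 404 within `window`."""
    hits, last_404 = [], None
    for ts, level, text in entries(lines):
        if "URLUtil.connectToURL" in text and "Response code 404" in text:
            last_404 = ts
        elif level == "WARNING" and "AM#300105002" in text:
            if last_404 is not None and ts - last_404 <= window:
                dev = DEVICE.search(text)
                hits.append({"time": ts.isoformat(),
                             "device": dev.group(1) if dev else None})
            last_404 = None
    return hits

# Sample input: the DEBUG and WARNING entries from the excerpt above.
SAMPLE = """\
2011-05-26T11:59:42Z DEBUG NIDS Application:
Method: URLUtil.connectToURL
Thread: TP-Processor20
Response code 404 from connection
2011-05-26T11:59:42Z WARNING NIDS Application: AM#300105002:
AMDEVICEID#esp-5194391484173753: Error sending SOAP message to
Access Gateway: NIDPMAIN.405
""".splitlines()

if __name__ == "__main__":
    for hit in find_soap_404(SAMPLE):
        print(hit)
```

Pass the lines of the log being reviewed to `find_soap_404` in place of `SAMPLE`; each hit gives the time and device ID of one failed post to the Access Gateway.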