Users accessing protected applications behind the Linux Access Gateway authenticating as other users

  • 7008916
  • 30-Jun-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Support Pack 3 applied
Web servers front-ended by a Citrix NetScaler for load balancing
HTTP persistence enabled between the Linux Access Gateway and the Web servers

Situation

Linux Access Gateway (LAG) set up to accelerate back-end web applications. Everything works for the most part, i.e. users hitting the back-end application's protected resources are redirected to the Identity Server (IDP) to log in and are redirected back to the application once their credentials have been validated. When accessing one particular application, however, it appears that some session stealing is going on. For example:

- User1 accesses the application behind the LAG, authenticates to the IDP successfully and is redirected to the application, where single sign-on logs them in as user1.
- User2 accesses the same application a few seconds later, authenticates as user2 and is redirected back to the application. However, they are logged into the application as user1, not user2.

It appears that user2 has stolen user1's session.

The main difference between this application and the other, working applications is that requests to it go through a NetScaler load balancer. Removing the load balancer and going directly to the application works fine.

Users cannot reproduce it at will; it seems to happen only when multiple users log in and hit the application very close together in time. For example, the second user first gets into a Citrix ICA session, launches a Citrix application, clicks a link or a button and single signs on through NAM to their First Access application; when the problem occurs, the application reports that they are logged in as the first user.

Resolution

Disable persistence between the proxy and the Web server for this NetScaler-fronted Web server.

After the change, re-test with the same timing that triggered the problem: have two users authenticate within a few seconds of each other against the NetScaler-fronted application and confirm that each lands in their own application session.

Additional Information

To confirm that the LAG itself is not causing the session stealing, track the following:

1. Enable debug logging on the LAG and the IDP so that the ics_dyn.log and catalina.out files include all session details.
2. Identify the two affected users' session IDs from the JSESSIONID cookie value in the browser HTTP logs.
3. Follow these sessions through the logs and make sure each one continuously references the same unique user.
4. Follow any policy evaluations and make sure the values returned match what is expected for that user, and that another user's credentials are never returned. The LAG can run tcpdump on the loopback interface to see the user attribute values returned to the proxy in the policy evaluation responses.
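Steps 2 to 4 amount to correlating each JSESSIONID with the user it was authenticated as at the IDP and with the attribute values the LAG later gets back for it from policy evaluation. The script below is an added example, not part of this TID or of Access Manager. It runs over constructed log lines in an assumed one-event-per-line format (the real ics_dyn.log and catalina.out layouts differ, so the regular expression must be adapted to them) and flags any session ID that is seen with more than one user, that is evaluated before any authentication was logged for it, or whose policy evaluation returns an attribute belonging to a different user.

```python
"""Correlate JSESSIONID values with users across LAG/IDP debug logs.

Added example for TID 7008916; the log line format below is an assumption,
not the real ics_dyn.log / catalina.out layout.
"""
import re
from collections import defaultdict

# Constructed sample: one event per line.  The last line is deliberately
# inconsistent (policy evaluation for user2 returns cn=user1) so the
# output shows what a positive finding would look like.
SAMPLE_LOG = """\
10:15:01 IDP auth JSESSIONID=A1B2C3D4 user=user1
10:15:02 LAG policy JSESSIONID=A1B2C3D4 user=user1 cn=user1
10:15:05 IDP auth JSESSIONID=E5F6A7B8 user=user2
10:15:06 LAG policy JSESSIONID=E5F6A7B8 user=user2 cn=user2
10:15:07 LAG policy JSESSIONID=E5F6A7B8 user=user2 cn=user1
"""

# Assumed line layout: <time> <IDP|LAG> <auth|policy> JSESSIONID=<id> user=<u> [cn=<attr>]
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<comp>IDP|LAG)\s+(?P<event>auth|policy)\s+"
    r"JSESSIONID=(?P<sid>[0-9A-F]+)\s+user=(?P<user>\S+)(?:\s+cn=(?P<cn>\S+))?$"
)


def parse_events(text):
    """Turn log text into a list of event dicts; lines not matching are skipped."""
    events = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(raw.strip())
        if m:
            events.append({"line": n, **m.groupdict()})
    return events


def sessions_by_id(events):
    """Group events by JSESSIONID so one session can be followed end to end (step 3)."""
    by_sid = defaultdict(list)
    for e in events:
        by_sid[e["sid"]].append(e)
    return dict(by_sid)


def find_anomalies(events):
    """Return (line, session_id, reason) tuples for every inconsistency.

    owner maps each session ID to the user the IDP first authenticated for it;
    every later event for that session must reference the same user, and any
    attribute returned by policy evaluation must belong to that user (step 4).
    """
    anomalies = []
    owner = {}
    for e in events:
        sid, user = e["sid"], e["user"]
        if e["event"] == "auth":
            if sid in owner and owner[sid] != user:
                anomalies.append((e["line"], sid,
                                  f"session owned by {owner[sid]} re-authenticated as {user}"))
            owner.setdefault(sid, user)
            continue
        # policy evaluation event
        who = owner.get(sid)
        if who is None:
            anomalies.append((e["line"], sid, "policy evaluation before any IDP authentication"))
        elif who != user:
            anomalies.append((e["line"], sid, f"session owned by {who} used as {user}"))
        if e["cn"] and e["cn"] != user:
            anomalies.append((e["line"], sid, f"policy returned cn={e['cn']} for user={user}"))
    return anomalies


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for sid, sess in sessions_by_id(evts).items():
        print(sid, "->", [f"{x['comp']}:{x['event']}:{x['user']}" for x in sess])
    for line, sid, reason in find_anomalies(evts):
        print(f"line {line}: session {sid}: {reason}")
```

Run against the real logs with the affected users' session IDs, a non-empty result would point at the LAG or IDP; an empty result, as in this case, means the users are being mixed up behind the proxy. For the capture in step 4, `tcpdump -i lo -s 0 -w policy.pcap` on the LAG records the loopback traffic for later inspection of the attribute values in the policy evaluation responses.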

From these, we confirmed that there was no session stealing on the LAG side.