Kerberos authentication fails when IDP server proxies authnrequest after users session times out

  • 7008939
  • 04-Jul-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Support Pack 3 applied
Multiple Identity Servers in a cluster
Load Balancer between browsers and Identity servers, and Access Gateways and Identity Servers
Users authenticating to Identity Server using Kerberos authentication class

Situation

Load Balancer configured to proxy requests based on IP address with a persistence timeout
set to 20 mins. All protected resources on the Access Gateway are configured with Kerberos authentication.
All works fine: users can authenticate and access the protected resources without problems while their
sessions remain active. The problem occurs when the user's session at the Identity (IDP) server has expired AND the subsequent authentication
request to the IDP server is sent to an IDP server in the cluster that the user has not previously accessed.
This non-authoritative IDP server knows, via the JGroups clustering protocol running on all IDP servers, that the
new authentication must be proxied to the original IDP server the user authenticated to. In this scenario,
the original IDP server responds to the proxying IDP server with an HTTP 401 response, which the proxying IDP server
errors out on.
Use case:
1. User is authenticated by IDP Server #1.
2. User goes off on lunch break and returns after the user IDP session timeout has occurred. The load balancer session persistence also times out for this user session.
3. User is then sent to IDP Server #2 for authentication after the session timeout.
4. User cannot login.
In terms of the logs, we can see the following in the IDP server catalina.out files:
1. The AuthnRequest from the ESP is sent to IDP2 (where the user did not initially authenticate).
2. IDP2 recognises that IDP1 owns the session ID and therefore tries to proxy the request to IDP1.
3. IDP1 gets the proxied request and sends the 401 authentication challenge back to the originating IDP server (IDP2), not to the incoming Kerberos client. The proxying IDP server always checks the HTTP status of the response and assumes it will get a 200 OK back. With the 401 response, the IDP errors out with "Server returned HTTP response code: 401 for URL", as shown below:

<amLogEntry> 2010-07-01T03:13:02Z VERBOSE NIDS AM#600105004: AMDEVICEID#4A67F6409E73FAE7: AMAUTHID#B224D0DD79221D4699DA4A8056265B9B: Obtained ip address of cluster member handling this users requests from HTTP cookie. Address: 192.168.120.100 </amLogEntry>

<amLogEntry> 2010-07-01T03:13:02Z VERBOSE NIDS AM#600105006: AMDEVICEID#4A67F6409E73FAE7: AMAUTHID#B224D0DD79221D4699DA4A8056265B9B: Must proxy HTTP request to other cluster member. This cluster member : 192.168.120.101, cluster member for this user: 192.168.120.100. </amLogEntry>

<amLogEntry> 2010-07-01T03:13:02Z INFO NIDS AM#500105001: AMDEVICEID#4A67F6409E73FAE7: AMAUTHID#B224D0DD79221D4699DA4A8056265B9B: Forwarding HTTP request to cluster member at URL:http://192.168.120.100:8080/nidp/idff/sso?RequestID=idUGB6n7iRvUmSQ4xXKUxyqC0wFbA&MajorVersion=1&MinorVersion=2&IssueInstant=2010-07-01T03%3A12%3A59Z&ProviderID=http%3A%2F%2Fda.am31.com%3A80%2Fnesp%2Fidff%2Fmetadata&RelayState=MA%3D%3D&consent=urn%3Aliberty%3Aconsent%3Aunavailable&ForceAuthn=false&IsPassive=false&NameIDPolicy=onetime&ProtocolProfile=http%3A%2F%2Fprojectliberty.org%2Fprofiles%2Fbrws-art&target=http%3A%2F%2Fda.am31.com%2F&AuthnContextStatementRef=kerberos%2Fcontract</amLogEntry>

<amLogEntry> 2010-07-01T03:13:02Z DEBUG NIDS : Method: NIDPProxyableServlet.A Thread: http-192.168.120.101-8080-Processor22 Proxy: Request: added header: Name: accept, Value: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* Proxy: Request: added header: Name: accept-language, Value: ja Proxy: Request: added header: Name: accept-encoding, Value: gzip, deflate Proxy: Request: added header: Name: user-agent, Value: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Proxy: Request: added header: Name: host, Value: idp001.am31.com:8080 Proxy: Request: added header: Name: connection, Value: Keep-Alive Proxy: Request: added header: Name: cookie, Value: JSESSIONID=32A52277DC07DF39D06796BC8E8BDC52; UrnNovellNidpClusterMemberId=~03~0Bslo~0A~0B~14oon~0A~ 0A~08k; urn:novell:nidp:cluster:member:id=~03~0Bslo~0A~0B~14oon~0A~0A~08k; IPCZQX03a36c6c0a=00000000c0a86e6c72f801869164b96dc02355c0 Proxy: Request: added new Via header: HTTP/1.1 192.168.120.101 Proxy: Request: added new custom NIDPProxiedRequest http header: 192.168.120.101;gb30szvkfsp1c1;gb30szvlg2r1c2 Proxy: Response: The Cluster Proxy Request List has 0 members!</amLogEntry>

<amLogEntry> 2010-07-01T03:13:02Z DEBUG NIDS Method: NIDPProxyableServlet.myDoGetWithProxy Thread: http-192.168.120.101-8080-Processor22 Exception message: "Server returned HTTP response code: 401 for URL:http://192.168.120.100:8080/nidp/idff/sso?RequestID=idUGB6n7iRvUmSQ4xXKUxyqC0wFbA&MajorVersion=1&MinorVersion=2&IssueInstant=2010-07-01T03%3A12%3A59Z&ProviderID=http%3A%2F%2Fda.am31.com%3A80%2Fnesp%2Fidff%2Fmetadata&RelayState=MA%3D%3D&consent=urn%3Aliberty%3Aconsent%3Aunavailable&ForceAuthn=false&IsPassive=false&NameIDPolicy=onetime&ProtocolProfile=http%3A%2F%2Fprojectliberty.org%2Fprofiles%2Fbrws-art&target=http%3A%2F%2Fda.am31.com%2F&AuthnContextStatementRef=kerberos%2Fcontract" HttpURLConnection.java, Line: 1290, Method: getInputStream y, Line: 1480, Method: A y, Line: 397, Method: myDoGetWithProxy y, Line: 1358, Method: myDoGet y, Line: 2431, Method: myDoGet y, Line: 2823, Method: doGet HttpServlet.java, Line: 627, Method: service HttpServlet.java, Line: 729, Method: service ApplicationFilterChain.java, Line: 269, Method: internalDoFilter ApplicationFilterChain.java, Line: 188, Method: doFilter
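The proxy failure above, modelled as an added Python example that is not Access Manager code: a constructed stand-in for the authoritative cluster member (IDP1) answers the proxied AuthnRequest with a 401 Negotiate challenge because the session has expired; the naive forwarder treats anything but 200 as an error, as the log shows, while the relaying forwarder passes the status and WWW-Authenticate header back so the browser can complete Kerberos. The local port, request path and the Negotiate challenge are assumptions.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the authoritative cluster member (IDP1): the user's
# session has expired, so it answers with a Kerberos challenge, not 200 OK.
class AuthoritativeMember(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", "Negotiate")
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):
        pass  # keep the demo quiet

def start_member():
    srv = HTTPServer(("127.0.0.1", 0), AuthoritativeMember)  # ephemeral port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def proxy_naive(url):
    # Mirrors the failing behaviour: assume 200 and read the body, so the
    # 401 surfaces as an exception and the user's login fails.
    with urllib.request.urlopen(url) as resp:
        return resp.status, resp.headers.get("WWW-Authenticate"), resp.read()

def proxy_relaying(url):
    # Defensive version: a 4xx from the cluster member is a legitimate
    # answer; relay status, challenge header and body to the browser.
    try:
        with urllib.request.urlopen(url) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate"), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate"), err.read()

def demo():
    # Returns (did the naive forwarder raise?, what the relaying forwarder sends).
    srv = start_member()
    url = "http://127.0.0.1:%d/nidp/idff/sso?RequestID=constructed" % srv.server_port
    try:
        naive_failed = False
        try:
            proxy_naive(url)
        except urllib.error.HTTPError:
            naive_failed = True
        relayed = proxy_relaying(url)
    finally:
        srv.shutdown()
    return naive_failed, relayed
```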

Resolution

Apply Access Manager 3.1 Support Pack 3 Interim Release 2 or greater.

Note that the same issue will be visible with NetIdentity-based authentication, which also relies on the HTTP 401 status response for authentication.