Sharepoint 2010 authentication fails after upgrade to AM 3.1 SP3 with an unhandled exception - "Specified argument was out of the range of valid values. Parameter name: validFrom"

  • 7008941
  • 04-Jul-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Support Pack 3 applied
Sharepoint 2010 running on Windows 2008 server

Situation

Configured a SharePoint 2010 application as a claims-based application, using email as the authentication claim and roles as the authorization mechanism. This configuration worked well with Access Manager 3.1.1 and 3.1.2, but after applying the 3.1.3 patch, authentication fails with an unhandled exception error on the SharePoint server:
 
"Specified argument was out of the range of valid values.  Parameter name: validFrom."
 
Looking at the contents of the assertion/claim sent from the Novell wsfed Identity Server to the SharePoint wsfed service provider after applying SP3, the saml:Conditions element carried the same timestamp in its NotBefore and NotOnOrAfter attributes. The end result was that the claim was valid for a window of 0 seconds! The following snippet from the catalina.out file on the IDP server shows the problem:
 
  <saml:Assertion AssertionID="idwyX7t3lNMh5QNSRvm1CP1GRDkLs"
                  IssueInstant="2011-06-20T11:03:48Z"
                  Issuer="https://neilidp.lab.novell.com:8443/nidp/wsfed/"
                  MajorVersion="1" MinorVersion="1"
                  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml:Conditions NotBefore="2011-06-20T10:58:48Z"
                       NotOnOrAfter="2011-06-20T10:58:48Z">

Resolution

Apply the Access Manager 3.1 Support Pack 3 Interim Release 2 build (3.1.3-292) or later. By default the assertion validity is kept at 15 minutes; it is possible to increase that beyond the default by editing the IDP server's web.xml file and adding the following wsfedAssertionValidity entry, with a timeout value just below the ldapLoadThreshold parameter, e.g.:

  <context-param>
      <param-name>ldapLoadThreshold</param-name>
      <param-value>10</param-value>
  </context-param>

  <context-param>
      <param-name>wsfedAssertionValidity</param-name>
      <param-value>600</param-value>
  </context-param>

Excerpt of the log with the web.xml entry set to 300, which gives 5 minutes of assertion validity:

  <saml:Assertion AssertionID="idwyX7t3lNMh5QNSRvm1CP1GRDkLs"
                  IssueInstant="2011-06-20T11:03:48Z"
                  Issuer="https://sl222.mssp2.lab.tst:8443/nidp/wsfed/"
                  MajorVersion="1" MinorVersion="1"
                  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml:Conditions NotBefore="2011-06-20T10:58:48Z"
                       NotOnOrAfter="2011-06-20T11:08:48Z">
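The following is an added check, not part of this TID or of Access Manager, that reads the IssueInstant, NotBefore and NotOnOrAfter values from an assertion as logged in catalina.out and reports whether the validity window is empty (the SP3 defect above) or how wide it is after the fix. The two sample assertions are constructed from the excerpts in this TID; the function names are my own.

```python
import re
from datetime import datetime, timezone

# Constructed samples mirroring the two catalina.out excerpts in this TID:
# the SP3 assertion (NotBefore == NotOnOrAfter) and the SP3 IR2 one (300).
BROKEN_ASSERTION = """<saml:Assertion AssertionID="idwyX7t3lNMh5QNSRvm1CP1GRDkLs"
IssueInstant="2011-06-20T11:03:48Z">
<saml:Conditions NotBefore="2011-06-20T10:58:48Z" NotOnOrAfter="2011-06-20T10:58:48Z">"""
FIXED_ASSERTION = """<saml:Assertion AssertionID="idwyX7t3lNMh5QNSRvm1CP1GRDkLs"
IssueInstant="2011-06-20T11:03:48Z">
<saml:Conditions NotBefore="2011-06-20T10:58:48Z" NotOnOrAfter="2011-06-20T11:08:48Z">"""

ATTR_RE = {name: re.compile(r'\b%s="([^"]+)"' % name)
           for name in ("IssueInstant", "NotBefore", "NotOnOrAfter")}

def parse_saml_time(value):
    """Parse a SAML 1.x UTC timestamp such as 2011-06-20T10:58:48Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def assertion_times(text):
    """Extract the three timestamps of one logged assertion as aware
    datetimes; raise ValueError if any attribute is missing."""
    times = {}
    for name, pattern in ATTR_RE.items():
        m = pattern.search(text)
        if m is None:
            raise ValueError("missing %s in assertion" % name)
        times[name] = parse_saml_time(m.group(1))
    return times

def validity_seconds(text):
    """Return (NotBefore..NotOnOrAfter width, IssueInstant..NotOnOrAfter)
    in seconds. On SP3 the width is 0; in the TID's SP3 IR2 excerpt the
    second value is 300, matching the wsfedAssertionValidity entry."""
    t = assertion_times(text)
    return (int((t["NotOnOrAfter"] - t["NotBefore"]).total_seconds()),
            int((t["NotOnOrAfter"] - t["IssueInstant"]).total_seconds()))

def classify(text, now):
    """'empty-window' is the defect SharePoint rejects (validFrom is not
    before validTo); the other results are ordinary clock checks."""
    t = assertion_times(text)
    if t["NotOnOrAfter"] <= t["NotBefore"]:
        return "empty-window"
    if now < t["NotBefore"]:
        return "not-yet-valid"
    if now >= t["NotOnOrAfter"]:
        return "expired"
    return "valid"
```

Running `validity_seconds` over every assertion in a catalina.out quickly shows whether an IDP is still producing zero-width windows after the interim release is applied.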