Users cannot access non ESP protected resource when authentication requests bounced between Access Gateway Service servers in cluster

  • 7009277
  • 01-Sep-2011
  • 26-Apr-2012


Novell Access Manager 3.1 Access Gateway Service running on SLES 11 x86-64 SP1 platform
Novell Access Manager 3.1 Access Manager SUpport Pack 3 Interim Release 2 applied
Novell Access Manager 3.1 Access Gateway Service cluster containing 4 nodes


Access Manager 3.1.3 IR1 setup and working with Web applications proxied by Access Gateway Service (AGS) servers. These AGS servers, running on SLES 11 Linux platform, are clustered and fronted by a load balancer. AFter upgrading to Access Manager 3.1.3 IR2, some users started getting Redirect loop errors in their browsers when trying to login. Most users however appeared to be working fine.

During troubleshooting, the issue was narrowed down to a load balancer persistence issue. The issue stems from the fact that the AGS cluster includes multiple domains, and that the load balancer is not grouping these domains together for persistence. The following use case triggered the redirect looping error:

1. user has the ESP proxy resolving to AGS1 (ie. Load balancer would redirect user to AGS1 for ESP proxy service)
2. user has the non ESP proxy (in a different cookie domain) resolving to AGS2
3. the protected resources on AGS1/AGS2 have different contracts of same weight assigned but have the 'satisfiable by contract of equal or ...' enabled
4. user hits non ESP domain on AGS1 and gets redirected to the ESP domain on AGS2 before finally being redirected to the IDP server.
5. User authenticates at the IDP server and gets redirected back to the non ESP domain
6. user will start looping until browser returns an error


Modify the /var/opt/novell/tomcat5/webapps/agm/WEB-INF/ file on all AGS devices and add the following statement:


and restart novell-tomcat5. This parameter, added for compatibility between users accessing both an AGS and Linux Access Gateway environment was added in IR2 and caused the issue.