Users cannot access non-ESP-protected resources when authentication requests bounce between Access Gateway Service servers in a cluster

  • 7009277
  • 01-Sep-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Access Gateway Service running on SLES 11 x86-64 SP1 platform
Novell Access Manager 3.1 Access Manager Support Pack 3 Interim Release 2 applied
Novell Access Manager 3.1 Access Gateway Service cluster containing 4 nodes

Situation

Access Manager 3.1.3 IR1 was set up and working with Web applications proxied by Access Gateway Service (AGS) servers. These AGS servers, running on the SLES 11 Linux platform, are clustered and fronted by a load balancer. After upgrading to Access Manager 3.1.3 IR2, some users started getting redirect loop errors in their browsers when trying to log in. Most users, however, appeared to be working fine.

During troubleshooting, the issue was narrowed down to a load balancer persistence problem. The AGS cluster serves multiple cookie domains, and the load balancer does not group these domains together for persistence, so a single user's requests for different domains can land on different AGS nodes. The following use case triggered the redirect looping error:

1. The user has the ESP proxy resolving to AGS1 (i.e. the load balancer directs the user to AGS1 for the ESP proxy service).
2. The user has the non-ESP proxy (in a different cookie domain) resolving to AGS2.
3. The protected resources on AGS1/AGS2 have different contracts of the same weight assigned, but have the 'satisfiable by contract of equal or ...' option enabled.
4. The user hits the non-ESP domain on AGS1 and gets redirected to the ESP domain on AGS2 before finally being redirected to the IDP server.
5. The user authenticates at the IDP server and gets redirected back to the non-ESP domain.
6. The user starts looping until the browser returns an error.

Resolution

Modify the /var/opt/novell/tomcat5/webapps/agm/WEB-INF/agm.properties file on all AGS devices and add the following statement:

agm.lagmode=false

and restart novell-tomcat5. This parameter was introduced in IR2 for compatibility in environments where users access both an AGS and a Linux Access Gateway, and its default behaviour is what caused the issue.