Environment
NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Support Pack 1 applied
NetIQ Access Manager 3.2 Identity Server
Situation
Access Manager is set up and working: users can access protected resources behind the Access Gateway after authenticating successfully to the Identity Server (IDP).
Customer then rolled out a custom Phone Factor authentication class that does the following:
- asks for username and password, which the user submits
- the back-end application talks to a phone server and sends a token to the user; the user submits the token in response to the challenge
- the user is successfully authenticated
At the moment, everything works IF the user submits the token within 15 seconds of the initial LDAP bind. If the user takes more than 15 seconds, the IDP server issues an LDAP unbind request and the authentication fails. Increasing all LDAP timeouts in the IDP user store configuration makes no difference: any delay greater than 15 seconds causes the authentication to fail.
The log file entries show the error:
<amLogEntry> 2012-12-12T07:39:19Z INFO NIDS Application: AM#500105014: AMDEVICEID#DC31078D41009B18: AMAUTHID#3E98195B544527F25CF38DEAFFC3E2DA: Attempting to authenticate user CN=ncashell, ou=Users,dc=wpo,dc=com with provided credentials. </amLogEntry>
<amLogEntry> 2012-12-12T07:39:19Z DEBUG NIDS Application: Method: JNDILogEventListener.accept Thread: http-219.46.37.219-8443-Processor10 Connection: c703ee71-21a6-4129-a1c5-4d6ae408c78a, Environment Parameters for InitialDirContext() method call: Key: java.naming.factory.initial, Value: com.sun.jndi.ldap.LdapCtxFactory Key: java.naming.provider.url, Value: ldap://100.118.52.138 Key: com.sun.jndi.ldap.connect.timeout, Value: 0 Key: java.naming.security.principal, Value: CN=ncashell, ou=Users,dc=wpo,dc=com Key: java.naming.security.authentication, Value: simple Key: java.naming.security.credentials, Value: ***** Key: java.naming.referral, Value: follow Key: java.naming.ldap.factory.socket, Value: com.novell.nidp.common.util.net.client.NIDP_SocketFactory </amLogEntry>
// 15 secs later
<amLogEntry> 2012-12-12T07:39:34Z DEBUG NIDS Application: Method: JNDILogEventListener.accept Thread: http-219.46.37.219-8443-Processor10 NamingException: Connection: c703ee71-21a6-4129-a1c5-4d6ae408c78a, Attempting to create InitialDirContext for replica: x220230apss3003 </amLogEntry>
<amLogEntry> 2012-12-12T07:39:34Z DEBUG NIDS Application: Method: JNDILogEventListener.accept Thread: http-209.46.37.219-8443-Processor10 Exception while attempting to create ldap connection! </amLogEntry>
<amLogEntry> 2012-12-12T07:39:34Z VERBOSE NIDS Application: Authentication contract 'AAAW_PhoneFactor' failed in method 'Name/Password/PhoneFactor - Form' for session 3E98195B544527F25CF38DEAFFC3E2DA. NIDPMAIN.1536CN=ncashell,ou=Users,dc=wpou,dc=com </amLogEntry>
<amLogEntry> 2012-12-12T07:39:34Z WARNING NIDS Application: Event Id: 3014668, Target: AAAW_PhoneFactor, Note 1: 3E98195B544527F25CF38DEAFFC3E2DA, Note 2: NIDPMAIN.1536CN=WPONETKG,OU=Kaplan Inc,OU=TWPC Users,dc=wpouatusi,dc=com, Note 3: Name/Password/PhoneFactor - Form, Numeric 1: 0, Data: 10.216.0.76 </amLogEntry>
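The symptom above is easiest to confirm in a larger catalina.out by correlating two things per session: the time between the "Attempting to authenticate user" entry (the LDAP bind) and the "Authentication contract ... failed" entry for the same AMAUTHID, and the JNDI connection id that appears in both the InitialDirContext parameter dump and the later NamingException. The following Python script is an added example written for this article, not part of the TID or of NetIQ's code. It parses the quoted log excerpt (embedded here one entry per line, with the JNDI parameter list abbreviated), pairs bind and failure per session, and flags sessions whose gap reaches the 15-second threshold described above; the threshold value and the field names used in the result dictionaries are the example's own choices.

```python
import re
from datetime import datetime

# Constructed sample: the log excerpt quoted in this TID, one entry per line,
# with the long JNDI environment-parameter list abbreviated.
SAMPLE_LOG = """\
<amLogEntry> 2012-12-12T07:39:19Z INFO NIDS Application: AM#500105014: AMDEVICEID#DC31078D41009B18: AMAUTHID#3E98195B544527F25CF38DEAFFC3E2DA: Attempting to authenticate user CN=ncashell, ou=Users,dc=wpo,dc=com with provided credentials. </amLogEntry>
<amLogEntry> 2012-12-12T07:39:19Z DEBUG NIDS Application: Method: JNDILogEventListener.accept Thread: http-219.46.37.219-8443-Processor10 Connection: c703ee71-21a6-4129-a1c5-4d6ae408c78a, Environment Parameters for InitialDirContext() method call: Key: java.naming.provider.url, Value: ldap://100.118.52.138 Key: com.sun.jndi.ldap.connect.timeout, Value: 0 Key: java.naming.security.authentication, Value: simple </amLogEntry>
<amLogEntry> 2012-12-12T07:39:34Z DEBUG NIDS Application: Method: JNDILogEventListener.accept Thread: http-219.46.37.219-8443-Processor10 NamingException: Connection: c703ee71-21a6-4129-a1c5-4d6ae408c78a, Attempting to create InitialDirContext for replica: x220230apss3003 </amLogEntry>
<amLogEntry> 2012-12-12T07:39:34Z DEBUG NIDS Application: Method: JNDILogEventListener.accept Thread: http-219.46.37.219-8443-Processor10 Exception while attempting to create ldap connection! </amLogEntry>
<amLogEntry> 2012-12-12T07:39:34Z VERBOSE NIDS Application: Authentication contract 'AAAW_PhoneFactor' failed in method 'Name/Password/PhoneFactor - Form' for session 3E98195B544527F25CF38DEAFFC3E2DA. NIDPMAIN.1536CN=ncashell,ou=Users,dc=wpou,dc=com </amLogEntry>
"""

# One <amLogEntry> ... </amLogEntry> record: timestamp, level, message body.
ENTRY_RE = re.compile(
    r"<amLogEntry>\s*(\S+)\s+(\S+)\s+NIDS Application:\s*(.*?)\s*</amLogEntry>",
    re.DOTALL,
)
AUTHID_RE = re.compile(r"AMAUTHID#([0-9A-F]+)")
SESSION_RE = re.compile(r"for session ([0-9A-F]+)")
CONN_RE = re.compile(r"Connection: ([0-9a-f-]+)")
CONNECT_TIMEOUT_RE = re.compile(r"com\.sun\.jndi\.ldap\.connect\.timeout, Value: (\d+)")


def parse_entries(text):
    """Split an IDP log excerpt into (timestamp, level, message) tuples."""
    entries = []
    for ts, level, msg in ENTRY_RE.findall(text):
        entries.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), level, msg))
    return entries


def analyze(text):
    """Build two timelines from the log: per authentication session
    (bind attempt -> contract failure) and per JNDI connection id
    (InitialDirContext created -> NamingException)."""
    sessions = {}     # AMAUTHID -> {"bind_at", "failed_at"}
    connections = {}  # JNDI connection id -> {"opened_at", "error_at", "connect_timeout"}
    for ts, _level, msg in parse_entries(text):
        m = AUTHID_RE.search(msg)
        if m and "Attempting to authenticate user" in msg:
            sessions.setdefault(m.group(1), {})["bind_at"] = ts
        m = SESSION_RE.search(msg)
        if m and "failed in method" in msg:
            sessions.setdefault(m.group(1), {})["failed_at"] = ts
        m = CONN_RE.search(msg)
        if m:
            conn = connections.setdefault(m.group(1), {})
            if "InitialDirContext() method call" in msg:
                conn["opened_at"] = ts
                t = CONNECT_TIMEOUT_RE.search(msg)
                # Value 0 means the JNDI connect timeout is unset (infinite).
                conn["connect_timeout"] = int(t.group(1)) if t else None
            elif "NamingException" in msg:
                conn["error_at"] = ts
    return sessions, connections


def find_delayed_bind_failures(text, threshold_seconds=15):
    """Return {session id: gap in seconds} for sessions whose contract
    failed at least `threshold_seconds` after the bind attempt, which is
    the signature this TID describes."""
    sessions, _ = analyze(text)
    hits = {}
    for sid, s in sessions.items():
        if "bind_at" in s and "failed_at" in s:
            gap = (s["failed_at"] - s["bind_at"]).total_seconds()
            if gap >= threshold_seconds:
                hits[sid] = gap
    return hits


if __name__ == "__main__":
    for sid, gap in find_delayed_bind_failures(SAMPLE_LOG).items():
        print(f"session {sid}: contract failed {gap:.0f}s after LDAP bind")
    _, conns = analyze(SAMPLE_LOG)
    for cid, c in conns.items():
        print(f"connection {cid}: connect.timeout={c.get('connect_timeout')}, "
              f"lifetime={(c['error_at'] - c['opened_at']).total_seconds():.0f}s")
```

Point the script at a real catalina.out from an IDP at DEBUG level and every session reported with a gap of exactly 15 seconds, together with a connection whose lifetime is the same 15 seconds, is this defect rather than a user store or LDAP server problem; the per-connection `connect_timeout` of 0 also shows that the JNDI connect timeout is not what is cutting the bind short.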
Resolution
Fixed in 3.2 SP2. The TCP timeout specified on the IDP main configuration page now also applies to the TCP connections used for the LDAP bind operation.