Access to application fails after session timeout when upgrading from NAM 4.0.1 to 4.1

  • 7016489
  • 12-May-2015
  • 12-May-2015

Environment

NetIQ Access Manager 4.0.1
NetIQ Access Manager 4.1

Situation

Access Manager 4.0.1 was installed and working fine. After upgrading to 4.1, some users reported problems accessing back-end applications (e.g. SSPR) after they had been asked to re-authenticate. In every affected case the application was submitting data with the HTTP POST method. Analysing the back-end application showed that no POST data reached it, even though the browser had sent it.

Resolution

Make sure that the following Advanced Option is enabled:

NAGGlobalOptions NAGRenameCookie=off

With 4.1, a fix was added for session fixation so that the pre- and post-authentication AG cookies are different. This change causes the AG to lose the POST data that it stored prior to redirecting the user to re-authenticate at the IDP server. A bug has been opened to address the issue, but for the time being the workaround above makes 4.1 behave in the same manner as 4.0.

Cause

Since the AG session ID changes during the authentication cycle, the data stored pre-authentication cannot be retrieved correctly post-authentication.

Additional Information

Use case

- User logs in and accesses the app without issues
- User goes away and remains idle for a period greater than the session timeout
- User comes back and generates a POST request with application data
- AG parks this data and redirects the user to login
- User logs in again and generates a GET request for the original URL (normal, as the AG should recognise that this must be converted to a POST and submit the data to the web server)
- User gets an application error as no data is posted
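The following is an added illustration of the use case above, not NetIQ's code: a toy model of the gateway's POST parking, keyed by the AG session cookie value as the "sbAdd"/"stored POST data" log lines suggest. The class name, the rename_cookie_on_auth switch (standing in for NAGRenameCookie) and the migrate_parked variant are hypothetical assumptions made for the example. It runs the six steps three times: with the 4.0 behaviour (cookie unchanged by login), with the 4.1 behaviour (cookie regenerated at login, parked data orphaned under the old ID), and with a variant that re-keys the parked data when the session ID rotates, which keeps the session-fixation protection and the POST replay.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass
class ParkedPost:
    """POST body the gateway holds while the user re-authenticates."""
    url: str
    content_type: str
    body: bytes


class AccessGatewayModel:
    """Hypothetical model of AG POST parking (not NAM's implementation).

    Parked data is stored under the AG session cookie value. Whether that
    value survives authentication is controlled by rename_cookie_on_auth.
    """

    def __init__(self, rename_cookie_on_auth: bool, migrate_parked: bool = False):
        self.rename_cookie_on_auth = rename_cookie_on_auth
        self.migrate_parked = migrate_parked
        self.parked: dict[str, ParkedPost] = {}
        self.authenticated: set[str] = set()

    def new_session(self) -> str:
        return secrets.token_hex(16)

    def request(self, session_id: str, method: str, url: str,
                body: bytes = b"", content_type: str = ""):
        """Returns (kind, method_sent_to_web_server, payload)."""
        if session_id in self.authenticated:
            parked = self.parked.pop(session_id, None)
            if method == "GET" and parked is not None and parked.url == url:
                # Replay the parked POST to the web server on the follow-up GET.
                return ("forward", "POST", parked.body)
            return ("forward", method, body)
        if method == "POST":
            # Not authenticated: park the body, then redirect to login.
            self.parked[session_id] = ParkedPost(url, content_type, body)
        return ("redirect", None, "/nesp/app/plogin")

    def login(self, session_id: str) -> str:
        """User authenticates at the IDP; returns the post-auth session ID."""
        if not self.rename_cookie_on_auth:
            self.authenticated.add(session_id)   # 4.0 behaviour / NAGRenameCookie=off
            return session_id
        new_id = self.new_session()              # 4.1 session-fixation hardening
        if self.migrate_parked and session_id in self.parked:
            # Hypothetical fix: carry parked data over to the rotated ID.
            self.parked[new_id] = self.parked.pop(session_id)
        self.authenticated.add(new_id)
        return new_id


def run_use_case(gateway: AccessGatewayModel) -> str:
    """Runs the article's use case; returns the method the web server receives."""
    url = "/servlets-examples/servlet/RequestParamExample"
    sid = gateway.new_session()          # session after timeout: unauthenticated
    kind, _, _ = gateway.request(sid, "POST", url, b"firstname=a&lastname=b",
                                 "application/x-www-form-urlencoded")
    assert kind == "redirect"            # AG parks the data, sends user to login
    sid = gateway.login(sid)             # user re-authenticates
    _, method, _ = gateway.request(sid, "GET", url)   # browser follows up with GET
    return method


if __name__ == "__main__":
    for label, gw in [
        ("4.0 / NAGRenameCookie=off", AccessGatewayModel(rename_cookie_on_auth=False)),
        ("4.1 as shipped", AccessGatewayModel(rename_cookie_on_auth=True)),
        ("4.1 with parked data migrated", AccessGatewayModel(True, migrate_parked=True)),
    ]:
        print(f"{label}: web server receives {run_use_case(gw)}")
```

The middle case reproduces the symptom in the log below: the web server sees a GET with no body. Note that the NAGRenameCookie=off workaround restores 4.0 behaviour by keeping the same AG cookie across authentication, which is exactly what the 4.1 change was hardening; the third case shows that a gateway can rotate the cookie and still replay the POST if it re-keys the parked data at login.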


The logs clearly show that we do NOT POST the data to the web server after the user re-authenticates:

May 12 09:42:36 nam41sba httpd[15020]: ID:11126:2318:creq [149.44.166.79:49601->147.2.35.57:443] GET /servlets-examples/servlet/RequestParamExample
May 12 09:42:36 nam41sba httpd[15020]: ID:11126:2318:creq Accept: text/html, application/xhtml+xml, */*
May 12 09:42:36 nam41sba httpd[15020]: ID:11126:2318:creq X-HttpWatch-RID: 87027-10106
May 12 09:42:36 nam41sba httpd[15020]: ID:11126:2318:creq Referer: https://nam41sba.lab.novell.com/nidp/idff/sso?sid=1&sid=1
May 12 09:42:36 nam41sba httpd[15020]: ID:11126:2318:creq Accept-Language: en-US
May 12 09:42:36 nam41sba httpd[15020]: ID:11126:2318:creq User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
May 12 09:42:36 nam41sba httpd[15020]: ID:11126:2318:creq Accept-Encoding: gzip, deflate
May 12 09:42:36 nam41sba httpd[15020]: ID:11126:2318:creq Host: nam41sba.lab.novell.com
May 12 09:42:36 nam41sba httpd[15020]: ID:11126:2318:creq Connection: Keep-Alive
May 12 09:42:36 nam41sba httpd[15020]: ID:11126:2318:creq Cookie: __utma=64554544.1740367655.1419011835.1419011835.1420713262.2; __utmz=64554544.1419011835.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=64554544.employee; IPCZQX033a6c0fc6=01001a00952ca64f2d5aef1371eff2b39792c203; novell_language=en-us; novell_country=IE|Ie; _ga=GA1.2.1962491083.1429809181
May 12 09:42:36 nam41sba httpd[15020]: ID:11126:2318:to-ws [147.2.35.57:58891->147.2.16.154:8080] GET /servlets-examples/servlet/RequestParamExample HTTP/1.1
May 12 09:42:36 nam41sba httpd[15020]: ID:11126:2318:to-ws Host: ncsles10.lab.novell.com:8080
May 12 09:42:36 nam41sba httpd[15020]: ID:11126:2318:to-ws Accept: text/html, application/xhtml+xml, */*
May 12 09:42:36 nam41sba httpd[15020]: ID:11126:2318:to-ws X-HttpWatch-RID: 87027-10106
May 12 09:42:36 nam41sba httpd[15020]: ID:11126:2318:to-ws Referer: http://ncsles10.lab.novell.com:8080/nidp/idff/sso?sid=1&sid=1
May 12 09:42:36 nam41sba httpd[15020]: ID:11126:2318:to-ws Accept-Language: en-US
May 12 09:42:36 nam41sba httpd[15020]: ID:11126:2318:to-ws User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
May 12 09:42:36 nam41sba httpd[15020]: ID:11126:2318:to-ws Accept-Encoding: gzip
May 12 09:42:36 nam41sba httpd[15020]: ID:11126:2318:to-ws Cookie: __utma=64554544.1740367655.1419011835.1419011835.1420713262.2; __utmz=64554544.1419011835.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmv=64554544.employee; novell_language=en-us; novell_country=IE|Ie; _ga=GA1.2.1962491083.1429809181
May 12 09:42:36 nam41sba httpd[15020]: ID:11126:2318:to-ws Via: 1.1 nam41sba.lab.novell.com (Access Gateway-ag-F56A35AAEC96A36D-11126)
May 12 09:42:36 nam41sba httpd[15020]: ID:11126:2318:to-ws X-Forwarded-For: 149.44.166.79
May 12 09:42:36 nam41sba httpd[15020]: ID:11126:2318:to-ws X-Forwarded-Host: ncsles10.lab.novell.com:8080


The AG log shows that the POST data is parked before the redirect, but never re-added:

May 12 09:42:31 nam41sba httpd[15020]: [info] AM#504600000 AMDEVICEID#ag-F56A35AAEC96A36D: AMAUTHID#: AMEVENTID#11115: validateCookie:received cookie not generated by this cluster. Will clear this cookie..
May 12 09:42:31 nam41sba httpd[15020]: [info] AM#504600100 AMDEVICEID#ag-F56A35AAEC96A36D: AMAUTHID#: AMEVENTID#11115: Restricted URL
May 12 09:42:31 nam41sba httpd[15020]: [info] AM#504600000 AMDEVICEID#ag-F56A35AAEC96A36D: AMAUTHID#: AMEVENTID#11115: matched PR:servlets-examples-pr
May 12 09:42:31 nam41sba httpd[15020]: [notice] PostParking Size fetched:36
May 12 09:42:31 nam41sba httpd[15020]: [info] AM#504600404 AMDEVICEID#ag-F56A35AAEC96A36D: AMAUTHID#: AMEVENTID#11115: subreq nam41sba.lab.novell.com:/nesp/app/cookiebroker
May 12 09:42:31 nam41sba httpd[15020]: [info] AMEVENTID#11115: Cache miss
May 12 09:42:31 nam41sba httpd[15020]: [info] AM#504600308 AMDEVICEID#ag-F56A35AAEC96A36D: AMAUTHID#: AMEVENTID#11115: sbAdd <01001900952ca64f506c7b61e50a979a9792c203>
May 12 09:42:31 nam41sba httpd[15020]: [info] AM#504600000 AMDEVICEID#ag-F56A35AAEC96A36D: AMAUTHID#: AMEVENTID#11115: stored POST data of len 36 of content-type application/x-www-form-urlencoded for url /servlets-examples/servlet/RequestParamExample
May 12 09:42:31 nam41sba httpd[15020]: [info] AM#504600401 AMDEVICEID#ag-F56A35AAEC96A36D: AMAUTHID#: AMEVENTID#11115: lredir1:https://nam41sba.lab.novell.com:443/nesp/app/plogin?c=secure/name/password/uri&%22https://nam41sba.lab.novell.com/servlets-examples/servlet/RequestParamExample%22
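As an added aid for confirming the symptom in an AG log (this script is not part of the article or of NAM), the check below pairs each "stored POST data ... for url" line with the next "to-ws" request for the same path and reports the parked POSTs that were forwarded to the web server as something other than a POST. The sample log embeds the relevant lines quoted above plus a constructed healthy case (the /sspr/public/Login URL and its POST are made up for contrast). Correlation is by URL path only, which is enough for a single-user reproduction; on a busy gateway, filter the log to one client address first.

```python
import re

# Sample log: the lines from the article relevant to the check, plus a
# constructed success case (the /sspr/public/Login entries are invented).
SAMPLE_LOG = """\
May 12 09:42:31 nam41sba httpd[15020]: [notice] PostParking Size fetched:36
May 12 09:42:31 nam41sba httpd[15020]: [info] AM#504600000 AMDEVICEID#ag-F56A35AAEC96A36D: AMAUTHID#: AMEVENTID#11115: stored POST data of len 36 of content-type application/x-www-form-urlencoded for url /servlets-examples/servlet/RequestParamExample
May 12 09:42:31 nam41sba httpd[15020]: [info] AM#504600401 AMDEVICEID#ag-F56A35AAEC96A36D: AMAUTHID#: AMEVENTID#11115: lredir1:https://nam41sba.lab.novell.com:443/nesp/app/plogin?c=secure/name/password/uri&%22https://nam41sba.lab.novell.com/servlets-examples/servlet/RequestParamExample%22
May 12 09:42:36 nam41sba httpd[15020]: ID:11126:2318:creq [149.44.166.79:49601->147.2.35.57:443] GET /servlets-examples/servlet/RequestParamExample
May 12 09:42:36 nam41sba httpd[15020]: ID:11126:2318:to-ws [147.2.35.57:58891->147.2.16.154:8080] GET /servlets-examples/servlet/RequestParamExample HTTP/1.1
May 12 09:42:36 nam41sba httpd[15020]: ID:11126:2318:to-ws Host: ncsles10.lab.novell.com:8080
May 12 09:50:02 nam41sba httpd[15020]: [info] AM#504600000 AMDEVICEID#ag-F56A35AAEC96A36D: AMAUTHID#: AMEVENTID#11200: stored POST data of len 40 of content-type application/x-www-form-urlencoded for url /sspr/public/Login
May 12 09:50:09 nam41sba httpd[15020]: ID:11126:2400:to-ws [147.2.35.57:58900->147.2.16.154:8080] POST /sspr/public/Login HTTP/1.1
"""

# "stored POST data of len 36 of content-type ... for url /path"
STORED_RE = re.compile(
    r"stored POST data of len (?P<len>\d+) of content-type (?P<ct>\S+) for url (?P<url>\S+)"
)
# Request line of what the AG forwards to the web server: ":to-ws [src->dst] METHOD /path"
# (header lines such as "to-ws Host: ..." do not match because of the bracket).
TO_WS_RE = re.compile(r":to-ws \[[^\]]+\] (?P<method>[A-Z]+) (?P<url>\S+)")


def find_lost_posts(log_text: str) -> list:
    """Return parked POSTs whose follow-up to-ws request was not a POST."""
    pending = {}   # path -> details of the parked POST, until it is replayed
    lost = []
    for line in log_text.splitlines():
        m = STORED_RE.search(line)
        if m:
            pending[m.group("url")] = {
                "parked_at": line[:15],          # syslog timestamp prefix
                "len": int(m.group("len")),
                "content_type": m.group("ct"),
            }
            continue
        m = TO_WS_RE.search(line)
        if not m:
            continue
        path = m.group("url").split("?", 1)[0]   # compare path only
        parked = pending.pop(path, None)
        if parked is None:
            continue                              # ordinary request, nothing parked
        if m.group("method") != "POST":
            lost.append({
                "url": path,
                "method": m.group("method"),
                "len": parked["len"],
                "content_type": parked["content_type"],
                "parked_at": parked["parked_at"],
                "forwarded_at": line[:15],
            })
    return lost


if __name__ == "__main__":
    for item in find_lost_posts(SAMPLE_LOG):
        print(f"{item['forwarded_at']} {item['url']}: parked {item['len']}-byte "
              f"POST at {item['parked_at']} was forwarded as {item['method']}")
```

On the sample, only the RequestParamExample request is reported: a 36-byte form body was parked at 09:42:31 and the request forwarded at 09:42:36 was a GET, matching the failure described above. The constructed SSPR entry is replayed as a POST and therefore not reported.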