Environment
NetIQ Access Manager 4.1
Risk Based Authentication enabled
Risk Based Authentication enabled
Situation
Access Manager setup and working well. Administrator wanted to test out risk based authentication and created a risk based setup. After protecting one of the Access Gateway protected resources with this risk based contract, users accessing that contract would see the following error on the browser:
Error:Authentication failed (200104403-C136F71C6489AD8E)
where C136F71C6489AD8E is the sessionID for that user and will change with every new user.
Looking at the catalina log files, one could see the following exception:
Error:Authentication failed (200104403-C136F71C6489AD8E)
where C136F71C6489AD8E is the sessionID for that user and will change with every new user.
Looking at the catalina log files, one could see the following exception:
the same output ...
<amLogEntry> 2015-09-07T12:52:18Z DEBUG NIDS
Application:
Method: RiskBasedAuthenticationClass.A
Thread: ajp-bio-127.0.0.1-9019-exec-16
User found and validating token for - ncashell </amLogEntry>
Method: RiskBasedAuthenticationClass.A
Thread: ajp-bio-127.0.0.1-9019-exec-16
User found and validating token for - ncashell </amLogEntry>
<amLogEntry> 2015-09-07T12:52:18Z SEVERE NIDS Application:
AM#200104403: AMDEVICEID#C136F71C6489AD8E:
AMAUTHID#21532E59FA415CB1CB8D92E1FDFABE39: Error during authentication process:
Unexpected error in processing </amLogEntry>
<amLogEntry> 2015-09-07T12:52:18Z INFO NIDS Application:
AM#500105039: AMDEVICEID#C136F71C6489AD8E:
AMAUTHID#21532E59FA415CB1CB8D92E1FDFABE39: Error on session id
21532E59FA415CB1CB8D92E1FDFABE39, error 200104403-C136F71C6489AD8E,
Authentication failed:Error during authentication process: AM#500105039:
AMDEVICEID#C136F71C6489AD8E: AMAUTHID
#21532E59FA415CB1CB8D92E1FDFABE39: :java.lang.NullPointerException </amLogEntry>
#21532E59FA415CB1CB8D92E1FDFABE39: :java.lang.NullPointerException </amLogEntry>
<amLogEntry> 2015-09-07T12:52:18Z VERBOSE NIDS Application:
Authentication method risk_method failed while executing the class com.novell.nam.nidp.risk.RiskBasedAuthenticationClass@5367ae9b
</amLogEntry>
Resolution
Make sure that the contract associated with the protected resource includes a user identifying method eg. name/password form method, along with the risk based method. The risk based method must have the 'identify user' flag disabled.