Client Login Extensions (CLE) 3.9
Self Service Password Reset 3.2
Access Manager is set up and working well. To improve the password management framework, SSPR was installed and accelerated by the Access Gateway. All SSPR URLs are listed as public resources in the NAM configuration and therefore do not require authentication.
When users access the SSPR links from the client machine using any browser (including IE 8), the user, as expected, sees the page without being prompted for authentication and can perform any allowed action on the password.
When the same users use CLE 3.9 (which includes an embedded IE8 browser) to access the page, the restricted browser returns the following error (not a NAM branded error but a local browser error):
"Navigation to webpage was cancelled"
Bypassing the AG (by changing the local HOSTS file) and going straight to the SSPR links from the CLE 3.9 client, the pages render correctly.
The LAN trace shows an issue with the SSL handshake between the CLE client and the AG. After the cipher and compression algorithms are negotiated successfully, the AG correctly sends back the Certificate and Server Hello Done SSL messages. The browser then immediately issues a TCP reset and the connection is closed, causing the problem. The SSL handshake is initiated using TLS 1.2 (newly supported with CLE 3.9 - https://www.netiq.com/documentation/client-login-extension/release_notes/data/release_notes.html), but the server responds with a TLS 1.0 response as it does not support 1.2. This is very common and should not normally cause any issues.
CLE logs also indicate an issue with the session, as they reference ieframe.dll as the target host, as shown below:
OnBeforeNavigate2 Redirection to the site[https://idm.company.com/sspr/public/ForgottenPassword]
15/09/01 16:41:25 SetIEZoneMap The machine is not Server OS. So adding sites to the IE Trusted Zone is skipped
15/09/01 16:41:25 GetHostFromURL Hostname is ieframe.dll
15/09/01 16:41:25 GetHostFromURL Url is not HTTPS
15/09/01 16:41:25 ValidateUrl Comparing host idm.company.com with target host ieframe.dll
Disabling the CLE 'Enabled TLS 1.2' option only caused CLE to fall back to TLS 1.1 and did not help. To fix the issue, do the following:
a) enable TLS 1.1/1.2 support on Access Manager 4.0 (https://www.netiq.com/documentation/netiqaccessmanager4/enable_tls_nam40/data/enable_tls_nam40.html)
b) upgrade to NAM 4.1. NAM 4.1 has TLS 1.1/1.2 support enabled by default and no issues were ever seen with this SSL protocol, as CLE always got its response with the protocol it started with.
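The following Python script is an added example and is not part of this article or of any NetIQ product. It shows the two checks a practitioner would want around the handshake described above: parse_server_hello() reads the ServerHello from a LAN trace (the sample bytes below are a constructed TLS 1.0 ServerHello, not a capture from the affected gateway) and reports which version the server actually chose, and probe_tls12() connects to a gateway with a TLS 1.2-only client to confirm the fix in a) or b) took effect. The host name in the usage comment is a placeholder; parse_server_hello() does not parse TLS 1.3, which is outside this article's scope.

```python
"""Check which TLS version a gateway answers with when offered TLS 1.2.

Added example for the CLE 3.9 / Access Gateway handshake problem above.
"""
import socket
import ssl
import struct

# Version bytes used in the record layer and in the ServerHello body.
TLS_VERSIONS = {
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}


def parse_server_hello(data: bytes) -> dict:
    """Parse the first TLS record in `data`, which must be a ServerHello.

    Returns the record-layer version, the version the server selected in
    the ServerHello body, and the chosen cipher suite. Raises ValueError
    for anything that is not a well-formed ServerHello record.
    """
    if len(data) < 5:
        raise ValueError("record header is truncated")
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", data[:5])
    if content_type != 22:  # 22 = handshake
        raise ValueError("not a handshake record")
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 2:  # 2 = server_hello
        raise ValueError("not a ServerHello message")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    # version(2) + random(32) + session_id_len(1) is the fixed prefix.
    if len(hs) < 35:
        raise ValueError("ServerHello body is truncated")
    server_version = (hs[0], hs[1])
    session_id_len = hs[34]
    off = 35 + session_id_len
    if len(hs) < off + 3:
        raise ValueError("ServerHello missing cipher suite / compression")
    cipher_suite = struct.unpack("!H", hs[off:off + 2])[0]
    return {
        "record_version": TLS_VERSIONS.get((rec_major, rec_minor), f"unknown {rec_major}.{rec_minor}"),
        "server_version": TLS_VERSIONS.get(server_version, f"unknown {server_version}"),
        "server_version_tuple": server_version,
        "cipher_suite": cipher_suite,
    }


def is_downgrade(data: bytes, offered=(3, 3)) -> bool:
    """True if the server selected a lower version than the client offered
    (default: client offered TLS 1.2, as CLE 3.9 does)."""
    return parse_server_hello(data)["server_version_tuple"] < offered


# Constructed sample: a TLS 1.0 ServerHello of the kind a gateway without
# TLS 1.2 support returns. Random is all zeros and the session id is empty
# to keep the sample short; it is not a captured packet.
SAMPLE_SERVER_HELLO_TLS10 = (
    bytes([0x16, 0x03, 0x01, 0x00, 0x2A])  # record: handshake, version 3.1, length 42
    + bytes([0x02, 0x00, 0x00, 0x26])      # ServerHello, body length 38
    + bytes([0x03, 0x01])                  # server_version = TLS 1.0
    + bytes(32)                            # server random
    + bytes([0x00])                        # session_id length 0
    + bytes([0x00, 0x2F])                  # TLS_RSA_WITH_AES_128_CBC_SHA
    + bytes([0x00])                        # compression method null
)


def probe_tls12(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect with a client that only accepts TLS 1.2 and report the result.

    A gateway that still answers with TLS 1.0 fails this handshake, which
    is the condition the CLE embedded browser ran into. Certificate
    validation stays on: a certificate error means version negotiation
    already succeeded, so it is reported as such rather than as a failure.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return f"negotiated {tls.version()}"
    except ssl.SSLCertVerificationError as exc:
        return f"TLS 1.2 negotiated, but certificate not trusted by this client: {exc}"
    except (ssl.SSLError, OSError) as exc:
        return f"TLS 1.2 handshake failed: {exc}"


if __name__ == "__main__":
    info = parse_server_hello(SAMPLE_SERVER_HELLO_TLS10)
    print(f"sample ServerHello: server chose {info['server_version']}, "
          f"downgrade from TLS 1.2: {is_downgrade(SAMPLE_SERVER_HELLO_TLS10)}")
    # Replace the placeholder with the Access Gateway host to verify the fix:
    # print(probe_tls12("ag.example.invalid"))
```

Run parse_server_hello() on the ServerHello bytes exported from the trace (the record starting with 0x16) to confirm what the gateway selected; after enabling TLS 1.1/1.2 on NAM 4.0 or upgrading to 4.1, probe_tls12() against the gateway should report "negotiated TLSv1.2".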