Access Manager Appliance randomly reports the error NIDPMAIN.114 "An error has occurred which may have invalidated your authentication"

  • 7017205
  • 29-Jan-2016
  • 25-Apr-2016

Environment

  • NetIQ Access Manager 4.2.1
  • NetIQ Access Manager 4.1.2
  • NetIQ Access Manager Appliance 4.2.1
  • NetIQ Access Manager Appliance 4.1.2


Situation

  • Four NetIQ Access Manager Appliances have been installed in a cluster

  • A Layer 4 Switch has been configured to load balance between cluster nodes

  • Each Appliance has two network interface cards

  • The Management IP address has been configured on an IP address assigned to eth1

  • All other services (NIDP Server, Access Gateway Reverse Proxy)
    have been configured on IP addresses assigned to eth0

  • Users randomly receive the error message:

    Error: NIDPMAIN.114
    (An error has occurred which may have invalidated your authentication. Please try refreshing the browser page. If this error persists, close this browser window, open a new browser, and log in again.)

Resolution

There are two different ways to solve this problem:

  • Option 1)  Review the NetIQ Access Manager Administration Guide section "Configuring a Specific IP Address for Proxied Requests". In short, add a proxyAddressMap context parameter to the web.xml file used by the NIDP server. The value is a comma-separated triple: the Management IP address, an unused placeholder, and the IP address that cluster members must use when proxying requests to the NIDP server (in this situation, the NIDP address on eth0). Restart the Identity Server afterwards so the new web.xml is read.
<context-param>
    <param-name>proxyAddressMap</param-name>
    <param-value>Management_IP, unused, Proxied_Request_IP</param-value>
</context-param>
  • Option 2) Modify the "Connector NIDP_Name" element in the NIDP server's server.xml so that it listens on all assigned IP addresses, by removing the address="..." attribute entirely. The connector below is the result in the affected environment: it carries no address attribute. The other attributes (port 2443, keystore, cipher list) are that environment's existing values and are not part of the fix; in particular, the cipher list dates from 2016 and contains RC4 and 3DES suites that are now deprecated, so keep your own list rather than copying this one.

    Example:

    <Connector NIDP_Name="connector" port="2443" maxThreads="1000" minSpareThreads="5" enableLookups="false" acceptCount="100" scheme="https" secure="true" disableUploadTimeout="true" URIEncoding="utf-8" sslProtocol="TLS" clientAuth="false" sslImplementationName="com.novell.nidp.common.util.net.server.NIDPSSLImplementation" keystoreFile="/opt/novell/devman/jcc/certs/nam/nam.keystore" keystorePass="changit" SSLEnabled="true" ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA" />

  • Then create an init script that installs an iptables rule redirecting requests arriving on the management interface from destination port 443 to destination port 2443, similar to what is documented in the NetIQ Access Manager "install_upgrade" documentation, section "Changing the Port on a Linux Identity Server". The one difference is the target port: redirect 443 to 2443, not to 8443, because 2443 is the port the NAM Appliance's NIDP connector listens on.

    Example:

    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides: idp_2443_redirect
    # Required-Start:
    # Required-Stop:
    # Default-Start: 2 3 5
    # Default-Stop: 0 1 6
    # Description: Redirect port 443 to 2443 for the Novell IDP
    ### END INIT INFO

    # Environment-specific variables: set INTF and ADDR to the interface and the
    # IP address that receive the forwarded cluster requests (in the situation
    # above, the Management IP address on eth1). The values below are placeholders.
    IPT_BIN=/usr/sbin/iptables
    INTF=eth0
    ADDR=10.10.0.1

    . /etc/rc.status

    # First reset status of this service
    rc_reset

    case "$1" in
        start)
            echo -n "Starting IP Port redirection"
            # Caution: --flush removes every rule in the nat table, not only the
            # two added below. If the appliance carries other NAT rules, delete
            # these two rules with -D instead of flushing the table.
            $IPT_BIN -t nat --flush
            # Inbound: requests arriving on $INTF for port 443 go to the IDP on 2443
            $IPT_BIN -t nat -A PREROUTING -i $INTF -p tcp --dport 443 -j DNAT --to ${ADDR}:2443
            # Locally generated requests to ${ADDR}:443 (this node forwarding to itself)
            $IPT_BIN -t nat -A OUTPUT -p tcp -d $ADDR --dport 443 -j DNAT --to ${ADDR}:2443
            rc_status -v
            ;;
        stop)
            echo -n "Flushing all IP Port redirection rules"
            $IPT_BIN -t nat --flush
            rc_status -v
            ;;
        restart)
            $0 stop
            $0 start
            rc_status
            ;;
        *)
            echo "Usage: $0 {start|stop|restart}"
            exit 1
            ;;
    esac
    rc_exit

Cause

Because the Management IP address is assigned to a different interface (eth1) than the one the NIDP server listens on (eth0), the NIDP server uses the wrong address whenever it proxies a request to the cluster member that holds a user's session, that is, whenever the user started, or was already logged in at, another cluster node. The forwarding URL is built from the peer's Management IP address on port 443, where nothing is listening, so the connection is refused. This is visible in the IDP's catalina.out:

INFO NIDS Application: AM#500105001: AMDEVICEID#06E563D7A77FA4E6: AMAUTHID#A5920AF06F75273408CF000DD5C73BD2:
  Forwarding HTTP request to cluster member at URL: https://[IP address of Management Interface not hosting the NIDP server]:443/nidp/saml2/sso?sid=0&sid=0

SEVERE NIDS Application: AM#100105001: AMDEVICEID#06E563D7A77FA4E6: AMAUTHID#A5920AF06F75273408CF000DD5C73BD2:
  An error happened while forwarding a request to a cluster member. Error: Connection refused. Unable to forward request to cluster member.

Additional Information

Troubleshooting:

  • Enable the following NIDP cluster logging options:
       File Logging: enabled
       Echo To Console: enabled
       Component File Logger Levels: Application and Liberty set to Info

  • Truncate the NIDP server's catalina.out file before reproducing:
    "echo > /var/opt/novell/nam/logs/idp/tomcat/catalina.out"

  • Install a browser header trace tool in order to follow a particular user session and match this with the

  • Use a fresh browser session in order to reproduce the problem
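The two messages quoted in the Cause section can be correlated per session (AMAUTHID) to show which addresses a node forwards to and which of those refuse the connection; that is the quickest way to confirm the misconfiguration before applying either option and to verify the fix afterwards. The bash script below is an added example, not code from this TID or from NetIQ. It assumes the NAM 4.x log wording quoted above, takes the cluster's Management IP addresses as arguments, and runs against a constructed five-line sample of catalina.out (RFC 5737 documentation addresses stand in for real ones) so it works offline; on a real node, pass /var/opt/novell/nam/logs/idp/tomcat/catalina.out instead of the sample file.

```bash
#!/bin/bash
# Added example (not part of TID 7017205 or of the NAM product): correlate the
# "Forwarding HTTP request to cluster member" and "Connection refused" messages
# from an IDP catalina.out to find misdirected cluster forwards.
# Assumptions: NAM 4.x log wording as quoted in the TID; Management IP addresses
# are supplied by the caller. The log lines and addresses below are constructed.

# Constructed sample of /var/opt/novell/nam/logs/idp/tomcat/catalina.out.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
INFO NIDS Application: AM#500105001: AMDEVICEID#06E563D7A77FA4E6: AMAUTHID#A5920AF06F75273408CF000DD5C73BD2: Forwarding HTTP request to cluster member at URL: https://192.0.2.12:443/nidp/saml2/sso?sid=0&sid=0
SEVERE NIDS Application: AM#100105001: AMDEVICEID#06E563D7A77FA4E6: AMAUTHID#A5920AF06F75273408CF000DD5C73BD2: An error happened while forwarding a request to a cluster member. Error: Connection refused. Unable to forward request to cluster member.
INFO NIDS Application: AM#500105001: AMDEVICEID#06E563D7A77FA4E6: AMAUTHID#1B7C2E9D4F60A1B2C3D4E5F60718293A: Forwarding HTTP request to cluster member at URL: https://198.51.100.12:443/nidp/saml2/sso?sid=0&sid=0
INFO NIDS Application: AM#500105001: AMDEVICEID#06E563D7A77FA4E6: AMAUTHID#C0FFEE0123456789ABCDEF0123456789: Forwarding HTTP request to cluster member at URL: https://192.0.2.12:443/nidp/saml2/sso?sid=0&sid=0
SEVERE NIDS Application: AM#100105001: AMDEVICEID#06E563D7A77FA4E6: AMAUTHID#C0FFEE0123456789ABCDEF0123456789: An error happened while forwarding a request to a cluster member. Error: Connection refused. Unable to forward request to cluster member.
EOF

# Print "host:port count" for every distinct cluster-forwarding target in LOGFILE.
forward_targets() {
    grep -o 'cluster member at URL: https://[^/]*' "$1" \
        | sed 's#.*https://##' | sort | uniq -c | awk '{print $2, $1}'
}

# Print "host:port count" only for targets whose forward was followed, for the
# same AMAUTHID (user session), by the "Connection refused" message.
refused_targets() {
    awk '
        match($0, "AMAUTHID#[0-9A-F]+") { sid = substr($0, RSTART, RLENGTH) }
        match($0, "cluster member at URL: https://[^/]+") {
            # strip the 31-character prefix "cluster member at URL: https://"
            last[sid] = substr($0, RSTART + 31, RLENGTH - 31)
        }
        /Error: Connection refused/ && (sid in last) { print last[sid]; delete last[sid] }
    ' "$1" | sort | uniq -c | awk '{print $2, $1}'
}

# Succeed (0) when no forward targets a Management IP; otherwise list them and
# return 1. usage: check_not_management_ip LOGFILE MGMT_IP...
check_not_management_ip() {
    local log=$1 target host ip rc=0
    shift
    for target in $(forward_targets "$log" | awk '{print $1}'); do
        host=${target%%:*}
        for ip in "$@"; do
            if [ "$host" = "$ip" ]; then
                echo "forwarding to Management IP $target: nothing listens there on 443 (apply proxyAddressMap or the iptables redirect)"
                rc=1
            fi
        done
    done
    return $rc
}

# Stand-alone run on the sample; 192.0.2.11 and 192.0.2.12 play the Management IPs.
forward_targets "$SAMPLE_LOG"
refused_targets "$SAMPLE_LOG"
check_not_management_ip "$SAMPLE_LOG" 192.0.2.11 192.0.2.12 || echo "cluster forwarding misconfigured"
```

On the sample, forward_targets reports two forwards to 192.0.2.12:443 and one to 198.51.100.12:443; refused_targets narrows that to the two forwards to 192.0.2.12:443, and the final check fails because that address is a Management IP. After either fix is applied, the refused list should be empty and the check should pass.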