IDP server reports the error NIDPMAIN.144 for users switching between two NAM environments using the same cookie domain

  • 7017235
  • 09-Feb-2016
  • 09-Feb-2016

Environment

NetIQ Access Manager 4.1
NetIQ Access Manager 4.2

Situation

  • Two Access Manager Systems have been configured with the same cookie domain during the phase of migrating from an old NAM 3.1 environment to a new NAM 4.1 setup.

  • Users who access the NAM 3.1 setup and later access the new NAM 4.1 system fail to authenticate with the error: "Access Manager Appliance reports the error NIDPMAIN.144 An error has occurred which may have Invalidated your authentication."

Resolution

  • Set up your NAM environments with unique cookie domains.

  • If your L4 switch is configured as the SSL terminator, it can modify incoming HTTP requests to remove the cluster member cookie UrnNovellNidpClusterMemberId set by your old system before they are forwarded to the new system, and vice versa.
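The cookie rewrite described in the second workaround, as an added illustration that is not part of the TID: a small Python filter that removes only the UrnNovellNidpClusterMemberId cookie from an inbound Cookie header and leaves every other cookie (such as the IDP session cookie) untouched. It assumes the TLS-terminating front end can run such logic on forwarded requests; the L4 switch's own configuration syntax is vendor specific and not shown here.

```python
from typing import Dict, Optional

# Cookie named in the TID: it carries the encrypted IP of the cluster member
# that authenticated the user, so it must not cross between environments.
CLUSTER_MEMBER_COOKIE = "UrnNovellNidpClusterMemberId"


def strip_cookie(cookie_header: str, name: str = CLUSTER_MEMBER_COOKIE) -> Optional[str]:
    """Return the Cookie header value without the named cookie.

    Other cookies keep their original order. Returns None when nothing is left,
    meaning the Cookie header should be dropped entirely rather than sent empty.
    """
    kept = []
    for part in cookie_header.split(";"):
        pair = part.strip()
        if not pair:
            continue
        cookie_name = pair.split("=", 1)[0].strip()
        if cookie_name == name:
            continue  # drop the foreign cluster member cookie
        kept.append(pair)
    return "; ".join(kept) if kept else None


def rewrite_request_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Apply strip_cookie to a request header map (header names are case-insensitive)."""
    out: Dict[str, str] = {}
    for key, value in headers.items():
        if key.lower() == "cookie":
            cleaned = strip_cookie(value)
            if cleaned is not None:
                out[key] = cleaned
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    # Constructed request from a browser holding cookies of both NAM environments
    # on the shared cookie domain; all values are dummies.
    sample = {
        "Host": "idp.example.com",
        "Cookie": "JSESSIONID=abc123; UrnNovellNidpClusterMemberId=ENCRYPTED-OLD-MEMBER; lang=en",
    }
    print(rewrite_request_headers(sample))
```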

Cause

  • The cluster member cookies (UrnNovellNidpClusterMemberId) set by the NIDP servers of the old NAM 3.1 system have been sent to the new NAM 4.1 NIDP servers. The UrnNovellNidpClusterMemberId cookie includes the encrypted IP address of the cluster member the given user authenticated with.

    Even though the old NIDP server from NAM 3.1 is not a cluster member of the new NAM 4.1 system, the NIDP server receiving the request tries to contact the IP address encrypted in the "UrnNovellNidpClusterMemberId" cookie in order to retrieve the existing user information by issuing a proxy request.