Fingerprint based Authentication fails with 'wait' string appearing indefinitely on login page

  • 7018044
  • 12-Sep-2016
  • 01-Nov-2016

Environment

NetIQ Access Manager 4.2
NetIQ Access Manager 4.3
NetIQ Advanced Authentication Framework 5.3
NetIQ Advanced Authentication Framework 5.4

Situation

Access Manager 4.2 is set up and working well: users can authenticate to the Identity (IDP) server and access a protected resource on the Access Gateway (AG) successfully. After rolling out a new HR application protected by the AG, the business owner required multifactor authentication for this app. It was decided to use the Fingerprint authentication method shipped with the Advanced Authentication Framework (AAF) 5.3 product.

To use Fingerprint authentication with the IDP server, one must create the dynamic class/method/contract and assign it to the HR application's protected resource. After the user enrolled their fingerprint and accessed the HR protected resource, they were challenged for the username and fingerprint. After submitting the fingerprint itself, the IDP login page would display a 'wait' message indefinitely and the user would never get redirected to the application.

The IDP logs indicated that the IDP sent the data to the AAF appliance and that the response back indicated it was waiting for more data.

Sep 08, 2016 9:44:53 AM com.authasas.aucore.nam.method.AAPluginAuthenticationClass debugMessage
INFO: handlePostedData else
Sep 08, 2016 9:44:53 AM com.authasas.aucore.nam.method.AAPluginAuthenticationClass debugMessage
INFO:  status = MORE_DATA
Sep 08, 2016 9:44:53 AM com.authasas.aucore.nam.method.AAPluginAuthenticationClass debugMessage
INFO: status.equals(ResponseStatus.MOREDATA)
Sep 08, 2016 9:44:53 AM com.authasas.aucore.nam.method.AAPluginAuthenticationClass debugMessage
INFO: moreDataHandler call
Sep 08, 2016 9:44:53 AM com.authasas.aucore.nam.method.AAPluginAuthenticationClass debugMessage
INFO: Last else
Sep 08, 2016 9:44:53 AM com.authasas.aucore.nam.method.AAPluginAuthenticationClass debugMessage
INFO:  status = MORE_DATA
Sep 08, 2016 9:44:53 AM com.authasas.aucore.nam.method.AAPluginAuthenticationClass debugMessage
INFO: isAjax()
Sep 08, 2016 9:44:53 AM com.authasas.aucore.nam.method.AAPluginAuthenticationClass debugMessage
INFO: ajax header is XMLHttpRequest
Sep 08, 2016 9:44:53 AM com.authasas.aucore.nam.method.AAPluginAuthenticationClass debugMessage
INFO: showStatusPage with wait
Sep 08, 2016 9:44:53 AM com.authasas.aucore.nam.method.AAPluginAuthenticationClass debugMessage
INFO: state != NOT_INIT
Sep 08, 2016 9:44:53 AM com.authasas.aucore.nam.method.AAPluginAuthenticationClass debugMessage
INFO: saveDataToSession
Sep 08, 2016 9:44:53 AM com.authasas.aucore.nam.method.AAPluginAuthenticationClass debugMessage
INFO: this.lastTry = 0
Sep 08, 2016 9:44:53 AM com.authasas.aucore.nam.method.AAPluginAuthenticationClass debugMessage
INFO: this.currentMethod = 0


The AAF logs simply showed that the login process had started but never completed.

2016-09-08 10:28:27 (UTC+0100) INFO [aucore.logger.client] CEF:0|AAA|Core|5.0|100|User logon started|4|ep=nam43sba.dub.novell.com ep_addr=147.2.32.1 event=NAM session_id=onQECru5N1EGnfXpuLftbXVrDiUk1KPr user_name=IDMVAULT\\ncashell p=40224
2016-09-08 10:28:27 (UTC+0100) DEBUG [uwsgi] POST /api/v1/logon 147.2.32.1 147ms
*** 5 secs later 2016-09-08 10:28:33 (UTC+0100) DEBUG [uwsgi] GET /admin/api/session_status 149.44.166.71 3ms

Resolution

Edit the Tomcat maxPostSize setting to increase the maximum POST data size (default is 64 kB, but with some fingerprint devices the data size can be up to 2 MB). We opened /opt/novell/nam/idp/conf/server.xml, found the maxPostSize="65536" string and replaced it with maxPostSize="2097152" so that the request's fingerprint data is accepted.
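As an added example (not part of this TID and not NetIQ code), a small Python check that reads an IDP server.xml and reports every Connector whose maxPostSize is below the 2 MB value the resolution uses, so the setting can be verified before and after the edit. The embedded server.xml is a constructed sample modelled on the real file, not the real file itself.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an IDP server.xml (not the real file): one connector still
# at the 64 kB value from the TID, one already raised, one with the attribute absent.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" maxPostSize="65536"/>
    <Connector port="8080" protocol="HTTP/1.1" maxPostSize="2097152"/>
    <Connector port="8009" protocol="AJP/1.3"/>
  </Service>
</Server>
"""

# 2 MB, the value the resolution above puts into server.xml.
REQUIRED_BYTES = 2097152


def audit_max_post_size(xml_text, required=REQUIRED_BYTES):
    """Return one finding per <Connector>: its port, the configured maxPostSize
    (None when the attribute is absent) and whether it can carry a POST of
    `required` bytes. In Tomcat, maxPostSize="-1" disables the limit, so it passes."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        raw = conn.get("maxPostSize")
        if raw is None:
            # Attribute not set: Tomcat applies its built-in default, which may differ
            # between versions, so flag the connector for a manual look.
            findings.append({"port": conn.get("port"), "maxPostSize": None, "ok": False})
            continue
        value = int(raw)
        findings.append({
            "port": conn.get("port"),
            "maxPostSize": value,
            "ok": value == -1 or value >= required,
        })
    return findings


def audit_file(path, required=REQUIRED_BYTES):
    """Convenience wrapper: audit a server.xml on disk, e.g. /opt/novell/nam/idp/conf/server.xml."""
    with open(path, encoding="utf-8") as fh:
        return audit_max_post_size(fh.read(), required)


if __name__ == "__main__":
    for f in audit_max_post_size(SAMPLE_SERVER_XML):
        print(f"port {f['port']}: maxPostSize={f['maxPostSize']} -> {'OK' if f['ok'] else 'TOO SMALL / UNSET'}")
```

Tomcat reads server.xml only at startup, so the IDP must be restarted after the attribute is changed; rerun the audit afterwards to confirm the new value is in place.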

Cause

The IDP was not receiving the full fingerprint data from Tomcat, because the POST exceeded the configured maxPostSize, and AAF could not validate the user's chain with the truncated data.