Unable to authenticate error: "DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl""

  • 7020985
  • 19-Jun-2017
  • 12-Oct-2018

Environment

NetIQ Access Manager 4.3

Situation

User accesses a protected resource accelerated by Access Gateway and is redirected to authenticate. After authenticating successfully, the user gets the following error on the browser:

Unable to authenticate.:DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.:

The catalina log file on the AG shows the following extract when POSTing the artifact to the IDP, and awaiting an assertion:

<amLogEntry> 2017-06-04T08:54:24Z INFO NIDS Application: AM#500105021: AMDEVICEID#esp-BC92CCFEA52ADC7E: AMAUTHID#e563ceae2024d1f5bc59e006303f22452f84a2012b663f8630de7351afa003a1:  Sending artifact AANjUNFmLbzq6hGIlD6ECHjrVPNMUFd1YYo2xBlV0n0KAlgmawxExH/Q to URL https://nam.kington.com/nidp/idff/soap at IDP </amLogEntry>

 

<amLogEntry> 2017-06-04T08:54:24Z SEVERE NIDS Application: AM#100105003: AMDEVICEID#esp-BC92CCFEA52ADC7E:  Error obtaining SOAP response. Reason: DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.. </amLogEntry>

 

<amLogEntry> 2017-06-04T08:54:24Z INFO NIDS Application: AM#500105039: AMDEVICEID#esp-BC92CCFEA52ADC7E: AMAUTHID#e563ceae2024d1f5bc59e006303f22452f84a2012b663f8630de7351afa003a1:  Error on session id e563ceae2024d1f5bc59e006303f22452f84a2012b663f8630de7351afa003a1, error DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.-esp-BC92CCFEA52ADC7E, Unable to authenticate.:DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.: </amLogEntry>


The IDP logs show the artifact coming in and the responding assertion sent back.

Resolution

 add option XML_PARSE_ALLOW_DTD  true to AG Cluster -> Edit -> Reverse Proxy/Authentication -> ESP Global Options

Feedback service temporarily unavailable. For content questions or problems, please contact Support.