Browser looping trying to access protected resource behind Linux Access Gateway

  • 7005115
  • 08-Jan-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.0 Linux Access Gateway
Novell Access Manager 3.1 Support Pack 1 applied
Occurs only with protected resources, not public resources, behind the Linux Access Gateway

Situation

Multiple back-end web servers are accelerated by the Linux Access Gateway (LAG). All of these applications work fine for most users. Some users accessing the same applications report that they cannot complete the login: they access a protected resource, are redirected to the Identity Server (IDP) to authenticate, and are never redirected back to the URL they originally requested.

HTTP header traces show that the user authenticates successfully and is redirected back to the LAG protected resource, but the LAG keeps prompting the user for credentials again. The LAG normally does this when no LAG session cookie (IPCQZX03) is present, but in this scenario the cookie was present in the request.

Resolution

Run the following commands on the LAG:

# touch /etc/lagDisableAuthIPCheck
# /etc/init.d/novell-vmc restart

This touch file removes one of the checks the LAG performs on incoming session cookies: the comparison of the request's source IP address with the address recorded when the session was established. Note that this check is what rejects a session cookie presented from a different address, so disabling it removes that protection for every session on the LAG, not just for the affected users.

Additional Information

If multiple network paths exist between a browser and the LAG, and proxies or NAT devices sit on those paths, the source IP address of requests arriving at the LAG may change from one request to the next. Take an example user, user A, who connects through an ISP that runs multiple transparent proxies in parallel for performance reasons.

- User A accesses the LAG for the first time. The request goes through a local transparent proxy, TP1, so the source IP address of the initial request is TP1's address. The LAG session cookie is set and the user is redirected back to the page he/she originally requested.

- User A then sends the next request for the original page, but it goes through a different proxy, TP2. The source IP address of the request arriving at the LAG is now different from the one the user authenticated with (TP1's address), so the cookie validation fails. The LAG requests a valid session cookie again, and as long as successive requests keep arriving from different proxy addresses the browser loops.

With debug logging enabled, the ics_dyn.log file contains a message indicating that cookie validation failed. To see it, set the DEBUG flag in /etc/laglogs.conf to 7 (the default is 5); the following lines show the issue occurring:

Jan  6 16:01:08 exlmad0a0146 : AM#504504000: AMDEVICEID#ag-E12AD37549DD2AA: AMAUTHID#0: AMEVENTID#1591: Got   valid Cookie[1102191248 131072 1979328327 1247904132  165.197.19.242 0.2 CIP:165.197.19.246] COOKIE_VALIDATION
Jan  6 16:01:08 exlmad0a0146 : AM#104504000: AMDEVICEID#ag-E12AD37549DD2AA: AMAUTHID#2E9826B446657573CA850293E212C303: AMEVENTID#1591: Browser IP address does not match with the IAUser
Jan  6 16:01:08 exlmad0a0146 : AM#504504000: AMDEVICEID#ag-E12AD37549DD2AA: AMAUTHID#2E9826B446657573CA850293E212C303: AMEVENTID#1591: Redirect to LAGBroker
Jan  6 16:01:08 exlmad0a0146 : AM#504504000: AMDEVICEID#ag-E12AD37549DD2AA: AMAUTHID#2E9826B446657573CA850293E212C303: AMEVENTID#1591: AuthServerRequestDS - handleRequestAfterEventProcessing with request state = 6, action = 0
Jan  6 16:01:08 exlmad0a0146 : AM#504504000: AMDEVICEID#ag-E12AD37549DD2AA: AMAUTHID#2E9826B446657573CA850293E212C303: AMEVENTID#1591: REDIRECT_TO_LAGBROKER https://esp.novell.com:443/LAGBroker?c=secure/name/password/DOR/uri&%22https://tap.rev.win.com:443/%22
Jan  6 16:01:08 exlmad0a0146 : AM#504503000: AMDEVICEID#ag-E12AD37549DD2AA: AMAUTHID#0: AMEVENTID#1591: msgIndex:1000 msgCnt:200
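The following script is an added example for this TID, not Novell code, to confirm from ics_dyn.log that the loop described above is caused by the IP check before the touch file is applied. It parses the COOKIE_VALIDATION and "Browser IP address does not match" lines, pairs them by AMEVENTID, and counts how many redirects each AMAUTHID suffered. The first lines of the sample input are taken from the log excerpt above; the rest are constructed. Two things are assumptions, not stated in this TID: that the two dotted-quad fields inside Cookie[...] are the address the session was bound to and the current client address (CIP:), in that order, and that the validation line and the mismatch line of one request share an AMEVENTID. The cookie_accepted function is a model of the behaviour the Additional Information section describes, not the LAG's own logic.

```python
"""Triage ics_dyn.log (DEBUG level 7) for the LAG cookie/IP mismatch loop.

Added example for this TID, not Novell code. Assumptions (not stated in the
TID): the two dotted-quad fields inside Cookie[...] are the address the session
was bound to and the current client address (CIP:), in that order; the
COOKIE_VALIDATION line and the mismatch line of one request share an AMEVENTID.
"""
import re
from collections import Counter

# Sample input: the first three lines are from the TID excerpt; the remaining
# lines are constructed to show a second loop iteration and a healthy request.
SAMPLE_LOG = """\
Jan  6 16:01:08 exlmad0a0146 : AM#504504000: AMDEVICEID#ag-E12AD37549DD2AA: AMAUTHID#0: AMEVENTID#1591: Got   valid Cookie[1102191248 131072 1979328327 1247904132  165.197.19.242 0.2 CIP:165.197.19.246] COOKIE_VALIDATION
Jan  6 16:01:08 exlmad0a0146 : AM#104504000: AMDEVICEID#ag-E12AD37549DD2AA: AMAUTHID#2E9826B446657573CA850293E212C303: AMEVENTID#1591: Browser IP address does not match with the IAUser
Jan  6 16:01:08 exlmad0a0146 : AM#504504000: AMDEVICEID#ag-E12AD37549DD2AA: AMAUTHID#2E9826B446657573CA850293E212C303: AMEVENTID#1591: Redirect to LAGBroker
Jan  6 16:01:09 exlmad0a0146 : AM#504504000: AMDEVICEID#ag-E12AD37549DD2AA: AMAUTHID#0: AMEVENTID#1592: Got   valid Cookie[1102191248 131072 1979328327 1247904132  165.197.19.242 0.2 CIP:165.197.19.250] COOKIE_VALIDATION
Jan  6 16:01:09 exlmad0a0146 : AM#104504000: AMDEVICEID#ag-E12AD37549DD2AA: AMAUTHID#2E9826B446657573CA850293E212C303: AMEVENTID#1592: Browser IP address does not match with the IAUser
Jan  6 16:01:09 exlmad0a0146 : AM#504504000: AMDEVICEID#ag-E12AD37549DD2AA: AMAUTHID#0: AMEVENTID#1593: Got   valid Cookie[1102191248 131072 1979328327 1247904132  10.1.2.3 0.2 CIP:10.1.2.3] COOKIE_VALIDATION
Jan  6 16:01:09 exlmad0a0146 : AM#504504000: AMDEVICEID#ag-E12AD37549DD2AA: AMAUTHID#7A1B2C3D: AMEVENTID#1593: AuthServerRequestDS - handleRequestAfterEventProcessing with request state = 6, action = 0
"""

LINE_RE = re.compile(r"AMAUTHID#(?P<authid>[0-9A-Fa-f]+): AMEVENTID#(?P<event>\d+): (?P<msg>.*)$")
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# Assumed field layout inside Cookie[...]: "<bound ip> <something> CIP:<client ip>"
COOKIE_RE = re.compile(rf"Cookie\[[^\]]*?({IPV4})\s+\S+\s+CIP:({IPV4})[^\]]*\]")
MISMATCH = "Browser IP address does not match with the IAUser"


def triage(log_text):
    """Return mismatch findings and per-AMAUTHID loop counts for the log text."""
    cookie_ips = {}   # AMEVENTID -> (bound_ip, client_ip) from COOKIE_VALIDATION
    mismatches = []
    loops = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        event, authid, msg = m["event"], m["authid"], m["msg"]
        if "COOKIE_VALIDATION" in msg:
            c = COOKIE_RE.search(msg)
            if c:
                cookie_ips[event] = (c.group(1), c.group(2))
        elif MISMATCH in msg:
            # Pair the failure with the cookie seen for the same AMEVENTID
            mismatches.append({"event": event, "authid": authid,
                               "ips": cookie_ips.get(event)})
            loops[authid] += 1
    return {"mismatches": mismatches, "loops_by_authid": dict(loops)}


def cookie_accepted(bound_ip, request_ip, ip_check_disabled=False):
    """Model of the check the touch file removes: with the check on, a cookie
    presented from an address other than the one it was bound to is rejected
    (the LAG redirects to LAGBroker); with /etc/lagDisableAuthIPCheck present
    the address is ignored. This is a model of the described behaviour, not
    LAG code."""
    return ip_check_disabled or bound_ip == request_ip


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["mismatches"]:
        bound, client = f["ips"] if f["ips"] else ("?", "?")
        print(f"AMEVENTID#{f['event']} AMAUTHID#{f['authid']}: "
              f"cookie bound to {bound}, request arrived from {client}")
    for authid, n in result["loops_by_authid"].items():
        print(f"AMAUTHID#{authid}: {n} redirect(s) caused by the IP check")
```

Run it against a real ics_dyn.log by passing the file contents to triage(); a session whose AMAUTHID accumulates several mismatches with differing client addresses, as in the sample, is the pattern this TID describes, whereas mismatches with a single fixed client address point at something else and the touch file is not the answer.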