Novell Home

My Favorites

Close

Please to see your favorites.

300101011 Error (Assertion is being replayed) accessing Access Gateway protected resources

This document (7013199) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ Access Manager 3.2
NetIQ Identity Server acting as a SAML2 Service Provider
3rd party SAML2 Identity Server
Firefox, Chrome, IE6 browsers work without issues
IE7 and greater experiencing errors

Situation

Access Manager setup and working well ie. users can access protected resources successfully after having autenticated at the NAM Identity server. A new application was rolled out that required users to authenticate using an external contract to a remote SAML2 Identity server. The user would hit the Access Gateway (AG) protected resource, get redirected to the NAM Identity server which in turn generates a SAML AuthnRequest to the remote Identity server. Once authenticated, the assertion was passed all the way back to the NAM Identity server and AG so that the SSO happened. This all worked fine with initial testing. However, as the application was rolled out some users started reporting the following errors on the browser :

Error status 300101011 - Assertion is being replayed
An assertion has been received that was already used to authenticate a user at the service provider.

Turns out that the users reporting this were on IE7 and greater, whereas users on older versions of IE and latest CHrome or Firefox browser had no issues.

Resolution

Changed to AG Proxy Server certificate to one whose subject name matched the DNS name of that proxy server.

The situation we were in was that the server certificate assigned to the reverse proxy (published dns name esp.secure.windows.co.uk) the users were hitting was actually the test-connector certificate when it should have been esp_secure_windows_co_uk.  Most browsers (Firefox, Chrome, IE6) don't care about this and you can simply select accept to continue, but apparently IE7 and above do care and we were seeing a duplicate assertion sent as a result. The 

following link seems to suggests that it has been seen on other software:


http://help.netmail.com/pages/viewpage.action?pageId=5506721



The reason the test-connector certificate was still in use was because of a failed certificate change to the proxy.  It failed because the devman.keystore certificate had expired (updates never progressed from pending to current).  We replaced the devman certificate which then allowed us to change to the correct proxy certificate, and all is well with Internet Explorer 7+.


Additional Information

The catalina log files confirms that the browser POSTs the assertion from the Remote IDP server 2 times, 4 secs apart. Both the assertionID and ResponseID are the same - these should be unique. This would indicate that it is not a NAM issue but an issue with the browser or app or remote IDP server.



// Response 1 from IDP server



<amLogEntry seq="27376620" d="2013-07-15T13:04:19Z" lg="SAML2" lv="DEBUG" th="15" ><msg>Method: SAML2Profile.traceMessage
Thread: http-443-Processor4




************************* SAML2 POST message ********************************



Type: received
 RelayState: https://sp.secure.windows.co.uk/frame.wpl/839
&lt;samlp:Response xmlns:samlp=&quot;urn:oasis:names:tc:SAML:2.0:protocol&quot; xmlns:ds=&quot;http://www.w3.org/2000/09/xmldsig#&quot;; xmlns:saml=&quot;urn:oasis:names:tc:SAML:2.0:assertion&quot; xmlns:xs=&quot;http://www.w3.org/2001/XMLSchema&quot;; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot;; Destination=&quot;https://ids.secure.windows.co.uk/nidp/saml2/spassertion_consumer&quot;; ID=&quot;I570BE9E71A6796CB2E37680C543E34386ADE1BB2&quot; IssueInstant=&quot;2013-07-15T13:04:29Z&quot; Version=&quot;2.0&quot;&gt;&lt;saml:Issuer&gt;idp.mymoneyworks.co.uk&lt;/saml:Issuer&gt;&lt;samlp:Status&gt;&lt;samlp:StatusCode Value=&quot;urn:oasis:names:tc:SAML:2.0:status:Success&quot;/&gt;&lt;/samlp:Status&gt;&lt;saml:Assertion xmlns:xenc=&quot;http://www.w3.org/2001/04/xmlenc#&quot;; ID=&quot;A27E77BF4463B0C507767C32A8D7576415858DDCB&quot; IssueInstant=&quot;2013-07-15T13:04:29Z&quot; Version=&quot;2.0&quot; xmlns:ds=&quot;http://www.w3.org/2000/09/xmldsig#&quot;; xmlns:saml=&quot;urn:oasis:names:tc:SAML:2.0:assertion&quot; xmlns:xs=&quot;http://www.w3.org/2001/XMLSchema&quot;; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot;&gt;&lt;saml:Issuer&gt;idp.mymoneyworks.co.uk&lt;/saml:Issuer&gt;&lt;dsig:Signature xmlns:dsig=&quot;http://www.w3.org/2000/09/xmldsig#&quot;&gt;&lt;dsig:SignedInfo&gt;&lt;dsig:CanonicalizationMethod Algorithm=&quot;http://www.w3.org/2001/10/xml-exc-c14n#&quot;/&gt;&lt;dsig:SignatureMethod Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#rsa-sha1&quot;/&gt;&lt;dsig:Reference URI=&quot;#A27E77BF4463B0C507767C32A8D7576415858DDCB&quot;&gt;&lt;dsig:Transforms&gt;&lt;dsig:Transform Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#enveloped-signature&quot;/&gt;&lt;dsig:Transform Algorithm=&quot;http://www.w3.org/2001/10/xml-exc-c14n#&quot;&gt;&lt;ec14n:InclusiveNamespaces xmlns:ec14n=&quot;http://www.w3.org/2001/10/xml-exc-c14n#&quot;; PrefixList=&quot;xs xsi&quot;/&gt;&lt;/dsig:Transform&gt;&lt;/dsig:Transforms&gt;&lt;dsig:DigestMethod Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#sha1&quot;/&gt;&lt;dsig:DigestValue&gt;Hfe0DfNl/ryu2E6H+29JlxjkxYE=&lt;/dsig:DigestValue&gt;&lt;/dsig:Reference&gt;&lt;/dsig:SignedInfo&gt;&lt;dsig:SignatureValue&gt;XWdif+hMXz7qP9+icEgCljEwunnC4V2OLzXw+r9YBjN0K3v2lzIZrfzalnZLkOrr+zOUGE3Hsp48XdgYbjFS1sD6rxHVZhms3CZj4Ede4BRUONNHQSAgN85z3Oknmq8KBYOl9FNLZDvyA3ZteR5lkB81SWRbEdnbFVC2djSmyXYPoRxhJs7qhEzEFHOOoc36cLaVXLIesZ/COCTFfnO11AbLpzngDEK6cgLVazAnZBlydMYeWVeSAioWcS8/oYEdMDZEv0zL9qCF3QWArv2Uy7iWD/fTXrsCltcTTX9fy3egBqV2Lf6FKAW8qHiltLVM5f+dOrJv0CDXqNTqtObI8A==&lt;/dsig:SignatureValue&gt;&lt;/dsig:Signature&gt;&lt;saml:Subject&gt;&lt;saml:NameID Format=&quot;urn:oasis:names:tc:SAML:2.0:nameid-format:persistent&quot; NameQualifier=&quot;idp.mymoneyworks.co.uk&quot; SPNameQualifier=&quot;https://ids.secure.windows.co.uk/nidp/saml2/metadata&quot;&gt;1dba9fac698aab5efb8cd7359bcb6c2977297e9b&lt;/saml:NameID&gt;&lt;saml:SubjectConfirmation Method=&quot;urn:oasis:names:tc:SAML:2.0:cm:bearer&quot;&gt;&lt;saml:SubjectConfirmationData NotOnOrAfter=&quot;2013-07-15T13:05:34Z&quot; Recipient=&quot;https://ids.secure.windows.co.uk/nidp/saml2/spassertion_consumer&quot;/&gt;&lt;/saml:SubjectConfirmation&gt;&lt;/saml:Subject&gt;&lt;saml:Conditions NotBefore=&quot;2013-07-15T13:04:24Z&quot; NotOnOrAfter=&quot;2013-07-15T13:05:34Z&quot;&gt;&lt;saml:AudienceRestriction&gt;&lt;saml:Audience&gt;https://ids.secure.windows.co.uk/nidp/saml2/metadata&lt;/saml:Audience&gt;&lt;/saml:AudienceRestriction&gt;&lt;saml:OneTimeUse/&gt;&lt;/saml:Conditions&gt;&lt;saml:AuthnStatement AuthnInstant=&quot;2013-07-15T13:02:44Z&quot; SessionIndex=&quot;A27E77BF4463B0C507767C32A8D7576415858DDCB&quot; SessionNotOnOrAfter=&quot;2013-07-15T21:02:49Z&quot;&gt;&lt;saml:AuthnContext&gt;&lt;saml:AuthnContextClassRef&gt;urn:oasis:names:tc:SAML:2.0:ac:classes:Password&lt;/saml:AuthnContextClassRef&gt;&lt;/saml:AuthnContext&gt;&lt;/saml:AuthnStatement&gt;&lt;/saml:Assertion&gt;&lt;/samlp:Response&gt;
************************* End SAML2 message ****************************</msg></amLogEntry>





// Response 2 from IDP server 4 secs later



************************* SAML2 POST message ********************************



Type: received
 RelayState: https://sp.secure.windows.co.uk/frame.wpl/839
&lt;samlp:Response xmlns:samlp=&quot;urn:oasis:names:tc:SAML:2.0:protocol&quot; xmlns:ds=&quot;http://www.w3.org/2000/09/xmldsig#&quot;; xmlns:saml=&quot;urn:oasis:names:tc:SAML:2.0:assertion&quot; xmlns:xs=&quot;http://www.w3.org/2001/XMLSchema&quot;; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot;; Destination=&quot;https://ids.secure.windows.co.uk/nidp/saml2/spassertion_consumer&quot;; ID=&quot;I570BE9E71A6796CB2E37680C543E34386ADE1BB2&quot; IssueInstant=&quot;2013-07-15T13:04:29Z&quot; Version=&quot;2.0&quot;&gt;&lt;saml:Issuer&gt;idp.mymoneyworks.co.uk&lt;/saml:Issuer&gt;&lt;samlp:Status&gt;&lt;samlp:StatusCode Value=&quot;urn:oasis:names:tc:SAML:2.0:status:Success&quot;/&gt;&lt;/samlp:Status&gt;&lt;saml:Assertion xmlns:xenc=&quot;http://www.w3.org/2001/04/xmlenc#&quot;; ID=&quot;A27E77BF4463B0C507767C32A8D7576415858DDCB&quot; IssueInstant=&quot;2013-07-15T13:04:29Z&quot; Version=&quot;2.0&quot; xmlns:ds=&quot;http://www.w3.org/2000/09/xmldsig#&quot;; xmlns:saml=&quot;urn:oasis:names:tc:SAML:2.0:assertion&quot; xmlns:xs=&quot;http://www.w3.org/2001/XMLSchema&quot;; xmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot;&gt;&lt;saml:Issuer&gt;idp.mymoneyworks.co.uk&lt;/saml:Issuer&gt;&lt;dsig:Signature xmlns:dsig=&quot;http://www.w3.org/2000/09/xmldsig#&quot;&gt;&lt;dsig:SignedInfo&gt;&lt;dsig:CanonicalizationMethod Algorithm=&quot;http://www.w3.org/2001/10/xml-exc-c14n#&quot;/&gt;&lt;dsig:SignatureMethod Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#rsa-sha1&quot;/&gt;&lt;dsig:Reference URI=&quot;#A27E77BF4463B0C507767C32A8D7576415858DDCB&quot;&gt;&lt;dsig:Transforms&gt;&lt;dsig:Transform Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#enveloped-signature&quot;/&gt;&lt;dsig:Transform Algorithm=&quot;http://www.w3.org/2001/10/xml-exc-c14n#&quot;&gt;&lt;ec14n:InclusiveNamespaces xmlns:ec14n=&quot;http://www.w3.org/2001/10/xml-exc-c14n#&quot;; PrefixList=&quot;xs xsi&quot;/&gt;&lt;/dsig:Transform&gt;&lt;/dsig:Transforms&gt;&lt;dsig:DigestMethod Algorithm=&quot;http://www.w3.org/2000/09/xmldsig#sha1&quot;/&gt;&lt;dsig:DigestValue&gt;Hfe0DfNl/ryu2E6H+29JlxjkxYE=&lt;/dsig:DigestValue&gt;&lt;/dsig:Reference&gt;&lt;/dsig:SignedInfo&gt;&lt;dsig:SignatureValue&gt;XWdif+hMXz7qP9+icEgCljEwunnC4V2OLzXw+r9YBjN0K3v2lzIZrfzalnZLkOrr+zOUGE3Hsp48XdgYbjFS1sD6rxHVZhms3CZj4Ede4BRUONNHQSAgN85z3Oknmq8KBYOl9FNLZDvyA3ZteR5lkB81SWRbEdnbFVC2djSmyXYPoRxhJs7qhEzEFHOOoc36cLaVXLIesZ/COCTFfnO11AbLpzngDEK6cgLVazAnZBlydMYeWVeSAioWcS8/oYEdMDZEv0zL9qCF3QWArv2Uy7iWD/fTXrsCltcTTX9fy3egBqV2Lf6FKAW8qHiltLVM5f+dOrJv0CDXqNTqtObI8A==&lt;/dsig:SignatureValue&gt;&lt;/dsig:Signature&gt;&lt;saml:Subject&gt;&lt;saml:NameID Format=&quot;urn:oasis:names:tc:SAML:2.0:nameid-format:persistent&quot; NameQualifier=&quot;idp.mymoneyworks.co.uk&quot; SPNameQualifier=&quot;https://ids.secure.windows.co.uk/nidp/saml2/metadata&quot;&gt;1dba9fac698aab5efb8cd7359bcb6c2977297e9b&lt;/saml:NameID&gt;&lt;saml:SubjectConfirmation Method=&quot;urn:oasis:names:tc:SAML:2.0:cm:bearer&quot;&gt;&lt;saml:SubjectConfirmationData NotOnOrAfter=&quot;2013-07-15T13:05:34Z&quot; Recipient=&quot;https://ids.secure.windows.co.uk/nidp/saml2/spassertion_consumer&quot;/&gt;&lt;/saml:SubjectConfirmation&gt;&lt;/saml:Subject&gt;&lt;saml:Conditions NotBefore=&quot;2013-07-15T13:04:24Z&quot; NotOnOrAfter=&quot;2013-07-15T13:05:34Z&quot;&gt;&lt;saml:AudienceRestriction&gt;&lt;saml:Audience&gt;https://ids.secure.windows.co.uk/nidp/saml2/metadata&lt;/saml:Audience&gt;&lt;/saml:AudienceRestriction&gt;&lt;saml:OneTimeUse/&gt;&lt;/saml:Conditions&gt;&lt;saml:AuthnStatement AuthnInstant=&quot;2013-07-15T13:02:44Z&quot; SessionIndex=&quot;A27E77BF4463B0C507767C32A8D7576415858DDCB&quot; SessionNotOnOrAfter=&quot;2013-07-15T21:02:49Z&quot;&gt;&lt;saml:AuthnContext&gt;&lt;saml:AuthnContextClassRef&gt;urn:oasis:names:tc:SAML:2.0:ac:classes:Password&lt;/saml:AuthnContextClassRef&gt;&lt;/saml:AuthnContext&gt;&lt;/saml:AuthnStatement&gt;&lt;/saml:Assertion&gt;&lt;/samlp:Response&gt;
************************* End SAML2 message ****************************</msg></amLogEntry>
<amLogEntry seq="27376691" d="2013-07-15T13:04:23Z" lg="SAML2" lv="DEBUG" th="14" ><msg>Method: SAML2AuthnContext.parse
Thread: http-443-Processor3
expiration: 0</msg></amLogEntry>
<amLogEntry seq="27376692" d="2013-07-15T13:04:23Z" lg="SAML2" lv="DEBUG" th="14" ><msg>Method: SAML2Profile.A
Thread: http-443-Processor3
Processing artifact for pre-brokering, provider= idp.mymoneyworks.co.uk and relayState = https://sp.secure.windows.co.uk/frame.wpl/839</msg></amLogEntry>
<amLogEntry seq="27376693" d="2013-07-15T13:04:23Z" lg="SAML2" lv="DEBUG" th="14" ><msg>Method: SAML2Profile.A
Thread: http-443-Processor3
Relaystate does not have Intersite Transfer request.. no brokering policy enforcement is needed</msg></amLogEntry>
<amLogEntry seq="27376694" d="2013-07-15T13:04:23Z" lg="Application" lv="VERBOSE" th="14" ><msg>IDP response failed to authenticate: NIDPLOGGING.300101011</msg></amLogEntry>
<amLogEntry seq="27376695" d="2013-07-15T13:04:23Z" lg="SAML2" lv="WARNING" th="14" ><msg>Exception message: &quot;NIDPLOGGING.300101011&quot;
     y, Line: 2431, Method: validate
     y, Line: 3075, Method: verifyResponse
     y, Line: 277, Method: handleAuthentication
     y, Line: 2562, Method: processResponse
     y, Line: 226, Method: processResponse
     y, Line: 1125, Method: handleInBoundMessage
     y, Line: 3474, Method: processResponse
     y, Line: 2544, Method: A


Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7013199
  • Creation Date:03-SEP-13
  • Modified Date:03-SEP-13
    • NetIQAccess Manager (NAM)

Did this document solve your problem? Provide Feedback