Error 403 Forbidden Access when trying to authenticate into Vibe account via IIS / SSO configuration.

  • 7016003
  • 17-Dec-2014
  • 06-Jan-2015

Environment

Novell Vibe 3.4

Situation

You have installed and configured Vibe 3.4 and, on top of it, want to add single sign-on (SSO) through IIS. Once the IIS front end is in place, an imported (LDAP-synchronized) user can no longer log in to Vibe through it. When you connect directly to the Vibe server, the same user can log in without any problem.
When you check the catalina.out log file, you will see entries similar to the example below:
 
[TP-Processor2] [org.kablink.teaming.module.authentication.impl.AuthenticationModuleImpl] - Authentication failure for zone 1: org.springframework.security.userdetails.UsernameNotFoundException: No such user; nested exception is org.kablink.teaming.security.authentication.UserDoesNotExistException: Unrecognized user [kablink,<AD-domain-name>\<user-account>.

Resolution

When a user is authenticated through IIS and IIS passes the user information on to the Vibe server, it sends the NetBIOS domain name (the short, legacy domain name) rather than the full DNS domain name. When Vibe subsequently validates this user against LDAP, it compares the user's domain name (obtained through the LDAP interface) with the IIS-supplied domain name to ensure that the authenticated user actually matches the Vibe-provisioned user.
 
Up to Vibe 3.4, the ssf.properties file contains the following setting:
 
ldap.domain.matcher.class=org.kablink.teaming.spring.security.ldap.DefaultDomainMatcher
 
This default (and stricter) matcher makes an assumption about the relationship between the NetBIOS domain name and the full domain name. Since most customers use the NetBIOS name as part of the full domain name (at least, that appears to be the default AD behaviour as far as we understand), the default matcher simply looks for the NetBIOS name within the full domain name: if it is found, validation passes; if not, it fails.
 
We have seen several customers who do not follow this convention: their full domain names do not contain the NetBIOS domain name. In that case the default validation fails, and they can work around the issue by specifying NullDomainMatcher in the ssf-ext.properties file (which overrides the default in ssf.properties):
 
ldap.domain.matcher.class=org.kablink.teaming.spring.security.ldap.NullDomainMatcher
 
After adding this line to ssf-ext.properties, restart the Teaming (Vibe) services. Note that NullDomainMatcher skips the domain-name comparison altogether, so the IIS-supplied domain is no longer checked against the domain obtained from LDAP; use it only where the NetBIOS name genuinely is not part of the full domain name, and keep DefaultDomainMatcher otherwise.
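To make the matching rule from the Resolution concrete, the following is an added example written for this page; it is an illustrative reimplementation of the behaviour the TID describes, not Vibe's own DefaultDomainMatcher or NullDomainMatcher code. It assumes (the article does not say) that the comparison is case-insensitive, that IIS hands Vibe the principal as NETBIOS\user, and that the LDAP-side domain is taken from the DC= components of the user's DN. The helper names (split_principal, dn_to_domain, accept_sso_user, domains_failing_default) and the sample principals and DNs are constructed for the example.

```python
"""Illustrative reimplementation of the domain-matching rule described in
this TID, written for this page: it is NOT Vibe's own DefaultDomainMatcher
or NullDomainMatcher code. Assumed (not confirmed by the article): the
comparison is case-insensitive, IIS hands Vibe the principal as
NETBIOS\\user, and the LDAP-side domain is read from the user's DN."""

DEFAULT_MATCHER = "org.kablink.teaming.spring.security.ldap.DefaultDomainMatcher"
NULL_MATCHER = "org.kablink.teaming.spring.security.ldap.NullDomainMatcher"


def split_principal(principal: str) -> tuple[str, str]:
    """Split the IIS-supplied principal 'NETBIOS\\user' into (domain, user)."""
    if "\\" not in principal:
        raise ValueError(f"expected NETBIOS\\user, got {principal!r}")
    domain, user = principal.split("\\", 1)
    return domain, user


def dn_to_domain(dn: str) -> str:
    """Derive the DNS domain from the DC= components of an LDAP DN
    (assumed source of the 'domain name obtained through LDAP')."""
    parts = [p.strip() for p in dn.split(",")]
    dcs = [p.split("=", 1)[1] for p in parts if p.lower().startswith("dc=")]
    return ".".join(dcs).lower()


def default_domain_matcher(netbios_domain: str, ldap_domain: str) -> bool:
    """DefaultDomainMatcher as the article describes it: pass only when the
    NetBIOS name occurs inside the full domain name (case-insensitive, assumed)."""
    return netbios_domain.lower() in ldap_domain.lower()


def null_domain_matcher(netbios_domain: str, ldap_domain: str) -> bool:
    """NullDomainMatcher: the domain comparison is skipped entirely, so any
    NetBIOS name is accepted for any LDAP domain."""
    return True


MATCHERS = {DEFAULT_MATCHER: default_domain_matcher, NULL_MATCHER: null_domain_matcher}


def accept_sso_user(principal: str, user_dn: str, matcher_class: str) -> bool:
    """Return True if the IIS-authenticated principal would pass the domain
    check against the provisioned user's DN under the configured matcher."""
    netbios, _user = split_principal(principal)
    return MATCHERS[matcher_class](netbios, dn_to_domain(user_dn))


def domains_failing_default(pairs):
    """Given (NetBIOS name, DNS domain) pairs for the AD domains Vibe syncs,
    return those the default matcher would reject, i.e. the deployments
    that need ldap.domain.matcher.class=...NullDomainMatcher."""
    return [(n, d) for n, d in pairs if not default_domain_matcher(n, d)]


if __name__ == "__main__":
    # Constructed sample data: one domain that follows the AD default naming
    # (NetBIOS name is a label of the DNS name) and one that does not.
    cases = [
        ("CORP\\jsmith", "CN=jsmith,OU=Users,DC=corp,DC=example,DC=com"),
        ("LEGACY\\jsmith", "CN=jsmith,OU=Users,DC=example,DC=com"),
    ]
    for principal, dn in cases:
        for cls in (DEFAULT_MATCHER, NULL_MATCHER):
            print(f"{principal:15} vs {dn_to_domain(dn):18} "
                  f"{cls.rsplit('.', 1)[1]:22} -> {accept_sso_user(principal, dn, cls)}")
```

Running the block shows the failure mode from the Situation: LEGACY\jsmith is rejected under DefaultDomainMatcher because "legacy" is not found in "example.com", and accepted under NullDomainMatcher only because that matcher performs no comparison at all. domains_failing_default lets you check your own (NetBIOS, DNS) pairs before deciding whether the override in ssf-ext.properties is actually needed.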