OpenAM : Failed to get the valid sessions from the specified server - session

I have an issue retrieving current sessions in OpenAM.
When I connect with the amAdmin user on the first server and go to the session item on the administration page, I cannot see the session on the second server.
I get the following error:
Failed to get the valid sessions from the specified server.
But sometimes I can see the sessions on the second server.
But when I connect with the amAdmin user on the second server and go to the session item, I can only see the open sessions on the second server (only the current sessions on the second server are displayed instead of the open sessions for the first server).
I have restarted the web container after configuring both servers, and I have also checked keystore.jk (it is the same on both servers).
The session failover is configured as recommended in the OpenAM documentation.
After checking /sso/debug -> Session
I get the following message:
ERROR: Session:getValidSession :
com.iplanet.dpro.session.SessionException: AQIC5wM2LY4Sfcx_fLoDaTo7RYYE1qLOq3Q4WtoQQ1k7_jk.*AAJTSQACMDIAAlMxAAIwMQ..* Invalid session ID.AQIC5wM2LY4Sfcx_fLoDaTo7RYYE1qLOq3Q4WtoQQ1k7_jk.*AAJTSQACMDIAAlMxAAIwMQ..*
at com.iplanet.dpro.session.Session.getSessionResponseWithoutRetry(Session.java:1583)
at com.iplanet.dpro.session.Session.getValidSessions(Session.java:1340)
at com.iplanet.dpro.session.Session.getValidSessions(Session.java:1201)
at com.sun.identity.console.session.model.SMProfileModelImpl.initSessionsList(SMProfileModelImpl.java:111)
at com.sun.identity.console.session.model.SMProfileModelImpl.getSessionCache(SMProfileModelImpl.java:307)
at com.sun.identity.console.session.SMProfileViewBean.beginDisplay(SMProfileViewBean.java:190)
at com.iplanet.jato.taglib.UseViewBeanTag.doStartTag(UseViewBeanTag.java:149)
Do you have any ideas on how to fix this issue?
Best regards

OpenAM uses an HTTP URL connection to the other instance URL (listed under 'Servers & Sites') to retrieve the session information.
If the OpenAM server instance URLs have the scheme 'https', make sure the deployment container trusts the issuer of the cert ... that's plain JSSE (http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html), not OpenAM related.
Session failover means 'failover', not session replication.

The issue has been resolved after modifying settings in the OpenAM config file 'bootstrap'.
Some settings are not correctly saved in this file.

Related

'503 Failed authentication on backend server: Unauthorized' when logging on to OWA

When logging on to OWA using a browser, you receive a 503 error. In the Fiddler trace you will see a more detailed response status code:
503 Failed authentication on backend server: Unauthorized
On the Exchange Server, you see the following System event log entry (intermittently):
Event 4 Security-Kerberos
The Kerberos client received a KRB_APP_ERR_MODIFIED error from the server exchangeserver$.
The target name used was HTTP/exchangeserver.ad.root.
This indicates that the target server failed to decrypt the ticket provided by the client.
I hope someone only receives this in a lab environment!
Here is a link to enable Kerberos logging, which could be helpful as well: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-kerberos-event-logging
After enabling Kerberos logging, you would see the KRB_APP_ERR_MODIFIED error more frequently, whereas before it would not be logged each time a logon attempt occurred.
The issue here (in the lab) was that a duplicate SPN for the Exchange Server in question was added erroneously to another server, causing a duplicate. This was due to trying to enable Kerberos delegation for a separate web application.
Although there could be a quicker way to do this, you can list the SPNs on each server to look for your erroneous exchangeserver record by running:
setspn -l otherservername (this is a lower-case L)
And if you find that SPNs like http/exchangeserver or http/exchangeserver.ad.root are listed on another server (say 'otherservername'), you can carefully remove them by running:
setspn -D http/exchangeserver otherservername
setspn -D http/exchangeserver.ad.root otherservername
I was able to log on to OWA immediately after the duplicate SPN was removed, without restarting any servers or services.
Check whether the bindings for the Exchange Backend website in IIS are correctly configured. You can check this by opening the IIS console on the server and opening the bindings for the Backend website for port 443. See whether the certificate is assigned correctly.
Also check whether the Default website's binding is correct. It should have a third-party SSL certificate or the self-signed certificate assigned.
If any of the bindings are incorrect, fix them and restart IIS (iisreset from a cmd prompt). Check again.
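The per-server SPN listing described above can be checked in one pass once the output is collected. This is an added example, not part of the original posts: it assumes `setspn -l` prints a `Registered ServicePrincipalNames for <DN>:` header followed by indented SPNs, and the sample output, DNs and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `setspn -L` output for two accounts (DNs are made up).
SAMPLE_OUTPUT = """\
Registered ServicePrincipalNames for CN=EXCHANGESERVER,OU=Servers,DC=ad,DC=root:
\tHTTP/exchangeserver.ad.root
\tHTTP/exchangeserver
\tHOST/exchangeserver.ad.root
Registered ServicePrincipalNames for CN=OTHERSERVERNAME,OU=Servers,DC=ad,DC=root:
\thttp/exchangeserver
\thttp/exchangeserver.ad.root
\tHOST/otherservername.ad.root
"""
HEADER = re.compile(r"^Registered ServicePrincipalNames for (.+):\s*$")

def parse_setspn(text):
    """Return {account DN: [SPN, ...]} from concatenated `setspn -L` output."""
    accounts, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            accounts.setdefault(current, [])
        elif current and line.strip() and line[0] in " \t":
            accounts[current].append(line.strip())
    return accounts

def duplicate_spns(accounts):
    """Return {lower-cased SPN: sorted DNs} for SPNs held by more than one account."""
    owners = defaultdict(set)
    for dn, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].add(dn)  # SPN comparison is case-insensitive
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}

def removal_commands(dupes, rightful_owner_cn):
    """Build `setspn -D` lines for an admin to review; nothing is executed."""
    cmds = []
    for spn, dns in sorted(dupes.items()):
        for dn in dns:
            cn = dn.split(",")[0].split("=", 1)[1]
            if cn.lower() != rightful_owner_cn.lower():
                cmds.append(f"setspn -D {spn} {cn.lower()}")
    return cmds

if __name__ == "__main__":
    found = duplicate_spns(parse_setspn(SAMPLE_OUTPUT))
    print("\n".join(removal_commands(found, "exchangeserver")))
```

The generated lines are the same `setspn -D` commands shown in the post and are meant to be reviewed before anyone runs them.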

Cannot connect to RabbitMq from an Asp.Net application

I have an ASP.NET MVC application that interacts with RabbitMq. Everything works great locally.
However, on our deployment server it cannot connect:
DEBUG|MassTransit.RabbitMqTransport.Integration.RabbitMqConnectionCache|Connecting: muyuser#localhost:5672/|
ERROR|MassTransit.RabbitMqTransport.RabbitMqReceiveTransport|RabbitMQ connection failed: Connect failed: muyuser#localhost:5672/|
What I'm able to gather is this:
In order to connect to RabbitMq you need a valid .erlang.cookie in (on Windows) your User root.
As best I can tell, this cookie is created when you install RabbitMq.
In development we're using localdb, which runs as the developer's user (which has this cookie).
In production the application runs on IIS, which uses the application pool and the built-in ApplicationPoolIdentity account, which doesn't have a User folder for the .erlang.cookie file to live in.
So the question becomes... what now? How is this intended to work?
Obviously we could create a dedicated user for the web application, but our system administrator is understandably very reluctant to do this.
Another clue is that when I tried to RDP, log in as myself and connect to rabbit, I found that I could not. After troubleshooting I discovered that my cookie didn't match up with that of others who could! I replaced it with the one from c:\windows\.erlang.cookie and could then connect from the CLI. It seems possible that there is a cookie installed somewhere for the ApplicationPoolIdentity but it is an incorrect cookie. What is the location where it would go?
Erlang cookies are used for internode communication, whether it is for clustering RabbitMQ or for contacting RabbitMQ via the command line using rabbitmqctl.
If you have problems with an AMQP connection, then the erlang cookie has nothing to do here.
Take a look at access control https://www.rabbitmq.com/access-control.html to see if your user is properly configured.
At the same time check the server logs to see why the connection is refused.

Glassfish Cluster Session Problems On Amazon EC2 Using Elastic Load Balancer

First this app works perfectly fine in a non-clustered environment.
The problem we have is when the ELB routes first to one server in a cluster during a session, then to a second server. The second server can't find the session. e.g.
An iOS app passes a login call to a GlassFish 4 server cluster (we're using OAuth/Facebook tokens, so no GlassFish security realms).
The Amazon Elastic Load Balancer (ELB) sends to server 1.
Session is authenticated and user logged in and a session cookie passed back to the app.
Immediately the app sends another request which needs authentication (is this a valid session).
The ELB decides to send the request to server 2
In our authenticate servlet filter, server 2 can't find a session with the id passed in with the cookie
The servlet says the user is not authenticated and the call fails.
Our code is pretty typical for finding the session (if no session, immediately return fail):
HttpSession session = req.getSession(false);
if (session == null) {
    // session not authenticated: log and return
} else {
    // session authenticated: log and return
}
If the second call gets routed to the same server as the login, the second call works fine. Whenever a call (be it the second, third, fourth, whatever) goes to the second server, authentication fails because it can't find the session on the second server.
I'm looking to see if anyone has encountered something like this and how you have resolved the issue. Is it better to use sticky sessions on the ELB, or is Apache web server using JK or AJP a better choice?
Two potential issues off the top of my head:
Have you specified <distributable/> in your web.xml?
Could be a multicast issue. EC2 does not support multicast, which is what GlassFish uses by default. Check out this stackoverflow thread that discusses the topic, including non-multicast clustering.

Unable to locally debug because sql connection string is being ignored

I'm currently attempting to debug a solution that I've picked up as a side project but I'm not having much luck. The solution depends on data (user IDs, page content, etc) stored on an MSSQL server on my local network, but when I execute the solution in VS2012 debug mode the connection fails. The error I'm getting says that the connection failed, and that the user was rejected.
When I log into the SQL server and check the event logs I can see where the login ID was rejected, but it was rejected because it wasn't the login ID that I specified in the connection string. It seems to be trying to use my Windows authentication instead (which in Windows 8 is a live ID), which won't work because my Windows ID doesn't (and shouldn't) have access to the server.
Some basic connection string info (all data changed to protect the innocent... aka my poor server):
Data Source=myServer; Initial Catalog=myDB; User ID=myUsername; Password=myPassword; Integrated Security=false;
Has anyone run into this issue?
Do a search in the entire solution for myServer. This should shed light on the issue, given the connection string is defined somewhere else and it connects to the same server.

Impersonated process will not log on to Oracle with Windows Authentication

I am running an ASP.NET web service on IIS7. The latter is running on a Windows 2008 R2 Server. IIS7/the web service is configured for ASP.NET impersonation. The worker process owner is set to NETWORK SERVICE.
The web service invokes sqlplus.exe impersonated with his/her domain account on the server. I can see that through the task manager. However, when sqlplus is started, Oracle says the username/password is wrong.
sqlplus.exe is started like this: sqlplus.exe / . This works great if I manually log on to the server with the user account and type the statement above; everything works great.
I believe you're running into the "double hop" issue here.
Your first hop is using impersonation from the client's computer to the web server. The second hop is from the web server to your database server, where you're attempting to pass those same credentials along to the database.
When you manually log on and run the sqlplus statement, it's only a single hop from the web server to the database server.
The following is quoted from MSDN. Notice the recommendation to use basic authentication from the client to the web server.
The double-hop issue occurs when the ASPX page attempts to use resources located on a server that is different from the IIS server. In our case, the first "hop" is from the web browser client to the IIS ASPX page; the second hop is to Active Directory. Active Directory requires a primary token. Therefore, the IIS server must know the password for the client to pass a primary token to Active Directory. If the IIS server has a secondary token, the NTAUTHORITY\ANONYMOUS account credentials are used. This account is not a domain account and has very limited access to Active Directory.
The double-hop using a secondary token occurs, for example, when the browser client is authenticated to the IIS ASPX page by using NTLM authentication. In this example, the IIS server has a hashed version of the password as a result of using NTLM. If IIS turns around and passes the credentials to Active Directory, IIS is passing a hashed password. Active Directory cannot verify the password so it uses NTAUTHORITY\ANONYMOUS LOGON for authentication.
If your browser client uses Basic authentication to authenticate to the IIS ASPX page, the IIS server has the client password and can make a primary token to pass to Active Directory. Active Directory can verify the password and authenticate the domain user.
http://msdn.microsoft.com/en-us/library/ms817871.aspx
