I'm pretty sure this is a client setup issue, but have already ruled out
pretty much all the usual suspects.

Kerberos integration configured as per the docs (except that the user store
is IDM rather than AD). NAM 3.2.1.

Two users on the same subnet, running the same OS with the same browser:

XXX.XXX.XXX.58 - - [07/Mar/2013:15:26:30 +0100] "GET /nidp/app/login?id=krb&target=https://ids.acme.com/nidp/saml2/idpsend?id=cwt1 HTTP/1.1" 401 2291
XXX.XXX.XXX.58 - - [07/Mar/2013:15:26:30 +0100] "GET /nidp/app/login?id=krb&target=https://ids.acme.com/nidp/saml2/idpsend?id=cwt1 HTTP/1.1" 400 -
XXX.XXX.XXX.39 - - [07/Mar/2013:14:17:38 +0100] "GET /nidp/app/login?id=krb&target=https://ids.acme.com/nidp/saml2/idpsend?id=cwt1 HTTP/1.1" 401 2291
XXX.XXX.XXX.39 - - [07/Mar/2013:14:17:43 +0100] "GET /nidp/app/login?id=krb&target=https://ids.acme.com/nidp/saml2/idpsend?id=cwt1 HTTP/1.1" 200 433
XXX.XXX.XXX.39 - - [07/Mar/2013:14:17:43 +0100] "GET /nidp/saml2/idpsend?id=cwt1 HTTP/1.1" 200 6894
I've got debug level logging turned on but for the failure scenario, I
see the first request get processed (that ends up with a response to the
client of 401 - which means auth required). However I don't see anything
in the logs to show that the client re-sent the request with an
authorization header.

Looking on the client side, I see that the re-sent request included an
authorization header, but it seems like Access Manager never sees this
re-sent request.

Has anyone else seen this? Is this a bug?