I'm pretty sure this is a client setup issue, but have already ruled out
pretty much all the usual suspects.

Scenario:

Kerberos integration configured as per the docs (except that user store
is IDM rather than AD). NAM 3.2.1

Two users on the same subnet, running the same OS with the same browser.

Failure:

Code:
--------------------
XXX.XXX.XXX.58 - - [07/Mar/2013:15:26:30 +0100] "GET /nidp/app/login?id=krb&target=https://ids.acme.com/nidp/saml2/idpsend?id=cwt1 HTTP/1.1" 401 2291
XXX.XXX.XXX.58 - - [07/Mar/2013:15:26:30 +0100] "GET /nidp/app/login?id=krb&target=https://ids.acme.com/nidp/saml2/idpsend?id=cwt1 HTTP/1.1" 400 -

--------------------

Success:

Code:
--------------------
XXX.XXX.XXX.39 - - [07/Mar/2013:14:17:38 +0100] "GET /nidp/app/login?id=krb&target=https://ids.acme.com/nidp/saml2/idpsend?id=cwt1 HTTP/1.1" 401 2291
XXX.XXX.XXX.39 - - [07/Mar/2013:14:17:43 +0100] "GET /nidp/app/login?id=krb&target=https://ids.acme.com/nidp/saml2/idpsend?id=cwt1 HTTP/1.1" 200 433
XXX.XXX.XXX.39 - - [07/Mar/2013:14:17:43 +0100] "GET /nidp/saml2/idpsend?id=cwt1 HTTP/1.1" 200 6894

--------------------

I've got debug-level logging turned on, but for the failure scenario I
see the first request get processed (which ends up with a 401 response to
the client, meaning auth required). However, I don't see anything in the
logs to show that the client re-sent the request with an authorization
header.

Looking on the client side, I see that the re-sent request included an
authorization header, but it seems like Access Manager never sees this
re-sent request.

Has anyone else seen this? Is this a bug?


--
alexmchugh
------------------------------------------------------------------------
alexmchugh's Profile: https://forums.netiq.com/member.php?userid=461
View this thread: https://forums.netiq.com/showthread.php?t=47035
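An added diagnostic for the access logs quoted in the post (not code from the thread or from NetIQ): it pairs each 401 challenge on the Kerberos login URL with the same client's next request to that URL and classifies the SPNEGO round trip as negotiated (401 then 200), resend rejected (401 then 400) or no resend seen (401 with no follow-up). The log format and the login path are taken from the post; the sample lines and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same access-log format as the post
# (client IP, timestamp, request line, status, size); not real traffic.
SAMPLE_LOG = """\
10.0.0.58 - - [07/Mar/2013:15:26:30 +0100] "GET /nidp/app/login?id=krb&target=x HTTP/1.1" 401 2291
10.0.0.58 - - [07/Mar/2013:15:26:30 +0100] "GET /nidp/app/login?id=krb&target=x HTTP/1.1" 400 -
10.0.0.39 - - [07/Mar/2013:14:17:38 +0100] "GET /nidp/app/login?id=krb&target=x HTTP/1.1" 401 2291
10.0.0.39 - - [07/Mar/2013:14:17:43 +0100] "GET /nidp/app/login?id=krb&target=x HTTP/1.1" 200 433
10.0.0.39 - - [07/Mar/2013:14:17:43 +0100] "GET /nidp/saml2/idpsend?id=cwt1 HTTP/1.1" 200 6894
10.0.0.77 - - [07/Mar/2013:16:02:10 +0100] "GET /nidp/app/login?id=krb&target=x HTTP/1.1" 401 2291
"""

# Common log format: ip ident user [timestamp] "request line" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def classify_krb_handshakes(log_text, login_path="/nidp/app/login?id=krb"):
    """Map client IP -> list of outcomes for each 401 challenge on login_path.
    'negotiated'      : 401 followed by 200, the resent request was accepted
    'resend_rejected' : 401 followed by 400, the server refused the resend
                        (a common cause is an Authorization header larger
                        than the server's header limit)
    'no_resend'       : 401 with no follow-up request from that client
    """
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(login_path):
            per_client[rec["ip"]].append(rec["status"])
    results = {}
    for ip, statuses in per_client.items():
        outcomes, i = [], 0
        while i < len(statuses):
            if statuses[i] != 401:
                i += 1  # not a challenge; nothing to pair
                continue
            nxt = statuses[i + 1] if i + 1 < len(statuses) else None
            if nxt == 200:
                outcomes.append("negotiated"); i += 2
            elif nxt == 400:
                outcomes.append("resend_rejected"); i += 2
            else:
                outcomes.append("no_resend"); i += 1
        results[ip] = outcomes
    return results
```

Run it over the real access log to see whether the failing client's resend reaches the server at all (no_resend) or arrives and is refused (resend_rejected); the post's failure case is the latter.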