I have an AM set up for domain-based multihoming. The idea is to protect
a resource "application.company.corp" through AM with Kerberos
authentication and Identity Injection via header.
I have it all set up, logging in works (confirmed via the portal) but
when I try to access "application.company.corp" (behind an LB for the
two AGWs, I have ROUTEIDs set for the LB and they appear properly in the
browser), I get a redirection loop and FF (same for IE) stops after
about 10 seconds.

Enabling debugging, I got this X-Mag header:


HTTP/1.1 302 Found
Date: Thu, 12 Jan 2017 09:49:18 GMT
Server: Apache/2.4.18 (Unix) OpenSSL/1.0.2j mod_jk/1.2.41
P3p: CP="NOI"
X-Mag: D85C94D2F317964E;f112d8a6;60583;usrLkup->0;SendSoapStart->0;SendSoapExit->7;CheckSB->7;makeuser;SBUsr;getPRBefFind->7;getPRBefFind->7;PRAfterFind->7;Application_Test;Contract-valid->7;Application_Test;default;SH;FF1End->8;SendSoapStart->8;Bad-User;6088-IIEvalErr:Bad-User;SendSoapExit->6088;EvalII->6088;FPE->6088;
Via: 1.1 application.company.corp (Access Gateway-ag-D85C94D2F317964E-60583)
Location: https://application.company.corp/application/
Content-Length: 164
Content-Type: text/html; charset=iso-8859-1
Set-Cookie: IPCZQX03dad6199d=0; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/; domain=.company.corp; Secure
Vary: User-Agent
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
Keep-Alive: timeout=15, max=4992
Connection: Keep-Alive


This is the request that restarts the loop (setting the IPC* cookie to 0
from its previous value).
What I'm surprised about in the X-Mag header is the "Bad-User" text,
although I can find no documentation about this header.

Any hints here?

blindcoder's Profile: https://forums.netiq.com/member.php?userid=5313
View this thread: https://forums.netiq.com/showthread.php?t=57183
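
Added example, not part of the original post: a small Python helper that splits the X-Mag value quoted above into its `;`-separated tokens and reports where the trailing number jumps and which bare tokens sit inside that jump. The header is undocumented here, so reading `name->N` as "label plus counter" and matching on `Err`/`Bad` are assumptions, and the function names are hypothetical.

```python
import re

# X-Mag value copied from the response in the post above.
X_MAG = ("D85C94D2F317964E;f112d8a6;60583;usrLkup->0;SendSoapStart->0;"
         "SendSoapExit->7;CheckSB->7;makeuser;SBUsr;getPRBefFind->7;"
         "getPRBefFind->7;PRAfterFind->7;Application_Test;Contract-valid->7;"
         "Application_Test;default;SH;FF1End->8;SendSoapStart->8;Bad-User;"
         "6088-IIEvalErr:Bad-User;SendSoapExit->6088;EvalII->6088;FPE->6088;")

def parse_x_mag(value):
    """Return [(label, counter)]; counter is None for tokens without '->N'."""
    steps = []
    for token in filter(None, value.split(";")):
        m = re.fullmatch(r"(.+)->(\d+)", token)
        steps.append((m.group(1), int(m.group(2))) if m else (token, None))
    return steps

def largest_jump(steps):
    """Return (i, j, delta): indices of the two counted steps with the biggest increase."""
    counted = [(i, n) for i, (_, n) in enumerate(steps) if n is not None]
    best = (None, None, 0)
    for (i, x), (j, y) in zip(counted, counted[1:]):
        if y - x > best[2]:
            best = (i, j, y - x)
    return best

def flagged(steps):
    """Labels containing 'Err' or 'Bad' (a heuristic, not a documented rule)."""
    return [label for label, _ in steps if re.search(r"Err|Bad", label)]

if __name__ == "__main__":
    steps = parse_x_mag(X_MAG)
    i, j, delta = largest_jump(steps)
    print(f"counter jumps by {delta} between {steps[i][0]} and {steps[j][0]}")
    print("tokens inside the jump:", [label for label, _ in steps[i + 1:j]])
    print("flagged tokens:", flagged(steps))
```
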