
Thread: Resource Not Available & Header Injection fail

    #1 (Join Date: Feb 2008; Location: The Netherlands; Posts: 184)

    I'm running into an annoying issue and I can't seem to find a solution.
    Hopefully someone can push me in the right direction.

    First a little bit about the environment:
    Access Manager:
    5 IDPs, 6 AGs, 3 Admin Consoles (1 due to be removed), 1 Analytics Server. All version 4.3.3
    ID Store: 4 eDirectory 8.8.8 & 2 ADs for Kerberos
    2 F5 load balancers; most important settings: source-IP stickiness, timeout 300 s, and on reconnect go to the same service (AG)

    We're using 3 major contracts: Kerberos with fallback and password fetch, Secure Name Password, and Risk-Based (internal/external IP) selecting between Kerberos or Secure Name Password and Token (AA).

    We have two major issues:

    1) Every once in a while, when a user goes to a proxy service, (s)he gets an error message from NAM: Resource Not Available (esp-<DeviceID>). The URL shows the ESP.
    This doesn't happen all the time (15%), and it doesn't matter which browser or where they are (on-premise or outside).
    2) Sometimes, when a user is accessing a protected resource and has been working with it for a short while, the user gets a basic authentication pop-up from the application.
    This can be due to the application itself, but my guess is that it fails to deliver the authentication header when the application requests it.

    And a couple of minor ones (not too often):

    3) Unable to complete request at this time (SAML Subject NameIdentifier Missing Required NameIdentifier value (IDP DeviceID)). And this is a NAM fault, not the external SP's fault.

    I've done all the necessary optimizations: adding an attribute set to Liberty, indexing attributes in eDirectory, using roles in authentication policies, tuning the LDAP connections and time-outs, and sharing sessions between IDPs. We even tried a separate network for proxied requests (which made the failure rate even higher).

    We've turned up the logging to see what actually happens, and when we check the logs, a couple of things caught my interest. (And believe me, Google doesn't give any results for the most important keywords.)
    It is a little bit hard to troubleshoot with 150 logins per minute ;-) so I look for keywords.

    Looking at the ESP logging, it looks like this:

    1) A user starts a session.
    2) For some reason the user ends up on another AG. This AG does a proxied request to the correct AG. This sometimes fails, and I guess that's the reason they get a "Resource Not Available" at the ESP.
    3) Being on another AG sometimes means connecting to another IDP for artifact resolution, which also fails sometimes (connection errors), invalidating the session. This can also be the cause of the Resource Not Available. It might also be the cause of the second issue: it tries to get the credentials for the session but fails. I know I can add the credential to the attribute set, but the credentials consist of a certain attribute (not the CN) and the password they type in or retrieve with the password fetch.

    I know the SOAP API is asynchronous; is it simply not fast enough? We did have issues with that in a long-forgotten past.

    We even got messages stating the SOAP response was ill-formed (missing elements).

    When I check the Apache error log, I see a different entry; I don't know if that has anything to do with it:
    Mar 22 00:13:25 aghsldz151 httpd[10827]: [error] (99)Cannot assign requested address: apr_socket_bind: failed to bind to bind_addr 192.87.130.152
    And warnings:
    Mar 22 00:13:25 aghsldz151 httpd[11167]: [warn] AMEVENTID#8521: Host Header is NULL, skipped Host Header Attack detection
    Mar 22 00:13:25 aghsldz151 httpd[11167]: [warn] AM#304600404 AMDEVICEID#ag-3D96DE04FB3C85CD: AMAUTHID#: AMEVENTID#8520: request doesn't have proper path (/NAGErrors/HTTP_BAD_REQUEST.html.var) or hostname

    Some entries from the logs:

    NIDPProxiedRequest, Value:

    <amLogEntry> 2018-03-15T12:40:35Z SEVERE NIDS Application: AM#100105001: AMDEVICEID#esp-BCC8A41D28EDF1A9: AMAUTHID#83ee8615bdc29ed5bd8bb340e1a2c534b7a317b006c344d0f0731d432da3794a: An error happened while forwarding a request to a cluster member. Error: XML document structures must start and end within the same entity.. Unable to forward request to cluster member. </amLogEntry>

    Warning: Invalid resource key: SOAP fault: Artifact resolution failed at IDP. No prefix!
    Warning: Invalid resource key: SOAP fault: Artifact resolution failed at IDP. No prefix!
    Warning: Invalid resource key: SOAP fault: Artifact resolution failed at IDP. No prefix!
    <amLogEntry> 2018-03-12T20:39:09Z INFO NIDS Application: AM#500105039: AMDEVICEID#esp-46683EB0AA3E53E8: AMAUTHID#d450f4e6dd09847d164904e446f9451295008c304d5d7d447bebda7759821906: Error on session id d450f4e6dd09847d164904e446f9451295008c304d5d7d447bebda7759821906, error SOAP fault: Artifact resolution failed at IDP-esp-46683EB0AA3E53E8, Unable to authenticate.:SOAP fault: Artifact resolution failed at IDP: </amLogEntry>

    <amLogEntry> 2018-03-13T13:41:49Z WARNING NIDS Application: AM#501101054: AMDEVICEID#esp-3D96DE04FB3C85CD: AMAUTHID#37150786e8c300ae728bd30c23155e1e089a02d70fb7a299d717ca2047506815: PolicyID#14547554-O6O2-494L-K4K1-P53KN612P96P: NXPESID#1050585: Error retrieving data from cluster: cluster member -192.87.130.155
    Exception message: "Unable to communicate with endpoint https://192.87.130.155:443/nesp/app/soap. Request timed out!"

    Proxy: Invalidating orphaned HttpSession: FD7F9B392274D9105453E698CB80EB40
    Proxy: Response: Writing 14920 bytes!
    Proxy: Response: The Cluster Proxy Request List has 0 members!

    <amLogEntry> 2018-03-12T20:39:09Z WARNING NIDS Application: AM#300101030: AMDEVICEID#esp-46683EB0AA3E53E8: SOAP fault: Artifact resolution failed at IDP </amLogEntry>

    Warning: Invalid resource key: SOAP fault: Artifact resolution failed at IDP. No prefix!
    <amLogEntry> 2018-03-13T18:30:54Z SEVERE NIDS Application: The session might have been hijacked. Logging out the session 375648da6a5f61167ff3d310fe55ededd7d1b9a3e64028d57e08d07978793746. Root cause: NespIDC cookie mismatch </amLogEntry>

    Warning: Invalid resource key: Error during session assurance : NespIDC cookie mismatch, so logging out !. No prefix!
    <amLogEntry> 2018-03-13T18:30:54Z SEVERE NIDS Application: Error during session assurance : NespIDC cookie mismatch, so logging out ! </amLogEntry>
    Last edited by dvandermaas; 22-Mar-2018 at 11:52 AM.
    The Network lives on patches, re-configurations and caffeine. One Net, One Engineer, One Coffee Brand.
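The poster says the only practical way to work through the logs at 150 logins a minute is to search for keywords. The script below is an added example, not part of the post and not a NetIQ/Micro Focus tool: it parses `<amLogEntry>` records (including ones that wrap onto a second line, like the cluster time-out above), pulls out the AM# code, AMDEVICEID, AMAUTHID and any cluster-member IP, buckets each record by the failure it describes (artifact resolution, proxied request forwarding, cluster communication, session assurance) and counts them per ESP device and per cluster member, so the failing AG/IDP pair shows up directly. The field layout is assumed from the entries quoted in the post, and the sample lines are constructed to match that shape with shortened IDs; they are not a real capture.

```python
"""Bucket NetIQ Access Manager <amLogEntry> records by failure type.

Added example, not the product's own tooling. Field layout (AM#, AMDEVICEID#,
AMAUTHID#) is assumed from the entries quoted in the forum post.
"""
import re
from collections import Counter

# Constructed sample, shaped like the post's entries (IDs shortened; not a capture).
SAMPLE_LOG = """\
<amLogEntry> 2018-03-15T12:40:35Z SEVERE NIDS Application: AM#100105001: AMDEVICEID#esp-BCC8A41D28EDF1A9: AMAUTHID#83ee8615bdc29ed5: An error happened while forwarding a request to a cluster member. Error: XML document structures must start and end within the same entity.. Unable to forward request to cluster member. </amLogEntry>
<amLogEntry> 2018-03-12T20:39:09Z INFO NIDS Application: AM#500105039: AMDEVICEID#esp-46683EB0AA3E53E8: AMAUTHID#d450f4e6dd09847d: Error on session id d450f4e6dd09847d, error SOAP fault: Artifact resolution failed at IDP-esp-46683EB0AA3E53E8, Unable to authenticate.:SOAP fault: Artifact resolution failed at IDP: </amLogEntry>
<amLogEntry> 2018-03-13T13:41:49Z WARNING NIDS Application: AM#501101054: AMDEVICEID#esp-3D96DE04FB3C85CD: AMAUTHID#37150786e8c300ae: PolicyID#14547554-O6O2: NXPESID#1050585: Error retrieving data from cluster: cluster member -192.87.130.155
Exception message: "Unable to communicate with endpoint https://192.87.130.155:443/nesp/app/soap. Request timed out!" </amLogEntry>
<amLogEntry> 2018-03-12T20:39:09Z WARNING NIDS Application: AM#300101030: AMDEVICEID#esp-46683EB0AA3E53E8: SOAP fault: Artifact resolution failed at IDP </amLogEntry>
<amLogEntry> 2018-03-13T18:30:54Z SEVERE NIDS Application: The session might have been hijacked. Logging out the session 375648da6a5f6116. Root cause: NespIDC cookie mismatch </amLogEntry>
Proxy: Invalidating orphaned HttpSession: FD7F9B392274D9105453E698CB80EB40
"""

# One record per <amLogEntry>...</amLogEntry>; DOTALL lets a record span lines.
ENTRY_RE = re.compile(
    r"<amLogEntry>\s*(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<body>.*?)\s*</amLogEntry>",
    re.DOTALL,
)
CODE_RE = re.compile(r"\bAM#(\d+)")
DEVICE_RE = re.compile(r"AMDEVICEID#([\w-]+)")
AUTHID_RE = re.compile(r"AMAUTHID#([0-9a-f]*)")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HIJACK_RE = re.compile(r"Logging out the session ([0-9a-f]+)")

# Keyword -> bucket, in the order they are tested. Keywords taken from the post's entries.
CATEGORIES = [
    ("artifact_resolution", "Artifact resolution failed"),
    ("proxied_request", "forwarding a request to a cluster member"),
    ("cluster_comm", "Error retrieving data from cluster"),
    ("session_assurance", "NespIDC cookie mismatch"),
]


def classify(body: str) -> str:
    """Return the failure bucket for one record body, or 'other'."""
    for name, keyword in CATEGORIES:
        if keyword in body:
            return name
    return "other"


def _first(regex: re.Pattern, text: str):
    m = regex.search(text)
    return m.group(1) if m else None


def parse_entries(text: str) -> list:
    """Parse every <amLogEntry> record in text into a dict of fields."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        body = m.group("body")
        entries.append({
            "ts": m.group("ts"),
            "level": m.group("level"),
            "code": _first(CODE_RE, body),
            "device": _first(DEVICE_RE, body),
            "authid": _first(AUTHID_RE, body),
            "cluster_member": _first(IPV4_RE, body),   # peer the ESP could not reach
            "hijacked_session": _first(HIJACK_RE, body),
            "category": classify(body),
        })
    return entries


def summarize(entries: list) -> dict:
    """Count failures per bucket, per ESP device and per cluster member."""
    return {
        "by_category": Counter(e["category"] for e in entries),
        "by_device": Counter(e["device"] for e in entries if e["device"]),
        "by_cluster_member": Counter(e["cluster_member"] for e in entries if e["cluster_member"]),
        "hijacked_sessions": [e["hijacked_session"] for e in entries if e["hijacked_session"]],
    }


if __name__ == "__main__":
    summary = summarize(parse_entries(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Run it against a real catalina.out with `parse_entries(open(path).read())`; a device that dominates `by_device` while its peer dominates `by_cluster_member` is the AG/IDP pair to look at first, and a non-empty `hijacked_sessions` list ties the "NespIDC cookie mismatch" logouts to concrete session IDs you can match against the user complaints.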
