Hello,
One of the users of vCAC is getting an error while logging in to vCAC 6.0: "Forbidden! Please close the browser window and login from a new window". When I did a tail of Catalina.out for errors on the SSO server, I found the log entries below:
4-07-22 11:02:21,282 DEBUG [DefaultIdmAccessorFactory] DefaultIdmAccessorFactory constructor
2014-07-22 11:02:21,282 DEBUG [DefaultIdmAccessorFactory] DefaultIdmAccessorFactory getIdmAccessor
2014-07-22 11:02:21,282 DEBUG [CasIdmAccessor] CasIdmAccessor constructor called
2014-07-22 11:02:21,282 DEBUG [AuthnRequestState] Relay state specified was https://VCAC-UI.abc.local/shell-ui-app/#csp.places.iaas.Default
2014-07-22 11:02:21,282 DEBUG [AuthnRequestState] parseRequestForTenant, tenant vsphere.local
2014-07-22 11:02:21,283 DEBUG [AuthnRequestState] Replay attack detected - DENYING authentication request
2014-07-22 11:02:21,283 DEBUG [BaseSsoController] Caught parsing exception java.lang.IllegalStateException: Forbidden
2014-07-22 11:02:21,283 DEBUG [AuthnRequestState] addResponseHeaders, response org.apache.catalina.connector.ResponseFacade@144d6c10
2014-07-22 11:02:21,283 DEBUG [AuthnRequestState] generateResponseForTenant, tenant vsphere.local
2014-07-22 11:02:21,283 INFO [BaseSsoController] Responded with ERROR 403, message Forbidden! Please close the browser window and login from a new window
Also, when I tried to check the user account from Administration > Users in vCAC, I am not able to list the AD groups he is actually a member of! This is strange because the user actually has a lot of groups listed in Active Directory.
Please help me get this fixed.
Thanks in advance
Br,
MG
Steve's all over it today....
2014-07-22 11:02:21,283 DEBUG [AuthnRequestState] Replay attack detected - DENYING authentication request
This line indicates that someone is attempting to reuse a token from an expired session. Ensure that people are not using a cached page from SSO, or bookmark for SSO.
Grant
Make sure all of your times are synced in the VCAC CORE, Identity app and the IAAS.
Are all the services started in the VCAC CORE appliance?
Yes, all components have time sync... and this is affecting only a few users, not all at a time.
Br,
MG
Not sure if it's the same thing, but I had a few users who inadvertently bookmarked the login page, rather than the vcac appliance shell-ui-app page (post-login)... It was working for a bit, but then the token went stale, and the bookmark was bad. After they fixed that, everything went back to normal....
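Added example, not part of any post in this thread and not VMware code: a small Python triage script that pulls every "Replay attack detected" denial out of the SSO catalina.out and counts them per relay state, so recurring denials for the same URL stand out. The line layout is taken from the excerpt in the first post; the sample log is constructed from it, and the function names are hypothetical.

```python
import re
from collections import Counter

# Layout from the excerpt: "<date> <time>,<ms> <LEVEL> [<Component>] <message>"
LINE = re.compile(r"^(\S+ \S+) (\w+)\s+\[(\w+)\] (.*)$")
RELAY = re.compile(r"Relay state specified was (\S+)")
TENANT = re.compile(r"parseRequestForTenant, tenant (\S+)")

# Constructed sample modelled on the excerpt: two denied requests, one that is not denied.
SAMPLE = """\
2014-07-22 11:02:21,282 DEBUG [AuthnRequestState] Relay state specified was https://VCAC-UI.abc.local/shell-ui-app/#csp.places.iaas.Default
2014-07-22 11:02:21,282 DEBUG [AuthnRequestState] parseRequestForTenant, tenant vsphere.local
2014-07-22 11:02:21,283 DEBUG [AuthnRequestState] Replay attack detected - DENYING authentication request
2014-07-22 11:05:40,100 DEBUG [AuthnRequestState] Relay state specified was https://VCAC-UI.abc.local/shell-ui-app/
2014-07-22 11:05:40,101 DEBUG [AuthnRequestState] parseRequestForTenant, tenant vsphere.local
2014-07-22 11:09:02,510 DEBUG [AuthnRequestState] Relay state specified was https://VCAC-UI.abc.local/shell-ui-app/#csp.places.iaas.Default
2014-07-22 11:09:02,510 DEBUG [AuthnRequestState] parseRequestForTenant, tenant vsphere.local
2014-07-22 11:09:02,511 DEBUG [AuthnRequestState] Replay attack detected - DENYING authentication request
"""

def replay_denials(lines):
    """Return one dict per denied request: time, tenant, relay state.

    Assumption: the lines of one request are contiguous, with relay state
    and tenant logged before the denial, as in the excerpt.
    """
    denials, relay, tenant = [], None, None
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # stack traces, blank or truncated lines
        ts, _level, component, msg = m.groups()
        if component != "AuthnRequestState":
            continue
        if (r := RELAY.search(msg)):
            relay, tenant = r.group(1), None  # a new request starts here
        elif (t := TENANT.search(msg)):
            tenant = t.group(1)
        elif "Replay attack detected" in msg:
            denials.append({"time": ts, "tenant": tenant, "relay_state": relay})
            relay = tenant = None
    return denials

def by_relay_state(denials):
    """Count denials per relay state URL."""
    return Counter(d["relay_state"] for d in denials)

if __name__ == "__main__":
    for url, n in by_relay_state(replay_denials(SAMPLE.splitlines())).most_common():
        print(n, url)
```

To run it against a real log, pass the open file object to `replay_denials` instead of `SAMPLE.splitlines()`.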