VMware Cloud Community
VirExprt

vCAC 6.0 Error: User getting error Forbidden while logging in

Hello,

One of the users of vCAC is getting an error while logging in to vCAC 6.0: "Forbidden! Please close the browser window and login from a new window". When I did a tail of Catalina.out for errors on the SSO server, I found the log entries below:

4-07-22 11:02:21,282 DEBUG  [DefaultIdmAccessorFactory] DefaultIdmAccessorFactory constructor

2014-07-22 11:02:21,282 DEBUG  [DefaultIdmAccessorFactory] DefaultIdmAccessorFactory getIdmAccessor

2014-07-22 11:02:21,282 DEBUG  [CasIdmAccessor] CasIdmAccessor constructor called

2014-07-22 11:02:21,282 DEBUG  [AuthnRequestState] Relay state specified was https://VCAC-UI.abc.local/shell-ui-app/#csp.places.iaas.Default

2014-07-22 11:02:21,282 DEBUG  [AuthnRequestState] parseRequestForTenant, tenant vsphere.local

2014-07-22 11:02:21,283 DEBUG  [AuthnRequestState] Replay attack detected - DENYING authentication request

2014-07-22 11:02:21,283 DEBUG  [BaseSsoController] Caught parsing exception java.lang.IllegalStateException: Forbidden

2014-07-22 11:02:21,283 DEBUG  [AuthnRequestState] addResponseHeaders, response org.apache.catalina.connector.ResponseFacade@144d6c10

2014-07-22 11:02:21,283 DEBUG  [AuthnRequestState] generateResponseForTenant, tenant vsphere.local

2014-07-22 11:02:21,283 INFO   [BaseSsoController] Responded with ERROR 403, message Forbidden! Please close the browser window and login from a new window

Also, when I tried to check the user account from Administration > Users in vCAC, I am not able to list the AD groups he is actually a member of! This is strange, because the user actually has a lot of groups listed in Active Directory.

Please help me get this fixed.

Thanks in advance

Br,

MG

Regards, MG

Accepted Solutions
GrantOrchardVMw

Steve's all over it today....

2014-07-22 11:02:21,283 DEBUG  [AuthnRequestState] Replay attack detected - DENYING authentication request


This line indicates that someone is attempting to reuse a token from an expired session. Ensure that people are not using a cached page from SSO, or a bookmark for SSO.


Grant

Grant http://grantorchard.com
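
An added example, not part of any reply in this thread and not VMware code: a small Python parser that pulls every "Replay attack detected" denial out of a catalina.out excerpt and attaches the relay state and tenant that AuthnRequestState logged just before it. It assumes those lines precede the denial without interleaving from other requests (the excerpt carries no request or thread id), and the sample lines are constructed from the log in the question.

```python
import re
from collections import Counter

# Layout as in the excerpt: "<date> <time>,<ms> LEVEL  [Component] message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<component>[^\]]+)\]\s+(?P<msg>.*)$"
)
RELAY_PREFIX = "Relay state specified was "
TENANT_PREFIX = "parseRequestForTenant, tenant "
REPLAY_MARKER = "Replay attack detected"

def find_replay_denials(lines):
    """One dict per replay denial, with the relay state and tenant that
    AuthnRequestState logged just before it (None if not seen)."""
    denials, relay, tenant = [], None, None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or m["component"] != "AuthnRequestState":
            continue  # blank, truncated or unrelated line
        msg = m["msg"]
        if msg.startswith(RELAY_PREFIX):  # a new request begins: reset context
            relay, tenant = msg[len(RELAY_PREFIX):], None
        elif msg.startswith(TENANT_PREFIX):
            tenant = msg[len(TENANT_PREFIX):]
        elif REPLAY_MARKER in msg:
            denials.append({"time": m["ts"], "relay_state": relay, "tenant": tenant})
            relay, tenant = None, None
    return denials

def denials_by_relay_state(denials):
    """Count denials per relay state URL to see which entry points recur."""
    return Counter(d["relay_state"] for d in denials)

# Constructed sample: first line truncated as posted; 11:05 request not denied.
URL = "https://VCAC-UI.abc.local/shell-ui-app/#csp.places.iaas.Default"
SAMPLE = f"""\
4-07-22 11:02:21,282 DEBUG  [DefaultIdmAccessorFactory] DefaultIdmAccessorFactory constructor
2014-07-22 11:02:21,282 DEBUG  [AuthnRequestState] Relay state specified was {URL}
2014-07-22 11:02:21,282 DEBUG  [AuthnRequestState] parseRequestForTenant, tenant vsphere.local
2014-07-22 11:02:21,283 DEBUG  [AuthnRequestState] Replay attack detected - DENYING authentication request
2014-07-22 11:05:40,101 DEBUG  [AuthnRequestState] Relay state specified was {URL}
2014-07-22 11:05:40,101 DEBUG  [AuthnRequestState] parseRequestForTenant, tenant vsphere.local
2014-07-22 11:09:12,450 DEBUG  [AuthnRequestState] Relay state specified was {URL}
2014-07-22 11:09:12,450 DEBUG  [AuthnRequestState] parseRequestForTenant, tenant vsphere.local
2014-07-22 11:09:12,451 DEBUG  [AuthnRequestState] Replay attack detected - DENYING authentication request
""".splitlines()

if __name__ == "__main__":
    print(denials_by_relay_state(find_replay_denials(SAMPLE)))
```

Listing the denials by time and relay state shows how often and from which entry URL users hit the 403, which helps when checking for the cached pages or bookmarks mentioned above.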

4 Replies
quantum_2

Make sure all of your times are synced in the VCAC CORE, Identity app and the IAAS.

Are all the services started in the VCAC CORE appliance?

VirExprt

Yes, all components have time sync... and this is affecting only a few users, not all at a time.

Br,

MG

Regards, MG
stvkpln

Not sure if it's the same thing, but I had a few users who inadvertently bookmarked the login page, rather than the vcac appliance shell-ui-app page (post-login)... It was working for a bit, but then the token went stale, and the bookmark was bad. After they fixed that, everything went back to normal....

-Steve