Authentication fails if method on default category not provisioned

Hi everybody!

I am seeing strange behavior when using categories, but let's start from the beginning.

This is AA version 6.4.2.1

We have added one more category, so we have the "Default" and GENLAN.

If a user provisions a method on only the "non-default" category, authentication fails.

For example, with this test client we have provisioned email OTP only for the GENLAN category, but not for Default.

When the user tries to authenticate to the enrollment portal (or Access Manager), we see the following in the AA logs (debug enabled):

Preamble: [OIDP TOP]
Txn: NjkeYCVJRvaPbEfZO2rWgg
Priority Level: FINEST
Java: internal.osp.oidp.aa.NaafSource.authenticateUser() [2903] thread=http-nio-0.0.0.0-10089-exec-4
Elapsed time: 143.642 milliseconds
Time: 2024-03-04T15:01:48.974+0000
Log Data: Process AA authentication request for: GENLAN-AD\testuser1
Server: NaafServer[Advanced Authentication Primary Server (id=aa-primary-server)]
Issue chain authentication next method request.
Trigger AA issuance of factor.
Unexpected error: Class: NaafRestException
Status: 400
Message: 400:
Class: NaafError
Status: error
Reason: RESOURCE_NOT_FOUND
Class: Error
Identifier: AUCORE-1052
Name: AuError
Location: server
Description: GENLAN-AD\testuser1 has no authenticator for the Email OTP and for the category ""

Before that, I can see the following (cookies removed so it is easier to read):

Preamble: [OIDP TOP]
Txn: NjkeYCVJRvaPbEfZO2rWgg
Priority Level: FINER
Java: internal.osp.oidp.aa.rest.NaafRestRequest.issueRequestWithRetry() [544] thread=http-nio-0.0.0.0-10089-exec-4
Elapsed time: 80.580 milliseconds
Time: 2024-03-04T15:01:48.976+0000
Log Data: Issue POST to http://127.0.0.1:6001/api/v1/logon/NhcGWvxoYv1KiyiQKnads5iUuDalBGb0/next
....
Content sent:
{
"tenant_name":"TOP",
"method_id":"EMAIL_OTP:1",
"endpoint_session_id":"FELNADDOiyperCtu0R3wZwYTBeNJRXjG",
"txn":"NjkeYCVJRvaPbEfZO2rWgg"
}
Status: 200
Response headers:
[HTTP/1.1 200 OK]
Cache-Control: no-store
Content-Length: 1411
Content-Type: application/json
Response data:
{
"logon_hints":{

},
"status":"MORE_DATA",
"msg":"Process has been started",
"linked_logon":false,
"reason":"PROCESS_STARTED",
"plugins":[

],
"msgid":"AUCORE-1008",
"chains":[
{
"id_hex":"3b713ae4c73511eab4e30242ac110003",
"tenant_id":"def0def0def0def0def0def0def0def0",
"is_trusted":null,
"is_enabled":true,
"name":"Password+Email OTP",
"short_name":"",
"methods":[
"LDAP_PASSWORD:1",
"EMAIL_OTP:1"
],
"position":3,
"apply_for_ep_owner":false,
"image_name":"default",
"required_chain_id_hex":null,
"grace_period":null,
"mfa_tags":[

],
"risk_level":"NONE"
},
{
"id_hex":"cb31bbde322711eab3790242ac110003",
"tenant_id":"def0def0def0def0def0def0def0def0",
"is_trusted":null,
"is_enabled":true,
"name":"Password+SMS OTP",
"short_name":"",
"methods":[
"LDAP_PASSWORD:1",
"SMS_OTP:1"
],
"position":4,
"apply_for_ep_owner":false,
"image_name":"default",
"required_chain_id_hex":null,
"grace_period":null,
"mfa_tags":[

],
"risk_level":"NONE"
}
],
"categories":[
{
"id":"676c7e68938511ee8d620242ac110004",
"name":"GENLAN",
"desc":""
}
],
"current_method":"EMAIL_OTP:1",
"completed_methods":[
"LDAP_PASSWORD:1"
],
"logon_process_id":"NhcGWvxoYv1KiyiQKnads5iUuDalBGb0",
"event_name":"Authenticators Management",
"event_type":"Generic",
"event_all_categories":true,
"event_data_id":"AUTHENTICATORS MANAGEMENT",
"data_id":"AUTHENTICATORS MANAGEMENT",
"category_id":"",
"current_category_id":""
}

Preamble: [OIDP TOP]
Txn: NjkeYCVJRvaPbEfZO2rWgg
Priority Level: FINER
Java: internal.osp.oidp.aa.rest.NaafRestRequest.issueRequestWithRetry() [536] thread=http-nio-0.0.0.0-10089-exec-4
Elapsed time: 43.65 milliseconds
Time: 2024-03-04T15:01:49.058+0000
Log Data: Issue POST to http://127.0.0.1:6001/api/v1/logon/NhcGWvxoYv1KiyiQKnads5iUuDalBGb0/do_logon
....
Content sent:
{
"tenant_name":"TOP",
"endpoint_session_id":"FELNADDOiyperCtu0R3wZwYTBeNJRXjG",
"txn":"NjkeYCVJRvaPbEfZO2rWgg"
}
Status: 400
Response headers:
[HTTP/1.1 400 Bad Request]
Content-Length: 234
Content-Type: application/json
Response data:
{
"status":"error",
"errors":[
{
"location":*****,
"name":"AuError",
"msgid":"AUCORE-1052",
"description":*****
}
],
"reason":"RESOURCE_NOT_FOUND"
}

Interestingly, if I add email OTP for the Default category, both categories work without any problem.

Anybody else seen something similar?

Kind regards,

Sebastijan
If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button
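As an added triage helper (not from the post or from the AA product), the script below replays the two REST exchanges quoted above: the `/next` response, which lists the categories the user has enrolled for (`categories`) and the category the server is evaluating (`current_category_id`, empty for Default), and the `/do_logon` 400 with `AUCORE-1052`. It flags the situation described in the post: the method is being evaluated in the Default category while the user only enrolled it in GENLAN. The sample bodies are constructed from the log excerpts above (the redacted `*****` fields are filled from the top-level log line), and the rule that "an evaluated category id absent from `categories` means the method is not enrolled there" is an assumption drawn from this thread, not documented AA behaviour.

```python
"""Triage helper for Advanced Authentication (AA) logon-API debug logs.

Constructed example; not part of the forum post or the AA product.
Assumption: the AA REST bodies look like the ones quoted in the thread,
with the Default category identified by an empty category id.
"""
import json
import re

DEFAULT_CATEGORY_ID = ""  # assumption: AA reports the Default category as ""

# Message pattern seen in the AUCORE-1052 description in the post.
AUCORE_1052_RE = re.compile(
    r'has no authenticator for the (?P<method>.+?) and for the category "(?P<category>[^"]*)"'
)

# Constructed sample: the /next response from the post, trimmed to the keys used here.
SAMPLE_NEXT = {
    "status": "MORE_DATA",
    "reason": "PROCESS_STARTED",
    "msgid": "AUCORE-1008",
    "current_method": "EMAIL_OTP:1",
    "completed_methods": ["LDAP_PASSWORD:1"],
    "categories": [
        {"id": "676c7e68938511ee8d620242ac110004", "name": "GENLAN", "desc": ""}
    ],
    "event_all_categories": True,
    "category_id": "",
    "current_category_id": "",
}

# Constructed sample: one debug log entry for the /do_logon call, with the
# redacted fields filled in from the top-level log line in the post.
SAMPLE_DO_LOGON_LOG = """Preamble: [OIDP TOP]
Priority Level: FINER
Log Data: Issue POST to http://127.0.0.1:6001/api/v1/logon/NhcGWvxoYv1KiyiQKnads5iUuDalBGb0/do_logon
Status: 400
Response data:
{
"status":"error",
"errors":[
{
"location":"server",
"name":"AuError",
"msgid":"AUCORE-1052",
"description":"GENLAN-AD\\\\testuser1 has no authenticator for the Email OTP and for the category \\"\\""
}
],
"reason":"RESOURCE_NOT_FOUND"
}
"""


def extract_response_json(log_entry: str) -> dict:
    """Return the JSON body that follows 'Response data:' in one AA debug log entry."""
    _, _, body = log_entry.partition("Response data:")
    if not body.strip():
        raise ValueError("log entry carries no 'Response data:' section")
    return json.loads(body)


def category_label(category_id: str) -> str:
    """Human-readable name for a category id (empty id is the Default category)."""
    return "Default" if category_id == DEFAULT_CATEGORY_ID else category_id


def diagnose(next_resp: dict, do_logon_resp: dict) -> dict:
    """Compare the category AA evaluated with the categories the user enrolled in.

    Returns a summary dict; 'category_mismatch' is True when /do_logon failed with
    AUCORE-1052 and the evaluated category id is not among the enrolled ones.
    """
    enrolled = {c["id"]: c["name"] for c in next_resp.get("categories", [])}
    evaluated = next_resp.get("current_category_id", DEFAULT_CATEGORY_ID)
    result = {
        "method": next_resp.get("current_method"),
        "evaluated_category": category_label(evaluated),
        "enrolled_categories": sorted(enrolled.values()),
        "error_msgid": None,
        "error_category": None,
        "category_mismatch": False,
    }
    if do_logon_resp.get("status") != "error":
        return result
    for err in do_logon_resp.get("errors", []):
        if err.get("msgid") != "AUCORE-1052":
            continue
        result["error_msgid"] = "AUCORE-1052"
        match = AUCORE_1052_RE.search(err.get("description", ""))
        if match:
            result["error_category"] = category_label(match.group("category"))
        # Assumption from the thread: the evaluated category id missing from
        # 'categories' means the method was never enrolled in that category.
        if evaluated not in enrolled:
            result["category_mismatch"] = True
    return result


if __name__ == "__main__":
    summary = diagnose(SAMPLE_NEXT, extract_response_json(SAMPLE_DO_LOGON_LOG))
    print(json.dumps(summary, indent=2))
```

Run against the post's own bodies it reports the method `EMAIL_OTP:1` evaluated in `Default` while the only enrolled category is `GENLAN`, which is the mismatch the post describes; a `/do_logon` body without the error leaves `category_mismatch` false.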

  • 0  

    Just found this thread:  Access Manager Auth Fails if Default Method Removed 

    At first sight it looks related (auth fails if Default category is missing)

Have you found a solution for your problem? I see exactly the same behavior. After the user selects a method that does not have the Default category provisioned, AA bounces back to AM with /nidp/oauth/nam/callback?error=access_denied&sub_error=usrcan&error_description=User canceled authentication

    Kind regards,

    Sebastijan


  • 0   in reply to   

    As far as I know, this was never resolved.  I typically don't use categories now because they have so many other implementation issues and problems with end-users (the lack of customization here is a huge problem, who the heck came up with calling this categories?).

    I looked at my case history, I opened a case on this issue on Oct. 19, 2021 (02022421).  The last comment from the support engineer is that he believed it was fixed in AAF 6.3.6 and closed the case.  Clearly it has not been fixed based on your experience.

    So the answer to your question, no, I never found a solution.  

    For a while, adding categories broke the enrollment portal.  That took 7 months to get a fix (was fixed in 6.4.2).

    I would like the ability to add categories on a per chain/method level. Because once you enable categories, the end user can add the second category for any of the chains/methods they have access to. This causes confusion for things like LDAP password.

    Matt

  • 0   in reply to   

    Thanks for feedback, Matt

    Kind regards,

    Sebastijan
