Hi everybody!
I am seeing strange behavior when using categories, but let's start from the beginning.
This is AA version 6.4.2.1
We have added one more category, so we have the "Default" and GENLAN.
If a user provisions a method only on a "non-default" category, authentication fails.
For example, with this test client we have provisioned Email OTP only for the GENLAN category but not for Default.
When the user tries to authenticate to the enrollment portal (or Access Manager) we see the following in the AA logs (debug enabled):
Preamble: [OIDP TOP] Txn: NjkeYCVJRvaPbEfZO2rWgg Priority Level: FINEST Java: internal.osp.oidp.aa.NaafSource.authenticateUser() [2903] thread=http-nio-0.0.0.0-10089-exec-4 Elapsed time: 143.642 milliseconds Time: 2024-03-04T15:01:48.974+0000 Log Data: Process AA authentication request for: GENLAN-AD\testuser1 Server: NaafServer[Advanced Authentication Primary Server (id=aa-primary-server)] Issue chain authentication next method request. Trigger AA issuance of factor. Unexpected error: Class: NaafRestException Status: 400 Message: 400: Class: NaafError Status: error Reason: RESOURCE_NOT_FOUND Class: Error Identifier: AUCORE-1052 Name: AuError Location: server Description: GENLAN-AD\testuser1 has no authenticator for the Email OTP and for the category ""
Before that I can see the following (cookies removed so it is easier to read):
Preamble: [OIDP TOP] Txn: NjkeYCVJRvaPbEfZO2rWgg Priority Level: FINER Java: internal.osp.oidp.aa.rest.NaafRestRequest.issueRequestWithRetry() [544] thread=http-nio-0.0.0.0-10089-exec-4 Elapsed time: 80.580 milliseconds Time: 2024-03-04T15:01:48.976+0000 Log Data: Issue POST to http://127.0.0.1:6001/api/v1/logon/NhcGWvxoYv1KiyiQKnads5iUuDalBGb0/next .... Content sent: { "tenant_name":"TOP", "method_id":"EMAIL_OTP:1", "endpoint_session_id":"FELNADDOiyperCtu0R3wZwYTBeNJRXjG", "txn":"NjkeYCVJRvaPbEfZO2rWgg" } Status: 200 Response headers: [HTTP/1.1 200 OK] Cache-Control: no-store Content-Length: 1411 Content-Type: application/json Response data: { "logon_hints":{ }, "status":"MORE_DATA", "msg":"Process has been started", "linked_logon":false, "reason":"PROCESS_STARTED", "plugins":[ ], "msgid":"AUCORE-1008", "chains":[ { "id_hex":"3b713ae4c73511eab4e30242ac110003", "tenant_id":"def0def0def0def0def0def0def0def0", "is_trusted":null, "is_enabled":true, "name":"Password+Email OTP", "short_name":"", "methods":[ "LDAP_PASSWORD:1", "EMAIL_OTP:1" ], "position":3, "apply_for_ep_owner":false, "image_name":"default", "required_chain_id_hex":null, "grace_period":null, "mfa_tags":[ ], "risk_level":"NONE" }, { "id_hex":"cb31bbde322711eab3790242ac110003", "tenant_id":"def0def0def0def0def0def0def0def0", "is_trusted":null, "is_enabled":true, "name":"Password+SMS OTP", "short_name":"", "methods":[ "LDAP_PASSWORD:1", "SMS_OTP:1" ], "position":4, "apply_for_ep_owner":false, "image_name":"default", "required_chain_id_hex":null, "grace_period":null, "mfa_tags":[ ], "risk_level":"NONE" } ], "categories":[ { "id":"676c7e68938511ee8d620242ac110004", "name":"GENLAN", "desc":"" } ], "current_method":"EMAIL_OTP:1", "completed_methods":[ "LDAP_PASSWORD:1" ], "logon_process_id":"NhcGWvxoYv1KiyiQKnads5iUuDalBGb0", "event_name":"Authenticators Management", "event_type":"Generic", "event_all_categories":true, "event_data_id":"AUTHENTICATORS MANAGEMENT", "data_id":"AUTHENTICATORS MANAGEMENT", "category_id":"", "current_category_id":"" }
Preamble: [OIDP TOP] Txn: NjkeYCVJRvaPbEfZO2rWgg Priority Level: FINER Java: internal.osp.oidp.aa.rest.NaafRestRequest.issueRequestWithRetry() [536] thread=http-nio-0.0.0.0-10089-exec-4 Elapsed time: 43.65 milliseconds Time: 2024-03-04T15:01:49.058+0000 Log Data: Issue POST to http://127.0.0.1:6001/api/v1/logon/NhcGWvxoYv1KiyiQKnads5iUuDalBGb0/do_logon .... Content sent: { "tenant_name":"TOP", "endpoint_session_id":"FELNADDOiyperCtu0R3wZwYTBeNJRXjG", "txn":"NjkeYCVJRvaPbEfZO2rWgg" } Status: 400 Response headers: [HTTP/1.1 400 Bad Request] Content-Length: 234 Content-Type: application/json Response data: { "status":"error", "errors":[ { "location":*****, "name":"AuError", "msgid":"AUCORE-1052", "description":***** } ], "reason":"RESOURCE_NOT_FOUND" }
Interestingly, if I add email OTP for Default category, both categories work without any problem.
Anybody else seen something similar?
Kind regards,
Sebastijan
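The two debug entries above carry everything needed to triage this failure: the `/next` response advertises a `categories` list (only GENLAN) while `current_category_id` is the empty string, and the `/do_logon` response then fails with AUCORE-1052 for the category `""`. The following is an added triage helper, not code from the post or from the Advanced Authentication or OSP products; it parses OSP-style debug entries and reports that mismatch. The log text inside it is a constructed sample modelled on the entries quoted above, with the transaction id, logon process id and category id replaced by placeholders and the masked fields filled with plausible text; the endpoint names, field names and error code are the ones visible in the post.

```python
import json
import re
from typing import Optional

# Constructed sample, modelled on the OSP debug entries quoted in the post.
# Session/transaction identifiers are placeholders, not values from the post.
SAMPLE_LOG = r"""Preamble: [OIDP TOP] Txn: TXN-PLACEHOLDER Priority Level: FINER Java: internal.osp.oidp.aa.rest.NaafRestRequest.issueRequestWithRetry() [544] Log Data: Issue POST to http://127.0.0.1:6001/api/v1/logon/LOGON-ID-PLACEHOLDER/next .... Content sent: { "tenant_name":"TOP", "method_id":"EMAIL_OTP:1", "txn":"TXN-PLACEHOLDER" } Status: 200 Response data: { "status":"MORE_DATA", "msgid":"AUCORE-1008", "categories":[ { "id":"CAT-ID-PLACEHOLDER", "name":"GENLAN", "desc":"" } ], "current_method":"EMAIL_OTP:1", "completed_methods":[ "LDAP_PASSWORD:1" ], "event_all_categories":true, "category_id":"", "current_category_id":"" }
Preamble: [OIDP TOP] Txn: TXN-PLACEHOLDER Priority Level: FINER Java: internal.osp.oidp.aa.rest.NaafRestRequest.issueRequestWithRetry() [536] Log Data: Issue POST to http://127.0.0.1:6001/api/v1/logon/LOGON-ID-PLACEHOLDER/do_logon .... Content sent: { "tenant_name":"TOP", "txn":"TXN-PLACEHOLDER" } Status: 400 Response data: { "status":"error", "errors":[ { "location":"server", "name":"AuError", "msgid":"AUCORE-1052", "description":"GENLAN-AD\\testuser1 has no authenticator for the Email OTP and for the category \"\"" } ], "reason":"RESOURCE_NOT_FOUND" }
"""

_DECODER = json.JSONDecoder()


def _json_after(text: str, marker: str):
    """Decode the single JSON object that follows `marker` in `text` (None if absent).

    raw_decode stops at the end of the object, so trailing log text (the next
    'Status:' field or the next Preamble) does not disturb the parse.
    """
    pos = text.find(marker)
    if pos < 0:
        return None
    start = pos + len(marker)
    while start < len(text) and text[start].isspace():
        start += 1
    obj, _ = _DECODER.raw_decode(text, start)
    return obj


def parse_entries(log: str) -> list:
    """Split an OSP debug log into REST call records (endpoint, request, status, response)."""
    entries = []
    for chunk in re.split(r"(?=Preamble: )", log):
        if not chunk.strip():
            continue
        m_url = re.search(r"Issue POST to (\S+)", chunk)
        m_status = re.search(r"Status: (\d{3})", chunk)
        if not (m_url and m_status):
            continue  # not a REST request/response entry
        url = m_url.group(1)
        entries.append({
            "url": url,
            "endpoint": url.rsplit("/", 1)[-1],          # e.g. "next" or "do_logon"
            "request": _json_after(chunk, "Content sent:"),
            "http_status": int(m_status.group(1)),
            "response": _json_after(chunk, "Response data:"),
        })
    return entries


def diagnose(entries: list) -> Optional[dict]:
    """Correlate the /next response with a failing /do_logon response.

    Returns a finding when the server reports AUCORE-1052 while the logon process
    advertised enrolment categories but carried an empty current_category_id,
    which is exactly the pattern in the post (enrolled in GENLAN only, looked up
    under category "").
    """
    advertised, selected, method = [], None, None
    for e in entries:
        resp = e["response"] or {}
        if e["endpoint"] == "next" and resp.get("status") == "MORE_DATA":
            advertised = [c.get("name") for c in resp.get("categories", [])]
            selected = resp.get("current_category_id", "")
            method = resp.get("current_method")
        if e["endpoint"] == "do_logon" and resp.get("status") == "error":
            errors = resp.get("errors", [])
            if any(err.get("msgid") == "AUCORE-1052" for err in errors):
                return {
                    "error": "AUCORE-1052",
                    "reason": resp.get("reason"),
                    "method": method,
                    "advertised_categories": advertised,
                    "selected_category": selected,
                    # categories were offered but none was selected for the lookup
                    "mismatch": bool(advertised) and not selected,
                    "descriptions": [err.get("description") for err in errors],
                }
    return None


if __name__ == "__main__":
    finding = diagnose(parse_entries(SAMPLE_LOG))
    if finding is None:
        print("no AUCORE-1052 category mismatch found")
    else:
        print(f"{finding['error']} ({finding['reason']}) for method {finding['method']}")
        print(f"  advertised categories: {finding['advertised_categories']}")
        print(f"  category used for lookup: {finding['selected_category']!r}")
        print(f"  mismatch: {finding['mismatch']}")
        for d in finding["descriptions"]:
            print(f"  server says: {d}")
```

Run it against a real OSP debug log (with cookies stripped, as in the post) by replacing `SAMPLE_LOG` with the file contents; a `mismatch` of `True` tells you the user was enrolled under a named category while the logon process looked up the authenticator under the empty (default) category id, which is the situation that enrolling the method in Default as well resolved for the poster.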