Keycloak creates an extra AUTH_SESSION_ID cookie with a path of "/auth" when logging in - keycloak

The Keycloak server sends what appears to be an extra AUTH_SESSION_ID cookie with a path value of "/auth" when logging into the console.
I am running Keycloak 3.4.3 Final, Standalone HA configuration on Windows 2016 servers which sit behind an F5 load balancer.
When this cookie appears in the browser and the user logs in/out of the console without closing the browser, it will eventually lead to Keycloak prompting the user with a warning "You took too long to login. Login process starting from beginning." After the user logs in for the second time, occasionally, the browser will hit a "Too Many Redirects" error and fail to open the console.
Is Keycloak supposed to create two AUTH_SESSION_ID cookies, one with a path of "/auth" and the other with a path of my realm ("/auth/realms/xxxx")?
How are these symptoms related?

The answer is no, we should not get two AUTH_SESSION_ID cookies.
Thanks to Martin Kanis and the RedHat team as they identified why this was happening. If you are using F5 or another load balancer and not the mod_cluster balancer, you should not include the following setup in your configuration:
<session-cookie name="AUTH_SESSION_ID" http-only="true" />
They are going to update the Keycloak documentation and make this point clear.
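As an added diagnostic (not part of the question or the Red Hat answer), the Python below takes the raw header block of a console login response, for example the output of `curl -i` or headers pasted from the browser's network tab, and reports every Path under which AUTH_SESSION_ID is set; more than one path reproduces the duplicate-cookie condition described above. The sample response, its cookie values and the realm name "master" are constructed placeholders.

```python
from http.cookies import SimpleCookie

# Constructed sample: the header block of a Keycloak console login response
# as a misconfigured 3.4.x instance behind an F5 might return it. Cookie
# values and the realm name are placeholders, not captured data.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://sso.example.test/auth/admin/master/console/\r\n"
    "Set-Cookie: AUTH_SESSION_ID=sessid.node1; Version=1; Path=/auth; Secure; HttpOnly\r\n"
    "Set-Cookie: AUTH_SESSION_ID=sessid.node1; Version=1; Path=/auth/realms/master; Secure; HttpOnly\r\n"
    "Set-Cookie: KEYCLOAK_IDENTITY=placeholder; Version=1; Path=/auth/realms/master; Secure; HttpOnly\r\n"
    "\r\n"
    "<html>body is ignored</html>\r\n"
)


def set_cookie_values(raw_response):
    """Return the value of every Set-Cookie header in a raw HTTP response
    (e.g. `curl -i` output, CRLF or LF line endings). Parsing stops at the
    blank line that ends the header block; names match case-insensitively."""
    values = []
    for line in raw_response.splitlines():
        if not line.strip():
            break  # blank line: end of headers, do not scan the body
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def cookie_paths(set_cookie_list, name="AUTH_SESSION_ID"):
    """Return the distinct Path attributes under which `name` is set.
    Each header is parsed in its own jar so a second cookie with the same
    name is not silently overwritten by SimpleCookie."""
    paths = []
    for value in set_cookie_list:
        jar = SimpleCookie()
        jar.load(value)
        if name in jar:
            path = jar[name]["path"] or "/"
            if path not in paths:
                paths.append(path)
    return paths


def has_duplicate_session_cookie(raw_response, name="AUTH_SESSION_ID"):
    """True when the response scopes `name` to more than one path. Both
    "/auth" and "/auth/realms/<realm>" match requests under the realm, so the
    browser sends two copies of the cookie and the server can read a stale
    one, which fits the "took too long to login" symptom in the question."""
    return len(cookie_paths(set_cookie_values(raw_response), name)) > 1


if __name__ == "__main__":
    print(cookie_paths(set_cookie_values(SAMPLE_RESPONSE)))
    print(has_duplicate_session_cookie(SAMPLE_RESPONSE))
```

After removing the `<session-cookie>` element from the configuration, re-run the check against a fresh login response: a single path for AUTH_SESSION_ID is the expected result.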

Related

Prompting of credentials on Edge browser despite already logged in on client PCs

Some background:
We were accessing our RSA Archer application on IE 11 via SSO, and all has been well. But we are required to move on to Edge browser, and that's where we started having the Windows Security credential prompt coming out, whenever we tried to access the application on Edge browser.
The strange thing is, the application is able to load up on Edge properly, in the logged in state, and then the prompt will appear. We can just click on Cancel to close the prompt and we are able to use the application normally. All end users on their client PCs encountered the same problem.
We want to remove the credentials prompt. The RSA support team has confirmed it is not an issue of their product, since there's no problem over at IE. What we have done on our end on the servers:
Enabled SSL on our load balanced environment
Updated the web.config file of the application with the entry below:
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
Configure IIS settings to allow Anonymous Authentication instead of Windows Authentication for the application pages.
Will greatly appreciate some assistance or suggestions on how to move forward. Thanks!
Add-on after investigation:
After finally being able to investigate via the development tool for this, we discovered that apparently the behavior of some components / javascripts was different on IE / Edge.
On IE, if the components / javascripts took too long to load, it would fail (status 304) and retry again until it succeeded (status 200).
On Edge, instead of failing, it goes into "Pending", and then the credentials prompt pops out, and usually there's more than one prompt. We suspect the number is based on the number of components / javascripts that are in "Pending". Clicking on Cancel on the prompt will cause the components to not load (status 304), and no retry will happen like in the case of IE.
Able to advise what's wrong? Is there a timeout in the Edge settings?
Open Edge's developer tools and go to the Network tab and see which request (URL) is prompting you for credentials. Then you can see what IIS has configured for its security.

The WSO2 IS Management console url does not seem to be effective

I have a WSO2 5.10 server behind an AWS elastic load balancer. Per my original question How can I change the management console port of a wso2 is server using deployment.toml file changes, I modified the template and the server starts and correctly reflects the new management console url in the log file. When I log into it, it also indicates that I have logged in, but the browser simply redirects back to the logon page. Further, the original carbon management url is still active and functional. For example, logon.domain.com is the host name, idp.domain.com is the management url. Both display the carbon management screens, but the idp.domain.com url does not seem to function. No logs other than acknowledging the logon are apparent. This is a multi-tenant setup; all of the tenant logons work fine.
Any thoughts on diagnosing this would be much appreciated.

AEM login screen is not appearing on a Linux machine AEM6.3

I have set up AEM 6.3 on a remote Linux machine. But when I try to access AEM from the browser, it says "Connection has timed out".
I am not getting any error in the error.log file. Also, in the stdout.log file, it says "Startup completed".
Also, I checked that the port (4502) is not blocked on the server.
When I run the command "curl http://localhost:4502/" on the server, I am not getting any error, which makes me assume that the connection is established.
Do I need to do any other configuration or something in order to access it from the browser? I am using http://ip:4502/ in the browser.
Almost certainly a firewall issue, check and check again :)
Look in the AEM access log (same folder as the other logs you looked in): can you see any requests coming in from your browser? There is no other config required on AEM to access it other than starting it up; assuming nothing network/firewall related is blocking, you should be able to access it.

OpenLDAP CentOS7 rejects authentication sometimes

I am trying to set up an OpenLDAP server that I can use as a backend for a WebSSO (LemonLDAP::NG). This specific WebSSO allows storing the sessions inside the LDAP backend.
My problem is that whenever I connect to the LDAP backend to store session data, ~1 out of 10 times it works; the other times LDAP rejects the authentication.
Logs for failed attempts and for successful attempts can be found here
As you can see the maker of LemonLDAP::NG thinks the error is within OpenLDAP (or my configuration of OpenLDAP). I'm out of ideas and open to suggestions.
Looks like someone is changing the OpenLDAP DB during your session. Don't you have any processes with access to the MDB file except this instance of OpenLDAP?
It may be slapadd/slapmodify/a 2nd slapd instance with the same directory value in config.
If not, could you show your slapd.conf (don't forget to change rootpw)?

Can not log in to Management Console

I have set up JBoss Fuse, created a fabric and installed the fabric:web feature as explained in the resource Using the Management Console. I can browse http://hostName:8181 and it shows the Management Console login screen.
However, whichever user/pass combination I try, the response is "Failed to log in, Forbidden". It also shows an icon with an exclamation mark, when I click that I see the following messages appear:
[Branding] enabled branding
[Core] Management Console started
That does not help much either. How do I know what login combination I should use? It is not clear to me what I am logging into in the first place.
In your Fuse install folder under /etc there is a file called user.properties. Is the user admin with password admin filled in? If not, then at least the admin user should be allowed.
If yes, try simply restarting the server. I am not sure why, but that has helped in some cases for me. Do an osgi:shutdown and then start it again.
Have you tried admin/admin?
I believe those are the default credentials.