Skip navigation
Currently Being Moderated

How do I get certificate authentication working across multiple domains?

May 10, 2010 4:56 PM

Hi,

 

I've got LC ES2 set up for certificate authentication and when there's only one domain (with a single certificate mapping set up), it works fine.

 

However would like to have multiple domains (application specific), with a small set of administrator type users who manage all of the domains.

 

To test, I've set up two domains, with the admin users in one and the normal users in the other.

I've set up two certificate mapping rules (both for the same CA), one for each domain.

 

However LC will only authenticate users who are matched using the first certificate mapping rule.

 

Has anyone else seen/tried this?  Have I missed something obvious?

 

For the moment I'm going to have to work with a single domain, which is a pain, but will have to do for now.

 

Thanks

Craig

 

Here's the error I get when LC fails to match (or attempt to match?) on the second cert mapping rule:

 

2010-05-11 11:23:41,331 WARN  [com.adobe.idp.um.businesslogic.authentication.AuthenticationManagerB ean] Authentication failed for  (Scheme - Certficate) Reason: Certificate Authentication failed since no user exists in the system that satisfies the certificate mapping . Refer to debug level logs for category com.adobe.idp.um.businesslogic.authentication for further details

2010-05-11 11:36:38,835 WARN  [com.adobe.idp.um.businesslogic.authentication.AuthenticationManagerB ean] Authentication failed for  (Scheme - Certficate) Reason: Certificate Authentication failed since no user exists in the system that satisfies the certificate mapping . Refer to debug level logs for category com.adobe.idp.um.businesslogic.authentication for further details

2010-05-11 11:36:38,885 ERROR [STDERR] 11/05/2010 11:36:38 AM com.adobe.rightsmanagement.webservices.rest.RestServlet doAction
SEVERE: Unexpected exception in Rest Call
com.adobe.idp.um.api.UMException| [com.adobe.idp.um.api.impl.AuthenticationManagerImpl] errorCode:16423 errorCodeHEX:0x4027 message:Authentication failed for  (Scheme - Certficate) Reason: Certificate Authentication failed since no user exists in the system that satisfies the certificate mappingcom.adobe.idp.common.errors.exception.IDPException| [com.adobe.idp.um.businesslogic.authentication.AuthenticationManagerB ean] errorCode:12805 errorCodeHEX:0x3205 message:Authentication failed for  (Scheme - Certficate) Reason: Certificate Authentication failed since no user exists in the system that satisfies the certificate mapping
at com.adobe.idp.um.api.impl.ManagerImpl.handleException(ManagerImpl.jav a:251)
at com.adobe.idp.um.api.impl.ManagerImpl.handleException(ManagerImpl.jav a:194)
at com.adobe.idp.um.api.impl.AuthenticationManagerImpl.authenticate(Auth enticationManagerImpl.java:338)
at com.adobe.idp.um.api.impl.AuthenticationManagerImpl.authenticate(Auth enticationManagerImpl.java:154)
at com.adobe.idp.um.api.impl.AuthenticationManagerImpl.authenticate(Auth enticationManagerImpl.java:162)
at com.adobe.idp.um.dsc.util.dscservice.UserManagerUtilServiceImpl.authe nticateWithWSHeaderElement(UserManagerUtilServiceImpl.java:173)
at sun.reflect.GeneratedMethodAccessor1065.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at com.adobe.idp.dsc.component.impl.DefaultPOJOInvokerImpl.invoke(Defaul tPOJOInvokerImpl.java:118)
at com.adobe.idp.dsc.interceptor.impl.InvocationInterceptor.intercept(In vocationInterceptor.java:140)
at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.procee d(RequestInterceptorChainImpl.java:60)
at com.adobe.idp.dsc.interceptor.impl.DocumentPassivationInterceptor.int ercept(DocumentPassivationInterceptor.java:53)
at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.procee d(RequestInterceptorChainImpl.java:60)
at com.adobe.idp.dsc.transaction.interceptor.TransactionInterceptor$1.do InTransaction(TransactionInterceptor.java:74)
at com.adobe.idp.dsc.transaction.impl.ejb.adapter.EjbTransactionBMTAdapt erBean.doRequiresNew(EjbTransactionBMTAdapterBean.java:218)
at sun.reflect.GeneratedMethodAccessor363.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.jboss.invocation.Invocation.performCall(Invocation.java:359)
at org.jboss.ejb.StatelessSessionContainer$ContainerInterceptor.invoke(S tatelessSessionContainer.java:237)
at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invo ke(CachedConnectionInterceptor.java:158)
at org.jboss.ejb.plugins.CallValidationInterceptor.invoke(CallValidation Interceptor.java:63)
at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInte rceptor.java:121)
at org.jboss.ejb.plugins.AbstractTxInterceptorBMT.invokeNext(AbstractTxI nterceptorBMT.java:173)
at org.jboss.ejb.plugins.TxInterceptorBMT.invoke(TxInterceptorBMT.java:7 7)
at org.jboss.ejb.plugins.StatelessSessionInstanceInterceptor.invoke(Stat elessSessionInstanceInterceptor.java:169)
at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor. java:168)
at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:205)
at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFacto ryFinderInterceptor.java:138)
at org.jboss.ejb.SessionContainer.internalInvoke(SessionContainer.java:6 48)
at org.jboss.ejb.Container.invoke(Container.java:960)
at org.jboss.ejb.plugins.local.BaseLocalProxyFactory.invoke(BaseLocalPro xyFactory.java:430)
at org.jboss.ejb.plugins.local.StatelessSessionProxy.invoke(StatelessSes sionProxy.java:103)
at $Proxy179.doRequiresNew(Unknown Source)
at com.adobe.idp.dsc.transaction.impl.ejb.EjbTransactionProvider.execute (EjbTransactionProvider.java:145)
at com.adobe.idp.dsc.transaction.interceptor.TransactionInterceptor.inte rcept(TransactionInterceptor.java:72)
at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.procee d(RequestInterceptorChainImpl.java:60)
at com.adobe.idp.dsc.interceptor.impl.InvocationStrategyInterceptor.inte rcept(InvocationStrategyInterceptor.java:55)
at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.procee d(RequestInterceptorChainImpl.java:60)
at com.adobe.idp.dsc.interceptor.impl.InvalidStateInterceptor.intercept( InvalidStateInterceptor.java:37)
at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.procee d(RequestInterceptorChainImpl.java:60)
at com.adobe.idp.dsc.interceptor.impl.AuthorizationInterceptor.intercept (AuthorizationInterceptor.java:165)
at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.procee d(RequestInterceptorChainImpl.java:60)
at com.adobe.idp.dsc.interceptor.impl.JMXInterceptor.intercept(JMXInterc eptor.java:48)
at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.procee d(RequestInterceptorChainImpl.java:60)
at com.adobe.idp.dsc.engine.impl.ServiceEngineImpl.invoke(ServiceEngineI mpl.java:121)
at com.adobe.idp.dsc.routing.Router.routeRequest(Router.java:129)
at com.adobe.idp.dsc.provider.impl.base.AbstractMessageReceiver.routeMes sage(AbstractMessageReceiver.java:93)
at com.adobe.idp.dsc.provider.impl.vm.VMMessageDispatcher.doSend(VMMessa geDispatcher.java:225)
at com.adobe.idp.dsc.provider.impl.base.AbstractMessageDispatcher.send(A bstractMessageDispatcher.java:66)
at com.adobe.idp.dsc.clientsdk.ServiceClient.invoke(ServiceClient.java:2 08)
at com.adobe.idp.um.dsc.util.client.UserManagerUtilServiceClient.authent icate(UserManagerUtilServiceClient.java:210)
at com.adobe.edc.server.platform.UMHelper.authenticate(UMHelper.java:549 )
at com.adobe.rightsmanagement.webservices.rest.RestFacade.validateClient AuthenticationHeader(RestFacade.java:161)
at com.adobe.rightsmanagement.webservices.rest.RestFacade.getBusinessHan dler(RestFacade.java:206)
at com.adobe.rightsmanagement.webservices.rest.RestFacade.getAuthenticat ionToken(RestFacade.java:226)
at com.adobe.rightsmanagement.webservices.rest.RestDefaultRequestHandler .handleRequest(RestDefaultRequestHandler.java:29)
at com.adobe.rightsmanagement.webservices.rest.RestSecureRequestHandler. handleRequest(RestSecureRequestHandler.java:13)
at com.adobe.rightsmanagement.webservices.rest.RestRequestRouter.routeRe quest(RestRequestRouter.java:10)
at com.adobe.rightsmanagement.webservices.rest.RestServlet.doAction(Rest Servlet.java:50)
at com.adobe.rightsmanagement.webservices.rest.RestServlet.doGet(RestSer vlet.java:37)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl icationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF ilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFi lter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl icationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationF ilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperV alve.java:230)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextV alve.java:175)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(Securit yAssociationValve.java:179)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValv e.java:84)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.j ava:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.j ava:104)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedC onnectionValve.java:157)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVal ve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.jav a:241)
a

2010-05-11 11:36:38,886 ERROR [STDERR] t org.apache.coyote.http11.Http11Processor.process(Http11Processor.java :844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.proce ss(Http11Protocol.java:580)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:44 7)
at java.lang.Thread.run(Unknown Source)

 
Replies
  • Currently Being Moderated
    May 11, 2010 3:58 AM   in reply to CraigHumphrey

    Craig,

     

    The certificate mapping works in the following manner,

     

    1. First the User's certificate is validated.
    2. If the certificate is valid, the related Certificate mapping information is fetched.
    3. From the Certificate Mapping information, the domain is determined.
    4. Following this, the user is searched in the domain and checked for it's current/deleted status.
    5. If user exists or is a valid one, then return an AuthResult corresponding to that is returned to the client.

     

    The error log below says, "Certificate Authentication failed since no user exists in the system that satisfies the certificate mapping"

    1. Please check if the concerned user exists in the domain registered in the second cert mapping.

    2. Also check if the concerned user satisfies the attribute mapping specified in the second cert mapping.

    3. Could you confirm whether the admin Users and the normal users are distinct in both the domains and not duplicate in any of them??

       Because if same user exists in 2 domains, then there is no way to find out which domain you are referring to. In that case the first domain which declares the user as valid will return the AuthResult.

    4. You are using LC ES2, so there is a Test Certificate utlity on the same Certificate Mapping page, which can help you confirm the validity of the user's certificate and then you can proceed.

     
    |
    Mark as:

More Like This

  • Retrieving data ...

Bookmarked By (0)

Answers + Points = Status

  • 10 points awarded for Correct Answers
  • 5 points awarded for Helpful Answers
  • 10,000+ points
  • 1,001-10,000 points
  • 501-1,000 points
  • 5-500 points