1 Reply Latest reply: May 11, 2010 3:58 AM by Amit Pugalia

    How do I get certificate authentication working across multiple domains?

    CraigHumphrey Community Member

      Hi,

       

      I've got LC ES2 set up for certificate authentication and when there's only one domain (with a single certificate mapping set up), it works fine.

       

      However, I would like to have multiple domains (application specific), with a small set of administrator-type users who manage all of the domains.

       

      To test, I've set up two domains, with the admin users in one and the normal users in the other.

      I've set up two certificate mapping rules (both for the same CA), one for each domain.

       

      However LC will only authenticate users who are matched using the first certificate mapping rule.

       

      Has anyone else seen/tried this?  Have I missed something obvious?

       

      For the moment I'm going to have to work with a single domain, which is a pain, but will have to do for now.

       

      Thanks

      Craig

       

      Here's the error I get when LC fails to match (or attempt to match?) on the second cert mapping rule:

       

      2010-05-11 11:23:41,331 WARN  [com.adobe.idp.um.businesslogic.authentication.AuthenticationManagerBean] Authentication failed for  (Scheme - Certficate) Reason: Certificate Authentication failed since no user exists in the system that satisfies the certificate mapping . Refer to debug level logs for category com.adobe.idp.um.businesslogic.authentication for further details

      2010-05-11 11:36:38,835 WARN  [com.adobe.idp.um.businesslogic.authentication.AuthenticationManagerBean] Authentication failed for  (Scheme - Certficate) Reason: Certificate Authentication failed since no user exists in the system that satisfies the certificate mapping . Refer to debug level logs for category com.adobe.idp.um.businesslogic.authentication for further details

      2010-05-11 11:36:38,885 ERROR [STDERR] 11/05/2010 11:36:38 AM com.adobe.rightsmanagement.webservices.rest.RestServlet doAction
      SEVERE: Unexpected exception in Rest Call
      com.adobe.idp.um.api.UMException| [com.adobe.idp.um.api.impl.AuthenticationManagerImpl] errorCode:16423 errorCodeHEX:0x4027 message:Authentication failed for  (Scheme - Certficate) Reason: Certificate Authentication failed since no user exists in the system that satisfies the certificate mappingcom.adobe.idp.common.errors.exception.IDPException| [com.adobe.idp.um.businesslogic.authentication.AuthenticationManagerBean] errorCode:12805 errorCodeHEX:0x3205 message:Authentication failed for  (Scheme - Certficate) Reason: Certificate Authentication failed since no user exists in the system that satisfies the certificate mapping
      at com.adobe.idp.um.api.impl.ManagerImpl.handleException(ManagerImpl.java:251)
      at com.adobe.idp.um.api.impl.ManagerImpl.handleException(ManagerImpl.java:194)
      at com.adobe.idp.um.api.impl.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:338)
      at com.adobe.idp.um.api.impl.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:154)
      at com.adobe.idp.um.api.impl.AuthenticationManagerImpl.authenticate(AuthenticationManagerImpl.java:162)
      at com.adobe.idp.um.dsc.util.dscservice.UserManagerUtilServiceImpl.authenticateWithWSHeaderElement(UserManagerUtilServiceImpl.java:173)
      at sun.reflect.GeneratedMethodAccessor1065.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
      at java.lang.reflect.Method.invoke(Unknown Source)
      at com.adobe.idp.dsc.component.impl.DefaultPOJOInvokerImpl.invoke(DefaultPOJOInvokerImpl.java:118)
      at com.adobe.idp.dsc.interceptor.impl.InvocationInterceptor.intercept(InvocationInterceptor.java:140)
      at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptorChainImpl.java:60)
      at com.adobe.idp.dsc.interceptor.impl.DocumentPassivationInterceptor.intercept(DocumentPassivationInterceptor.java:53)
      at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptorChainImpl.java:60)
      at com.adobe.idp.dsc.transaction.interceptor.TransactionInterceptor$1.doInTransaction(TransactionInterceptor.java:74)
      at com.adobe.idp.dsc.transaction.impl.ejb.adapter.EjbTransactionBMTAdapterBean.doRequiresNew(EjbTransactionBMTAdapterBean.java:218)
      at sun.reflect.GeneratedMethodAccessor363.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
      at java.lang.reflect.Method.invoke(Unknown Source)
      at org.jboss.invocation.Invocation.performCall(Invocation.java:359)
      at org.jboss.ejb.StatelessSessionContainer$ContainerInterceptor.invoke(StatelessSessionContainer.java:237)
      at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:158)
      at org.jboss.ejb.plugins.CallValidationInterceptor.invoke(CallValidationInterceptor.java:63)
      at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:121)
      at org.jboss.ejb.plugins.AbstractTxInterceptorBMT.invokeNext(AbstractTxInterceptorBMT.java:173)
      at org.jboss.ejb.plugins.TxInterceptorBMT.invoke(TxInterceptorBMT.java:77)
      at org.jboss.ejb.plugins.StatelessSessionInstanceInterceptor.invoke(StatelessSessionInstanceInterceptor.java:169)
      at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:168)
      at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:205)
      at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.java:138)
      at org.jboss.ejb.SessionContainer.internalInvoke(SessionContainer.java:648)
      at org.jboss.ejb.Container.invoke(Container.java:960)
      at org.jboss.ejb.plugins.local.BaseLocalProxyFactory.invoke(BaseLocalProxyFactory.java:430)
      at org.jboss.ejb.plugins.local.StatelessSessionProxy.invoke(StatelessSessionProxy.java:103)
      at $Proxy179.doRequiresNew(Unknown Source)
      at com.adobe.idp.dsc.transaction.impl.ejb.EjbTransactionProvider.execute(EjbTransactionProvider.java:145)
      at com.adobe.idp.dsc.transaction.interceptor.TransactionInterceptor.intercept(TransactionInterceptor.java:72)
      at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptorChainImpl.java:60)
      at com.adobe.idp.dsc.interceptor.impl.InvocationStrategyInterceptor.intercept(InvocationStrategyInterceptor.java:55)
      at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)
      at com.adobe.idp.dsc.interceptor.impl.InvalidStateInterceptor.intercept(InvalidStateInterceptor.java:37)
      at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)
      at com.adobe.idp.dsc.interceptor.impl.AuthorizationInterceptor.intercept(AuthorizationInterceptor.java:165)
      at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)
      at com.adobe.idp.dsc.interceptor.impl.JMXInterceptor.intercept(JMXInterceptor.java:48)
      at com.adobe.idp.dsc.interceptor.impl.RequestInterceptorChainImpl.proceed(RequestInterceptor ChainImpl.java:60)
      at com.adobe.idp.dsc.engine.impl.ServiceEngineImpl.invoke(ServiceEngineImpl.java:121)
      at com.adobe.idp.dsc.routing.Router.routeRequest(Router.java:129)
      at com.adobe.idp.dsc.provider.impl.base.AbstractMessageReceiver.routeMessage(AbstractMessageReceiver.java:93)
      at com.adobe.idp.dsc.provider.impl.vm.VMMessageDispatcher.doSend(VMMessageDispatcher.java:225)
      at com.adobe.idp.dsc.provider.impl.base.AbstractMessageDispatcher.send(AbstractMessageDispatcher.java:66)
      at com.adobe.idp.dsc.clientsdk.ServiceClient.invoke(ServiceClient.java:208)
      at com.adobe.idp.um.dsc.util.client.UserManagerUtilServiceClient.authenticate(UserManagerUtilServiceClient.java:210)
      at com.adobe.edc.server.platform.UMHelper.authenticate(UMHelper.java:549)
      at com.adobe.rightsmanagement.webservices.rest.RestFacade.validateClientAuthenticationHeader(RestFacade.java:161)
      at com.adobe.rightsmanagement.webservices.rest.RestFacade.getBusinessHandler(RestFacade.java:206)
      at com.adobe.rightsmanagement.webservices.rest.RestFacade.getAuthenticationToken(RestFacade.java:226)
      at com.adobe.rightsmanagement.webservices.rest.RestDefaultRequestHandler.handleRequest(RestDefaultRequestHandler.java:29)
      at com.adobe.rightsmanagement.webservices.rest.RestSecureRequestHandler.handleRequest(RestSecureRequestHandler.java:13)
      at com.adobe.rightsmanagement.webservices.rest.RestRequestRouter.routeRequest(RestRequestRouter.java:10)
      at com.adobe.rightsmanagement.webservices.rest.RestServlet.doAction(RestServlet.java:50)
      at com.adobe.rightsmanagement.webservices.rest.RestServlet.doGet(RestServlet.java:37)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
      at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
      a

      2010-05-11 11:36:38,886 ERROR [STDERR] t org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
      at java.lang.Thread.run(Unknown Source)
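A small parser for the User Manager WARN lines quoted in the post, added here as an example (it is not code from the post or from LiveCycle): it pulls the timestamp, scheme and reason out of each authentication-failure line so that repeated failures with the same reason can be counted and alerted on. The two WARN lines in the sample are the ones from the post, kept with the server's own "Certficate" spelling; the third line is constructed to show that unrelated entries are skipped. Note that the user field between "for" and "(Scheme" is empty in these lines, so the WARN log on its own cannot say which certificate was presented; the debug-level logging the message points to is needed for that.

```python
"""Parse LiveCycle User Manager authentication-failure WARN lines and count them by reason."""
import re
from collections import Counter

# One JBoss/log4j line: timestamp, level, [logger], message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\] (?P<message>.*)$"
)
# The message shape used by AuthenticationManagerBean; the trailing
# "Refer to debug level logs ..." sentence is optional and dropped.
AUTH_FAIL_RE = re.compile(
    r"Authentication failed for (?P<user>.*?) \(Scheme - (?P<scheme>[^)]+)\) "
    r"Reason: (?P<reason>.+?)(?: \. Refer to .*)?$"
)

# First two lines are quoted from the post; the INFO line is constructed.
SAMPLE_LOG = """\
2010-05-11 11:23:41,331 WARN  [com.adobe.idp.um.businesslogic.authentication.AuthenticationManagerBean] Authentication failed for  (Scheme - Certficate) Reason: Certificate Authentication failed since no user exists in the system that satisfies the certificate mapping . Refer to debug level logs for category com.adobe.idp.um.businesslogic.authentication for further details
2010-05-11 11:36:38,835 WARN  [com.adobe.idp.um.businesslogic.authentication.AuthenticationManagerBean] Authentication failed for  (Scheme - Certficate) Reason: Certificate Authentication failed since no user exists in the system that satisfies the certificate mapping . Refer to debug level logs for category com.adobe.idp.um.businesslogic.authentication for further details
2010-05-11 11:40:02,100 INFO  [com.example.Constructed] constructed unrelated line
"""


def parse_auth_failures(text):
    """Return one record per authentication-failure WARN line; everything else is skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("level") != "WARN":
            continue
        f = AUTH_FAIL_RE.search(m.group("message"))
        if not f:
            continue
        records.append({
            "timestamp": m.group("ts"),
            "logger": m.group("logger"),
            "user": f.group("user") or None,  # empty in the quoted lines
            "scheme": f.group("scheme"),
            "reason": f.group("reason"),
        })
    return records


def failures_by_reason(records):
    """Count failures per (scheme, reason); a climbing count for one reason is the thing to alert on."""
    return Counter((r["scheme"], r["reason"]) for r in records)


if __name__ == "__main__":
    recs = parse_auth_failures(SAMPLE_LOG)
    for r in recs:
        print(r["timestamp"], r["scheme"], r["user"], "-", r["reason"])
    for (scheme, reason), n in failures_by_reason(recs).items():
        print(f"{n} x [{scheme}] {reason}")
```

Feeding the real server log through parse_auth_failures and watching failures_by_reason gives a quick way to see whether every failure carries the "no user exists in the system that satisfies the certificate mapping" reason (a mapping or directory problem) or whether certificate validation itself is failing, which shows up as a different reason string.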

        • 1. Re: How do I get certificate authentication working across multiple domains?
          Amit Pugalia techies

          Craig,

           

          The certificate mapping works in the following manner:

           

          1. First the User's certificate is validated.
          2. If the certificate is valid, the related Certificate mapping information is fetched.
          3. From the Certificate Mapping information, the domain is determined.
          4. Following this, the user is searched in the domain and checked for its current/deleted status.
          5. If the user exists or is a valid one, then an AuthResult corresponding to that user is returned to the client.

           

          The error log below says, "Certificate Authentication failed since no user exists in the system that satisfies the certificate mapping"

          1. Please check if the concerned user exists in the domain registered in the second cert mapping.

          2. Also check if the concerned user satisfies the attribute mapping specified in the second cert mapping.

          3. Could you confirm whether the admin users and the normal users are distinct in both the domains and not duplicated in any of them?

             Because if the same user exists in 2 domains, then there is no way to find out which domain you are referring to. In that case the first domain which declares the user as valid will return the AuthResult.

          4. You are using LC ES2, so there is a Test Certificate utility on the same Certificate Mapping page, which can help you confirm the validity of the user's certificate and then you can proceed.
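A model of the resolution flow the reply describes, added here as an example; it is not LiveCycle code and does not claim to be how the product is implemented. It walks the five steps (validate the certificate, fetch the mapping for its CA, determine the domain, look the user up in that domain, check current/deleted status) over a constructed pair of domains and makes two behaviours visible: a certificate whose user is not in the domain of the rule being evaluated fails with the exact message from the log, and a user provisioned in two domains resolves to whichever domain's rule comes first, the ambiguity point 3 warns about. The domain names, users, the "Example CA" issuer, the attribute names and the stop_after_first_rule switch (which reproduces what the question reports) are all assumptions of the example.

```python
"""Model of certificate-mapping resolution across several domains (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Certificate:
    issuer: str          # CA that signed the certificate
    attributes: dict     # subject attributes, e.g. {"CN": ..., "E": ...}
    valid: bool = True   # outcome of chain / expiry / revocation checks (step 1)


@dataclass
class MappingRule:
    ca: str              # issuer this rule applies to
    domain: str          # domain the matched user must live in (step 3)
    cert_attribute: str  # subject attribute read from the certificate
    user_attribute: str  # user attribute it is compared against (step 4)


@dataclass
class AuthResult:
    domain: str
    user_id: str


# Message quoted from the server log in the question.
NO_USER = ("Certificate Authentication failed since no user exists in the "
           "system that satisfies the certificate mapping")


def _lookup(cert, rule, domains):
    """Steps 3-4: search the rule's domain for a *current* user whose mapped attribute matches."""
    wanted = cert.attributes.get(rule.cert_attribute)
    for user_id, user in domains.get(rule.domain, {}).items():
        if user["status"] == "current" and user.get(rule.user_attribute) == wanted:
            return user_id
    return None


def authenticate(cert, rules, domains, *, stop_after_first_rule=False):
    """Return an AuthResult, or raise ValueError carrying the message from the log.

    stop_after_first_rule=True reproduces the behaviour reported in the question
    (only the first rule for the CA is consulted). By default every rule for the
    certificate's issuer is tried in order and the first domain that declares the
    user valid wins, which is why a user duplicated across domains is ambiguous.
    """
    if not cert.valid:                                        # step 1
        raise ValueError("Certificate validation failed")
    applicable = [r for r in rules if r.ca == cert.issuer]    # step 2
    if stop_after_first_rule:
        applicable = applicable[:1]
    for rule in applicable:                                   # steps 3-5
        user_id = _lookup(cert, rule, domains)
        if user_id is not None:
            return AuthResult(rule.domain, user_id)
    raise ValueError(NO_USER)


def outcome(cert, rules, domains, **kwargs):
    """authenticate() as a plain tuple instead of an exception, for checking results."""
    try:
        r = authenticate(cert, rules, domains, **kwargs)
        return ("ok", r.domain, r.user_id)
    except ValueError as exc:
        return ("error", str(exc))


def duplicate_users(domains, attribute):
    """Values of `attribute` present in more than one domain (the check in point 3)."""
    seen = defaultdict(set)
    for domain, users in domains.items():
        for user in users.values():
            seen[user.get(attribute)].add(domain)
    return {value: sorted(ds) for value, ds in seen.items() if len(ds) > 1}


# Constructed directory: admins in one domain, application users in another,
# plus one e-mail address that was provisioned in both domains by mistake.
DOMAINS = {
    "AdminDomain": {
        "alice": {"status": "current", "email": "alice@example.com"},
        "dave":  {"status": "current", "email": "dave@example.com"},
    },
    "AppDomain": {
        "bob":   {"status": "current", "email": "bob@example.com"},
        "carol": {"status": "deleted", "email": "carol@example.com"},
        "dave2": {"status": "current", "email": "dave@example.com"},
    },
}
# Two rules for the same CA, one per domain, both mapping subject E to the user's email.
RULES = [
    MappingRule("Example CA", "AdminDomain", "E", "email"),
    MappingRule("Example CA", "AppDomain", "E", "email"),
]
BOB_CERT = Certificate("Example CA", {"CN": "Bob", "E": "bob@example.com"})
CAROL_CERT = Certificate("Example CA", {"CN": "Carol", "E": "carol@example.com"})
DAVE_CERT = Certificate("Example CA", {"CN": "Dave", "E": "dave@example.com"})

if __name__ == "__main__":
    print(outcome(BOB_CERT, RULES, DOMAINS))                              # second rule matches
    print(outcome(BOB_CERT, RULES, DOMAINS, stop_after_first_rule=True))  # the failure from the log
    print(outcome(CAROL_CERT, RULES, DOMAINS))                            # deleted user, same failure
    print(outcome(DAVE_CERT, RULES, DOMAINS))                             # AdminDomain wins silently
    print(duplicate_users(DOMAINS, "email"))                              # flags dave@example.com
```

Running duplicate_users over an export of the real domains before adding a second mapping rule is the cheap version of point 3: any value it returns is a user whose authenticating domain depends on rule order rather than on anything the administrator chose.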