Timeout message on first UserApplication login

Hello everyone

I'm having an issue with the UserApplication (4.6.2), when i try to login i get this message:

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<Fault>
<Code>
<Value>Sender</Value>
<Subcode>
<Value>Expired</Value>
</Subcode>
</Code>
<Reason>
<Text>
Login session has timed out. Log in to the application again.
</Text>
</Reason>
</Fault>


But, when we enter again to http://MYPORTALIP:8080/IDMProv this error dissapears

Also, on the catalina.out we can see the following errors:

  7017:2018-01-18 09:41:49,591 [ERROR] OAuthServlet [RBPM] Login session has timed out. Log in to the application again.
7018:com.novell.common.auth.ValidationException
7019: at com.netiq.idm.auth.oauth.OAuthServlet.handleAuthorizationResponse(OAuthServlet.java:176)
7020: at com.netiq.idm.auth.oauth.OAuthServlet.doGet(OAuthServlet.java:70)
7021: at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
7022: at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
7023: at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
7024: at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
7025: at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
7026: at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
7027: at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
7028: at com.novell.common.CrossScriptingFilter.doFilter(CrossScriptingFilter.java:53)
7029: at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
7030: at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
7031: at com.novell.common.HttpSecurityHeadersFilter.doFilter(HttpSecurityHeadersFilter.java:132)
7032: at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
7033: at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
7034: at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
7035: at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
7036: at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
7037: at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
7038: at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
7039: at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
7040: at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
7041: at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
7042: at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
7043: at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
7044: at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
7045: at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
7046: at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
7047: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
7048: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
7049: at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
7050: at java.lang.Thread.run(Thread.java:748)


The portal is an Identity Applications 4.6.2, Tomcat 8.5.23, Java 1.8 Update 152 connected to a Identity Manager 4.6.2 Server with eDirectory 9.0.4

Someone knows what is wrong? Could it be an OAuth issue or bug?

Thanks in advance.
  • Jdipietrantonio,

    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.

    These forums are peer-to-peer, best effort, volunteer run and that if your issue
    is urgent or not getting a response, you might try one of the following options:

    - Visit https://www.microfocus.com/support-and-services and search the knowledgebase and/or check
    all the other self support options and support programs available.
    - Open a service request: https://www.microfocus.com/support
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.microfocus.com)
    - You might consider hiring a local partner to assist you.
    https://www.partnernetprogram.com/partnerfinder/find.html

    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.microfocus.com/faq.php

    Sometimes this automatic posting will alert someone that can respond.

    If this is a reply to a duplicate posting or otherwise posted in error, please
    ignore and accept our apologies and rest assured we will issue a stern reprimand
    to our posting bot.

    Good luck!

    Your Micro Focus Forums Team
    http://forums.microfocus.com


  • jdipietrantonio;2473797 wrote:
    Hello everyone

    I'm having an issue with the UserApplication (4.6.2), when i try to login i get this message:

    This XML file does not appear to have any style information associated with it. The document tree is shown below.
    <Fault>
    <Code>
    <Value>Sender</Value>
    <Subcode>
    <Value>Expired</Value>
    </Subcode>
    </Code>
    <Reason>
    <Text>
    Login session has timed out. Log in to the application again.
    </Text>
    </Reason>
    </Fault>


    But, when we enter again to http://MYPORTALIP:8080/IDMProv this error dissapears

    Also, on the catalina.out we can see the following errors:

      7017:2018-01-18 09:41:49,591 [ERROR] OAuthServlet [RBPM] Login session has timed out. Log in to the application again.
    7018:com.novell.common.auth.ValidationException
    7019: at com.netiq.idm.auth.oauth.OAuthServlet.handleAuthorizationResponse(OAuthServlet.java:176)
    7020: at com.netiq.idm.auth.oauth.OAuthServlet.doGet(OAuthServlet.java:70)
    7021: at javax.servlet.http.HttpServlet.service(HttpServlet.java:635)
    7022: at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    7023: at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    7024: at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    7025: at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    7026: at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    7027: at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    7028: at com.novell.common.CrossScriptingFilter.doFilter(CrossScriptingFilter.java:53)
    7029: at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    7030: at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    7031: at com.novell.common.HttpSecurityHeadersFilter.doFilter(HttpSecurityHeadersFilter.java:132)
    7032: at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    7033: at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    7034: at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
    7035: at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    7036: at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
    7037: at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    7038: at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
    7039: at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
    7040: at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    7041: at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
    7042: at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
    7043: at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    7044: at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
    7045: at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
    7046: at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    7047: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    7048: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    7049: at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    7050: at java.lang.Thread.run(Thread.java:748)


    The portal is an Identity Applications 4.6.2, Tomcat 8.5.23, Java 1.8 Update 152 connected to a Identity Manager 4.6.2 Server with eDirectory 9.0.4

    Someone knows what is wrong? Could it be an OAuth issue or bug?

    Thanks in advance.


    You get this particular error if you're using IE as the web browser (Firefox and Chrome you get a different error) and if the redirect URLs in configupdate.sh are missing the port. So if you have https://login.foo.com/idmdash/oauth.html in there, it should be https://login.foo.com:443/idmdash/oauth.html (you must include the port number).

    But only with IE. Why IE presents an entirely different error message, both to the user, and in catalina.out, I don't know.

    Found this question while looking for this very same error, and saw it wasn't answered, so even though it's old, at least this way anybody searching for this will find the answer next time.
  • On 12/18/2018 10:26 AM, c-pkalla wrote:
    >
    > Below URL's changed in configupdate-> outh redirect Urls. Should I
    > change all of them or only few?
    >
    > https://www.localhost:443/landing/com.netiq.ualanding.index/oauth.html
    > https://www.localhost:443/dash/com.netiq.uadash.index/oauth.html
    > https://www.localhost:443/idmdash/oauth.html
    > https://www.localhost:443/IDMProv/oauth
    > https://www.localhost:443/IDMRPT/oauth.html
    > https://www.localhost:443/rra/com.netiq.rra.index/oauth.html
    > https://www.localhost:443/sspr/public/oauth
    >
    > Still having an issue. How do you resolve this issue. IDM 4.6.3, OSP
    > 6.2.1,


    Hey KP
    Short answer - your issue is that OSP is following the standard that is
    super duper sensitive to EXACTLY what the browsers URL bar says.

    So https://host:443/ is NOT the same as https://host/ even though HTTPS
    is always on 443, and worst, all browsers, if you type https://host:443/
    it will rewrite it against your will to https://host/ cuz the browser
    knows!

    Ok, so no problem, then in configupdate.sh you think you can just simply
    put https://host/ and be done right?

    Except it validates and says, YOU NEED A PORT! And you cannot save
    without a port value.

    So what we usually do is define it as 443, and then save, and then edit
    the file and remove the :443 and then restart and it works.

    But next time you open configupdate.sh it will complain till you put 443
    back in.


  • I recently updated the IDM to the 4.7 version. When i try to open a running task in the UserApplication i get exactly the same error. Im using OSP in the port 8543. I tried the solution that geoffc proposed, i removed from the ism-configuration-properties file the port from all the "OSP Oauth redirect url" field. Now no url have the the port, but when i try to access to the UserApplication in the IE browser cant load the page. In Chrome is working fine, like nothing happend. Can i anyome give a hand?
  • On 4/9/2019 12:14 PM, gtejo wrote:
    >
    > I recently updated the IDM to the 4.7 version. When i try to open a
    > running task in the UserApplication i get exactly the same error. Im
    > using OSP in the port 8543. I tried the solution that geoffc proposed, i
    > removed from the ism-configuration-properties file the port from all the
    > "OSP Oauth redirect url" field. Now no url have the the port, but when i
    > try to access to the UserApplication in the IE browser cant load the
    > page. In Chrome is working fine, like nothing happend. Can i anyome give
    > a hand?


    So be clear, I only said that in the 443 case do you need to remove port
    references. For 8543 you MUST have the port references in the
    ism-configuration.properties file.

    Could you clarify, since your post above seems to contradict itself.

  • Yes, the OSP port im using is the 8543. In the configupdate this port is set in the Authentication tab, in the property "OAuth server TCP port" and in all the url of the property "OSP Oauth redirect url" in the SSO client. With this configurations, im having the same error as mentioned above. In chrome work's fine, but in IE im getting this error.
  • On 4/9/2019 1:14 PM, gtejo wrote:
    >
    > Yes, the OSP port im using is the 8543. In the configupdate this port is
    > set in the Authentication tab, in the property "OAuth server TCP port"
    > and in all the url of the property "OSP Oauth redirect url" in the SSO
    > client. With this configurations, im having the same error as mentioned
    > above. In chrome work's fine, but in IE im getting this error.


    Get a tool like SAML Tracer, or something that will show each HTTP
    request in sequence, and decode them (Different than apacket trace) for
    IE, and then lets see where it is 'going and doing' and then do the same
    in Chrome and compare.

  • On 4/9/2019 1:14 PM, gtejo wrote:
    >
    > Yes, the OSP port im using is the 8543. In the configupdate this port is
    > set in the Authentication tab, in the property "OAuth server TCP port"
    > and in all the url of the property "OSP Oauth redirect url" in the SSO
    > client. With this configurations, im having the same error as mentioned
    > above. In chrome work's fine, but in IE im getting this error.


    Get a tool like SAML Tracer, or something that will show each HTTP
    request in sequence, and decode them (Different than apacket trace) for
    IE, and then lets see where it is 'going and doing' and then do the same
    in Chrome and compare.