HTTP ERROR 403 after upgrading my Test server from SBM v11.8 to v12.1

I've just upgraded my Test server, which is controlled by DISA, from SBM v11.8 to v12.1 and installed APLS v2022.08 on the same server.

I ran into this 403 error every time I tried to access the work center using both Chrome and Edge. I cleared browser data every time, and when I ran "nslookup" I also got the response without a timeout issue, but there's no way for me to access the work center. I upgraded my Development server a few months ago and everything worked fine because that environment is in my project network. Has anyone experienced the same issue? Any suggestions, please?

  • Verified Answer


    We need to determine what is generating the 403 issue.

    First, ensure that IIS logging is enabled on workcenter, gsoap and sbmconnector. Then check the IIS logs to get the 403.X error, if one exists. The .X will tell us a lot if you are getting the 403 on IIS. Open DevTools and verify which URL is giving you the 403 error.

    Next, look at the hostname in the URL. Copy the URL and paste it into Notepad. Do you see a "continue" or "wreply" query parameter that references a hostname different from the URL hostname? If so, look at Configurator > Authentication > SSO Protected Hosts and verify that this other hostname is there. If it is and you have an asterisk next to Authentication, the solution may be to just apply Configurator again. Perhaps the SBM IDP is throwing the error.
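The triage described in this answer (IIS 403 substatus first, then the wreply/continue hostname versus the SSO protected-host list), as a worked example added here that is not part of the original answer or of SBM. It runs over a constructed IIS W3C log sample; PROTECTED_HOSTS is an assumed stand-in for whatever Configurator > Authentication > SSO Protected Hosts contains on the real server, and the substatus table is the documented IIS meaning of each code.

```python
"""Triage IIS 403s and check SSO redirect targets against the protected-host list.

Added example, not from the thread or the SBM product. SAMPLE_LOG is
constructed; PROTECTED_HOSTS is an assumed stand-in for the Configurator list.
"""
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Documented IIS 403 substatus meanings (subset relevant to a client-cert SSO front end).
SUBSTATUS = {
    0: "Forbidden (generic)",
    4: "SSL required",
    7: "Client certificate required",
    13: "Client certificate revoked",
    14: "Directory listing denied",
    16: "Client certificate is untrusted or invalid",
    17: "Client certificate has expired or is not yet valid",
    18: "Cannot execute request from that application pool",
}

# Assumed stand-in for Configurator > Authentication > SSO Protected Hosts.
PROTECTED_HOSTS = {"sbm-test.example.mil"}

# Constructed IIS W3C log: the #Fields header defines the column order.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-10-17 21:10:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2023-10-17 21:10:32 10.1.2.3 GET /workcenter/ - 443 - 10.9.8.7 Mozilla/5.0 403 16 2148204809 12
2023-10-17 21:10:45 10.1.2.3 GET /idp/login wreply=https%3A%2F%2Fsbm-test%2Fworkcenter%2F 443 - 10.9.8.7 Mozilla/5.0 403 0 0 3
2023-10-17 21:11:02 10.1.2.3 GET /idp/login continue=https%3A%2F%2Fsbm-test.example.mil%2Ftmtrack%2Ftmtrack.dll%3F 443 - 10.9.8.7 Mozilla/5.0 200 0 0 5
2023-10-17 21:11:30 10.1.2.3 GET /gsoap/gsoap.dll - 443 - 10.9.8.7 Mozilla/5.0 403 16 2148204809 9
"""


def parse_iis_log(text):
    """Yield one dict per log entry, keyed by the names on the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")  # IIS writes spaces inside values as '+', so a plain split is safe
        if fields is None or len(values) != len(fields):
            continue  # header missing or truncated line: skip rather than misalign columns
        yield dict(zip(fields, values))


def redirect_target_host(entry, params=("wreply", "continue")):
    """Hostname named by a wreply/continue parameter on the request, or None."""
    query = entry.get("cs-uri-query", "-")
    if query == "-":
        return None
    parsed = parse_qs(query)  # also percent-decodes the nested URL
    for name in params:
        if name in parsed:
            return (urlsplit(parsed[name][0]).hostname or "").lower()
    return None


def triage(text, protected_hosts):
    """Count 403s by substatus and list redirect targets outside the protected-host list."""
    allowed = {h.lower() for h in protected_hosts}
    by_substatus = Counter()
    unprotected = []
    for entry in parse_iis_log(text):
        if entry.get("sc-status") == "403":
            by_substatus[int(entry.get("sc-substatus", "0"))] += 1
        host = redirect_target_host(entry)
        if host and host not in allowed:
            unprotected.append((entry["cs-uri-stem"], host))
    return by_substatus, unprotected


def describe(by_substatus):
    """Map each observed substatus to a readable line, e.g. '403.16' -> '2 x Client ...'."""
    return {f"403.{sub}": f"{n} x {SUBSTATUS.get(sub, 'unknown substatus')}"
            for sub, n in sorted(by_substatus.items())}


if __name__ == "__main__":
    counts, mismatches = triage(SAMPLE_LOG, PROTECTED_HOSTS)
    for code, line in describe(counts).items():
        print(code, line)
    for stem, host in mismatches:
        print(f"{stem}: redirect target {host!r} is not in SSO Protected Hosts")
```

On the constructed sample the script reports two 403.16 entries (the client-certificate case) and one generic 403.0 on /idp/login whose wreply points at the short name sbm-test, which is not in the protected-host set; that second finding is the hostname mismatch the answer tells you to look for. Point it at the real u_ex*.log files from the workcenter, gsoap and sbmconnector sites once logging is on.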

  • Reply

    Thank you, David, for your suggestions, and I'm really sorry for my late response; I've been too busy to try out all possibilities to resolve the issue.

    - At first, from the IIS log file, the error was 403.16, related to the certificate, so I had to re-import all DOD certificates. After this action, I no longer see the 403.16 error in the log.

    - However, I now see the error as "403 keep alive". The hostname shown in the URL, the one next to wreply, and the one under Configurator > Authentication > SSO Protected Hosts are all the same.

    From the web browser using the Developer tools, the error is "Failed to load resource: the server responded with a status of 403 ()"

  • Reply

    Make sure that when you open Configurator there is not an asterisk next to Authentication: Configurator > Authentication > SSO Protected Hosts. If there is, it means that SBM is failing authentication. Normally the sso-idp.log or server.log would show more information about this, but it may not show what we want to know in 12.1 (we are working on fixing this). We may need to look at the SSO gatekeeper log and the web.xml in idp/web-inf/conf.

  • Reply

    Thank you so much for your suggestion, and I would really appreciate your review of the following:

    1. There's no such asterisk in my SBM configurator.

    2. There are lots of ERRORs in the sso-gatekeeper.log, but I don't know how/where to fix this error. Here is just a small part of the log:

    2023-10-17T21:10:32,156 DEBUG [GK] f: g: GatekeeperFilterImpl.doFilterInternal(555): Anonymous request allowed
    2023-10-17T21:10:32,166 DEBUG [GK] f: g: GatekeeperFilterImpl.doFilterInternal(607): <<< SSO Gatekeeper processing end <<<
    2023-10-17T21:10:45,855 ERROR [GK] f: g: GatekeeperSPIProviderImpl.requestSecurityToken(571): Username cannot be empty when requesting security token
    2023-10-17T21:22:45,162 ERROR [GK] f: g: GatekeeperSPIProviderImpl.requestSecurityToken(571): Username cannot be empty when requesting security token
    2023-10-17T21:52:45,166 ERROR [GK] f: g: GatekeeperSPIProviderImpl.requestSecurityToken(571): Username cannot be empty when requesting security token

    3. Here is the web.xml file:

    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns="xmlns.jcp.org/.../javaee" xmlns:xsi="www.w3.org/.../XMLSchema-instance" xsi:schemaLocation="xmlns.jcp.org/.../javaee xmlns.jcp.org/.../web-app_3_1.xsd" version="3.1" metadata-complete="true">

    <absolute-ordering />

    <display-name>Single Sign On Login UI</display-name>
    <description>Single Sign On Login UI</description>


    <listener>
    <listener-class>org.eclipse.alf.security.sso.server.federationserver.FedSrvServletContextListener</listener-class>
    </listener>

    <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>


    <context-param>
    <param-name>ROOT_PATH</param-name>
    <param-value>${server.deploy.dir}/idp</param-value>
    </context-param>
    <context-param>
    <param-name>fedsvr.log4j.use-repo-selector</param-name>
    <param-value>true</param-value>
    </context-param>
    <context-param>
    <param-name>fedsvr.log4j.create-new-repo</param-name>
    <param-value>true</param-value>
    </context-param>
    <context-param>
    <param-name>fedsvr.log4j.properties.filename</param-name>
    <param-value>
    /WEB-INF/conf/log4j2.xml</param-value>
    </context-param>
    <context-param>
    <param-name>log4jConfiguration</param-name>
    <param-value>/WEB-INF/conf/log4j2.xml</param-value>
    </context-param>
    <!-- Spring Security SAML -->
    <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/conf/saml2sp/securityContext.xml</param-value>
    </context-param>


    <!-- Login redirect parameters -->
    <context-param>
    <param-name>loginredirect.serviceURL</param-name>
    <param-value><![CDATA[https://iss2.rfitv.army.mil/tmtrack/tmtrack.dll?]]></param-value>
    </context-param>
    <context-param>
    <param-name>loginredirect.serviceURL.ar</param-name>
    <param-value><![CDATA[http://localhost:8085/mashupmgr/]]></param-value>
    </context-param>


    <!-- ========================================================== -->
    <!-- Federation server servlet -->
    <!-- ========================================================== -->
    <servlet>
    <servlet-name>FedSrvServlet</servlet-name>
    <servlet-class>org.eclipse.alf.security.sso.server.federationserver.FedSrvServlet</servlet-class>
    <init-param>
    <param-name>fedsvr.config.filename</param-name>
    <param-value>/WEB-INF/conf/fedsvr-services-config.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
    <servlet-name>FedSrvServlet</servlet-name>
    <url-pattern>/login</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>FedSrvServlet</servlet-name>
    <url-pattern>/logout</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>FedSrvServlet</servlet-name>
    <url-pattern>/rdr</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>FedSrvServlet</servlet-name>
    <url-pattern>/login_provider</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>FedSrvServlet</servlet-name>
    <url-pattern>/login_saml</url-pattern>
    </servlet-mapping>


    <!-- ========================================================== -->
    <!-- STS WS-Trust Services (Axis1) -->
    <!-- ========================================================== -->
    <servlet>
    <display-name>WSTrust-based Token Service Servlet</display-name>
    <servlet-name>WSTrustTokenServlet</servlet-name>
    <servlet-class>org.eclipse.higgins.sts.binding.axis1x.Servlet</servlet-class>
    <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
    <servlet-name>WSTrustTokenServlet</servlet-name>
    <url-pattern>/services/*</url-pattern>
    </servlet-mapping>


    <!-- ========================================================== -->
    <!-- STS JSON Services -->
    <!-- ========================================================== -->
    <servlet>
    <display-name>JSON-based Token Service Servlet</display-name>
    <servlet-name>JSONTokenServlet</servlet-name>
    <servlet-class>org.eclipse.higgins.sts.binding.rest.Servlet</servlet-class>
    <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
    <servlet-name>JSONTokenServlet</servlet-name>
    <url-pattern>/services/rest/*</url-pattern>
    </servlet-mapping>


    <!-- ========================================================== -->
    <!-- Branding preprocessing servlet -->
    <!-- ========================================================== -->
    <servlet>
    <servlet-name>BrandingResourceServerServlet</servlet-name>
    <servlet-class>org.eclipse.alf.security.sso.server.federationserver.branding.BrandingResourceServerServlet</servlet-class>
    <init-param>
    <param-name>Enabled</param-name>
    <param-value>true</param-value>
    </init-param>
    <init-param>
    <param-name>BrandingConfig</param-name>
    <param-value>${sbm.common}/branding/branding.xml</param-value>
    </init-param>
    </servlet>
    <servlet-mapping>
    <servlet-name>BrandingResourceServerServlet</servlet-name>
    <url-pattern>/b/*</url-pattern>
    </servlet-mapping>


    <!-- ========================================================== -->
    <!-- Branding UI preprocessing servlet -->
    <!-- ========================================================== -->
    <servlet>
    <servlet-name>BrandingUIPreprocessingServlet</servlet-name>
    <servlet-class>org.eclipse.alf.security.sso.server.federationserver.branding.BrandingUIPreprocessingServlet</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>BrandingUIPreprocessingServlet</servlet-name>
    <url-pattern>/brandingPreProcess</url-pattern>
    </servlet-mapping>


    <!-- ========================================================== -->
    <!-- Spring SAML Security servlet -->
    <!-- ========================================================== -->
    <servlet>
    <servlet-name>saml</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/conf/saml2sp/saml-servlet.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
    <servlet-name>saml</servlet-name>
    <url-pattern>/saml/web/*</url-pattern>
    </servlet-mapping>

    <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>
    <filter>
    <filter-name>RemoteUserPrincipalFilter</filter-name>
    <filter-class>org.eclipse.alf.security.sso.server.federationserver.filter.RemoteUserPrincipalFilter</filter-class>
    <init-param>
    <param-name>RemoteUserHeader</param-name>
    <param-value>remote-user</param-value>
    </init-param>
    <init-param>
    <param-name>AuthType</param-name>
    <param-value>RemoteUser</param-value>
    </init-param>
    <init-param>
    <param-name>AllowContainerPrincipal</param-name>
    <param-value>true</param-value>
    </init-param>
    </filter>
    <filter-mapping>
    <filter-name>RemoteUserPrincipalFilter</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>


    <!-- ========================================================== -->
    <!-- Login-redirect filter -->
    <!-- ========================================================== -->
    <filter>
    <filter-name>LoginRedirectFilter</filter-name>
    <filter-class>org.eclipse.alf.security.sso.server.federationserver.filter.LoginRedirectFilter</filter-class>
    </filter>
    <filter-mapping>
    <filter-name>LoginRedirectFilter</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>


    <!-- ========================================================== -->
    <!-- Callback URLs sanitizing filter -->
    <!-- ========================================================== -->


    <!-- ========================================================== -->
    <!-- Negotiate (NTLM & Kerberos) authentication via Waffle. -->
    <!-- See Waffle documentation for more info at -->
    <!-- http:/.../ -->
    <!-- ========================================================== -->
    <filter>
    <filter-name>WaffleIWAFilter</filter-name>
    <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
    <init-param>
    <param-name>principalFormat</param-name>
    <param-value>fqn</param-value>
    </init-param>
    <init-param>
    <param-name>roleFormat</param-name>
    <param-value>both</param-value>
    </init-param>
    <init-param>
    <param-name>allowGuestLogin</param-name>
    <param-value>false</param-value>
    </init-param>
    <init-param>
    <param-name>impersonate</param-name>
    <param-value>false</param-value>
    </init-param>
    <init-param>
    <param-name>securityFilterProviders</param-name>
    <param-value>
    waffle.servlet.spi.NegotiateSecurityFilterProvider
    waffle.servlet.spi.BasicSecurityFilterProvider
    </param-value>
    </init-param>
    <init-param>
    <param-name>waffle.servlet.spi.NegotiateSecurityFilterProvider/protocols</param-name>
    <param-value>
    Negotiate
    NTLM
    </param-value>
    </init-param>
    <init-param>
    <param-name>waffle.servlet.spi.BasicSecurityFilterProvider/realm</param-name>
    <param-value>Solutions Business Manager</param-value>
    </init-param>
    </filter>

    <!-- CONFIGURATOR <filter-mapping>
    <filter-name>WaffleIWAFilter</filter-name>
    <url-pattern>/login</url-pattern>
    </filter-mapping>-->

    <!-- ========================================================== -->
    <!-- NTLM Principal Filter -->
    <!-- ========================================================== -->
    <filter>
    <filter-name>NtlmPrincipalFilter</filter-name>
    <filter-class>org.eclipse.alf.security.sso.server.federationserver.filter.NtlmPrincipalFilter</filter-class>

    <init-param>
    <param-name>AuthTypeIn</param-name>
    <param-value>ntlm,negotiate</param-value>
    </init-param>
    <init-param>
    <param-name>AuthTypeOut</param-name>
    <param-value>NTLM</param-value>
    </init-param>
    <init-param>
    <param-name>NtlmDomainStrip</param-name>
    <param-value>true</param-value>
    </init-param>
    <init-param>
    <param-name>NtlmDomainAttributeName</param-name>
    <param-value>NtlmPrincipalFilter.NtlmDomain</param-value>
    </init-param>
    </filter>

    <!-- CONFIGURATOR <filter-mapping>
    <filter-name>NtlmPrincipalFilter</filter-name>
    <url-pattern>/login</url-pattern>
    </filter-mapping>-->

    <!-- == CONFIGURATOR-DEFINED AUTHENTICATION FILTERS BELOW THIS LINE. DO NOT EDIT ========= -->
    <!-- == CONFIGURATOR-DEFINED AUTHENTICATION FILTERS ABOVE THIS LINE. DO NOT EDIT ========= -->

    <session-config>
    <tracking-mode>COOKIE</tracking-mode>
    </session-config>

    <filter>
    <filter-name>ContinueURLSanitizingFilter</filter-name>
    <filter-class>org.eclipse.alf.security.sso.server.federationserver.filter.ContinueURLSanitizingFilter</filter-class>
    <init-param>
    <param-name>sanitizedHttpParamNames</param-name>
    <param-value>continue, wreply</param-value>
    </init-param>
    <init-param>
    <param-name>allowedHostnames</param-name>
    <param-value>iss2.rfitv.army.mil</param-value>
    </init-param>
    <init-param>
    <param-name>allowLocalAddresses</param-name>
    <param-value>true</param-value>
    </init-param>
    </filter>
    <filter-mapping>
    <filter-name>ContinueURLSanitizingFilter</filter-name>
    <url-pattern>/login</url-pattern>
    </filter-mapping>
    </web-app>
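David's pointer to the web.xml in idp/web-inf/conf and the ContinueURLSanitizingFilter at the end of the posted file both come down to the same check: is the hostname in the login URL's wreply/continue parameter on the filter's allow-list? The example below pulls those init-params out of a web.xml and evaluates candidate login URLs against them. It is added here and is not from the thread or from SBM; the web.xml it parses is a constructed, reduced copy with the same filter and parameter names as the posted one (example hostname substituted), and the comparison is a model of an allow-list check, not the filter's own logic, which the thread does not show.

```python
"""Check SSO login-redirect targets against the allow-list in the IdP web.xml.

Added example, not from the thread or the SBM product. WEB_XML is a constructed,
reduced copy of the posted file; check_login_url() models an allow-list
comparison and is an assumption about, not a copy of, what the filter does.
"""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed web.xml fragment: same filter and init-param names as the posted file.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param>
    <param-name>loginredirect.serviceURL</param-name>
    <param-value><![CDATA[https://sbm-test.example.mil/tmtrack/tmtrack.dll?]]></param-value>
  </context-param>
  <filter>
    <filter-name>ContinueURLSanitizingFilter</filter-name>
    <filter-class>org.eclipse.alf.security.sso.server.federationserver.filter.ContinueURLSanitizingFilter</filter-class>
    <init-param><param-name>sanitizedHttpParamNames</param-name><param-value>continue, wreply</param-value></init-param>
    <init-param><param-name>allowedHostnames</param-name><param-value>sbm-test.example.mil</param-value></init-param>
    <init-param><param-name>allowLocalAddresses</param-name><param-value>true</param-value></init-param>
  </filter>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so tag names compare as plain 'filter', 'init-param', ..."""
    return tag.rsplit("}", 1)[-1]


def load_sanitizer_config(xml_text):
    """Return the ContinueURLSanitizingFilter init-params as {param-name: param-value}."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    for element in root.iter():
        if _local(element.tag) != "filter":
            continue
        name = next((c.text or "").strip() for c in element if _local(c.tag) == "filter-name")
        if name != "ContinueURLSanitizingFilter":
            continue
        params = {}
        for init_param in element:
            if _local(init_param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in init_param}
            params[kv["param-name"]] = kv["param-value"]
        return params
    raise ValueError("ContinueURLSanitizingFilter not found in web.xml")


def parse_config(params):
    """Split the comma-separated init-params into a name list, a host set and a bool."""
    names = [n.strip() for n in params.get("sanitizedHttpParamNames", "").split(",") if n.strip()]
    hosts = {h.strip().lower() for h in params.get("allowedHostnames", "").split(",") if h.strip()}
    allow_local = params.get("allowLocalAddresses", "false").strip().lower() == "true"
    return names, hosts, allow_local


def _is_local(host):
    """Assumed meaning of allowLocalAddresses: 'localhost' or a loopback IP literal."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def check_login_url(login_url, xml_text):
    """For each sanitized parameter present on the login URL, return
    {param: (target_hostname, allowed)} under the modelled allow-list rule."""
    names, hosts, allow_local = parse_config(load_sanitizer_config(xml_text))
    query = parse_qs(urlsplit(login_url).query)
    results = {}
    for name in names:
        if name not in query:
            continue
        host = (urlsplit(query[name][0]).hostname or "").lower()
        allowed = host in hosts or (allow_local and _is_local(host))
        results[name] = (host, allowed)
    return results


if __name__ == "__main__":
    for url in (
        "https://sbm-test.example.mil/idp/login?wreply=https%3A%2F%2Fsbm-test.example.mil%2Fworkcenter%2F",
        "https://sbm-test.example.mil/idp/login?wreply=https%3A%2F%2Fsbm-test%2Fworkcenter%2F",
    ):
        print(url.split("?", 1)[0], check_login_url(url, WEB_XML))
```

The second URL in the usage block is the mismatch case from the verified answer: the wreply names the short host sbm-test while allowedHostnames only lists the FQDN, so the target is not allowed. In the posted file allowedHostnames is the same host as the URL, which is consistent with what the poster reports seeing. Separately, the posted web.xml also maps RemoteUserPrincipalFilter on /* reading a remote-user request header with AllowContainerPrincipal set to true; the thread does not say what strips that header at the IIS front end, which is worth confirming in this deployment.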