
NMAS Challenge Responses don't seem to be read via SSPR?

SSPR Version: v4.2.0.0 b196 r39220, Framework: 1.8.0

Appliance, BTW.

eDir/NMAS and all that jazz is enabled.

I swear this used to work, but maybe never tested this exact scenario.

User logs into a Windows 7 workstation with the OES Client. They can use that to set their NMAS Challenge/Response questions (we only have ONE Challenge/response Set).

NMAS policy is set to use that.

Log in to SSPR, click "forgot my password",
enter the answers to the questions, and it says "one or more" is wrong, when I know they are not.

Interestingly, if I use the SSPR appliance to set the challenge/response questions then it'll work.

It's almost like it's not reading the NMAS answers? (it sees the questions). SSPR is (I'm 99.9% certain) set to use the eDir/NMAS stuff and not its internal questions/answers (OK, I know for a fact it's set to use NMAS/eDir)

I know the Novell client and the old IDM UA are reading/writing to the same NMAS attributes, but not sure why it *seems* that SSPR isn't reading the answers.

I enabled trace logging and got this (which seems a bit odd):

December 17, 2018 at 3:41:31 PM Eastern Standard Time, TRACE, http.PwmRequest, {15745} POST request for: /sspr/public/forgottenpassword completed requestID=1566 in 6s [134.179.106.30]
PwmResponse_R_1=*hidden*
PwmResponse_R_2=*hidden*
processAction='checkResponses'
pwmFormID='H4sIAAAAAAAAAAGaAGX_UFdNLkdDTTEQSmkgAmmL-ddCZ4IjMVOaSHif-1sz5awMp--XqRVlN0hlb_Q5Q07CDc6AxlyE7BZohTgRNcH2ndxKZGYdUXg4VNlvnCUDk7wUImPSFEFRPSzMoNhI7Snpxc6GlPwx-3GyUGwFy1HbfHQ7TWkKfpd0eQslYsoQLHo4ZzYiW8tjnKKG4PI0xHGflqs-vR7QWtNhH8pI1dqaAAAA'
December 17, 2018 at 3:41:31 PM Eastern Standard Time, TRACE, http.PwmResponse, sending 303 redirect to /sspr/public/forgottenpassword
December 17, 2018 at 3:41:31 PM Eastern Standard Time, TRACE, state.CryptoCookieLoginImpl, {15745} wrote LoginInfoBean={"a":false,"p":"*hidden*","t":"UNAUTHENTICATED","af":[],"rq":"2018-12-17T20:41:31Z","g":"jpssazgaJ0932warTyEOzvl49G6yWZ209rI8Ouug6lMLHsMKlyCPX7Pm5vPBScMI2zVQLvOY","c":2,"lf":[]} [134.179.106.30]
December 17, 2018 at 3:41:31 PM Eastern Standard Time, DEBUG, servlet.AbstractPwmServlet, {15745} this request is not idempotent, redirecting to self with no action [134.179.106.30]
December 17, 2018 at 3:41:30 PM Eastern Standard Time, TRACE, intruder.IntruderManager, {15745} delaying response 1082ms due to intruder record: {"type":"ADDRESS","subject":"134.179.106.30","timeStamp":"2018-12-17T20:41:30Z","attemptCount":1,"alerted":false} [134.179.106.30]
December 17, 2018 at 3:41:30 PM Eastern Standard Time, DEBUG, event.AuditService, discarding event, INTRUDER_ATTEMPT are being ignored; event={"instance":"F3787DAD5CA4D66E","type":"SYSTEM","eventCode":"INTRUDER_ATTEMPT","guid":"dd2f3771-88fd-42af-9547-98cd96ed7b58","timestamp":"2018-12-17T20:41:30Z","message":"{\"type\":\"ADDRESS\",\"subject\":\"134.179.106.30\"}","narrative":"Non user-specific intruder attempt (Details: {\"type\":\"ADDRESS\",\"subject\":\"134.179.106.30\"})","xdasTaxonomy":"XDAS_AE_IDS_SUSPICIOUS","xdasOutcome":"XDAS_OUT_SUCCESS"}
December 17, 2018 at 3:41:30 PM Eastern Standard Time, DEBUG, intruder.RecordManagerImpl, re-setting existing outdated record={"type":"ADDRESS","subject":"134.179.106.30","timeStamp":"2018-12-17T20:31:51Z","attemptCount":0,"alerted":false} (9m:39s)
December 17, 2018 at 3:41:30 PM Eastern Standard Time, TRACE, intruder.IntruderManager, {15745} delaying response 620ms due to intruder record: {"type":"USER_ID","subject":"default|cn=mpistest,ou=ABC,ou=DEF,ou=CO,o=ACME","timeStamp":"2018-12-17T20:41:30Z","attemptCount":1,"alerted":false} [134.179.106.30]
December 17, 2018 at 3:41:30 PM Eastern Standard Time, DEBUG, event.AuditService, discarding event, INTRUDER_USER_ATTEMPT are being ignored; event={"perpetratorID":"mpistest","perpetratorDN":"cn=mpistest,ou=ABC,ou=DEF,ou=CO,o=ACME","perpetratorLdapProfile":"default","sourceAddress":"134.179.106.30","sourceHost":"134.179.106.30","type":"USER","eventCode":"INTRUDER_USER_ATTEMPT","guid":"cde1db67-c13e-4412-89b2-8779beb017ba","timestamp":"2018-12-17T20:41:30Z","narrative":"mpistest (cn=mpistest,ou=ABC,ou=DEF,ou=CO,o=ACME) account has had an invalid login attempt (intruder attempt)","xdasTaxonomy":"XDAS_AE_IDS_SUSPICIOUS","xdasOutcome":"XDAS_OUT_SUCCESS"}
December 17, 2018 at 3:41:30 PM Eastern Standard Time, DEBUG, intruder.RecordManagerImpl, re-setting existing outdated record={"type":"USER_ID","subject":"default|cn=mpistest,ou=ABC,ou=DEF,ou=CO,o=ACME","timeStamp":"2018-12-17T20:31:50Z","attemptCount":1,"alerted":false} (9m:40s)
December 17, 2018 at 3:41:30 PM Eastern Standard Time, DEBUG, auth.SessionAuthenticator, {15745} unexpected error during simulated bad-password login attempt for UserIdentity{"userDN":"cn=mpistest,ou=ABC,ou=DEF,ou=CO,o=ACME","ldapProfile":"default"}; result: unable to create connection: unable to bind to ldaps://ldap1.acme.com:636 as cn=mpistest,ou=ABC,ou=DEF,ou=CO,o=ACME reason: [LDAP: error code 49 - NDS error: failed authentication (-669)] [134.179.106.30]
December 17, 2018 at 3:41:30 PM Eastern Standard Time, TRACE, provider.ChaiProviderFactory, unable to create connection: com.novell.ldapchai.exception.ChaiUnavailableException:unable to bind to ldaps://ldap1.acme.com:636 as cn=mpistest,ou=ABC,ou=DEF,ou=CO,o=ACME reason: [LDAP: error code 49 - NDS error: failed authentication (-669)] (stacktrace follows)
java.lang.Throwable: unable to bind to ldaps://ldap1.acme.com:636 as cn=mpistest,ou=ABC,ou=DEF,ou=CO,o=ACME reason: [LDAP: error code 49 - NDS error: failed authentication (-669)]
at com.novell.ldapchai.exception.ChaiUnavailableException.forErrorMessage(ChaiUnavailableException.java:48)
at com.novell.ldapchai.provider.JNDIProviderImpl.generateNewJndiContext(JNDIProviderImpl.java:147)
at com.novell.ldapchai.provider.JNDIProviderImpl.init(JNDIProviderImpl.java:877)
at com.novell.ldapchai.provider.ChaiProviderFactory.createConcreateProvider(ChaiProviderFactory.java:209)
at com.novell.ldapchai.provider.FailOverWrapper$RotationMachine.makeNewProvider(FailOverWrapper.java:429)
at com.novell.ldapchai.provider.FailOverWrapper$RotationMachine.getCurrentProvider(FailOverWrapper.java:312)
at com.novell.ldapchai.provider.FailOverWrapper.<init>(FailOverWrapper.java:115)
at com.novell.ldapchai.provider.FailOverWrapper.forConfiguration(FailOverWrapper.java:65)
at com.novell.ldapchai.provider.ChaiProviderFactory.createProvider(ChaiProviderFactory.java:165)
at password.pwm.ldap.LdapOperationsHelper.createChaiProvider(LdapOperationsHelper.java:454)
at password.pwm.ldap.auth.SessionAuthenticator.simulateBadPassword(SessionAuthenticator.java:250)
at password.pwm.http.servlet.forgottenpw.ForgottenPasswordServlet.handleUserVerificationBadAttempt(ForgottenPasswordServlet.java:1310)
at password.pwm.http.servlet.forgottenpw.ForgottenPasswordServlet.processCheckResponses(ForgottenPasswordServlet.java:671)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at password.pwm.http.servlet.ControlledPwmServlet.dispatchMethod(ControlledPwmServlet.java:102)
at password.pwm.http.servlet.ControlledPwmServlet.processAction(ControlledPwmServlet.java:135)
at password.pwm.http.servlet.AbstractPwmServlet.handleRequest(AbstractPwmServlet.java:111)
at password.pwm.http.servlet.AbstractPwmServlet.doPost(AbstractPwmServlet.java:70)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:661)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at password.pwm.http.filter.AbstractPwmFilter$PwmFilterChain.doFilter(AbstractPwmFilter.java:138)
at password.pwm.http.filter.SessionFilter.processFilter(SessionFilter.java:108)
at password.pwm.http.filter.AbstractPwmFilter.doFilter(AbstractPwmFilter.java:89)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at password.pwm.http.filter.AbstractPwmFilter$PwmFilterChain.doFilter(AbstractPwmFilter.java:138)
at password.pwm.http.filter.ApplicationModeFilter.processFilter(ApplicationModeFilter.java:74)
at password.pwm.http.filter.AbstractPwmFilter.doFilter(AbstractPwmFilter.java:89)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at password.pwm.http.filter.AbstractPwmFilter$PwmFilterChain.doFilter(AbstractPwmFilter.java:138)
at password.pwm.http.filter.ObsoleteUrlFilter.processFilter(ObsoleteUrlFilter.java:50)
at password.pwm.http.filter.AbstractPwmFilter.doFilter(AbstractPwmFilter.java:89)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at password.pwm.http.filter.RequestInitializationFilter.initializeServletRequest(RequestInitializationFilter.java:210)
at password.pwm.http.filter.RequestInitializationFilter.doFilter(RequestInitializationFilter.java:129)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at password.pwm.http.filter.GZIPFilter.doFilter(GZIPFilter.java:73)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:799)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1457)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)




Now, one thing I just noticed, not sure if this is the culprit, but it seems odd:

1) Use the OES Client to set challenge/response questions. Change your password via the OES Client. All is well. Now, try the "forgotten password" of the OES Client. It'll ask your challenge/response questions and actually accept the answers, unlike SSPR. But, when prompted to change your password, it'll tell you it can't because the Min. Password Age hasn't been met yet (it's set to "1").

2) However: if you use SSPR to change your password and re-answer your challenge/response questions (same answers, BTW), it'll let you use the SSPR forgotten password feature (the only way for SSPR to actually work seems to be to use *it* to set the answers), and it'll let you change your password, even though the min. age thingy is still "1".

BTW, the password policy we're using is assigned to the Login Policy.Security object in eDir (always has been).
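The trace quoted above mixes three things a defender wants to separate before concluding that the NMAS answers are not being read: the intruder-lockout delays SSPR inserts per address and per user, the audit events it discards, and an LDAP bind failure (NDS -669) that SSPR itself labels as occurring during its "simulated bad-password login attempt". The script below is an added example, not code from the original post or from SSPR; it parses trace lines in the format quoted in the post and reports the intruder records with their delays, plus every NDS error code and whether it appeared on a simulated bad-password line. The sample lines, host name, IP address and DN are constructed placeholders.

```python
import json
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, modeled on the SSPR v4.2 trace format quoted in the post.
# Host, IP address and DN are placeholders, not values from any real deployment.
SAMPLE_TRACE = """\
December 17, 2018 at 3:41:30 PM Eastern Standard Time, TRACE, intruder.IntruderManager, {15745} delaying response 1082ms due to intruder record: {"type":"ADDRESS","subject":"192.0.2.10","timeStamp":"2018-12-17T20:41:30Z","attemptCount":1,"alerted":false} [192.0.2.10]
December 17, 2018 at 3:41:30 PM Eastern Standard Time, TRACE, intruder.IntruderManager, {15745} delaying response 620ms due to intruder record: {"type":"USER_ID","subject":"default|cn=testuser,ou=Example,o=ACME","timeStamp":"2018-12-17T20:41:30Z","attemptCount":1,"alerted":false} [192.0.2.10]
December 17, 2018 at 3:41:30 PM Eastern Standard Time, DEBUG, auth.SessionAuthenticator, {15745} unexpected error during simulated bad-password login attempt for UserIdentity{"userDN":"cn=testuser,ou=Example,o=ACME","ldapProfile":"default"}; result: unable to create connection: unable to bind to ldaps://ldap.example.test:636 as cn=testuser,ou=Example,o=ACME reason: [LDAP: error code 49 - NDS error: failed authentication (-669)] [192.0.2.10]
java.lang.Throwable: unable to bind to ldaps://ldap.example.test:636 as cn=testuser,ou=Example,o=ACME reason: [LDAP: error code 49 - NDS error: failed authentication (-669)]
at com.novell.ldapchai.exception.ChaiUnavailableException.forErrorMessage(ChaiUnavailableException.java:48)
December 17, 2018 at 3:41:31 PM Eastern Standard Time, TRACE, http.PwmResponse, sending 303 redirect to /sspr/public/forgottenpassword
"""

# "<timestamp>, <LEVEL>, <component>, <message>"; the timestamp itself contains a
# comma, so the level alternation is what anchors the split.
LINE_RE = re.compile(
    r"^(?P<ts>.+?), (?P<level>TRACE|DEBUG|INFO|WARN|ERROR|FATAL), "
    r"(?P<component>[\w.$]+), (?P<msg>.*)$"
)
DELAY_RE = re.compile(r"delaying response (\d+)ms due to intruder record: (\{.*?\})")
NDS_RE = re.compile(r"NDS error: [^()]*\((-?\d+)\)")
SIMULATED_MARKER = "simulated bad-password login attempt"


@dataclass
class TraceEvent:
    timestamp: str
    level: str
    component: str
    message: str


def parse_trace(text: str) -> List[TraceEvent]:
    """Parse SSPR trace lines. Stack-trace and other continuation lines do not
    match the header pattern and are skipped, so a pasted log can be fed as-is."""
    events: List[TraceEvent] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(TraceEvent(m["ts"], m["level"], m["component"], m["msg"]))
    return events


def triage(text: str) -> Dict[str, object]:
    """Summarise intruder throttling and NDS bind errors from an SSPR trace."""
    events = parse_trace(text)
    records: List[Dict[str, object]] = []
    nds_errors: List[Dict[str, object]] = []
    total_delay_ms = 0
    simulated_attempts = 0

    for ev in events:
        dm = DELAY_RE.search(ev.message)
        if dm:
            # The intruder record is embedded as JSON; keep the delay with it.
            rec = json.loads(dm.group(2))
            rec["delay_ms"] = int(dm.group(1))
            records.append(rec)
            total_delay_ms += rec["delay_ms"]

        simulated = SIMULATED_MARKER in ev.message
        if simulated:
            simulated_attempts += 1
        for code in NDS_RE.findall(ev.message):
            # A -669 on a line SSPR marks as simulated is a side effect of the
            # failed response check; one anywhere else deserves a closer look.
            nds_errors.append({"code": int(code), "during_simulated_bad_password": simulated})

    return {
        "events": len(events),
        "intruder_records": records,
        "total_delay_ms": total_delay_ms,
        "max_attempt_count": max((r["attemptCount"] for r in records), default=0),
        "nds_errors": nds_errors,
        "simulated_bad_password_attempts": simulated_attempts,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_TRACE)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it against a pasted SSPR trace (`triage(open("sspr.log").read())`). When every NDS error in the summary sits on a simulated bad-password line and the intruder attempt counts are low, the bind failure is a consequence of the rejected responses rather than a directory connectivity problem, which narrows the question to where the answers were stored and which store SSPR is validating against.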