Error while logging in to Web Manager

Hi All,

I have installed Web Manager and configured it to use system user authentication.

When I try to log in with user and password I get the error below.

The active session is being used more than once.

Possible reasons are: Application was temporary left and reloaded using browser history.

Another user is trying to use a foreign session.

Session has been closed for security reasons!

You can see the configuration at

https://1drv.ms/u/s!At2ViqLAc9HptWF8zvl-1RwFL-2S?e=pvg3A1 

One Identity Manager version is 8.1.5.

Does anybody know what the issue is and how to solve it?

Kind Regards,

Dnyandev

  • Yes, I did it.

    In the log file I see the errors below.

    2021-12-15 17:59:33.4442 INFO (ObjectLog 322415d4-ac12-42c2-8293-49dbc2b95902) : User viadmin (Dialog user: viadmin, X fields: viadmin) authenticated.
    2021-12-15 17:59:45.1261 WARN (RequestBroker ) : Web application has found active session being used more than once.
    Possibe reasons:
    The application was left temporarily and reloaded using the browser history.
    Another user is trying to use a foreign session.

    The session has been closed for security reasons!
    2021-12-15 18:00:04.1321 INFO (ObjectLog 00b3c3a2-76ef-4db9-b790-1026cbbac933) : User CCC_Admin (Dialog user: CCC_Admin, X fields: CCC_Admin) authenticated.
    2021-12-15 18:00:15.0335 WARN (RequestBroker ) : Web application has found active session being used more than once.
    Possibe reasons:
    The application was left temporarily and reloaded using the browser history.
    Another user is trying to use a foreign session.

    The session has been closed for security reasons!
    2021-12-15 18:01:14.9917 INFO (ObjectLog c05a51b4-74c7-47a6-8776-cb3aba902051) : User CCC_Admin (Dialog user: CCC_Admin, X fields: CCC_Admin) authenticated.
    2021-12-15 18:01:25.0957 WARN (RequestBroker ) : Web application has found active session being used more than once.
    Possibe reasons:
    The application was left temporarily and reloaded using the browser history.
    Another user is trying to use a foreign session.

    The session has been closed for security reasons!

  • It is working fine with the Microsoft Edge browser.

    I think there is some issue with IE; I am not able to figure it out.

  • Hi Kinshasa,

    I have configured Manager Web authentication for "Account based system user", but it is not working.

    Do you know what else I need to do?

    System user and employee authentication are working.

    Thank you in advance.

  • Account based system user needs the IIS to have Windows Authentication enabled for the Web Manager (and anonymous off, obviously).

    In addition you need to have the mapping done at the person object according to the Authorization and Authentication guide.

  • Hi Markus,

    On development I have a person object; I have mapped my AD account, which I use to log in on the workstation.

    The person object does not have any AD account attached.

    I have disabled anonymous authentication on all levels and enabled Windows authentication in IIS.

    When I open the URL I get a popup to enter authentication details, and then it asks again for user ID and password.

    One important thing is that Manager Web is configured to use an application server connection.

    Please see configuration screen at below location.

    https://1drv.ms/u/s!At2ViqLAc9Hptg4i_XgVH23BoVkh?e=nYOwIh 

    Could you please check and let me know what is missing or wrong.

    Thank you in advance and have a nice weekend.

  • First of all, if you are using an application server connection, you need to configure the application server to use Windows authentication only as well.

    Secondly, and this is the tricky Windows part, you need to configure delegation (as far as I remember) because your application server is placed on a different host than the Web Manager (I remember this as the double-hop problem with Windows (non-Kerberos) authentication).

    I found this (non-official) guide that does the same delegation thing for using a Web Designer portal via the Application Server. Might help.

    Configuration of WebPortal with AppServer connection and Windows SSO

    Lab Summary

    In this scenario the steps to configure a WebPortal with Windows Authentication and delegated authentication to the AppServer are outlined.

    Domain: demo.corp

    Host #1 (AppServer):
      FQDN Hostname:        ADWEB01.demo.corp
      Service Account:      demo\svc_adweb01
      AppServerUrl:         adweb01.demo.corp/AppServer

    Host #2 (WebPortal):
      FQDN Hostname:        ADWEB02.demo.corp
      Service Account:      demo\svc_adweb02
      IdentityManagerUrl:   adweb02.demo.corp/IdentityManager

    Host #3 (Client):
      FQDN Hostname:        client.demo.corp
      User Account:         demo\user01

    It is not required to use service accounts for IIS, as by default machine accounts are used. The configuration is basically the same for non-service accounts; the main exception is that a hidden configuration parameter needs to be set when using service accounts:

    system.webServer/security/authentication/windowsAuthentication/useAppPoolCredentials.

    If not using service accounts, it is necessary to complete the steps for the corresponding machine account instead and not set useAppPoolCredentials to True.

    1. Set SPNs

    When starting there should not be any SPN set for these service accounts; machine accounts would have some, but by default none with HTTP. Verify with:

    setspn -l demo\svc_adweb01
    setspn -l demo\svc_adweb02

    These commands should not list anything at the beginning, so start adding the corresponding SPNs. The -s parameter checks whether the SPNs are already registered, as they cannot be registered multiple times. An SPN is added for the FQDN hostname and the simple hostname, so that users can access the web with both names.

    setspn -s HTTP/ADWEB01 demo\svc_adweb01
    setspn -s HTTP/ADWEB01.DEMO.CORP demo\svc_adweb01

    setspn -s HTTP/ADWEB02 demo\svc_adweb02
    setspn -s HTTP/ADWEB02.DEMO.CORP demo\svc_adweb02

    After adding these SPNs, confirm again that they are set correctly by using setspn -l.


    2. Configure Delegation

    The next step is to allow the service account svc_adweb02 to delegate authentication to the AppServer that is running on adweb01. Edit the user using dsa.msc (on a domain controller or with RSAT installed) and open the Delegation tab for the service account "svc_adweb02":

    Change the setting to:

    - (x) Trust this user for delegation to specified services only 
    - (x) Use any authentication protocol 
    - [Add] Type the service account of the AppServer and add the services the credentials should be delegated to; in this case this would be:

    Service Account: demo\svc_adweb01
        HTTP/ADWEB01.DEMO.CORP
        HTTP/ADWEB01

    In most cases both SPNs are grouped and are only displayed individually when the "Expanded" checkbox has been checked.


    3. Configure AppServer IIS

    It is assumed that the AppServer has been installed with web authentication set to Windows Authentication.

    - Set the service account to the Identity of the AppServer, e.g.: AppServer_Pool

    Inetmgr -> Application Pools -> AppServer_Pool -> Advanced Settings -> Identity -> custom account -> demo\svc_adweb01

    - Configure the web to use the service account for Windows Authentication

    Inetmgr -> Sites -> [Site of AppServer] -> AppServer -> Configuration Editor
    system.webServer/security/authentication/windowsAuthentication/useAppPoolCredentials -> true

    - Ensure only Windows Authentication is enabled

    Inetmgr -> Sites -> [Site] -> AppServer -> Authentication -> Only Windows Authentication should be enabled


    4. Configure WebPortal IIS

    It is assumed that the WebPortal has been installed with web authentication set to Windows Authentication. The ConnectionString should point to adweb01.demo.corp/AppServer and not use a database connection.

    - Set the service account to the Identity of the WebPortal, e.g.: IdentityManager_Pool

    Inetmgr -> Application Pools -> IdentityManager_Pool -> Advanced Settings -> Identity -> custom account -> demo\svc_adweb02

    - Configure the web to use the service account for Windows Authentication

    Inetmgr -> Sites -> [Site of WebPortal] -> IdentityManager -> Configuration Editor

    system.webServer/security/authentication/windowsAuthentication/useAppPoolCredentials -> true

    - Ensure only Windows Authentication is enabled

    Inetmgr -> Sites -> [Site] -> WebPortal -> Authentication -> Only Windows Authentication should be enabled


    5. Client / Browser Configuration

    If SSO should be used on Windows Clients these URIs need to be added to the intranet zone:

    control -> internet options -> Security -> Local intranet -> Sites -> Advanced

    Add:

    http://adweb02.demo.corp

    http://adweb01.demo.corp

    Some browsers like Firefox require additional configuration.


    Troubleshooting

    Impersonated Calls

    - Most requests from the WebPortal to the AppServer are made as the service account/machine account of the application pool.

    Only the call to /AppServer/auth/apphost is impersonated; therefore many requests appear to come from the service account. This means that the service account must be allowed to access the AppServer, but should not have application-level access to One Identity.

    Windows Authentication defaults

    Most Windows Authentication settings are set during installation; here are the values this was tested with:

    inetmgr -> Sites -> [Site] -> Web -> Authentication -> Only Windows Authentication should be enabled

    inetmgr -> Sites -> [Site] -> Web -> Configuration Editor:

    - system.webServer/security/authentication/windowsAuthentication

    useKernelMode: true

    useAppPoolCredentials: true ( only if using service account instead of machine account )

    - system.webServer/security/authentication/windowsAuthentication/providers

    Negotiate

    NTLM
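The guide above spreads the delegation setup over AD (steps 1 and 2) and IIS on two hosts (steps 3 and 4), and the symptom in the thread (a Windows auth popup followed by a second credential prompt, or the "active session being used more than once" warning) usually means one of those pieces is missing. The following PowerShell script is an added verification checklist written for this thread; it is not from the thread, the guide, or One Identity. It assumes the hostnames, service accounts and application names from the lab summary, that the IIS site is called 'Default Web Site' (a placeholder, adjust it), and that the WebAdministration and ActiveDirectory (RSAT) modules are available in an elevated shell. Run it on ADWEB01 with -LocalApp AppServer and on ADWEB02 with -LocalApp IdentityManager; the AD-side checks are the same from either host.

```powershell
# Added verification script for the delegation setup described in the guide above.
# Not from the thread and not One Identity code.
# Assumptions: hostnames, accounts and application names as in the lab summary;
# 'Default Web Site' is a placeholder for the real IIS site; WebAdministration and
# ActiveDirectory modules are installed; the shell is elevated.
param(
    [ValidateSet('AppServer', 'IdentityManager')]
    [string]$LocalApp = 'IdentityManager',
    [string]$SiteName = 'Default Web Site'   # assumption: adjust to the real IIS site
)
Import-Module WebAdministration
Import-Module ActiveDirectory

$Domain = 'DEMO.CORP'
$Hosts = @{
    AppServer       = @{ Host = 'ADWEB01'; Account = 'svc_adweb01'; Pool = 'AppServer_Pool' }
    IdentityManager = @{ Host = 'ADWEB02'; Account = 'svc_adweb02'; Pool = 'IdentityManager_Pool' }
}

function Write-Check([bool]$Ok, [string]$Message) {
    $tag = if ($Ok) { 'OK     ' } else { 'MISSING' }
    Write-Output "[$tag] $Message"
}

function Test-HttpSpns([string]$Account, [string]$HostName) {
    # Step 1: both the short-name and the FQDN HTTP SPN must sit on the service account.
    # -contains compares case-insensitively, which is what SPN matching needs.
    $spns = @((Get-ADUser -Identity $Account -Properties servicePrincipalName).servicePrincipalName)
    foreach ($spn in "HTTP/$HostName", "HTTP/$HostName.$Domain") {
        Write-Check ($spns -contains $spn) "SPN $spn registered on $Account"
    }
}

function Test-Delegation([string]$FrontAccount, [string]$BackendHost) {
    # Step 2: the WebPortal account is trusted for constrained delegation to the
    # AppServer HTTP SPNs; "Use any authentication protocol" sets TrustedToAuthForDelegation.
    $u = Get-ADUser -Identity $FrontAccount -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
    $targets = @($u.'msDS-AllowedToDelegateTo')
    foreach ($spn in "HTTP/$BackendHost", "HTTP/$BackendHost.$Domain") {
        Write-Check ($targets -contains $spn) "$FrontAccount may delegate to $spn"
    }
    Write-Check ([bool]$u.TrustedToAuthForDelegation) "protocol transition enabled on $FrontAccount"
}

function Test-IisAuth([string]$App, [string]$Pool, [string]$Account) {
    # Steps 3/4: the pool runs as the service account, only Windows Authentication is
    # enabled, useAppPoolCredentials is true (service account case), Negotiate is offered first.
    $path = "IIS:\Sites\$SiteName\$App"
    $win  = 'system.webServer/security/authentication/windowsAuthentication'
    $anon = 'system.webServer/security/authentication/anonymousAuthentication'
    $pm   = Get-ItemProperty "IIS:\AppPools\$Pool" -Name processModel
    Write-Check ($pm.userName -eq "demo\$Account") "app pool $Pool runs as demo\$Account (is: '$($pm.userName)')"
    Write-Check ([bool](Get-WebConfigurationProperty -PSPath $path -Filter $win -Name enabled).Value) "Windows Authentication enabled on $App"
    Write-Check (-not [bool](Get-WebConfigurationProperty -PSPath $path -Filter $anon -Name enabled).Value) "Anonymous Authentication disabled on $App"
    Write-Check ([bool](Get-WebConfigurationProperty -PSPath $path -Filter $win -Name useAppPoolCredentials).Value) "useAppPoolCredentials true on $App"
    Write-Check ([bool](Get-WebConfigurationProperty -PSPath $path -Filter $win -Name useKernelMode).Value) "useKernelMode true on $App"
    $providers = @((Get-WebConfiguration -PSPath $path -Filter "$win/providers/add").value)
    Write-Check ($providers.Count -gt 0 -and $providers[0] -eq 'Negotiate') "provider order on $App is Negotiate first (is: $($providers -join ', '))"
}

# AD-side checks (SPNs and delegation) can run from either host.
foreach ($name in 'AppServer', 'IdentityManager') {
    Test-HttpSpns $Hosts[$name].Account $Hosts[$name].Host
}
Test-Delegation $Hosts.IdentityManager.Account $Hosts.AppServer.Host

# IIS-side checks apply to the application hosted on this machine.
Test-IisAuth $LocalApp $Hosts[$LocalApp].Pool $Hosts[$LocalApp].Account
```

Every line marked MISSING maps back to one step of the guide: a missing HTTP SPN means step 1, a missing delegation target or protocol transition means step 2, and a pool identity, anonymous authentication or useAppPoolCredentials mismatch means step 3 or 4 on that host. A client that is never offered Negotiate (NTLM only, or no SPN for the name the user typed) will fall back to NTLM and fail on the second hop, which is exactly the double-hop behaviour described above.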