The certificate-cleaning code did not run as part of the upgrade because the running code version and the database schema did not match. This affects upgrades to Cloud Access Manager 7.1 from code at schema level <38; typically this affects versions 7.0.1.x but not 7.0.2.x.
Certain certificates will now be stored in the CTData database in the wrong format:
1) FedTrusts table entries with type=0 (application type)
a) all internal apps with rpIdentifier (rpid) of “urn:CloudAccessManager/UI” and “urn:CloudAccessManager/Proxy”
b) any external federated (SAML/WSFed) apps added by the user
2) FedTrusts table entry with type=1 (sts type) with rpid like “urn:[myhost]/CloudAccessManager/RPSTS”
3) Certs table entry with name of CN=Dell Cloud Access Manager STS
A fix for this issue has not been released yet. However, it can be fixed manually using SQL Server Management Studio or SQLCmd, but only for users not using localdb.
To restore normal behaviour, it is necessary to remove the first 12 bytes of each certificate or, equivalently, the first 16 characters (highlighted in yellow in the example below) of the Base64-encoded certificate in the “publicCert” field. Put simply, the certificate should go from starting with “IAAA…” to starting with “MII…”, e.g.
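The following Python sketch is an added example, not One Identity code. It checks a “publicCert” value before and after the 12-byte strip so that a row is only changed when the result is a well-formed DER structure. The function names and the sample values are constructed for illustration; only the first three prefix bytes (“IAAA”) come from the description above, the remaining nine are placeholders.

```python
import base64

PREFIX_LEN = 12  # bytes; 12 bytes encode to exactly 16 Base64 characters

def der_sequence_len(data):
    """Total encoded length of a leading DER SEQUENCE, or None if absent."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def is_whole_der(data):
    """True when data is one DER SEQUENCE with no leading or trailing bytes."""
    return der_sequence_len(data) == len(data)

def repair_public_cert(b64_value):
    """Return (value, changed). Raise ValueError if the value is neither a
    clean certificate nor a clean certificate behind a 12-byte prefix."""
    raw = base64.b64decode(b64_value, validate=True)
    if is_whole_der(raw):
        return b64_value, False           # already correct: leave untouched
    stripped = raw[PREFIX_LEN:]
    if not is_whole_der(stripped):
        raise ValueError("unexpected layout, not modifying this value")
    return base64.b64encode(stripped).decode("ascii"), True

def constructed_sample():
    """Constructed test data: a fake 300-byte DER body, not a real certificate."""
    body = bytes(range(256)) + bytes(44)
    der = b"\x30\x82" + len(body).to_bytes(2, "big") + body
    prefix = b"\x20\x00\x00" + bytes(9)   # "IAAA" plus 9 placeholder bytes
    return (base64.b64encode(prefix + der).decode("ascii"),
            base64.b64encode(der).decode("ascii"))

if __name__ == "__main__":
    bad, good = constructed_sample()
    fixed, changed = repair_public_cert(bad)
    print(bad[:20], "->", fixed[:20], "changed:", changed)
```

Because the check is idempotent, running it over values that were already repaired leaves them unchanged.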
© 2021 One Identity LLC. ALL RIGHTS RESERVED.