-
Title
Mod-auth-vas (MAV) protected URLs getting Intermittent 403 and 401 URL errors and "Request is a replay" message shown in log -
Description
Intermittent issue with mod_auth_vas (MAV). When accessing the URLs, receiving intermittent 403 Forbidden and 401 Authorization Required error messages. If we F5 (refresh) the page, it loads successfully, and may continue to work for a few more refreshes but then it will reoccur again.When the page load fails, we see this in the Apache error log.[error] [mod_auth_vas] match_group: fatal vas error: VAS_ERR_NOT_FOUND: Not found\n Could not find keytab file: /etc/opt/quest/vas/HTTP.keytabThe following error message appears in the log when using Mod_auth_vas:[error] [client xx.xx.xx.xx] do_gss_spnego_accept: VAS_ERR_INTERNAL: Internal error\n First call to gss_accept_sec_context() failed, minor_status = -1765328350, result = 2, display_status = "duplicate per-message token detected", Mechanism-Specific error text: "Request is a replay"
-
Cause
Product defects fixed in 4.1.0.20948 version and up:
345014:
* api: If GSS_C_REPLAY_FLAG is not set, don't apply the replay cache.
This should fix apache/MAV re-authenticating multiple parts of a page. Another method is being used now.Fixed in Mod-Auth-VAS 3.6.8.2 and up:
Code changes were made in Mod-Auth-Vas 3.6.8.2 to address the replay issue.
-
Resolution
The replay is only triggered when clients attempt to access a url that isn't the full path such as "www.example.com" instead of "www.example.com/index.html" When the first examples request comes to Apache, Apache will then take that URL and fixup the url to the absoulte path of www.example.com/index.html, but in doing so makes two requests to MAV to authenticate both URL's so the first one looks good but the second one comes across as a replay.STATUS:
Fixed.RESOLUTION:
1 - Upgrade to Authentication Services 4.1 Maintenance Release
The above link contains the Changelog.txt attached which describes the defects fixed in the Maintenance release.2 - Upgrade to MAV 3.6.8.4 for Apache 2.2 or to MAV 4.0.2.3-1 for Apache 2.4
It is available by going to https://github.com/OneIdentity/mod_auth_vas/
3 - Restart all instances of Apache or reboot the server
MAV and all One Identity open source projects are supported through One Identity GitHub issues and the One Identity Community. For assistance with any One Identity GitHub project, please raise a new Issue on the One Identity GitHub project page. You may also visit the One Identity Community to ask questions. Requests for assistance made through official One Identity Support will be referred back to GitHub and the One Identity Community forums where those requests can benefit all users.
Main MAV GitHub page:
https://github.com/OneIdentity/mod_auth_vas
Latest MAV Packages:
https://github.com/OneIdentity/mod_auth_vas/releases
Open a MAV Issue:
https://github.com/OneIdentity/mod_auth_vas/issues
MAV Wiki:
https://github.com/OneIdentity/mod_auth_vas/wiki -
Change Request
345014 -
Additional Information
If you are still having issue please enable QAS API debug by adding AuthVasApiDebugLevel 6 This will cause QAS to write API debug out to syslog, so syslog will still need to be configured to handle it.