Hi all, Our project requires SSO as an authentication method. I have integrated it with IIS 8 and Ivy Server. But I have one issue: when the user accesses our application and his/her account is not in the LDAP directory which I have configured on Ivy Admin, an exception occurs. It seems like the authentication process occurs at the IIS layer and the authorization process occurs later, so the user is able to access the "index.jsp" page, but not other pages (which require the user to be in the LDAP directory). So my questions are:

  1. How does IIS authenticate users? Which LDAP directory does it use to authenticate users?
  2. If the above is true (authentication first, authorization later), how can I handle the case when an account (which does not exist in the LDAP directory of our app) accesses my app? For example, redirect to a custom error page.

This is the stack trace when the exception occurs:

ch.ivyteam.ivy.persistence.PersistencyException: javax.naming.directory.InvalidSearchFilterException: Missing 'equals'; remaining name 'CN=hcmc-4axonivy,OU=AAVN_HCM,DC=aavn,DC=local'
    at ch.ivyteam.ivy.security.internal.jndi.JndiSecuritySystem.executeWithCachedContext(JndiSecuritySystem.java:641)
    at ch.ivyteam.ivy.security.internal.jndi.JndiSecuritySystem.synchronizeUser(JndiSecuritySystem.java:1053)
    at ch.ivyteam.ivy.security.internal.jndi.JndiSecuritySystem.findUser(JndiSecuritySystem.java:519)
    at ch.ivyteam.ivy.security.internal.jndi.JndiSecuritySystem.findUser(JndiSecuritySystem.java:1)
    at ch.ivyteam.ivy.security.internal.SecurityContext$7.execute(SecurityContext.java:439)
    at ch.ivyteam.ivy.security.internal.SecurityContext$7.execute(SecurityContext.java:1)
    at ch.ivyteam.ivy.persistence.base.AbstractPersistencyService.execute(AbstractPersistencyService.java:169)
    at ch.ivyteam.ivy.persistence.base.ClassPersistencyService.execute(ClassPersistencyService.java:648)
    at ch.ivyteam.ivy.persistence.client.PersistentClientObjectChildren.execute(PersistentClientObjectChildren.java:543)
    at ch.ivyteam.ivy.security.internal.SecurityContext.execute(SecurityContext.java:1331)
    at ch.ivyteam.ivy.security.internal.SecurityContext.findUser_aroundBody14(SecurityContext.java:433)
    at ch.ivyteam.ivy.security.internal.SecurityContext.findUser_aroundBody15$advice(SecurityContext.java:34)
    at ch.ivyteam.ivy.security.internal.SecurityContext.findUser(SecurityContext.java:1)
    at ch.ivyteam.ivy.security.internal.WebContainerApprovedUserAuthenticator.findUser(WebContainerApprovedUserAuthenticator.java:83)
    at ch.ivyteam.ivy.security.internal.WebContainerApprovedUserAuthenticator.authenticate(WebContainerApprovedUserAuthenticator.java:46)
    at ch.ivyteam.ivy.security.internal.Session.authenticateWebContainerApprovedUser(Session.java:1193)
    at ch.ivyteam.ivy.webserver.internal.IvySession.authenticateSessionUser(IvySession.java:228)
    at ch.ivyteam.ivy.webserver.internal.IvySession.getSecuritySession(IvySession.java:142)
    at ch.ivyteam.ivy.webserver.internal.IvySession.getSession(IvySession.java:127)
    at ch.ivyteam.ivy.webserver.internal.AbstractServlet.setSession(AbstractServlet.java:489)
    at ch.ivyteam.ivy.webserver.internal.process.IvyProcessServlet.doRespondAsSystem(IvyProcessServlet.java:51)
    at ch.ivyteam.ivy.webserver.internal.AbstractServlet.prepareRespondAsSystem(AbstractServlet.java:231)
    at ch.ivyteam.ivy.webserver.internal.AbstractServlet.access$3(AbstractServlet.java:213)
    at ch.ivyteam.ivy.webserver.internal.AbstractServlet$2.call(AbstractServlet.java:191)
    at ch.ivyteam.ivy.security.internal.SecurityManager.executeAsSystem(SecurityManager.java:1467)
    at ch.ivyteam.ivy.webserver.internal.AbstractServlet.doService(AbstractServlet.java:185)
    at ch.ivyteam.ivy.webserver.internal.AbstractServlet.doGet(AbstractServlet.java:169)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:624)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at sun.reflect.GeneratedMethodAccessor123.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at ch.ivyteam.ivy.webserver.internal.exception.IvyExceptionFilter.doFilter(IvyExceptionFilter.java:49)
    at sun.reflect.GeneratedMethodAccessor92.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at ch.ivyteam.ivy.webserver.internal.IvyFilter.doFilterInternal(IvyFilter.java:267)
    at ch.ivyteam.ivy.webserver.internal.IvyFilter.doFilter(IvyFilter.java:172)
    at sun.reflect.GeneratedMethodAccessor92.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at ch.ivyteam.ivy.webserver.internal.IvyExecuteAsSystemFilter$1.call(IvyExecuteAsSystemFilter.java:45)
    at ch.ivyteam.ivy.webserver.internal.IvyExecuteAsSystemFilter$1.call(IvyExecuteAsSystemFilter.java:1)
    at ch.ivyteam.ivy.security.internal.SecurityManager.executeAsSystem(SecurityManager.java:1467)
    at ch.ivyteam.ivy.webserver.internal.IvyExecuteAsSystemFilter.doFilter(IvyExecuteAsSystemFilter.java:39)
    at sun.reflect.GeneratedMethodAccessor92.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at ch.ivyteam.ivy.webserver.internal.duplicate.IvyDuplicateRequestFilter.doFilter(IvyDuplicateRequestFilter.java:74)
    at sun.reflect.GeneratedMethodAccessor92.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:89)
    at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:119)
    at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:133)
    at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:130)
    at com.google.inject.servlet.GuiceFilter$Context.call(GuiceFilter.java:203)
    at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:130)
    at sun.reflect.GeneratedMethodAccessor92.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at ch.ivyteam.ivy.webserver.internal.PerformanceLogValve.invoke(PerformanceLogValve.java:55)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
    at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.naming.directory.InvalidSearchFilterException: Missing 'equals'; remaining name 'CN=hcmc-4axonivy,OU=AAVN_HCM,DC=aavn,DC=local'
    at com.sun.jndi.ldap.Filter.encodeSimpleFilter(Filter.java:330)
    at com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:146)
    at com.sun.jndi.ldap.Filter.encodeFilterList(Filter.java:741)
    at com.sun.jndi.ldap.Filter.encodeComplexFilter(Filter.java:657)
    at com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:104)
    at com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:74)
    at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:548)
    at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:276)
    at ch.ivyteam.ivy.security.internal.jndi.dircontext.LazyBindingDirContextAccess.search(LazyBindingDirContextAccess.java:47)
    at ch.ivyteam.ivy.security.internal.jndi.JndiSecuritySystem$3$1.execute(JndiSecuritySystem.java:1063)
    at ch.ivyteam.ivy.security.internal.jndi.JndiSecuritySystem$3$1.execute(JndiSecuritySystem.java:1)
    at ch.ivyteam.ivy.security.internal.jndi.JndiSecuritySystem.execute(JndiSecuritySystem.java:613)
    at ch.ivyteam.ivy.security.internal.jndi.JndiSecuritySystem$3.call(JndiSecuritySystem.java:1058)
    at ch.ivyteam.ivy.security.internal.jndi.JndiSecuritySystem$3.call(JndiSecuritySystem.java:1)
    at ch.ivyteam.ivy.security.internal.jndi.JndiSecuritySystem.executeWithCachedContext(JndiSecuritySystem.java:637)

asked 13.06.2016 at 13:03


qtdan93


Hello

You're right, IIS does the authentication. The authentication depends on the setting you choose on IIS. Normally you configure the AD domain you want to authenticate users against. After IIS has authenticated a user, it forwards the request to ivy and provides the name of the user that it has authenticated. On ivy, the name of the user is taken and an ivy user with that name is searched for. If one is found, it will be automatically logged into the current session. If no user with that name is found, the current session will be kept unauthenticated (unknown session user). And therefore a 404 or 403 should be returned.

The error above should not happen. Can you please report an issue to our support with additional information like your AD settings and the name of the user that tries to log in.

Thanks for reporting the error.


answered 16.06.2016 at 11:57


Reto Weiss ♦♦
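The answer above describes a hand-off in two stages: the web container (IIS, reaching the engine through the AJP connector that appears in the trace) authenticates the user and passes only a user name, and ivy then looks that name up in its own user directory. The trace in the question shows that lookup failing inside a JNDI search filter, so the "unknown account" case surfaces as an exception instead of the 403/404 the answer expects. As an added example, not code from this page or from Axon.ivy, the generic servlet filter below makes that second stage an explicit application decision: an account that IIS authenticated but the application does not know is redirected to a custom page, as the question asks, rather than reaching the application's directory code at all. The `UserDirectory` interface, the `inMemory` helper and the `/unknown-user.jsp` path are assumptions; the name normalization assumes the application keys its users by the bare account name, while IIS may assert `DOMAIN\user` or `user@domain`. The filter trusts whatever identity the container asserts, which is only sound when the engine accepts requests solely from IIS: the connector between IIS and the engine should not be reachable from anywhere else.

```java
// Added example (not Axon.ivy code): turn the identity asserted by the web
// container (IIS -> request.getRemoteUser()) into an application decision.
// UserDirectory, inMemory() and the unknown-user page are hypothetical stand-ins.
import java.io.IOException;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class PreAuthenticatedUserFilter implements Filter {

    /** Lookup against the application's own user store (assumed interface). */
    public interface UserDirectory {
        boolean exists(String userName);
    }

    /** Outcome of matching the container-asserted identity against the app directory. */
    public enum Decision { NOT_AUTHENTICATED, UNKNOWN_USER, KNOWN_USER }

    private final UserDirectory directory;
    private final String unknownUserPage;   // e.g. "/unknown-user.jsp" (assumed path)

    public PreAuthenticatedUserFilter(UserDirectory directory, String unknownUserPage) {
        this.directory = directory;
        this.unknownUserPage = unknownUserPage;
    }

    /**
     * IIS typically asserts Windows names as DOMAIN\user or user@domain; this
     * scenario assumes the application directory keys users by the bare name.
     */
    static String normalize(String remoteUser) {
        String name = remoteUser;
        int backslash = name.lastIndexOf('\\');
        if (backslash >= 0) {
            name = name.substring(backslash + 1);
        }
        int at = name.indexOf('@');
        if (at >= 0) {
            name = name.substring(0, at);
        }
        return name.toLowerCase(Locale.ROOT);
    }

    /** Pure decision logic, kept apart from the servlet plumbing so it can be unit-tested. */
    static Decision decide(String remoteUser, UserDirectory directory) {
        if (remoteUser == null || remoteUser.isEmpty()) {
            return Decision.NOT_AUTHENTICATED;
        }
        return directory.exists(normalize(remoteUser)) ? Decision.KNOWN_USER : Decision.UNKNOWN_USER;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The error page itself must stay reachable, or UNKNOWN_USER would redirect forever.
        if (unknownUserPage.equals(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }

        switch (decide(request.getRemoteUser(), directory)) {
            case NOT_AUTHENTICATED:
                // Nobody was authenticated by the container: do not fall through to the app.
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            case UNKNOWN_USER:
                // Authenticated by IIS but not provisioned in the application directory:
                // a friendly page instead of a failed directory search or a bare 403.
                response.sendRedirect(request.getContextPath() + unknownUserPage);
                return;
            case KNOWN_USER:
            default:
                chain.doFilter(req, res);
        }
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    /** Constructed in-memory directory for trying the filter without an LDAP server. */
    public static UserDirectory inMemory(Set<String> users) {
        return users::contains;
    }
}
```

Because the filter takes its directory through the constructor, register it programmatically (`ServletContext.addFilter` accepts a `Filter` instance) or add a no-argument constructor that reads init parameters for `web.xml` deployment. `decide("AAVN\\alice", inMemory(Set.of("alice")))` yields `KNOWN_USER`, the same name against an empty set yields `UNKNOWN_USER`, and a `null` remote user yields `NOT_AUTHENTICATED`; the application's own directory lookup only ever runs for names that passed the container, which is the ordering the answer describes.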
