7 Replies Latest reply on Nov 28, 2016 6:53 AM by Dino Filipovic

    SSO Error: Received SSO session reject message "CREDENTIAL_REJECTED"

    Iain Taylor

      Hi everyone, I am getting the following error after I have set up my proxy server

       

      configuration: 8.2 sp2 appserv on windows

      agents 8.2.sp2 on all RHEL and Windows Servers

      Application server type ALL

       

      ProxySvcPort set as: 9842

      ProxyServiceURL set as: service:proxysvc.bladelogic:blsess://TIBBSAAPP:9842

       

      Secure file on Application server

      rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls:

      default:port=4750:protocol=5:tls_mode=encryption_only:appserver_protocol=ssoproxy:encryption=tls:

       

      secure file on client servers with nsh set as

      rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls:

      default:port=4750:protocol=5:tls_mode=encryption_only:auth_profile=defaultProfile:appserver_protocol=ssoproxy:encryption=tls:

       

      run blcred authprofile add

      and then blcred cred -acquire successfully

       

      blcred authprofile -list shows the following output

       

      TIBRHEL03% blcred cred -list

      Username:         BLAdmin

      Authentication:   SRP

      Issuing Service:  service:authsvc.bladelogic:blauth://TIBBSAAPP:9840

      Expiration Time:  Fri Jul 12 20:23:32 UTC 2013

      Maximum Lifetime: Fri Jul 12 20:23:32 UTC 2013

      Client address:   192.168.3.26

      Authorized Roles:

          BLAdmins

       

      Destination URLs:

          service:appsvc.bladelogic:blsess://TIBBSAAPP:9841

          service:proxysvc.bladelogic:blsess://TIBBSAAPP:9842

       

      I have tried the blcred cred -destroy and blcred cred -acquire again to see if that resolved

       

      Any help would be greatly appreciated

        • 1. Re: SSO Error: Received SSO session reject message "CREDENTIAL_REJECTED"
          Bill Robinson

          Can you post the appserver log from the instance running the proxy that covers when you get that message?

          • 2. Re: SSO Error: Received SSO session reject message "CREDENTIAL_REJECTED"
            Iain Taylor

            Hi Bill, I am getting the following when I look in the log

             

             

            ############################################################################################

            [12 Jul 2013 10:23:32,496] [Authentication-Service-Thread-2] [INFO] [BLAdmin::192.168.3.26] [Appserver] user authentication successful: BLAdmin

            [12 Jul 2013 10:23:32,557] [Authentication-Service-Thread-2] [INFO] [BLAdmin::192.168.3.26] [Appserver] Authentication Connection closed

            [12 Jul 2013 10:23:40,010] [Nsh-Proxy-Thread-6] [WARN] [Anonymous:Anonymous:5.79.23.74] [BLSSOPROXY] target service url in Session Request message does not match my URL: service:proxysvc.bladelogic:blsess://TIBBSAAPP:9842 != service:proxysvc.bladelogic:blsess://5.79.23.74:9842

            [12 Jul 2013 10:23:40,015] [Nsh-Proxy-Thread-6] [WARN] [Anonymous:Anonymous:5.79.23.74] [BLSSOPROXY] Client's session credential was rejected

            [12 Jul 2013 10:23:40,015] [Nsh-Proxy-Thread-6] [INFO] [Anonymous:Anonymous:5.79.23.74] [BLSSOPROXY] failure establishing session with proxy service

            [12 Jul 2013 10:23:54,964] [Nsh-Proxy-Thread-5] [WARN] [Anonymous:Anonymous:5.79.23.74] [BLSSOPROXY] target service url in Session Request message does not match my URL: service:proxysvc.bladelogic:blsess://TIBBSAAPP:9842 != service:proxysvc.bladelogic:blsess://5.79.23.74:9842

            [12 Jul 2013 10:23:54,967] [Nsh-Proxy-Thread-5] [WARN] [Anonymous:Anonymous:5.79.23.74] [BLSSOPROXY] Client's session credential was rejected

            [12 Jul 2013 10:23:54,967] [Nsh-Proxy-Thread-5] [INFO] [Anonymous:Anonymous:5.79.23.74] [BLSSOPROXY] failure establishing session with proxy service

            [12 Jul 2013 10:24:21,406] [Scheduled-System-Tasks-Thread-1] [INFO] [System:System:] [Memory Monitor] Total JVM (B): 1009451008,Free JVM (B): 387481544,Used JVM (B): 621969464,VSize (B): 1202065408,RSS (B): 1099100160,Used File Descriptors: 2154

            [12 Jul 2013 10:24:23,861] [Nsh-Proxy-Thread-11] [WARN] [Anonymous:Anonymous:5.79.23.74] [BLSSOPROXY] target service url in Session Request message does not match my URL: service:proxysvc.bladelogic:blsess://TIBBSAAPP:9842 != service:proxysvc.bladelogic:blsess://5.79.23.74:9842

            [12 Jul 2013 10:24:23,864] [Nsh-Proxy-Thread-11] [WARN] [Anonymous:Anonymous:5.79.23.74] [BLSSOPROXY] Client's session credential was rejected

            [12 Jul 2013 10:24:23,864] [Nsh-Proxy-Thread-11] [INFO] [Anonymous:Anonymous:5.79.23.74] [BLSSOPROXY] failure establishing session with proxy service

            [12 Jul 2013 10:24:23,909] [Nsh-Proxy-Thread-3] [WARN] [Anonymous:Anonymous:5.79.23.74] [BLSSOPROXY] target service url in Session Request message does not match my URL: service:proxysvc.bladelogic:blsess://TIBBSAAPP:9842 != service:proxysvc.bladelogic:blsess://5.79.23.74:9842

            [12 Jul 2013 10:24:23,912] [Nsh-Proxy-Thread-3] [WARN] [Anonymous:Anonymous:5.79.23.74] [BLSSOPROXY] Client's session credential was rejected

            [12 Jul 2013 10:24:23,912] [Nsh-Proxy-Thread-3] [INFO] [Anonymous:Anonymous:5.79.23.74] [BLSSOPROXY] failure establishing session with proxy

            ###########################################################################################

            So what I then did was to change the entry in the hosts file of the appserver to point to the IP address of that network card on the appserver

             

            when I picked up the following error

            #######################################################################################

            [12 Jul 2013 14:26:28,263] [Nsh-Proxy-Thread-0] [WARN] [Anonymous:Anonymous:192.168.3.26] [BLSSOPROXY] client's IP address does not match that written into ticket: /192.168.3.26 != /5.79.23.74

            [12 Jul 2013 14:26:28,266] [Nsh-Proxy-Thread-0] [WARN] [Anonymous:Anonymous:192.168.3.26] [BLSSOPROXY] Client's session credential was rejected

            [12 Jul 2013 14:26:28,266] [Nsh-Proxy-Thread-0] [INFO] [Anonymous:Anonymous:192.168.3.26] [BLSSOPROXY] failure establishing session with proxy service

            [12 Jul 2013 14:26:28,322] [Nsh-Proxy-Thread-1] [WARN] [Anonymous:Anonymous:192.168.3.26] [BLSSOPROXY] client's IP address does not match that written into ticket: /192.168.3.26 != /5.79.23.74

            [12 Jul 2013 14:26:28,325] [Nsh-Proxy-Thread-1] [WARN] [Anonymous:Anonymous:192.168.3.26] [BLSSOPROXY] Client's session credential was rejected

            [12 Jul 2013 14:26:28,325] [Nsh-Proxy-Thread-1] [INFO] [Anonymous:Anonymous:192.168.3.26] [BLSSOPROXY] failure establishing session with proxy service

             

            ############################################################################################

             

            I then looked through some of the previous posts and noticed that this could be resolved by setting the

            validateClientIpAddress

            validateRequestURL

            to false

            and that works. Quick question: by setting these to false, what is that actually doing, and what effect will it have on authenticating against each server?

            • 3. Re: SSO Error: Received SSO session reject message "CREDENTIAL_REJECTED"
              Bill Robinson

              yeah - here's your problem:

              [BLSSOPROXY] target service url in Session Request message does not match my URL: service:proxysvc.bladelogic:blsess://TIBBSAAPP:9842 != service:proxysvc.bladelogic:blsess://5.79.23.74:9842

               

              if you change the validateRequestURL to false that should take care of this, otherwise you need to work out why the appserver host isn't resolving itself properly.

               

              this won't change any authentication, only allow the connection if the name resolution is a mismatch.

              • 4. Re: SSO Error: Received SSO session reject message "CREDENTIAL_REJECTED"
                Iain Taylor


                Thanks Bill, as mentioned setting the validateRequestURL to false did the trick.

                • 5. Re: SSO Error: Received SSO session reject message "CREDENTIAL_REJECTED"
                  Dino Filipovic

                  Where did you set up validateRequestURL to false?

                  • 6. Re: SSO Error: Received SSO session reject message "CREDENTIAL_REJECTED"
                    Dipak Gaigole

                    Use the blasadmin command:

                                    set appserver ValidateRequestURL true|false

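Added example (not part of the original thread, and not BMC code): a small Python triage of the BLSSOPROXY warnings quoted in reply 2, separating the target-URL mismatch from the client-IP mismatch so the underlying name-resolution or addressing problem can be identified before a validation setting is switched off. The sample lines are copied from the logs in the thread; pairing the IP warning with validateClientIpAddress is an assumption based on the setting's name.

```python
import re
from collections import Counter

# Sample lines copied from the log excerpts posted in the thread.
SAMPLE_LOG = """\
[12 Jul 2013 10:23:40,010] [Nsh-Proxy-Thread-6] [WARN] [Anonymous:Anonymous:5.79.23.74] [BLSSOPROXY] target service url in Session Request message does not match my URL: service:proxysvc.bladelogic:blsess://TIBBSAAPP:9842 != service:proxysvc.bladelogic:blsess://5.79.23.74:9842
[12 Jul 2013 10:23:40,015] [Nsh-Proxy-Thread-6] [WARN] [Anonymous:Anonymous:5.79.23.74] [BLSSOPROXY] Client's session credential was rejected
[12 Jul 2013 14:26:28,263] [Nsh-Proxy-Thread-0] [WARN] [Anonymous:Anonymous:192.168.3.26] [BLSSOPROXY] client's IP address does not match that written into ticket: /192.168.3.26 != /5.79.23.74
[12 Jul 2013 14:26:28,266] [Nsh-Proxy-Thread-0] [WARN] [Anonymous:Anonymous:192.168.3.26] [BLSSOPROXY] Client's session credential was rejected
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<thread>[^\]]+)\] \[(?P<level>\w+)\] "
                  r"\[(?P<ctx>[^\]]*)\] \[(?P<comp>[^\]]+)\] (?P<msg>.*)$")
# message pattern -> (cause label, related setting named in the thread)
CAUSES = [
    (re.compile(r"target service url .* does not match my URL: (\S+) != (\S+)"),
     "url_mismatch", "validateRequestURL"),
    # Assumption: this warning is the check governed by validateClientIpAddress.
    (re.compile(r"client's IP address does not match .* ticket: /(\S+) != /(\S+)"),
     "ip_mismatch", "validateClientIpAddress"),
]

def classify_rejections(log_text):
    """Return one finding per BLSSOPROXY mismatch warning."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["comp"] != "BLSSOPROXY" or m["level"] != "WARN":
            continue
        for pattern, cause, setting in CAUSES:
            hit = pattern.search(m["msg"])
            if hit:
                findings.append({"time": m["ts"], "thread": m["thread"],
                                 "peer": m["ctx"].rsplit(":", 1)[-1],
                                 "cause": cause, "setting": setting,
                                 "left": hit.group(1), "right": hit.group(2)})
    return findings

def summarize(findings):
    """Count distinct (cause, left, right) mismatches to show what differs."""
    return Counter((f["cause"], f["left"], f["right"]) for f in findings)

if __name__ == "__main__":
    for (cause, left, right), n in summarize(classify_rejections(SAMPLE_LOG)).items():
        print(f"{n}x {cause}: {left} != {right}")
```

The `left` and `right` fields are the two values exactly as the proxy logged them on either side of `!=`; comparing them shows whether the difference is a hostname versus an IP address, or two different interfaces of the same host.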