NOTE: If any critical issue occurs, you can disable Advanced Session Assurance for specific URLs and user agents. For information about how to disable Advanced Session Assurance, see Disabling Advanced Session Assurance.
The following are the locations of log files:
Identity Server:
You must select Echo to Console (Devices > Identity Servers > Edit > Auditing and Logging) to enable logging to these files.
Linux: /var/opt/novell/nam/logs/idp/tomcat/catalina.out
Windows: \Program Files (x86)\Novell\Tomcat\logs\stdout.log
Access Gateway ESP:
Linux: /var/opt/novell/nam/logs/mag/tomcat/catalina.out
Windows: \Program Files\Novell\Tomcat\logs\stdout.log
Access Gateway:
Linux: /var/log/novell-apache2/error_log
Windows: \Program Files\Novell\Apache\logs\error.log
For basic troubleshooting, enable the severe log level for Identity Server and Access Gateway ESP, and the crit log level for Access Gateway.
Access Gateway:
Click Devices > Access Gateways > Edit > Advanced Options.
Add the following:
LogLevel crit
Identity Server:
Click Devices > Identity Servers > Edit > Auditing and Logging.
Select File Logging and Echo to Console.
Under Component File Logger Levels > Application, select severe.
If you want advanced troubleshooting, enable the debug level. See Using debug Logs.
These log snippets provide the following information:
User DN
Correlation ID (session ID)
Currently fetched device information
Device Fingerprint (Device fingerprint stored in the session)
Result
Failure cause
Offending Mandatory Attribute (information about the parameter that did not match)
Identity Server
<amLogEntry> 2016-09-23T09:59:06Z SEVERE NIDS Application:
*************Device Fingerprint Evaluation Trace*************
Evaluating device fingerprint for user: cn=admin,o=novell
Correlation ID: d2ee43e3fbb2ca0487c9088fbc14c64cae552ecf6233412aa73fe6758a329598
Currently fetched device info: {"headerSet":{"user-agent":"Microsoft Office Protocol Discovery"}}
Total number of known devices to compare against: 1
Overall Result: Mismatch
*************Summary of comparison against known device*************
Evaluation Result: Mismatch
Device Fingerprint: {"user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"}
Failure Cause: At least one individual attribute failed match/is unavailable.
Offending individual attribute: user-agent
***************End of comparison against known device***************
***************************Trace End*************************
</amLogEntry>
<amLogEntry> 2016-09-23T09:59:06Z SEVERE NIDS Application: The session might have been hijacked. Logging out </amLogEntry>
Access Gateway
The following is a snippet of the log when the crit level is enabled. This log records the session assurance failure message:
Sep 28 20:27:07 namiso httpd[9797]: [crit] AM#104600404 AMDEVICEID#ag-8B62635F46CD2776: AMAUTHID#965dce7b7f4963730fed0bebf93d4ef70e062fb90e590569729f2b9b9dfd: AMEVENTID#23: logging out user with DN=cn=admin,o=novell and session ID =965dce7b7f4963730fed0bebf93d4ef70e062fb90e590569729f2b9b9dfd because of session assurance mismatch
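The fields listed above can be pulled out of both log formats with a small parser. The following is an added example, not code from Access Manager or from this documentation: the function names (parse_idp_entry, parse_ag_line, session_assurance_failures) are mine, and the sample input is the Identity Server SEVERE entries and the Access Gateway crit line from this section, embedded as strings so the script runs offline.

```python
import json
import re

# Constructed sample input: the Identity Server SEVERE entries and the Access
# Gateway crit line shown in this section, one log entry per string.
SAMPLE_LINES = [
    "<amLogEntry> 2016-09-23T09:59:06Z SEVERE NIDS Application: "
    "*************Device Fingerprint Evaluation Trace************* "
    "Evaluating device fingerprint for user: cn=admin,o=novell "
    "Correlation ID: d2ee43e3fbb2ca0487c9088fbc14c64cae552ecf6233412aa73fe6758a329598 "
    'Currently fetched device info: {"headerSet":{"user-agent":"Microsoft Office Protocol Discovery"}} '
    "Total number of known devices to compare against: 1 Overall Result: Mismatch "
    "*************Summary of comparison against known device************* "
    "Evaluation Result: Mismatch "
    'Device Fingerprint: {"user-agent":"Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"} '
    "Failure Cause: At least one individual attribute failed match/is unavailable. "
    "Offending individual attribute: user-agent "
    "***************End of comparison against known device*************** "
    "***************************Trace End************************* </amLogEntry>",
    "<amLogEntry> 2016-09-23T09:59:06Z SEVERE NIDS Application: "
    "The session might have been hijacked. Logging out </amLogEntry>",
    "Sep 28 20:27:07 namiso httpd[9797]: [crit] AM#104600404 "
    "AMDEVICEID#ag-8B62635F46CD2776: "
    "AMAUTHID#965dce7b7f4963730fed0bebf93d4ef70e062fb90e590569729f2b9b9dfd: "
    "AMEVENTID#23: logging out user with DN=cn=admin,o=novell and session ID "
    "=965dce7b7f4963730fed0bebf93d4ef70e062fb90e590569729f2b9b9dfd "
    "because of session assurance mismatch",
]

# One regex per field of the Identity Server trace. The two JSON blobs are
# captured whole and decoded afterwards; "Offending" accepts both the
# "individual attribute" and "Mandatory Attribute" wordings seen in the traces.
IDP_FIELDS = {
    "timestamp": r"<amLogEntry>\s+(\S+)\s+SEVERE",
    "user_dn": r"Evaluating device fingerprint for user:\s+(\S+)",
    "session_id": r"Correlation ID:\s+(\S+)",
    "fetched": r"Currently fetched device info:\s+(\{.*?\})\s+Total number of known devices",
    "result": r"Overall Result:\s+(\w+)",
    "stored": r"Device Fingerprint:\s+(\{.*?\})\s+(?:Failure Cause|\*+End of comparison)",
    "failure_cause": r"Failure Cause:\s+(.*?)\s+Offending",
    "offending_attribute": r"Offending (?:Mandatory|individual) [Aa]ttribute:\s+(\S+)",
}

# Access Gateway prefix layout exactly as it appears in the crit line above
# (assumed to be stable; adjust the pattern if your lines differ).
AG_LINE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+httpd\[\d+\]:\s+"
    r"\[(?P<level>\w+)\]\s+AM#(?P<code>\d+)\s+AMDEVICEID#(?P<device>[^:]+):\s+"
    r"AMAUTHID#(?P<authid>[^:]*):\s+AMEVENTID#(?P<event>\d+):\s+(?P<message>.*)$"
)
AG_LOGOUT = re.compile(
    r"DN=(?P<user_dn>\S+) and session ID\s*=(?P<session_id>\S+) "
    r"because of session assurance mismatch"
)


def parse_idp_entry(entry):
    """Extract the trace fields from one Identity Server entry.
    Returns None for entries that are not a Device Fingerprint Evaluation Trace."""
    if "Device Fingerprint Evaluation Trace" not in entry:
        return None
    rec = {"source": "idp"}
    for name, pattern in IDP_FIELDS.items():
        m = re.search(pattern, entry, re.S)
        rec[name] = m.group(1) if m else None
    for key in ("fetched", "stored"):  # decode the captured JSON blobs
        if rec[key] is not None:
            rec[key] = json.loads(rec[key])
    return rec


def parse_ag_line(line):
    """Split one Access Gateway line into its AM#/AMDEVICEID#/AMAUTHID#/AMEVENTID#
    fields and, for the session assurance logout message, the user DN and session ID."""
    m = AG_LINE.match(line)
    if not m:
        return None
    rec = {"source": "ag", **m.groupdict()}
    logout = AG_LOGOUT.search(rec["message"])
    if logout:
        rec.update(logout.groupdict())
        rec["result"] = "Mismatch"
    return rec


def session_assurance_failures(lines):
    """Return one normalized record per logged session assurance mismatch,
    whichever component logged it."""
    records = []
    for line in lines:
        rec = parse_idp_entry(line) or parse_ag_line(line)
        if rec and rec.get("result") == "Mismatch":
            records.append(rec)
    return records


if __name__ == "__main__":
    for rec in session_assurance_failures(SAMPLE_LINES):
        print(rec["source"], rec["user_dn"], rec["session_id"],
              rec.get("offending_attribute", "n/a"))
```

To run it against real data, read catalina.out (or stdout.log) and error_log line by line and pass the lines in; Identity Server entries that span several lines must be joined into one string first, since the trace is matched on its marker text rather than on line boundaries. Trace entries whose Overall Result is not Mismatch are parsed but not returned.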
Debug logs include detailed information such as the reason for the failure, the list of parameters being evaluated, and the session assurance interval value.
Perform the following steps to enable logging at the debug level:
Access Gateway:
Click Devices > Access Gateways > Edit > Advanced Options.
Add the following line:
LogLevel debug
Identity Server:
Click Devices > Identity Servers > Edit > Auditing and Logging.
Select File Logging and Echo to Console.
Under Component File Logger Levels > Application, select debug.
Device Fingerprint Evaluation Trace for Identity Server
This log snippet provides the following information:
User DN
Correlation ID (session ID)
Currently fetched device information
Device Fingerprint (Device fingerprint stored in the session)
Result
Failure cause
Offending Mandatory Attribute (information about the parameter that did not match)
List of parameters being considered in the fingerprinting
*************Device Fingerprint Evaluation Trace*************
Evaluating device fingerprint for user: cn=admin,o=novell
Correlation ID: CF0E200CA9FB92A3F29D79560140526E
Currently fetched device info: {"availFontSet":{},"cpuArchitecture":{"cpuArchitecture_cpuArchitecture":"amd64"},"deviceLanguage":{"deviceLanguage_deviceLanguageSet":"en-US,en","deviceLanguage_deviceDefaultLanguage":"en-US"},"html5DataSet":{},"navigatorPlatform":{},"operatingSystem":{"operatingSystem_osName":"Windows","operatingSystem_osVersion":"7"},"screenResolution":{},"userAgent":{},"webglData":{},"nonce":"1470635556957","deviceType":"NA$NA$NA","deviceTouchPoints":0,"colorDepth":24,"headerSet":{},"userDN":{},"clientIP":{}}
Total number of known devices to compare against: 1
Overall Result: Mismatch
*************Summary of comparison against known device*************
Evaluation Result: Mismatch
Device Fingerprint: {"deviceType":"NA$NA$NA","deviceLanguage_deviceLanguageSet":"en-US,en,af","deviceLanguage_deviceDefaultLanguage":"en-US","deviceTouchPoints":"0","cpuArchitecture_cpuArchitecture":"amd64","colorDepth":"24","nonce":"1470635480882","operatingSystem_osName":"Windows","operatingSystem_osVersion":"7"}
Failure Cause: Atleast one mandatory attribute failed match/is unavailable.
Offending Mandatory Attribute: deviceLanguage_deviceLanguageSet
***************End of comparison against known device***************
***************************Trace End*************************
</amLogEntry>
<amLogEntry> 2016-08-08T05:52:39Z SEVERE NIDS Application: Session seems to have got hijacked so logout! Trying to forcefully log out session CF0E200CA9FB92A3F29D79560140526E. Root cause: error during evaluating fingerprint. Evaluated nonce is null
Device Fingerprint Evaluation Trace for Access Gateway
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: configuring session assurance policy
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: session assurance is enabled
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: trigger time =1
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: list of attributes enabled for session assurance...
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: server side finger print=clientip
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = colorDepth
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = cpuArchitecture_cpuArchitecture
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = deviceTouchPoints
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = deviceTouchSupport
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = deviceType
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = deviceLanguage_deviceLanguageSet
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = deviceLanguage_deviceDefaultLanguage
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = operatingSystem_osName
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = operatingSystem_osVersion
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: server side finger print=user-agent
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = timezoneOffset
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = dnt
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = navigatorConcurrency
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = navigatorPlatform_navigatorPlatform
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = userAgent_uaName
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = userAgent_uaVersion
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = html5DataSet_html5AVData
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = availFontSet_availableFonts
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: advanced session assurance = webglData
Sep 29 18:03:05 lsb httpd[30697]: [info] AM#504600000 AMDEVICEID#ag-95F88CA3CFF470ED: AMAUTHID#: AMEVENTID#8568: session assurance policy configured successfully
The following sections include important error messages along with required actions:
This message is logged when the session might have been hijacked. If the session is intact but you still see this error, contact the technical support team and provide the debug logs.
This message is logged when the session might have been hijacked. Contact the technical support team with the debug logs, and log in again.
Check the log to see which error occurred. Most often, this message is logged because the fingerprint did not match.
For example, a mismatch error on deviceLanguage_deviceLanguageSet is logged when the language settings do not match within a user session. This can indicate session hijacking, because the language settings would differ when two different users try to use the same session from separate devices.
You can check the configuration details in the debug log files. In catalina.out or stdout.log, you can check whether Session Assurance is initialized, which parameters are enabled, and the evaluation interval. The log file records the evaluation on the first request and each further evaluation that runs once the interval since login has elapsed.
If an error occurs while initializing Session Assurance, it gets disabled.
Example Log Snippets
Information about whether Session Assurance is enabled:
<amLogEntry> 2016-09-06T19:19:34Z DEBUG NIDS Application: Method: NIDPSessionAssurance.initializeFPConfiguration Thread: RMI TCP Connection(1)-127.0.0.1 Session assurance enabled true </amLogEntry>
Information about whether Session Assurance initialized
<amLogEntry> 2016-09-06T19:19:34Z DEBUG NIDS Application: Method: NIDPSessionAssurance.initializeExcludeListSetting Thread: RMI TCP Connection(1)-127.0.0.1 Session Assurance : User Agent Exclude list [NMA_Auth] </amLogEntry>
Session Assurance IDC cookie grace period is 20 seconds
<amLogEntry> 2016-09-06T19:19:34Z DEBUG NIDS Application: Method: NIDPSessionAssurance.getNidpConfigPropertyInt Thread: RMI TCP Connection(1)-127.0.0.1 Property read from edirectory configuration store --------> Property:SESSION ASSURANCE IDC COOKIE GRACEPERIOD Value: 20 </amLogEntry>
Session Assurance interval is 1.0 minute
<amLogEntry> 2016-09-06T19:19:34Z DEBUG NIDS Application: Method: NIDPSessionAssurance.initializeFPConfiguration Thread: RMI TCP Connection(1)-127.0.0.1 Session assurance interval 1.0minutes </amLogEntry>
The parameters evaluated in the fingerprint are Client IP, User Agent, Hardware Parameters, Operating System, Screen Resolution, and Time Zone Offset.
Session assurance plan
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FingerprintConfiguration Enabled="true" ID="IDP" TriggerTimer="1" MatchLevel="100">
  <PropertyParams PropertyName="clientIP" PropertyRequired="true"/>
  <PropertyParams PropertyName="colorDepth" PropertyRequired="true"/>
  <PropertyParams PropertyName="cpuArchitecture_cpuArchitecture" PropertyRequired="true"/>
  <PropertyParams PropertyName="deviceTouchPoints" PropertyRequired="true"/>
  <PropertyParams PropertyName="deviceType" PropertyRequired="true"/>
  <PropertyParams PropertyName="operatingSystem_osName" PropertyRequired="true"/>
  <PropertyParams PropertyName="operatingSystem_osVersion" PropertyRequired="true"/>
  <PropertyParams PropertyName="user-agent" PropertyRequired="true"/>
  <PropertyParams PropertyName="screenResolution_availableScreenResolution" PropertyRequired="true"/>
  <PropertyParams PropertyName="screenResolution_screenResolution" PropertyRequired="true"/>
  <PropertyParams PropertyName="timezoneOffset" PropertyRequired="true"/>
</FingerprintConfiguration>
</amLogEntry>
List of server-side parameters: Client IP and User Agent
<amLogEntry> 2016-09-06T19:19:34Z DEBUG NIDS Application: Method: NIDPSessionAssurance.initializeFPConfiguration Thread: RMI TCP Connection(1)-127.0.0.1 Server Side Fingerprint Attributes [clientIP, user-agent] </amLogEntry>
List of client-side parameters: Hardware Parameters, Operating System Parameters, Screen Resolution, Time Zone Offset
<amLogEntry> 2016-09-06T19:19:34Z DEBUG NIDS Application: Method: NIDPSessionAssurance.initializeFPConfiguration Thread: RMI TCP Connection(1)-127.0.0.1 Client Side Fingerprint Attributes [colorDepth, cpuArchitecture_cpuArchitecture, deviceTouchPoints, deviceType, operatingSystem_osName, operatingSystem_osVersion, screenResolution_availableScreenResolution, screenResolution_screenResolution, timezoneOffset] </amLogEntry>
Information about whether an exclude list has been configured (here, a user-agent regex exclude list):
<amLogEntry> 2016-09-06T19:19:34Z DEBUG NIDS Application: Method: NIDPSessionAssurance.getNidpConfigPropertyString Thread: RMI TCP Connection(1)-127.0.0.1 Property read from edirectory configuration store --------> Property:SESSION ASSURANCE USER AGENT REGEX EXCLUDE LIST Value: Android 4\. </amLogEntry>
<amLogEntry> 2016-09-06T19:19:34Z DEBUG NIDS Application: Method: NIDPSessionAssurance.initializeExcludeListSetting Thread: RMI TCP Connection(1)-127.0.0.1 Session Assurance : User Agent Regex Exclude list [Android 4\.] </amLogEntry>
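The session assurance plan above and the Device Fingerprint Evaluation Trace for Identity Server in the debug section can be tied together by replaying the comparison that produced the trace. The following is an added example, not Access Manager's code and not documented behaviour: the plan XML is constructed in the FingerprintConfiguration format shown above but lists the attributes that appear in that trace's stored fingerprint (the page's own plan lists a different set); the "Currently fetched device info" and "Device Fingerprint" JSON are copied from the trace; flattening the nested fetched JSON onto the flat stored keys is inferred from the two shapes; and the comparison rules (a PropertyRequired="true" attribute that is missing or different fails outright, MatchLevel read as the minimum percentage of configured attributes that must match) are my reading of the attribute names. The function names load_plan, flatten and evaluate are mine.

```python
import json
import xml.etree.ElementTree as ET

# Constructed plan in the FingerprintConfiguration format shown in this section.
# The attribute list matches the stored fingerprint in the debug trace; the
# page's own plan names a different set (clientIP, user-agent, screen, timezone).
PLAN_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<FingerprintConfiguration Enabled="true" ID="IDP" TriggerTimer="1" MatchLevel="100">
  <PropertyParams PropertyName="colorDepth" PropertyRequired="true"/>
  <PropertyParams PropertyName="cpuArchitecture_cpuArchitecture" PropertyRequired="true"/>
  <PropertyParams PropertyName="deviceTouchPoints" PropertyRequired="true"/>
  <PropertyParams PropertyName="deviceType" PropertyRequired="true"/>
  <PropertyParams PropertyName="deviceLanguage_deviceLanguageSet" PropertyRequired="true"/>
  <PropertyParams PropertyName="deviceLanguage_deviceDefaultLanguage" PropertyRequired="true"/>
  <PropertyParams PropertyName="operatingSystem_osName" PropertyRequired="true"/>
  <PropertyParams PropertyName="operatingSystem_osVersion" PropertyRequired="true"/>
</FingerprintConfiguration>"""

# "Currently fetched device info" and "Device Fingerprint" copied from the
# Identity Server debug trace in this section (nested vs. flat shape).
FETCHED_JSON = """{"availFontSet":{},"cpuArchitecture":{"cpuArchitecture_cpuArchitecture":"amd64"},
"deviceLanguage":{"deviceLanguage_deviceLanguageSet":"en-US,en","deviceLanguage_deviceDefaultLanguage":"en-US"},
"html5DataSet":{},"navigatorPlatform":{},"operatingSystem":{"operatingSystem_osName":"Windows","operatingSystem_osVersion":"7"},
"screenResolution":{},"userAgent":{},"webglData":{},"nonce":"1470635556957","deviceType":"NA$NA$NA",
"deviceTouchPoints":0,"colorDepth":24,"headerSet":{},"userDN":{},"clientIP":{}}"""
STORED_JSON = """{"deviceType":"NA$NA$NA","deviceLanguage_deviceLanguageSet":"en-US,en,af",
"deviceLanguage_deviceDefaultLanguage":"en-US","deviceTouchPoints":"0","cpuArchitecture_cpuArchitecture":"amd64",
"colorDepth":"24","nonce":"1470635480882","operatingSystem_osName":"Windows","operatingSystem_osVersion":"7"}"""


def load_plan(xml_text):
    """Parse a FingerprintConfiguration plan into the pieces the evaluation needs."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return {
        "enabled": root.get("Enabled") == "true",
        "trigger_minutes": int(root.get("TriggerTimer", "0")),
        "match_level": int(root.get("MatchLevel", "100")),
        "attributes": [(p.get("PropertyName"), p.get("PropertyRequired") == "true")
                       for p in root.findall("PropertyParams")],
    }


def flatten(fetched):
    """Flatten the nested fetched-device JSON onto the flat key set of the stored
    fingerprint (assumed mapping). Values become strings because the stored copy
    keeps numbers as strings ("0", "24")."""
    flat = {}
    for key, value in fetched.items():
        if isinstance(value, dict):
            flat.update({k: str(v) for k, v in value.items()})
        else:
            flat[key] = str(value)
    return flat


def evaluate(plan, fetched, stored):
    """Compare fetched device info against the stored fingerprint under the plan.
    Assumed rules: a required attribute that is unavailable or different fails the
    comparison outright; otherwise at least MatchLevel percent of the configured
    attributes must match. Attributes not in the plan (e.g. nonce) are ignored."""
    if not plan["enabled"]:
        return {"result": "Skipped", "offending": [], "match_percent": 100, "failure_cause": None}
    current = flatten(fetched)
    known = {k: str(v) for k, v in stored.items()}
    failed, matched = [], []
    for name, required in plan["attributes"]:
        if name not in current or name not in known:
            failed.append((name, required, "unavailable"))
        elif current[name] != known[name]:
            failed.append((name, required, "mismatch"))
        else:
            matched.append(name)
    total = len(plan["attributes"])
    percent = 100 * len(matched) // total if total else 100
    mandatory = [name for name, required, _ in failed if required]
    if mandatory:
        return {"result": "Mismatch", "offending": mandatory, "match_percent": percent,
                "failure_cause": "At least one mandatory attribute failed match/is unavailable."}
    if percent < plan["match_level"]:
        return {"result": "Mismatch", "offending": [name for name, _, _ in failed],
                "match_percent": percent,
                "failure_cause": "match level %d%% below required %d%%" % (percent, plan["match_level"])}
    return {"result": "Match", "offending": [], "match_percent": percent, "failure_cause": None}


def evaluate_xml(xml_text, fetched, stored):
    return evaluate(load_plan(xml_text), fetched, stored)


if __name__ == "__main__":
    verdict = evaluate_xml(PLAN_XML, json.loads(FETCHED_JSON), json.loads(STORED_JSON))
    print(verdict["result"], verdict["offending"], verdict["failure_cause"])
```

With the trace's data this reproduces the logged outcome: every attribute matches except deviceLanguage_deviceLanguageSet ("en-US,en" fetched versus "en-US,en,af" stored), so the result is Mismatch with that attribute as the offending one. The differing nonce values are not part of the plan and do not affect the comparison here; the trace's separate "Evaluated nonce is null" root cause is a different failure and is not modelled.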