7.9 Authorization and Identity Injection Issues

7.9.1 Authorization and Identity Injection Error Messages

If you have already configured the Identity Injection policies, you might receive the following errors while trying to send a browser request:

  • Service provider is in halted state. Please contact your administrator to restart Service Provider from Administrator Console.

  • Policy engine is sending invalid response. Please contact your administrator to restart Service Provider from Administrator Console.

  • Unable to process your request.

  • Unable to process your request due to parseXML failure.

These errors indicate that the Embedded Service Provider is down. Every Identity Injection policy has a policy ID, which is sent to the Access Gateway by the Embedded Service Provider. If the Embedded Service Provider is down, the Access Gateway does not get the policy ID, and an error is thrown. Restart the Embedded Service Provider from the Administration Console as follows:

  1. In the Administration Console, click Devices > Access Gateways.

  2. Select the server, then click Actions.

  3. Click Service Provider > Restart Service Provider.

  4. Click OK.

7.9.2 Identity Injection Failures

Identity injection might fail while trying to inject authentication headers because of improper policy configuration or because the Identity Server is not sending values to the Access Gateway.

Check the /var/log/ics_dyn.log file for the following error messages:

  • Customer Header Injection Failed.

  • Query String Injection Failed.

  • Authentication Header Injection Failed.

To receive help resolving identity injection failures, send the following information to Novell Support:

7.9.3 Identity Injection Problems When Using a Password Management Service

If you have configured the Identity Server to use a password management service and you have also configured resources to use Identity Injection policies that inject the user’s password, you need to enable the following touch file:


This file causes the Access Gateway to refresh the user’s credentials so that they match password changes. If the file is not enabled and users authenticate and then change their passwords, the Access Gateway uses the old password in Identity Injection policies.