On Tue, Jun 16, 2009 7:11 PM, WenChen Hol <[email protected]> wrote:
> I am getting the error message after login through our unisign server,
> ----------------------
> Login error
> Your browser is looping...
> We have detected that your browser is caught in an infinite loop.
> Please delete your cookies, restart your browser, and try again. If
> you need assistance, contact your computer support staff.
> ----------------------
>
> Have done my part of deleting cookies, restart browser etc, but still
> the same error. I think it should be my stupid server setting, but as
> a first-timer, I have no clue where I am setting wrong.
> Does anyone encounter issues like this before, and what might be the
> area I need to check ?
>
First, check your Apache HTTPD error log file to see what message is
being written there. You may also want to contact the people who run
your central weblogin server to see what they are seeing in their log
files (for both the web server and for cosignd).

Looping can be caused by a number of things, particularly under cosign
3.x. You really should check the log files for evidence that will point
you to the cause of the looping. However, there is one particular case
that I think bears mentioning here...

We're seeing an increasing number of ISPs worldwide that are using
multiple, redundant network uplinks (which is a good thing) each of
which is using Network Address Translation (NAT) independent of the
other uplink (which is a bad thing). Users of such an ISP often wind
up using one IP address consistently to contact the central weblogin
server and using a second IP address consistently to contact the
cosign-protected web server. When IP checking is turned on for cosign
(which is the default), the cosign-protected web server always sends the
user back to the central weblogin server, since the two IP addresses are
different. But since the user is authenticated, the central weblogin
server sends the user back to the service, thus creating the loop.

There are a number of solutions:

1. Stop using multipath NAT, it's evil.
2. Have the user use a VPN client to get a non-NAT'd IP address that is
always the same regardless of which web server they go to.
3. Turn off IP checking in cosign by setting "CosignCheckIP never". If
you do this, security will be decreased a little under cosign 3 or a lot
under cosign 2. If you are using cosign 2, upgrade your entire
environment to cosign 3 first.

Keep in mind, though, that multipath NAT and IP checking may not be the
cause of your problem, they are just something I wanted to talk about.
Check your log files for evidence of what is causing the looping that
you are seeing.

Mark Montague
ITCS Web/Database Team
The University of Michigan
[email protected]
_______________________________________________
Cosign-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
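
Added example (not part of the original message and not cosign's code): a simplified Python model of the multipath-NAT redirect loop described in the reply above, showing the same client served when both servers see one source IP, looping when they see two, and served again once the IP comparison is disabled. The class and function names, the redirect limit, the cookie value and the documentation-range IP addresses are assumptions made for this illustration.

```python
from dataclasses import dataclass

MAX_REDIRECTS = 10  # assumed loop-detection threshold for this model


@dataclass
class Client:
    ip_to_weblogin: str  # source IP the central weblogin server sees
    ip_to_service: str   # source IP the cosign-protected server sees


class Weblogin:
    """Hypothetical stand-in for the central weblogin server."""

    def __init__(self):
        self.registered = {}  # service cookie -> client IP seen at registration

    def visit(self, client, cookie):
        # The user is (or becomes) authenticated, so weblogin records the
        # cookie with the IP it saw and sends the browser back to the service.
        self.registered[cookie] = client.ip_to_weblogin


def service_accepts(weblogin, client, cookie, check_ip):
    """Protected server's decision: known cookie and, if enabled, same IP."""
    registered_ip = weblogin.registered.get(cookie)
    if registered_ip is None:
        return False
    # With check_ip False (the effect of "CosignCheckIP never" in this model)
    # the registered IP is no longer compared with the connecting IP.
    return (not check_ip) or registered_ip == client.ip_to_service


def simulate(client, check_ip=True):
    """Return (outcome, number of redirects to weblogin)."""
    weblogin = Weblogin()
    cookie = "svc-cookie-constructed"  # constructed sample value
    redirects = 0
    while redirects < MAX_REDIRECTS:
        if service_accepts(weblogin, client, cookie, check_ip):
            return "served", redirects
        redirects += 1
        weblogin.visit(client, cookie)  # bounce to weblogin and back
    return "looping", redirects


# Constructed clients using RFC 5737 documentation addresses.
SINGLE_PATH = Client("192.0.2.10", "192.0.2.10")
MULTIPATH_NAT = Client("192.0.2.10", "198.51.100.20")

if __name__ == "__main__":
    print(simulate(SINGLE_PATH))                    # one uplink, IP check on
    print(simulate(MULTIPATH_NAT))                  # two uplinks, IP check on
    print(simulate(MULTIPATH_NAT, check_ip=False))  # two uplinks, IP check off
```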