IBM Verify

  • 1.  FBTAUT004E Authentication service receives invalid state ID

    Posted Thu August 31, 2023 09:58 AM

    Hi,

    We have implemented MFA branching, where SMS OTP and TOTP are presented as MFA options. We get an error "FBTAUT004E Authentication service receives invalid state ID" when a correct SMS OTP is provided.

    The strange behavior is, if I go through each step (i.e., login, select SMS OTP, enter OTP, etc.) by giving a pause of almost 7-10 seconds within each step, everything works fine, but if I go through each step as soon as I see the page, I get the error.

    What could be causing this issue?

    Thanks & regards,



    ------------------------------
    Naqvi
    ------------------------------



  • 2.  RE: FBTAUT004E Authentication service receives invalid state ID

    Posted Tue September 05, 2023 12:13 AM

    I'd be looking at things like how session state synchronization is configured, and whether or not you have session affinity back to the same server instance in the normal case.



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 3.  RE: FBTAUT004E Authentication service receives invalid state ID

    Posted Tue September 05, 2023 12:04 PM
    Edited by Wendy Batten Wed September 06, 2023 07:44 AM

    Hi Shane,

    For the session synchronization we have DSC enabled. The session affinity is also enabled. However, in order to narrow down the cause, we have removed the server from cluster and disabled clustering. Even after that we are getting the same behavior.

    Regards,



    ------------------------------
    Syed Naqvi
    ------------------------------



  • 4.  RE: FBTAUT004E Authentication service receives invalid state ID

    Posted Tue September 05, 2023 04:30 PM

    Another reason it might be happening is a client-side race condition. Some of our advanced policies use client-side XHR/AJAX calls to call back to the AAC authentication policy (typically via /mga/sps/apiauthsvc URLs). These will return a new stateid value, which we then use client-side JavaScript to "update" in the FORM POST URLs prior to them being submitted. I don't know for a fact if the policy you are using is doing this or not, but you could easily check it by inspecting the page templates and their JavaScript, and also just opening the network debugger tool in the browser and looking to see if there are in-progress XHR calls that are taking a while to return. If you were to submit the form page (i.e. in your case the SMS OTP) while one of those was in progress and it resubmitted the same stateid as the XHR call was using, that could explain this behaviour. A "fix" of sorts would be to hide or disable the UI elements allowing the page submission while this was happening, but the root cause needs to be determined first.



    ------------------------------
    Shane Weeden
    IBM
    ------------------------------
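The race described in the reply above, modelled as an added example (this is not IBM's template code and not from the thread): a background call to the authentication service hands back a fresh state id, the page must rewrite the form's POST URL with it, and a submission that goes out before that rewrite carries the stale id. The guard below disables submission while a call is in flight and only lets the newest call rewrite the URL. The response field name `stateId`, the query parameter name `StateId`, and the host `isva.example.invalid` are placeholders assumed for the example; the fake API is constructed so the code runs offline.

```javascript
// Added illustration of the client-side race (not IBM code). Assumed names,
// not taken from the thread: JSON response field "stateId" and URL query
// parameter "StateId".

const STATE_PARAM = 'StateId';

// Replace the StateId query parameter in an absolute form action URL.
function updateStateId(actionUrl, newStateId) {
  const url = new URL(actionUrl);
  url.searchParams.set(STATE_PARAM, newStateId);
  return url.toString();
}

// Guards a form object ({ action, submitDisabled }) so that a submission
// cannot go out while a state-refreshing call is still in flight.
class StateGuard {
  constructor(form) {
    this.form = form;
    this.inFlight = 0;     // background calls that have not yet returned
    this.generation = 0;   // identifies the most recently started call
  }

  // Start a background call; callApi(url) resolves to { stateId }.
  async refresh(callApi) {
    const gen = ++this.generation;
    this.inFlight++;
    this.form.submitDisabled = true;   // disable submit while the call runs
    try {
      const resp = await callApi(this.form.action);
      // Only the newest call may rewrite the URL; a slow older call that
      // finishes later would otherwise reinstate an already-consumed id.
      if (gen === this.generation) {
        this.form.action = updateStateId(this.form.action, resp.stateId);
      }
      return resp.stateId;
    } finally {
      this.inFlight--;
      if (this.inFlight === 0) this.form.submitDisabled = false;
    }
  }

  // Returns the URL the form may POST to, or throws while a call is pending.
  submit() {
    if (this.inFlight > 0) {
      throw new Error('state refresh in progress; submission blocked');
    }
    return this.form.action;
  }
}

// Constructed stand-in for the XHR to the authentication service: waits
// delayMs and then hands back a new, never-before-used state id.
function makeFakeApi(delayMs) {
  let counter = 0;
  return async function callApi(_url) {
    await new Promise((resolve) => setTimeout(resolve, delayMs));
    counter += 1;
    return { stateId: 'state-' + counter };
  };
}

// Walks through both cases: a hasty submit during the call is blocked; once
// the call returns, the form carries the fresh id and may be submitted.
async function demo() {
  const form = {
    action: 'https://isva.example.invalid/mga/sps/apiauthsvc?StateId=state-0',
    submitDisabled: false,
  };
  const guard = new StateGuard(form);
  const pending = guard.refresh(makeFakeApi(20));
  const disabledDuringCall = form.submitDisabled;   // set before first await

  let hastySubmitBlocked = false;
  try {
    guard.submit();                    // user clicks before the XHR returns
  } catch (e) {
    hastySubmitBlocked = true;
  }

  const freshId = await pending;       // XHR completes, URL is rewritten
  return {
    hastySubmitBlocked,
    disabledDuringCall,
    freshId,
    finalUrl: guard.submit(),
    disabledAfterCall: form.submitDisabled,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

Run with `node` to see the hasty submission rejected and the final URL carrying the fresh id. In a real template the `form` object would be the DOM form and `submitDisabled` would drive the submit button's `disabled` attribute; the generation counter is what stops a slow, superseded XHR from writing an old id back over a newer one.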