286 Novell Access Manager 3.1 SP1 Identity Server Guide
novdocx (en) 19 February 2010

- Use NTRadPing to test installations.
- Verify that the correct UDP port 1812 is specified.
- Verify that the RADIUS server can accept requests from the Identity Server. This might require the NAS-IP-Address attribute along with credentials.
- Verify that the user exists in the user store if multiple methods are added to a contract.
- Verify if user authentication works independent of Access Manager.
- Verify that the NMAS™ server is local and no tree walks are occurring across the directory.
- Ensure that the NMAS_LOGIN_SEQUENCE property is defined correctly.

12.3.7 Browser Hangs in an Authentication Redirect

If the browser hangs when the user attempts to authenticate at an identity provider, determine whether a new authentication contract was created and set as the default contract on the Identity Server. If this is the case and you have an Access Gateway resource set to accept any contract from the identity provider, you should navigate to the Overview tab for the protected resource and specify Any again in the Contract drop-down menu. Then click OK, then update the Access Gateway.

12.4 Translating the Identity Server Configuration Port

If your Identity Server must communicate through a firewall, you must either set up a hole in your firewall for TCP ports 8080 or 8443 (default ports used respectively for non-secure and secure communication with Identity Server), or configure the Identity Server service to use TCP port 80 or 443.

On a Windows Identity Server, you need to set the port in the Base URL and save the changes. You then need to modify the Tomcat server.xml file located in the \Program Files\Novell\Tomcat\conf directory. Change the ports from 8080 and 8443 to 80 and 443, then restart the Tomcat service.

On a Linux Identity Server, the steps are more complicated. The Identity Server service (hosted on Tomcat) runs as a non-privileged user on Linux and therefore cannot bind to ports below 1024. In order to allow requests to port 80/443 while Tomcat is listening on 8080/8443, the preferred approach is to use iptables to perform a port translation. Port translation allows the base URL of the Identity Server to be configured for port 443 and to listen on this port, and iptables translates it to port 8443 when communicating with Tomcat.

- If you have disabled the SLES 10 firewall and do not have any other Access Manager components installed on the Identity Server, you can use a simple iptables script to translate the ports. See Section 12.4.1, “A Simple Redirect Script,” on page 287.
- If you have configured the SLES 10 firewall or have installed other Access Manager components on the Identity Server, you use a custom rule script that allows for multiple port translations. See Section 12.4.2, “Configuring iptables for Multiple Components,” on page 289.
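
The port translation described above for the simple case (SLES 10 firewall disabled, no other Access Manager components on the host), written as an added example; it is not the script from Section 12.4.1 of the guide, which is not reproduced on this page. The address 192.0.2.10 is a constructed placeholder for the address in your Base URL, and the names valid_port and emit_rules are hypothetical.

```shell
#!/bin/sh
# Added example: translate public ports 80/443 to Tomcat's 8080/8443.
# IDP_IP is a constructed documentation address; replace with your own.
IDP_IP="${IDP_IP:-192.0.2.10}"
PORT_MAP="80:8080 443:8443"    # public:Tomcat pairs taken from the text

# Succeeds only for an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the iptables commands for every public:Tomcat pair.
# PREROUTING handles remote clients; OUTPUT handles requests that start
# on the Identity Server itself, which never pass through PREROUTING.
# Matching on -d keeps the translation scoped to the Identity Server address.
emit_rules() {
    ip="$1"; shift
    for pair in "$@"; do
        pub="${pair%%:*}"; priv="${pair##*:}"
        [ "$pub:$priv" = "$pair" ] && valid_port "$pub" && valid_port "$priv" || {
            echo "bad port pair: $pair" >&2; return 1; }
        for chain in PREROUTING OUTPUT; do
            echo "iptables -t nat -A $chain -p tcp -d $ip --dport $pub -j DNAT --to-destination $ip:$priv"
        done
    done
}

# Dry run by default: print the rules for review.
# Run as root with --apply to install them.
if [ "${1:-}" = "--apply" ]; then
    # PORT_MAP is left unquoted on purpose so it splits into pairs.
    rules=$(emit_rules "$IDP_IP" $PORT_MAP) || exit 1
    echo "$rules" | while read -r rule; do $rule || exit 1; done
else
    emit_rules "$IDP_IP" $PORT_MAP
fi
```

Rules added this way do not survive a reboot unless they are saved or re-run at startup; `iptables -t nat -L -n` lists what is currently loaded.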