Tech Tip - CA Single Sign-On: Siteminder Modules are loaded with an un-configured IIS website

By wonsa03 posted Nov 16, 2015 04:07 PM

  

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 17th Nov 2015

 

Issue:

An IIS 7.x web server hosts multiple websites, each with its own application pool. Some of the websites are configured with the Siteminder web agent and some are not. When a user attempts to access an IIS website that is not configured with the Siteminder web agent, LLAWP is observed initializing and the following warning is logged in the Event Viewer application log:

 

“Siteminder Web Agent not having write permission on host configuration file. Shared secret roll-over may not be supported. Permission denied. Please assign write permission to the user IUSR2 for the file C:\CA\webagent\win64\config\SmHost.conf”

 

The IUSR2 user identity is associated with the application pool of the website that is not configured with the Siteminder web agent.

 

Cause:

With IIS 7.x, the Web Agent is initialized at the global module level and IIS global-level functions are used. Hence, the Siteminder Low-Level Agent Worker Process (LLAWP) is invoked with the w3wp process.

 

Workaround:

Ensure that every application pool identity has read and write permissions to WebAgent.conf, SmHost.conf and the Siteminder Web Agent log files.
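
One way to check the workaround, as an added example that is not CA's own tooling: a PowerShell audit that resolves each application pool's identity and reports whether ACEs naming that identity grant read and write on the three files. The WebAgent.conf and log file paths are placeholders to replace, and access granted only through group membership is not resolved.

```powershell
Import-Module WebAdministration

# SmHost.conf path is taken from the warning quoted above. The other two
# entries are placeholders (assumption): replace them with the real paths.
$files = @(
    'C:\CA\webagent\win64\config\SmHost.conf',
    '<path-to>\WebAgent.conf',
    '<path-to-web-agent-log-file>'
)
$sidType = [System.Security.Principal.SecurityIdentifier]
$needed  = [int][System.Security.AccessControl.FileSystemRights]'Read, Write'

# Map an application pool to the Windows account its w3wp process runs as.
function Get-PoolAccount($pool) {
    switch ([string]$pool.processModel.identityType) {
        'ApplicationPoolIdentity' { "IIS AppPool\$($pool.Name)" }
        'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
        'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
        'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
        default                   { $pool.processModel.userName }  # SpecificUser
    }
}

foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $account = Get-PoolAccount $pool
    try   { $sid = (New-Object System.Security.Principal.NTAccount($account)).Translate($sidType) }
    catch { Write-Warning "Cannot resolve '$account' for pool $($pool.Name)"; continue }
    foreach ($file in $files) {
        if (-not (Test-Path -LiteralPath $file)) {
            Write-Warning "File not found: $file"
            continue
        }
        $allow = 0; $deny = 0
        # Compare by SID rather than by display name; inherited ACEs are included.
        foreach ($ace in (Get-Acl -LiteralPath $file).GetAccessRules($true, $true, $sidType)) {
            if ($ace.IdentityReference.Value -ne $sid.Value) { continue }
            if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$ace.FileSystemRights }
            else                                    { $deny  = $deny  -bor [int]$ace.FileSystemRights }
        }
        $effective = $allow -band (-bnot $deny)   # a Deny ACE overrides an Allow
        [pscustomobject]@{
            AppPool   = $pool.Name
            Identity  = $account
            File      = $file
            ReadWrite = (($effective -band $needed) -eq $needed)
        }
    }
}
```

Rows with ReadWrite set to False are the pool identities that would trigger the warning above, including pools of websites that have no web agent configured.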

 

Additional Information:

The Web Agent initialization logic is moved to the local HTTP module. Therefore, LLAWP will only be initialized with a configured website.

Tentatively, the change will be addressed with the following Siteminder Web Agent releases:

  • R12.5 CR5
  • R12.52 SP1 CR4
  • R12.52 SP2