
CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 25th Nov 2015

 

QUESTION:

What are the HLA and the LLA/LLAWP within the CA Single Sign-On (SiteMinder) Web Agent?

 

ANSWER:

The framework agents break the Web Agent's access control functionality into logical blocks called "managers", e.g. the Challenge Manager and the Resource Manager. Each manager is assigned a specific task, and all of them are controlled by a single High-Level Agent (HLA) manager that implements the SiteMinder access control logic. The Low-Level Agent (LLA) runs as a separate worker process, the LLAWP, described below.

 

The High Level Agent orchestrates the complete flow of servicing a request, from receiving the request to finally authorizing access to the requested resource.

 

The Low Level Agent Worker Process (LLAWP) implements the Agent-to-Policy Server DoManagement polling mechanism as well as writing log messages to the physical log medium and collating health data for the SiteMinder One-View Monitor. The Low Level Agent Worker Process uses shared memory to communicate between clients, and to facilitate logging and caching.


ISSUE:

The SiteMinder Web Agent configuration wizard fails to detect the Apache instance running on a Windows server.

 

CAUSE:

For Apache, the SiteMinder Web Agent configuration wizard looks for a ServerRoot value under one of the following registry keys (the Wow6432Node branches are the 32-bit view of the registry on 64-bit Windows; on a 32-bit Windows host the key sits directly under SOFTWARE):

  • 64-bit Apache 2.0: HKEY_LOCAL_MACHINE\SOFTWARE\Apache Group\Apache\<version>
  • 32-bit Apache 2.0: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Group\Apache\<version>
  • 64-bit Apache 2.2/2.4: HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Apache\<version>
  • 32-bit Apache 2.2/2.4: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Apache\<version>
  • 32-bit OHS: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ORACLE

 

If a pre-compiled Apache is installed from the console (for example unpacked from an archive rather than run through the MSI installer), the installation may never prompt for the Apache installation directory, and the registry key is not created. The wizard then has nothing to find.

 

RESOLUTION:

Create the registry entry under the key that matches the Apache version and bitness, with ServerRoot pointing at the Apache root folder, e.g.:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Apache\2.2.25\ServerRoot = C:\Program Files (x86)\Apache Software Foundation\Apache2.2\

 

Make sure the ServerRoot directive in httpd.conf points to the same Apache installation directory, then re-run the SiteMinder Web Agent configuration wizard.
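The check-and-fix below is an added example written for this page; it is not part of the CA tech tip or the wizard. It walks the registry locations listed above, reports any ServerRoot the wizard can already see, and otherwise creates the missing key for the installed httpd. The version and path defaults repeat the tip's example; the Get-PeMachine helper (which reads the executable's COFF header to pick the 32-bit or 64-bit registry view) and the httpd.conf comparison are assumptions of this example, not documented wizard behaviour. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the CA tech tip): check the registry locations the SiteMinder
# Web Agent configuration wizard consults for Apache on Windows and, if none holds a
# ServerRoot value, create one for the installed httpd. Get-PeMachine and the httpd.conf
# comparison are additions of this example, not wizard behaviour.
param(
    [string]$ApacheVersion = '2.2.25',   # default repeats the tip's example
    [string]$ServerRoot    = 'C:\Program Files (x86)\Apache Software Foundation\Apache2.2\'
)

# Version branches the wizard checks (from the tip). The Wow6432Node keys are the 32-bit
# view on 64-bit Windows and do not exist on a 32-bit OS.
$WizardKeys = @(
    'HKLM:\SOFTWARE\Apache Group\Apache',
    'HKLM:\SOFTWARE\Wow6432Node\Apache Group\Apache',
    'HKLM:\SOFTWARE\Apache Software Foundation\Apache',
    'HKLM:\SOFTWARE\Wow6432Node\Apache Software Foundation\Apache'
)

function Find-ApacheServerRoot {
    # Emits one object per <key>\<version>\ServerRoot value that is already present.
    foreach ($base in $WizardKeys) {
        if (-not (Test-Path $base)) { continue }
        foreach ($verKey in Get-ChildItem -Path $base) {
            $props = Get-ItemProperty -Path $verKey.PSPath -Name ServerRoot -ErrorAction SilentlyContinue
            if ($props -and $props.ServerRoot) {
                [pscustomobject]@{ Key = $verKey.PSPath; ServerRoot = $props.ServerRoot }
            }
        }
    }
}

function Get-PeMachine([string]$Path) {
    # COFF Machine field of an executable: 0x14c = x86, 0x8664 = x64. A 32-bit httpd.exe
    # on 64-bit Windows belongs under the Wow6432Node view.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $peOff = [BitConverter]::ToInt32($bytes, 0x3C)
    return [BitConverter]::ToUInt16($bytes, $peOff + 4)
}

$existing = @(Find-ApacheServerRoot)
if ($existing.Count -gt 0) {
    Write-Host 'ServerRoot values the wizard can already see:'
    $existing | Format-Table -AutoSize
    return
}

# Nothing registered: sanity-check the path before touching HKLM.
$httpdConf = Join-Path $ServerRoot 'conf\httpd.conf'
$httpdExe  = Join-Path $ServerRoot 'bin\httpd.exe'
if (-not (Test-Path $httpdConf) -or -not (Test-Path $httpdExe)) {
    throw "No conf\httpd.conf or bin\httpd.exe under '$ServerRoot'; fix the path before creating the key."
}

$vendor = if ($ApacheVersion -like '2.0*') { 'Apache Group' } else { 'Apache Software Foundation' }
$is32   = (Get-PeMachine $httpdExe) -eq 0x14c
$view   = if ($is32 -and [Environment]::Is64BitOperatingSystem) { 'Wow6432Node\' } else { '' }
$key    = "HKLM:\SOFTWARE\$view$vendor\Apache\$ApacheVersion"

New-Item -Path $key -Force | Out-Null
New-ItemProperty -Path $key -Name ServerRoot -Value $ServerRoot -PropertyType String -Force | Out-Null
Write-Host "Created $key\ServerRoot = $ServerRoot"

# The tip also says to align httpd.conf; warn if its ServerRoot directive disagrees.
$m = Select-String -Path $httpdConf -Pattern '^\s*ServerRoot\s+"?([^"]+?)"?\s*$' | Select-Object -First 1
if ($m) {
    $confRoot = $m.Matches[0].Groups[1].Value.Replace('/', '\').TrimEnd('\')
    if ($confRoot -ne $ServerRoot.TrimEnd('\')) {
        Write-Warning "httpd.conf ServerRoot is '$confRoot' but the registry now says '$ServerRoot'; make them match, then re-run the wizard."
    }
}
```

The script refuses to write to HKLM unless both conf\httpd.conf and bin\httpd.exe exist under the supplied root, so a typo in the path produces an error rather than a registry entry pointing at nothing.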


 

ISSUE:

Resources are protected with the Integrated Windows Authentication (IWA) scheme.

 

Users log in through IWA at protection level 5. When a user then accesses a resource that requires a higher protection level (level 10) than the existing session, the Policy Server rejects the step-up request with the following error:

[9592][8908][Sm_Az_Message.cpp:595][CSm_Az_Message::ProcessMessage][s2393/r8][winagent][][][][highwinrealm][highwindomain][][][][][][][][][][][][][][** Status: Not Authorized. Session is not authorized for this security level][][][][][][][][][kMwBI49TESlO…4dFFGSC][][][cn=administrator,CN=Users,dc=test,dc=com]

 

CAUSE:

With IWA, the Web Agent redirects the user to creds.ntc for authentication, with a CHALLENGE value appended to the query string, e.g.:

http://support.ca.com/siteminderagent/ntlm/creds.ntc?CHALLENGE=-SM-Ju%2bV9mlAGDRNm27iWCZe4EJJ1NmhDutvLoOAA4KCOrnDElxgY72TsvjUWhAFZB5g&SMAGENTNAME=VVxwPoXpuA1x2lBT4BYdLQ6WS61uAfktANTcakLxikLmGzGPR0xvSBWYpNXp86tT&TARGET=-SM-http%3a%2f%2fkumna13--u139913%2enawal%2ecom%2fhighwin%2fpage1%2ehtml

 

The CHALLENGE parameter carries the encrypted user name from the existing session. The Web Agent compares the user authenticated by IIS with the user name passed in the CHALLENGE query string. If they match, NTLM challenges the user again; when the user logs in with the same credentials, the Web Agent validates the user at the existing authentication level (5), and the Policy Server rejects the access again. The request therefore goes into a loop.
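A single "Session is not authorized for this security level" rejection is a normal step-up; the same rejection repeating for one user in one realm is the loop just described. The script below is an added example for this page, not code from the CA tech tip, that finds such repeats in Policy Server trace output. The field positions it relies on (realm in the 10th bracketed field, user DN in the last) are assumed from the log line quoted above, and the sample lines are constructed for the example.

```powershell
# Added example (not from the CA tech tip): detect the IWA step-up loop in Policy Server
# trace output by counting repeated security-level rejections per (realm, user).
# Field positions are assumed from the trace line quoted in the tip; the sample lines
# below are constructed test data in the same shape.

$LoopMarker = 'Session is not authorized for this security level'

function Get-StepUpRejections {
    # Yields Realm/User for every line carrying the rejection status.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -notlike "*$LoopMarker*") { continue }
        $fields = @([regex]::Matches($line, '\[([^\]]*)\]') | ForEach-Object { $_.Groups[1].Value })
        if ($fields.Count -lt 10) { continue }     # not the trace layout we expect
        [pscustomobject]@{ Realm = $fields[9]; User = $fields[-1] }
    }
}

function Find-StepUpLoops {
    # Groups rejections per (Realm, User) and reports those at or above the threshold.
    param([string[]]$Lines, [int]$Threshold = 3)
    Get-StepUpRejections -Lines $Lines |
        Group-Object -Property Realm, User |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                Realm      = $_.Group[0].Realm
                User       = $_.Group[0].User
                Rejections = $_.Count
            }
        }
}

function New-TraceLine([string]$Realm, [string]$Domain, [string]$Status, [string]$User) {
    # Assembles a constructed line in the shape of the tip's trace entry: nine leading
    # fields, then realm (10th), domain, padding, the status text, padding, and the user DN last.
    return ('[9592][8908][Sm_Az_Message.cpp:595][CSm_Az_Message::ProcessMessage][s2393/r8][winagent][][][]' +
            "[$Realm][$Domain]" + ('[]' * 13) + "[$Status]" + ('[]' * 11) + "[$User]")
}

# Constructed sample: three rejections for the same user in highwinrealm (a loop),
# one rejection for another user, and one unrelated successful entry.
$Denied = '** Status: Not Authorized. ' + $LoopMarker
$sample = @(
    (New-TraceLine 'highwinrealm' 'highwindomain' $Denied 'cn=administrator,CN=Users,dc=test,dc=com'),
    (New-TraceLine 'highwinrealm' 'highwindomain' $Denied 'cn=administrator,CN=Users,dc=test,dc=com'),
    (New-TraceLine 'highwinrealm' 'highwindomain' $Denied 'cn=administrator,CN=Users,dc=test,dc=com'),
    (New-TraceLine 'highwinrealm' 'highwindomain' $Denied 'cn=alice,CN=Users,dc=test,dc=com'),
    (New-TraceLine 'lowwinrealm'  'lowwindomain'  '** Status: Authenticated' 'cn=alice,CN=Users,dc=test,dc=com')
)

Find-StepUpLoops -Lines $sample | Format-Table -AutoSize
```

On the constructed sample only the administrator entry in highwinrealm reaches the threshold. Against a real trace, feed the file in with Get-Content and raise the threshold to suit the request rate of the looping browser.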

 

RESOLUTION:

Additional logic was added to the Web Agent to identify step-up authentication: it removes the CHALLENGE parameter from the query string when an already logged-in user accesses a realm with a higher protection level, so the user is re-challenged at the higher level instead of being re-validated at the existing one.

Tentatively, the fix is planned for the following releases:

  • R12.51 CR8
  • R12.52 SP1 CR4
  • R12.52 SP2

 

WORKAROUND:

Use the same protection level across the IWA-protected realms so that no step-up is triggered and the loop cannot occur. Note that this avoids the loop by removing the step-up rather than enforcing it; if the higher realm genuinely needs the stronger protection level, wait for the fixed release rather than lowering the level permanently.