
Tech Tip - CA Single Sign-On: Request through SPS is not advancing as backend IIS returns status code of 301

By wonsa03 posted Jul 07, 2016 02:27 AM

  
CA Single Sign-On Tech Tip by Sau Lai Wong, Principal Support Engineer for 7th July 2016

 

Issue:

Federation login fails at the IdP. The Secure Proxy Server (SPS) acts as the Identity Provider and a third-party Federation Gateway as the Service Provider. The browser shows no error.

 

Environment:

Secure Proxy Server: R12.52 SP1 CR4

 

Cause:

The default page under an IIS virtual directory is used to invoke IdP-initiated federation. However, the request fails at the point where SPS forwards it to the backend IIS.

 

== SPS agent trace ==

[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][ProxyValve::invoke][ProxyValve.invoke() Setting HTTP status to 200 allowing this request to proceeed. Return Code from HLA = 4]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][Tomcat5serializedAgentData.setStatus][Setting response status = 200]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][ProxyValve::invoke][The agent finished processing the request.]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][Noodle::service][Method is: GET Content length is: 0]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][addRequestHeaders][Need to preseve Proxy HOST Header.Sending Proxy Host to the backend web server]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][execute][Sending request to backend = support.ca.com url = http://support.ca.com/protected]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][requestConnection(): ][Get connection: HttpRoute[{}->http://support.ca.com], timeout = 180000]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][openConnection()][Connecting to support.ca.com/172.88.99.100]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][execute][Response status code from backend webserver is 301]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][Noodle::doGet][Received redirect status code = 301]

 

== HTTP Client log ==

Jul 05, 2016 9:56:54 PM org.apache.http.impl.conn.Wire wire
FINE: << "<head><title>Document Moved</title></head>[\n]"
Jul 05, 2016 9:56:54 PM org.apache.http.impl.conn.Wire wire
FINE: << "<body><h1>Object Moved</h1>This document may be found <a HREF=http://support.ca.com/protected/>here</a></body>"

 

IIS returns status code 301 because the URI references a directory and IIS expects a trailing slash:

https://support.microsoft.com/en-au/kb/298408

 

The user request ends at this redirect from the backend and does not advance any further.

 

Resolution:

Add a trailing slash to the URL, or specify the default page (e.g. index.asp) in the URL.
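
To check whether other proxied URLs hit the same condition, the SPS agent trace can be scanned for backend 301 responses to directory-style URLs. The script below is an added example, not CA code: it assumes the trace line layout shown above, and its function names and the second sample transaction are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Trace layout on this page: [date][time][pid][tid][transaction id][function][message]
LINE_RE = re.compile(r"^(?:\[[^\]]*\]){4}\[([^\]]*)\]\[[^\]]*\]\[(.*)\]\s*$")
SENT_RE = re.compile(r"Sending request to backend = \S+ url = (\S+)")
STATUS_RE = re.compile(r"Response status code from backend webserver is (\d{3})")

def is_directory_style(url):
    """True when the last path segment is non-empty and has no file extension."""
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    return last != "" and "." not in last

def find_directory_redirects(lines):
    """Pair each backend request with its status by transaction id; report 301s."""
    pending, findings = {}, []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an agent trace line
        txn, msg = m.groups()
        sent = SENT_RE.search(msg)
        if sent:
            pending[txn] = sent.group(1)
            continue
        status = STATUS_RE.search(msg)
        if status and txn in pending:
            url = pending.pop(txn)
            if status.group(1) == "301":
                parts = urlsplit(url)
                slash = is_directory_style(url)
                fixed = parts._replace(path=parts.path + "/").geturl() if slash else None
                findings.append({"txn": txn, "url": url,
                                 "missing_slash": slash, "suggested_url": fixed})
    return findings

# TXN_A lines are copied from the trace above; TXN_B lines are constructed.
TXN_A = "15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56"
TXN_B = "00000000-00000000-00000000-00000000-00000000-0001"
PREFIX = "[07/05/2016][21:56:54][5936][5760]"
SAMPLE_TRACE = [
    f"{PREFIX}[{TXN_A}][execute][Sending request to backend = support.ca.com url = http://support.ca.com/protected]",
    f"{PREFIX}[{TXN_A}][execute][Response status code from backend webserver is 301]",
    f"{PREFIX}[{TXN_B}][execute][Sending request to backend = support.ca.com url = http://support.ca.com/protected/]",
    f"{PREFIX}[{TXN_B}][execute][Response status code from backend webserver is 200]",
]

if __name__ == "__main__":
    for f in find_directory_redirects(SAMPLE_TRACE):
        print(f"{f['txn']}: 301 for {f['url']} -> try {f['suggested_url']}")
```

A finding with `missing_slash` set to false is a 301 for some other reason and needs separate investigation on the backend.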
