View Only

Tech Tip - CA Single Sign-On: "Unable to verify tryno count" error

By wonsa03 posted Aug 02, 2016 06:28 PM

Recommend

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 3rd August 2016

Introduction:

Customer observes following errors in Webagent log, every now and then:

== Webagent log ==
[15951/3267352320][Tue May 10 2016 11:03:34][CSmResponseManager.cpp:222][ERROR][sm-AgentFramework-00460] HLA: Analyzer from module 'SM_WAF_HTTP_PLUGIN' returned unknown response code '-1' for component 'Response Manager'.

[15951/3267352320][Tue May 10 2016 11:03:34][CSmHighLevelAgent.cpp:1244][ERROR][sm-AgentFramework-00420] HLA: Component reported fatal error: 'Authentication Manager'.

Question:

What invokes the above HLA/LLA error and how to resolve it?

Environment:

Apply to all R12.x webagents that protect resources with form authentication.

Answer:

Following are the log snippets corresponding to the HLA/LLA error in Webagent log:

== Webagent Trace ==

[05/10/2016][11:03:34][15951][3267352320][CSmHighLevelAgent.cpp:960][ProcessAdvancedAuthentication][c2bfd700-149d60cceda2][][][][][][Start new request.]
[05/10/2016][11:03:34][15951][3267352320][CSmResourceManager.cpp:180][CSmResourceManager::ProcessAdvancedAuthResource][c2bfd700-149d60cceda2][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource.]
[05/10/2016][11:03:34][15951][3267352320][CSmHttpPlugin.cpp:8554][CSmHttpPlugin::ProcessAdvancedAuthResource][c2bfd700-149d60cceda2][][][][][][Resolved HTTP_HOST: 'www.support.com'.]
[05/10/2016][11:03:34][15951][3267352320][CSmHttpPlugin.cpp:5165][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.support.com]
[05/10/2016][11:03:34][15951][3267352320][CSmHttpPlugin.cpp:5509][CSmHttpPlugin::ResolveClientIp][c2bfd700-149d60cceda2][][][][][][Resolved Client IP address '202.123.49.123' from header 'X-Forwarded-For'.]
[05/10/2016][11:03:34][15951][3267352320][SmFCC.cpp:2915][SmFcc::getLocalePath][c2bfd700-149d60cceda2][*202.111.49.196][][][][][Localized Path = /opt/CA/webagent/siteminderagent/login.fcc, working locale = default]
[05/10/2016][11:03:34][15951][3267352320][CSmFormTemplateCache.cpp:196][CSmFormTemplateCache::GetForm][][][][][][][Serving form template '/opt/CA/webagent/siteminderagent/login.fcc' from cache.]
[05/10/2016][11:03:34][15951][3267352320][SmAdvancedAuthCore.cpp:632][SmAdvancedAuthCore::parseTargetUrl][c2bfd700-149d60cceda2][*202.111.49.196][][][/nikko/app?action][][Resolved cookie domain '.support.com'.]
[05/10/2016][11:03:34][15951][3267352320][CSmResourceManager.cpp:218][CSmResourceManager::ProcessAdvancedAuthResource][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource returned SmSuccess.]
[05/10/2016][11:03:34][15951][3267352320][CSmLowLevelAgent.cpp:499][IsResourceProtected][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][Resource is protected from cache.]
[05/10/2016][11:03:34][15951][3267352320][CSmResponseManager.cpp:193][ProcessResponses][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]
[05/10/2016][11:03:34][15951][3267352320][CSmHttpPlugin.cpp:2777][CSmHttpPlugin::ProcessResponses][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][Processing IsProtected responses.]
[05/10/2016][11:03:34][15951][3267352320][CSmResponseManager.cpp:231][ProcessResponses][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]
[05/10/2016][11:03:34][15951][3267352320][CSmCredentialManager.cpp:222][CSmCredentialManager::GatherAdvancedAuthCredentials][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]
[05/10/2016][11:03:34][15951][3267352320][SmFCC.cpp:703][SmFcc::getCredentials][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][Success in collecting credentials.]
[05/10/2016][11:03:34][15951][3267352320][SmPluginUtilities.cpp:481][HandleCredCollectorReturn][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][POST preservation, handling return from credential collector.]
[05/10/2016][11:03:34][15951][3267352320][SmPluginUtilities.cpp:618][HandleCredCollectorReturn][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][http response HTTP://www.support.com/nikko/app?action]
[05/10/2016][11:03:34][15951][3267352320][CSmCredentialManager.cpp:260][CSmCredentialManager::GatherAdvancedAuthCredentials][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmSuccess.]
[05/10/2016][11:03:34][15951][3267352320][CSmLowLevelAgent.cpp:1332][AuthenticateUser][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][User 'wonsa03' is not authenticated by Policy Server.]
[05/10/2016][11:03:34][15951][3267352320][CSmResponseManager.cpp:193][ProcessResponses][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]
[05/10/2016][11:03:34][15951][3267352320][CSmHttpPlugin.cpp:2942][CSmHttpPlugin::ProcessResponses][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][Processing Authentication responses.]
[05/10/2016][11:03:34][15951][3267352320][SmFCC.cpp:2915][SmFcc::getLocalePath][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][Localized Path = /opt/CA/webagent/siteminderagent/login.fcc, working locale = default]
[05/10/2016][11:03:34][15951][3267352320][SmFCC.cpp:2409][SmFcc::doUnauthorized][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][Displaying error page: '/opt/CA/webagent/siteminderagent/login.unauth'.]
[05/10/2016][11:03:34][15951][3267352320][CSmFormTemplateCache.cpp:196][CSmFormTemplateCache::GetForm][][][][][][][Serving form template '/var/www/html/login/login.unauth' from cache.]
[05/10/2016][11:03:34][15951][3267352320][CSmHttpPlugin.cpp:3025][CSmHttpPlugin::ProcessResponses][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][Unable to verify tryno count, exiting with SmFailure.]
[05/10/2016][11:03:34][15951][3267352320][SmPluginUtilities.cpp:166][DeleteCookie][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][Deleted cookie 'SMTRYNO'.]
[05/10/2016][11:03:34][15951][3267352320][CSmResponseManager.cpp:223][ProcessResponses][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmFailure.]
[05/10/2016][11:03:34][15951][3267352320][CSmAuthenticationManager.cpp:207][CSmAuthenticationManager::AuthenticateUser][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][ResponseManager ProcessResponses returned SmFailure.]
[05/10/2016][11:03:34][15951][3267352320][CSmHighLevelAgent.cpp:1246][ProcessAdvancedAuthentication][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][AuthenticationManager returned SmFailure, end new request.]
[05/10/2016][11:03:34][15951][3267352320][CSmLowLevelAgent.cpp:3466][ReportHealthData][][][][][][][Accumulating HealthMonitorCtxt.]

== Policy Server log ==
[1853/4086664048][Tue May 10 2016 11:03:34][SmDsLdapFunctionImpl.cpp:494][ERROR][sm-Ldap-00770] (AuthenticateUser) DN: 'uid=wonsa03,dc=support, dc=com' . Status: Error 49 . Invalid credentials

By design, the error is logged when the failed login attempt count tracked by the SMTRYNO cookie >= to the limit defined with smretries directive in the login form.

In customer case, the smretries was set to 1. Hence, whenever user failed to be authenticated, the error is invoked. Hence, the error is expected and it does not impact the web agent operations.

To avoid the error, set smretries to 0, meaning to say user has unlimited login attempts unless limited by password policy.

0 comments

16 views