All People > SungHoon_Kim > Sung Hoon Kim's Blog > 2016 > January > 25

This is something I like to do once in a while. It takes a long time to set up everything, but to me it is a hobby. It is like putting together jigsaw puzzles.

 

WARNING: THIS IS NOT SUPPORTED! THIS IS ONLY TO FULFILL YOUR CURIOSITY AND SATISFY YOUR SPIRIT GOING AGAINST ALL ODDS. THIS IS NOT A DEMONSTRATION ALLOWING YOU TO RUN SUCH CONFIGURATION IN YOUR DEV/TEST/QA/PROD ENVIRONMENT.

 

This environment is a continuation of the "Creating an ALL-IN-ONE VM Image" series (links below).

 

Creating an ALL-IN-ONE VM Image - Part 1

Creating an ALL-IN-ONE VM Image - Part 2

Creating an ALL-IN-ONE VM Image - Part 3

Creating an ALL-IN-ONE VM Image - Part 4

Creating an ALL-IN-ONE VM Image - Part 5

Creating an ALL-IN-ONE VM Image - Part 6

Creating an ALL-IN-ONE VM Image - Part 7

Creating an ALL-IN-ONE VM Image - Part 8

Creating an ALL-IN-ONE VM Image - Part 9

Creating an ALL-IN-ONE VM Image - Part 10-1

Creating an ALL-IN-ONE VM Image - Part 10-2

 

 

The following configuration will be set up.

 

01. Basic setup - Create an application and protect it using Forms Authentication.

     - Service configuration

     - Startup/Shutdown scripts

     - Logging

     - Basic Concepts

02. Standard Authentication Schemes

     - Basic Concepts

     - Basic

     - HTML Forms

     - HTML using UID and EMAIL

     - Basic over SSL

03. Certificate Authentication Schemes

     - X.509 Certificate Only

     - X.509 Certificate or Basic

     - X.509 Certificate and Basic

     - X.509 Certificate or Form

     - X.509 Certificate and Form

04. Windows Authentication Scheme

05. OAuth Authentication Scheme

06. Cookie Provider

07. Directory Mapping

08. Password Services

09. Impersonation

10. Session Assurance

11. SAML 2.0 Partnership Federation - SSO

12. SAML 2.0 Partnership Federation - SLO

13. SAML 2.0 Partnership Federation - RelayState

14. SAML 2.0 Partnership Federation - Negative Assertion

15. SAML 1.x Partnership Federation

16. Audit Log import

17. Generating Reports

18. SiteMinder Test Tool

19. Global Delivery Modules

20. Troubleshooting

 

 

02. Standard Authentication Schemes

     - Basic Concepts

 

CA Single Sign-On has a Web Agent that sits on the web server as a plugin.

The Web Agent intercepts every request (protected or not), and if the request is for a protected resource and the user is not yet authenticated or authorized, it redirects the user to the login page (also known as the Credential Collector).

 

So the first call the Web Agent makes when a request is received is the "IsProtected" call (to the Policy Server).

If the resource is protected, the Web Agent redirects to the URL defined in the Authentication Scheme that is linked to the protected resource (Realm).

 

Next is the "IsAuthenticated" call.

The requested resource must be protected for this call to be made.

If the user submits credentials and the Policy Server accepts them, the user is authenticated.

This happens as the Policy Server submits the credentials received from the login page to the user store.

If the user store finds a matching user and the password matches, the Policy Server tells the agent that this user is "Authenticated".

The Policy Server generates a unique SessionID and assigns it to the user's session information (such as the user's UserDN, client IP, authentication time and so on).

!! If the same user logs on from 2 browser sessions, there will be 2 different SessionIDs. The SessionID lets us determine which session (even though both belong to the same user account) accessed which resource.

 

If this "IsAuthenticated" call succeeds, you get an SMSESSION cookie.

Once you have the SMSESSION cookie, you no longer need to submit credentials again unless you access a resource that your current session is not allowed to access.

!! There is also a Validation call. It is the same as the IsAuthenticated call except that IsAuthenticated happens when you do not have an SMSESSION cookie yet, and Validation happens when you already have one.

 

Last is the "IsAuthorized" call.

You need to be authenticated before this call can be made.

The Web Agent parses the SMSESSION cookie and asks the Policy Server whether this user should be given access to the protected resource.

The evaluation is "Rule" + "User Policy".

The rule is created under a realm, which defines the URI (such as /protected/).

The rule defines which actions/methods to allow (such as GET or POST).

The User Policy defines which users qualify (by comparing part of the DN, a user group, a specific user, or ALL users).

If they all match up, the Policy Server tells the Web Agent that this user is Authorized.

 

Say the SMSESSION cookie says you are "UID=user1,OU=People,DC=SM,DC=LAB".

This user makes a request for http://www.sm.lab/protected/index.html.

The request method is "GET".

This resource is protected by the agent named "agent1".

 

The Policy Server finds:

* an agent name matching "agent1".

* a realm matching the requested URI and protected by the above agent.

* a rule in that realm with a matching method (the method was GET).

* a policy that is linked to this rule.

* a user policy in that policy (here the user policy condition was to validate the DN against "OU=People,DC=SM,DC=LAB").

* the user's DN matches the validate-DN condition in the user policy.

 

Now, as all the criteria match, the Policy Server tells the Web Agent that this user is authorized.

The Web Agent then allows the user to access http://www.sm.lab/protected/index.html.

 

The above was covered in Chapter 1.

From now on we will focus on the "IsAuthenticated" call.

 

Most of the "CA Single Sign-On" credential collectors are hosted on a different URL, which requires a redirect (even if they are hosted on the same web server).

The only authentication scheme that does not require a redirect is the "Basic" Authentication Scheme.

 

All the SiteMinder authentication schemes redirect to /siteminderagent/xxxx

For example, http://www.sm.lab/siteminderagent/forms/login.fcc

When it redirects, you need to ensure that the web server hosting the target resource and the web server hosting the login page are in the same cookie domain.

 

*Cookie Domain*

 

TARGET Web Server: http://www.sm.lab/protected/index.html

LOGIN Web Server: http://login.sm.lab/siteminderagent/forms/login.fcc

 

So when the user is authenticated, the user is authenticated at the LOGIN server and gets an SMSESSION cookie for the ".sm.lab" cookie domain.

The login server then redirects the user back to the TARGET.

At the target, the browser submits the cookies that match the server's cookie domain, so if SMSESSION was issued for the same cookie domain it will be submitted.

If you configure this wrongly so that the TARGET and LOGIN cookie domains differ, users will not gain access to the TARGET because the SMSESSION cookie is not submitted there.

 

!! For the 2 URLs above, the IsProtected/IsAuthenticated/IsAuthorized calls are made for each of them. Every individual request is evaluated.

!! If the IsProtected call returns "NO", the IsAuthenticated call is not needed. If the IsAuthenticated call returns "NO", the IsAuthorized call is not needed.
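The three calls and the agent/realm/rule/user-policy chain from the worked example above, as a simplified model added here (it is not SiteMinder's own code): a realm matches by URI prefix under its agent, a rule by method, a user policy by DN suffix, and the calls stop at the first "NO" as the note above describes. The lab objects, user store and passwords are constructed for this example.

```python
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    methods: Tuple[str, ...]      # Web Agent actions the rule allows, e.g. ("GET", "POST")


@dataclass
class Realm:
    agent: str                    # agent name the realm is defined under
    resource_filter: str          # URI prefix the realm covers, e.g. "/protected/"
    rules: List[Rule] = field(default_factory=list)


@dataclass
class Policy:
    rules: List[Rule]             # rules this policy is linked to
    validate_dn: str              # user policy: DN suffix to validate, "" means ALL users


@dataclass
class Request:
    agent: str
    uri: str
    method: str
    credentials: Optional[Tuple[str, str]] = None   # (uid, password) from the login form
    session: Optional[dict] = None                   # decoded SMSESSION, if the browser sent one


def is_protected(realms: List[Realm], req: Request) -> Optional[Realm]:
    """IsProtected: the realm under the request's agent whose filter is the
    longest prefix of the URI; None means the resource is unprotected."""
    hits = [r for r in realms if r.agent == req.agent and req.uri.startswith(r.resource_filter)]
    return max(hits, key=lambda r: len(r.resource_filter)) if hits else None


def is_authenticated(user_store: dict, req: Request) -> Optional[dict]:
    """IsAuthenticated when no SMSESSION is present (credentials go to the user
    store); Validation when one is present (the existing session is reused)."""
    if req.session:
        return req.session
    if not req.credentials:
        return None
    uid, password = req.credentials
    for dn, stored in user_store.items():
        if dn.upper().startswith(f"UID={uid.upper()},") and \
                secrets.compare_digest(stored.encode(), password.encode()):
            # A fresh SessionID per logon: two browser sessions get two different IDs.
            return {"session_id": secrets.token_urlsafe(20), "user_dn": dn}
    return None


def is_authorized(realm: Realm, policies: List[Policy], req: Request, user_dn: str) -> Optional[str]:
    """IsAuthorized: a rule in the realm that allows the method, linked to a
    policy whose user policy matches the session's DN. Returns the rule name."""
    for rule in realm.rules:
        if req.method not in rule.methods:
            continue
        for pol in policies:
            if rule in pol.rules and user_dn.upper().endswith(pol.validate_dn.upper()):
                return rule.name
    return None


def evaluate(realms, policies, user_store, req):
    """Run the three calls in order, stopping as soon as one of them says NO."""
    trace = []
    realm = is_protected(realms, req)
    trace.append(("IsProtected", realm is not None))
    if realm is None:
        return "allow (unprotected)", trace
    session = is_authenticated(user_store, req)
    trace.append(("IsAuthenticated", session is not None))
    if session is None:
        return "challenge", trace          # agent redirects to the credential collector
    rule = is_authorized(realm, policies, req, session["user_dn"])
    trace.append(("IsAuthorized", rule is not None))
    return ("allow" if rule else "deny"), trace


# Constructed lab objects mirroring the worked example (agent1, /protected/, OU=People).
GET_POST = Rule("Access Protected Rule", ("GET", "POST"))
REALMS = [Realm("agent1", "/protected/", [GET_POST])]
POLICIES = [Policy([GET_POST], "OU=People,DC=SM,DC=LAB")]
USER_STORE = {  # constructed DN -> password map; a real deployment uses LDAP/AD
    "UID=user1,OU=People,DC=SM,DC=LAB": "Passw0rd!",
    "UID=user2,OU=Contractors,DC=SM,DC=LAB": "Passw0rd!",
}

if __name__ == "__main__":
    for req in (Request("agent1", "/protected/index.html", "GET"),
                Request("agent1", "/protected/index.html", "GET", credentials=("user1", "Passw0rd!")),
                Request("agent1", "/protected/index.html", "GET", credentials=("user2", "Passw0rd!"))):
        print(req.uri, req.method, req.credentials, "->", evaluate(REALMS, POLICIES, USER_STORE, req))
```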

 

*User Credential*

 

A user credential can be any information that is required to prove your identity.

It can be a username + password.

It can be a client certificate.

Anything that the server requires to identify the user.

 

In most cases this is a simple username and password, so login.fcc is used.

FCC stands for Form Credential Collector.

So if you see an xCC extension, it has to do with credential collection.

 

     - Basic

We already set up the Basic Authentication Scheme in the previous chapter.

 

     - HTML Forms

We are now going to set up the HTML Forms Authentication Scheme.

Log on to the AdminUI and go to "Infrastructure ==> Authentication".

Click on "Create Authentication Scheme".

 

 

Select "Create a new object of type Authentication Scheme" and click "OK".

Fill in the following and click "Submit":

* "Name"

* "Authentication Scheme Type" (select "HTML Form Template" from dropdown menu)

* "Protection Level" (leave it as 5)

* "Target" (leave it as "/siteminderagent/forms/login.fcc")

* "Library" (leave it as "smauthhtml")

 

 

The other Authentication Schemes are configured in basically the same way as the "HTML Form Template", with small differences.

What is usually required is the "Name", "Authentication Scheme Type" and "Web Server Name"; the others are usually left untouched.

 

Now that you have created the Authentication Scheme, go to "Policies ==> Application ==> Applications ==> www.sso.lab" and click the modify button (the pencil icon at the right end, before the X icon that deletes).

 

 

Click on the "Create Component" button.

Enter the following and click "OK".

* Component Name: HTML Realm

* Agent: agent.iis

* Resource Filter: /html/

* Default Resource Protection: Protected (leave it as is)

* Authentication Scheme: Login Form for www.sso.lab

You will be back at the www.sso.lab applications setting.

Click on the "Resources" tab.

At the "Select a context root", select "/html/" from the dropdown list and click on "Create" button.

Enter the following and click "OK":

* Name: Access HTML Rule

* Resource: *

* Allow Access (leave it as is)

* Action/Web Agent actions: GET, POST

You will be shown the Resource (rule) created for /html/.

Click on the "Policies" tab.

At the "Select a context root", select "/html/" from the dropdown list.

You will now see the "Access HTML Rule" application and the "Basic Role", with an empty checkbox for this relationship.

Tick the checkbox linking the "Access HTML Rule" application and the "Basic Role", then click the "Submit" button to complete this setup.

 

 

To test this configuration, go to http://www.sso.lab/html/ and see how the new configuration works.

 

 

In the address bar, you can find the following URL.

 

http://www.sso.lab/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-43eff5e5-5a70-412d-b5a4-8394a090d152&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-http%3a%2f%2fwww%2esso%2elab%2fhtml%2f

 

You are redirected to this login page because the target http://www.sso.lab/html/ was protected.

 

You will find the following in the Web Agent trace log file.

IsProtected/IsAuthenticated from target web agent

 

 

[01/25/2016][17:37:36][6152][6496][CSmHighLevelAgent.cpp:321][ProcessRequest][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][][][][][][Start new request.]

[01/25/2016][17:37:36][6152][6496][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]

[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:490][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][][][][][][Resolved hostname: 'www.sso.lab'.]

[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:509][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][][][][][][Resolved agentname: 'agent.iis'.]

[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][][][agent.iis][][][Resolved Client IP address '192.168.201.101'.]

[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:657][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][][][Resolved URL: '/html/'.]

[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:781][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Resolved METHOD: 'GET'.]

[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:834][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Resolved cookie domain: '.sso.lab'.]

[01/25/2016][17:37:36][6152][6496][CSmResourceManager.cpp:112][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmSuccess.]

[01/25/2016][17:37:36][6152][6496][CSmSessionManager.cpp:82][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Calling SM_WAF_HTTP_PLUGIN->EstablishSession.]

[01/25/2016][17:37:36][6152][6496][CSmSessionManager.cpp:126][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmNoAction.]

[01/25/2016][17:37:36][6152][6496][CSmLowLevelAgent.cpp:503][IsResourceProtected][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Resource is protected from Policy Server.]

[01/25/2016][17:37:36][6152][6496][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Processing IsProtected responses.]

[01/25/2016][17:37:36][6152][6496][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[01/25/2016][17:37:36][6152][6496][CSmCredentialManager.cpp:132][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Calling SM_WAF_HTTP_PLUGIN->ProcessCredentials.]

[01/25/2016][17:37:36][6152][6496][CSmCredentialManager.cpp:176][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][SM_WAF_HTTP_PLUGIN->ProcessCredentials returned SmNoAction.]

[01/25/2016][17:37:36][6152][6496][CSmHighLevelAgent.cpp:583][ProcessRequest][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][CredentialManager returned SmNo or SmNoAction, calling ChallengeManager.]

[01/25/2016][17:37:36][6152][6496][CSmChallengeManager.cpp:105][CSmChallengeManager::DoChallenge][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Calling SM_WAF_HTTP_PLUGIN->ProcessChallenge.]

[01/25/2016][17:37:36][6152][6496][CSmHttpCredCore.cpp:1680][CSmHttpCredCore::DoFormsChallenge][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Executing forms challenge.]

[01/25/2016][17:37:36][6152][6496][CSmHttpCredCore.cpp:1973][CSmHttpCredCore::DoFormsChallenge][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Redirecting to credential collector 'http://www.sso.lab/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-43eff5e5-5a70-412d-b5a4-8394a090d152&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-http%3a%2f%2fwww%2esso%2elab%2fhtml%2f'.]

[01/25/2016][17:37:36][6152][6496][SmPluginUtilities.cpp:405][HandleCredCollectorChallenge][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Redirecting for credentials 'http://www.sso.lab/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-43eff5e5-5a70-412d-b5a4-8394a090d152&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-http%3a%2f%2fwww%2esso%2elab%2fhtml%2f'.]

[01/25/2016][17:37:36][6152][6496][CSmChallengeManager.cpp:124][CSmChallengeManager::DoChallenge][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][SM_WAF_HTTP_PLUGIN->ProcessChallenge returned SmExit.]

[01/25/2016][17:37:36][6152][6496][CSmHighLevelAgent.cpp:607][ProcessRequest][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Challenge Manager returned SmExit, end new request.]

 

In the above log, you can see that the request did not have an existing valid session, so the Credential Manager checks the linked Authentication Scheme and redirects.

The redirect URL tells the Credential Collector agent what the user requested, as below.

 

* REALM: 06-43eff5e5-5a70-412d-b5a4-8394a090d152

* METHOD: GET

* AGENTNAME: encrypted agent name (for agent.iis).

* TARGET: http://www.sso.lab/html/

 

This Credential Collector agent will then again need to ensure the TARGET is protected when the user submits credentials.
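To connect the redirect URL above with the cookie-domain rule from the Basic Concepts section, here is an added Python example (not part of the original post): it parses the login.fcc challenge URL, strips the "-SM-" marker visible on the TARGET and SMAGENTNAME values, and checks whether the SMSESSION cookie minted at the credential collector would be submitted to the TARGET. Deriving the cookie domain from the last two labels of the host reproduces the '.sso.lab' value in the trace, but that label count is an assumption of this example, not a documented agent setting; the mismatch URL is constructed.

```python
from urllib.parse import parse_qs, urlsplit

SM_MARKER = "-SM-"   # prefix seen on the TARGET and SMAGENTNAME values in the challenge URL


def strip_sm_marker(value: str) -> str:
    """parse_qs already undoes the %-encoding, so only the -SM- marker remains."""
    return value[len(SM_MARKER):] if value.startswith(SM_MARKER) else value


def parse_fcc_redirect(url: str) -> dict:
    """Break a login.fcc challenge URL into what the credential collector reads:
    realm OID, original method, auth reason and TARGET. The encrypted agent
    name is kept opaque; this example does not try to decrypt it."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)   # keeps the empty GUID=
    first = lambda key: query.get(key, [""])[0]
    return {
        "collector": f"{parts.scheme}://{parts.netloc}{parts.path}",
        "type": first("TYPE"),
        "realmoid": first("REALMOID"),
        "smauthreason": first("SMAUTHREASON"),
        "method": first("METHOD"),
        "agentname_encrypted": strip_sm_marker(first("SMAGENTNAME")),
        "target": strip_sm_marker(first("TARGET")),
    }


def derive_cookie_domain(host: str, labels: int = 2) -> str:
    """Cookie domain from a host: keep its last `labels` DNS labels with a
    leading dot, so www.sso.lab -> .sso.lab (the value in the trace above).
    The label count is this example's assumption, not an agent parameter."""
    parts = host.lower().rstrip(".").split(".")
    return "." + ".".join(parts[-labels:])


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: the browser sends a cookie scoped to cookie_domain
    to host only if host equals it or is a subdomain of it."""
    host = host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def session_cookie_reaches_target(redirect_url: str, labels: int = 2) -> dict:
    """Would the SMSESSION cookie set by the credential collector named in
    redirect_url be submitted to the TARGET that the URL carries?"""
    info = parse_fcc_redirect(redirect_url)
    login_host = urlsplit(info["collector"]).hostname or ""
    target_host = urlsplit(info["target"]).hostname or ""
    login_domain = derive_cookie_domain(login_host, labels)
    return {
        "login_host": login_host,
        "target_host": target_host,
        "login_cookie_domain": login_domain,
        "target_cookie_domain": derive_cookie_domain(target_host, labels),
        # the decisive check: the cookie was issued for login_domain
        "cookie_submitted": domain_matches(target_host, login_domain),
    }


# The challenge URL shown above on this page.
PAGE_REDIRECT = ("http://www.sso.lab/siteminderagent/forms/login.fcc?TYPE=33554433"
                 "&REALMOID=06-43eff5e5-5a70-412d-b5a4-8394a090d152&GUID=&SMAUTHREASON=0"
                 "&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ"
                 "&TARGET=-SM-http%3a%2f%2fwww%2esso%2elab%2fhtml%2f")

# Constructed misconfiguration: login page in .sso.lab, target in .sm.lab.
MISMATCH_REDIRECT = ("http://login.sso.lab/siteminderagent/forms/login.fcc?TYPE=33554433"
                     "&REALMOID=06-REALM-OID-PLACEHOLDER&GUID=&SMAUTHREASON=0&METHOD=GET"
                     "&TARGET=-SM-http%3a%2f%2fwww%2esm%2elab%2fprotected%2findex%2ehtml")

if __name__ == "__main__":
    for url in (PAGE_REDIRECT, MISMATCH_REDIRECT):
        print(parse_fcc_redirect(url)["target"], session_cookie_reaches_target(url))
```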

 

 

IsProtected/IsAuthenticated from the Credential Collector web agent and redirect back to the target URL

 

 

[01/25/2016][18:00:41][7080][7052][CSmHighLevelAgent.cpp:970][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][][][][][][Start new request.]

[01/25/2016][18:00:41][7080][7052][CSmResourceManager.cpp:187][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource.]

[01/25/2016][18:00:41][7080][7052][CSmHttpPlugin.cpp:8683][CSmHttpPlugin::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[01/25/2016][18:00:41][7080][7052][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[01/25/2016][18:00:41][7080][7052][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][][][][][][Resolved Client IP address '192.168.201.101'.]

[01/25/2016][18:00:41][7080][7052][SmFCC.cpp:2917][SmFcc::getLocalePath][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][][][][Localized Path = C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc, working locale = en-US]

[01/25/2016][18:00:41][7080][7052][CSmFormTemplateCache.cpp:209][CSmFormTemplateCache::GetForm][][][][][][][Form template 'C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc' not found in cache.]

[01/25/2016][18:00:41][7080][7052][CSmFormTemplateCache.cpp:226][CSmFormTemplateCache::GetForm][][][][][][][Serving form template 'C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc' from disk.]

[01/25/2016][18:00:41][7080][7052][CSmFormTemplateCache.cpp:269][CSmFormTemplateCache::GetForm][][][][][][][Form template 'C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc' stored in cache.]

[01/25/2016][18:00:41][7080][7052][SmAdvancedAuthCore.cpp:632][SmAdvancedAuthCore::parseTargetUrl][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][][/html/][][Resolved cookie domain '.sso.lab'.]

[01/25/2016][18:00:41][7080][7052][CSmResourceManager.cpp:225][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource returned SmSuccess.]

[01/25/2016][18:00:41][7080][7052][CSmLowLevelAgent.cpp:503][IsResourceProtected][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][Resource is protected from Policy Server.]

[01/25/2016][18:00:41][7080][7052][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[01/25/2016][18:00:41][7080][7052][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][Processing IsProtected responses.]

[01/25/2016][18:00:41][7080][7052][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[01/25/2016][18:00:41][7080][7052][CSmCredentialManager.cpp:222][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]

[01/25/2016][18:00:41][7080][7052][SmFCC.cpp:703][SmFcc::getCredentials][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][Success in collecting credentials.]

[01/25/2016][18:00:41][7080][7052][SmPluginUtilities.cpp:481][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][POST preservation, handling return from credential collector.]

[01/25/2016][18:00:41][7080][7052][SmPluginUtilities.cpp:618][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][http response http://www.sso.lab/html/]

[01/25/2016][18:00:41][7080][7052][CSmCredentialManager.cpp:260][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmSuccess.]

[01/25/2016][18:00:43][7080][7052][CSmLowLevelAgent.cpp:1200][AuthenticateUser][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][User 'smuser' is authenticated by Policy Server.]

[01/25/2016][18:00:43][7080][7052][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][Processing Authentication responses.]

[01/25/2016][18:00:43][7080][7052][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][Deleted cookie 'SMTRYNO'.]

[01/25/2016][18:00:43][7080][7052][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[01/25/2016][18:00:43][7080][7052][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:1415][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][SAVEDSESSION Cookie Created.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][Generated SMSESSION cookie.]

[01/25/2016][18:00:43][7080][7052][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[01/25/2016][18:00:43][7080][7052][CSmHighLevelAgent.cpp:1282][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][End new request.]

 

IsProtected/IsAuthenticated/IsAuthorized from target web agent

 

 

[01/25/2016][18:00:43][7080][7052][CSmHighLevelAgent.cpp:321][ProcessRequest][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][][][][][][Start new request.]

[01/25/2016][18:00:43][7080][7052][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:490][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][][][][][][Resolved hostname: 'www.sso.lab'.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:509][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][][][][][][Resolved agentname: 'agent.iis'.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][][][agent.iis][][][Resolved Client IP address '192.168.201.101'.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:657][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][][][Resolved URL: '/html/'.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:781][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][][Resolved METHOD: 'GET'.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:834][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][][Resolved cookie domain: '.sso.lab'.]

[01/25/2016][18:00:43][7080][7052][CSmResourceManager.cpp:112][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmSuccess.]

[01/25/2016][18:00:43][7080][7052][CSmSessionManager.cpp:82][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][][Calling SM_WAF_HTTP_PLUGIN->EstablishSession.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:6609][CSmHttpPlugin::ProcessSessionCookie][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Decoded SMSESSION cookie - User = 'CN=smuser,CN=Users,DC=sso,DC=lab', IP address = '192.168.201.101'.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:2216][CSmHttpPlugin::EstablishSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Processed SMSESSION cookie.]

[01/25/2016][18:00:43][7080][7052][CSmSessionManager.cpp:119][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmSuccess.]

[01/25/2016][18:00:43][7080][7052][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Resource is protected from cache.]

[01/25/2016][18:00:43][7080][7052][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Processing IsProtected responses.]

[01/25/2016][18:00:43][7080][7052][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[01/25/2016][18:00:43][7080][7052][CSmCredentialManager.cpp:103][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Found session, no credentials required.]

[01/25/2016][18:00:43][7080][7052][CSmLowLevelAgent.cpp:999][AuthenticateUser][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Validating session 'XAEiYfEY6sD2bmJ9l6DXkd3nnV8=' for user 'CN=smuser,CN=Users,DC=sso,DC=lab' in zone 'SM'.]

[01/25/2016][18:00:43][7080][7052][CSmLowLevelAgent.cpp:1195][AuthenticateUser][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][User 'CN=smuser,CN=Users,DC=sso,DC=lab' is authenticated from cache.]

[01/25/2016][18:00:43][7080][7052][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Processing Authentication responses.]

[01/25/2016][18:00:43][7080][7052][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[01/25/2016][18:00:43][7080][7052][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Generated SMSESSION cookie.]

[01/25/2016][18:00:43][7080][7052][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[01/25/2016][18:00:43][7080][7052][CSmLowLevelAgent.cpp:2768][AuthorizeUser][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][User 'CN=smuser,CN=Users,DC=sso,DC=lab' is authorized by Policy Server.]

[01/25/2016][18:00:43][7080][7052][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:3270][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Processing Authorization responses.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:3277][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Removing HTTP cache request headers.]

[01/25/2016][18:00:43][7080][7052][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[01/25/2016][18:00:43][7080][7052][CSmHighLevelAgent.cpp:801][ProcessRequest][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][AuthorizationManager returned SmYes, end new request.]

[01/25/2016][18:00:43][7080][7052][CSmHighLevelAgent.cpp:921][ProcessRequest][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][End new request.]

 

In the above trace log, the target web agent reports that it received the SMSESSION cookie, that the user is "CN=smuser,CN=Users,DC=sso,DC=lab", and that the user was authenticated from IP "192.168.201.101".

 

It then went on with the IsProtected/IsAuthenticated/IsAuthorized calls.

 

As this is ALL-IN-ONE, the target web agent and the credential collector (login) web agent are the same agent.

So, the user was authenticated from the agent cache when redirected from the login page to the target.

Authorization came from the Policy Server, as this user had not been authorized before.

 

Another thing to highlight is that the Credential Collector web agent authenticated the user from the http://www.sso.lab/siteminderagent/forms/login.fcc page.

This web site's cookie domain is ".sso.lab".

So, the SMSESSION cookie was generated for this cookie domain, as the trace shows:

[Resolved cookie domain: '.sso.lab'.]

 

If the Credential Collector's cookie domain and the Target web agent's cookie domain did not match, the browser would not have submitted the SMSESSION cookie to the target, and the IsAuthenticated call would have failed.

 

This would cause a redirect loop between the target and the login page.

Fortunately, the "HTML Form Template" authentication scheme is not a seamless login (such as NTLM/IWA), so it does not loop by itself.

It is important to check whether the authentication scheme can loop under any error condition.
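The cookie-domain check described above, as an added example that is not part of the original post: it splits Web Agent trace lines in the bracketed format shown earlier, pulls out each "Resolved cookie domain" message, and reports whether a browser would submit the resulting SMSESSION cookie to a given target host. The sample trace lines are constructed for this example and the session id in them is a placeholder.

```python
import re

# Field order of one trace line, as the log above shows it:
# [date][time][pid][tid][file:line][function][session id][client ip][][agent][resource][user][message]
FIELD_RE = re.compile(r"\[([^\]]*)\]")
FIELDS = ("date", "time", "pid", "tid", "source", "function", "session",
          "client_ip", "unused", "agent", "resource", "user", "message")

def parse_trace_line(line):
    """Split one bracketed trace line into a dict; returns None for non-trace lines."""
    parts = FIELD_RE.findall(line)
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def cookie_domain_matches(cookie_domain, host):
    """RFC 6265 domain-match: a cookie scoped to '.sso.lab' is sent only to hosts
    that equal 'sso.lab' or end with '.sso.lab'."""
    d = cookie_domain.lower().lstrip(".")
    h = host.lower()
    return h == d or h.endswith("." + d)

def check_cookie_domains(trace_lines, target_host):
    """For each 'Resolved cookie domain' message, report whether the SMSESSION cookie
    generated for that domain would be submitted by the browser to target_host."""
    results = []
    for line in trace_lines:
        rec = parse_trace_line(line)
        if rec is None:
            continue
        m = re.match(r"Resolved cookie domain: '([^']+)'", rec["message"])
        if m:
            results.append((m.group(1), cookie_domain_matches(m.group(1), target_host)))
    return results

# Constructed sample lines in the trace format above (session id is a placeholder).
SAMPLE = [
    "[01/25/2016][17:59:58][7080][7052][CSmHttpPlugin.cpp:1600][CSmHttpPlugin::CreateSession]"
    "[SESSION-ID-PLACEHOLDER][*192.168.201.101][][agent.iis][/siteminderagent/forms/login.fcc][smuser]"
    "[Resolved cookie domain: '.sso.lab'.]",
    "[01/25/2016][17:59:58][7080][7052][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession]"
    "[SESSION-ID-PLACEHOLDER][*192.168.201.101][][agent.iis][/siteminderagent/forms/login.fcc][smuser]"
    "[Generated SMSESSION cookie.]",
]

if __name__ == "__main__":
    print(check_cookie_domains(SAMPLE, "www.sso.lab"))    # [('.sso.lab', True)]
    print(check_cookie_domains(SAMPLE, "app.other.lab"))  # [('.sso.lab', False)]
```

A False result for the target host is the mismatch case that produces the redirect loop described above.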

 

In the next article, we will add one more user attribute for authentication (email).

 

This concludes "Configuring an ALL-IN-ONE VM Image - Part 3".

 

ASF Apache 2.4 is certified with the Web Agent on the Windows platform.

However, the Apache service will not start up when the Web Agent is integrated.

It fails with a stack overflow exception.

 

The instruction is to use editbin to set the stack size to 512KB:

editbin /STACK:524288 httpd.exe

 

Many online documents suggest that the default stack size is 1MB.

So are we reducing the stack size by setting it to 512KB?

 

From research, the default stack size for httpd.exe from ASF Apache 2.4 was as shown below.

You will need "link.exe", which ships with Visual Studio.

 

link /dump /headers httpd.exe

Original httpd.exe from ASF Apache 2.4.17

Microsoft (R) COFF/PE Dumper Version 8.00.50727.42

Copyright (C) Microsoft Corporation.  All rights reserved.

 

 

 

 

Dump of file httpd.exe

 

 

PE signature found

 

 

File Type: EXECUTABLE IMAGE

 

 

FILE HEADER VALUES

            8664 machine (x64)

               6 number of sections

        561A2F0A time date stamp Sun Oct 11 20:42:34 2015

               0 file pointer to symbol table

               0 number of symbols

              F0 size of optional header

              22 characteristics

                   Executable

                   Application can handle large (>2GB) addresses

 

 

OPTIONAL HEADER VALUES

             20B magic # (PE32+)

           14.00 linker version

            2C00 size of code

            4200 size of initialized data

               0 size of uninitialized data

            2FBC entry point (0000000140002FBC)

            1000 base of code

       140000000 image base (0000000140000000 to 000000014000BFFF)

            1000 section alignment

             200 file alignment

            6.00 operating system version

            0.00 image version

            6.00 subsystem version

               0 Win32 version

            C000 size of image

             400 size of headers

            C001 checksum

               3 subsystem (Windows CUI)

            8160 DLL characteristics

                   RESERVED - UNKNOWN

                   RESERVED - UNKNOWN

                   NX compatible

                   Terminal Server Aware

           40000 size of stack reserve

            1000 size of stack commit

          100000 size of heap reserve

            1000 size of heap commit

               0 loader flags

              10 number of directories

            58E0 [      4C] RVA [size] of Export Directory

            592C [      F0] RVA [size] of Import Directory

            9000 [    1034] RVA [size] of Resource Directory

            8000 [     1E0] RVA [size] of Exception Directory

               0 [       0] RVA [size] of Certificates Directory

            B000 [      28] RVA [size] of Base Relocation Directory

            53A0 [      54] RVA [size] of Debug Directory

               0 [       0] RVA [size] of Architecture Directory

               0 [       0] RVA [size] of Global Pointer Directory

               0 [       0] RVA [size] of Thread Storage Directory

            5400 [      94] RVA [size] of Load Configuration Directory

               0 [       0] RVA [size] of Bound Import Directory

            4000 [     470] RVA [size] of Import Address Table Directory

               0 [       0] RVA [size] of Delay Import Directory

               0 [       0] RVA [size] of COM Descriptor Directory

               0 [       0] RVA [size] of Reserved Directory

 

 

 

 

SECTION HEADER #1

   .text name

    2A68 virtual size

    1000 virtual address (0000000140001000 to 0000000140003A67)

    2C00 size of raw data

     400 file pointer to raw data (00000400 to 00002FFF)

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

60000020 flags

         Code

         Execute Read

 

 

SECTION HEADER #2

  .rdata name

    2976 virtual size

    4000 virtual address (0000000140004000 to 0000000140006975)

    2A00 size of raw data

    3000 file pointer to raw data (00003000 to 000059FF)

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

40000040 flags

         Initialized Data

         Read Only

 

 

  Debug Directories

 

 

        Time Type       Size      RVA  Pointer

    -------- ------ -------- -------- --------

    561A2F0A cv           49 00005494     4494    Format: RSDS, {71EB6E18-61F7-45A9-9AC2-01D9BE320001}, 2, C:\VC14\Win64\httpd-2.4.17\x64\Release\httpd.pdb

    561A2F0A (   C)       14 000054E0     44E0

    561A2F0A (   D)      27C 000054F4     44F4

 

 

SECTION HEADER #3

   .data name

     6F8 virtual size

    7000 virtual address (0000000140007000 to 00000001400076F7)

     200 size of raw data

    5A00 file pointer to raw data (00005A00 to 00005BFF)

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

C0000040 flags

         Initialized Data

         Read Write

 

 

SECTION HEADER #4

  .pdata name

     1E0 virtual size

    8000 virtual address (0000000140008000 to 00000001400081DF)

     200 size of raw data

    5C00 file pointer to raw data (00005C00 to 00005DFF)

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

40000040 flags

         Initialized Data

         Read Only

 

 

SECTION HEADER #5

   .rsrc name

    1034 virtual size

    9000 virtual address (0000000140009000 to 000000014000A033)

    1200 size of raw data

    5E00 file pointer to raw data (00005E00 to 00006FFF)

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

40000040 flags

         Initialized Data

         Read Only

 

 

SECTION HEADER #6

  .reloc name

      28 virtual size

    B000 virtual address (000000014000B000 to 000000014000B027)

     200 size of raw data

    7000 file pointer to raw data (00007000 to 000071FF)

       0 file pointer to relocation table

       0 file pointer to line numbers

       0 number of relocations

       0 number of line numbers

42000040 flags

         Initialized Data

         Discardable

         Read Only

 

 

  Summary

 

 

        1000 .data

        1000 .pdata

        3000 .rdata

        1000 .reloc

        2000 .rsrc

        3000 .text

 

Hex 40000 is 262144 (256KB), the "size of stack reserve" in the optional header above.

So, what this confirms is that the instruction to set the stack size to 512KB is actually doubling the stack size, not reducing it.
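The same "size of stack reserve" lookup done directly on the PE headers, as an added example that is not the post's own tooling: it reads SizeOfStackReserve from the optional header the way link /dump /headers reports it, and rewrites that one field the way editbin /STACK does (the PE checksum is left untouched here). The sample header is constructed to mirror the dump above (x64, PE32+, 0x40000 stack reserve); it is headers only, not a loadable image.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B   # optional header magic values

def _optional_header_offset(data):
    """Return the file offset of the optional header after validating MZ and PE signatures."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20          # 4-byte signature + 20-byte COFF file header

def stack_reserve(data):
    """Return (magic, SizeOfStackReserve); the field sits at offset 72 in both PE32 and PE32+,
    but is 8 bytes wide in PE32+ and 4 bytes wide in PE32."""
    opt = _optional_header_offset(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:
        return magic, struct.unpack_from("<Q", data, opt + 72)[0]
    if magic == PE32_MAGIC:
        return magic, struct.unpack_from("<I", data, opt + 72)[0]
    raise ValueError("unknown optional header magic 0x%X" % magic)

def with_stack_reserve(data, new_size):
    """Return a copy with SizeOfStackReserve rewritten (what editbin /STACK:n changes)."""
    opt = _optional_header_offset(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    buf = bytearray(data)
    struct.pack_into("<Q" if magic == PE32PLUS_MAGIC else "<I", buf, opt + 72, new_size)
    return bytes(buf)

def sample_pe32plus_header(reserve=0x40000):
    """Constructed header-only image mirroring the dump above: x64, PE32+, 0x40000 stack reserve."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)          # e_lfanew -> PE signature at 0x80
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x84, 0x8664, 6)    # machine x64, 6 sections
    struct.pack_into("<H", hdr, 0x84 + 16, 0xF0)     # size of optional header
    opt = 0x84 + 20
    struct.pack_into("<H", hdr, opt, PE32PLUS_MAGIC)
    struct.pack_into("<Q", hdr, opt + 72, reserve)   # size of stack reserve
    struct.pack_into("<Q", hdr, opt + 80, 0x1000)    # size of stack commit
    return bytes(hdr)

if __name__ == "__main__":
    img = sample_pe32plus_header()
    magic, reserve = stack_reserve(img)
    print("magic 0x%X, stack reserve 0x%X (%d KB)" % (magic, reserve, reserve // 1024))
    print("after /STACK:524288 -> %d KB" % (stack_reserve(with_stack_reserve(img, 524288))[1] // 1024))
```

To check a real binary, pass open("httpd.exe", "rb").read() to stack_reserve instead of the constructed header.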

 

Thanks to Ujwol for revealing this.

After finding this information, we ran the same on ASF Apache 2.2 and the stack size remained the same.

So, the memory requirement of the Web Agent module for Apache 2.4 seems to have increased.

 

I did not have a full Studio installed, but there was an editbin and link package found on the internet that worked.

http://people.sju.edu/~ggrevera/cscCV/stack/