SungHoon_Kim

Configuring an ALL-IN-ONE VM Image - Part 3

Blog Post created by SungHoon_Kim Employee on Jan 25, 2016

This is something I like to do once in a while. It takes a long time to set up everything, but to me it is a hobby. It is like putting together jigsaw puzzles.

 

WARNING: THIS IS NOT SUPPORTED! THIS IS ONLY TO FULFILL YOUR CURIOSITY AND SATISFY YOUR SPIRIT GOING AGAINST ALL ODDS. THIS IS NOT A DEMONSTRATION ALLOWING YOU TO RUN SUCH CONFIGURATION IN YOUR DEV/TEST/QA/PROD ENVIRONMENT.

 

This environment is a continuation of the "Creating an ALL-IN-ONE VM Image" series (links below).

 

Creating an ALL-IN-ONE VM Image - Part 1

Creating an ALL-IN-ONE VM Image - Part 2

Creating an ALL-IN-ONE VM Image - Part 3

Creating an ALL-IN-ONE VM Image - Part 4

Creating an ALL-IN-ONE VM Image - Part 5

Creating an ALL-IN-ONE VM Image - Part 6

Creating an ALL-IN-ONE VM Image - Part 7

Creating an ALL-IN-ONE VM Image - Part 8

Creating an ALL-IN-ONE VM Image - Part 9

Creating an ALL-IN-ONE VM Image - Part 10-1

Creating an ALL-IN-ONE VM Image - Part 10-2

 

 

The following configuration will be set up.

 

01. Basic setup - Create application and protect using Forms Authentication.

     - Service configuration

     - Startup/Shutdown scripts

     - Logging

     - Basic Concepts

02. Standard Authentication Schemes

     - Basic Concepts

     - Basic

     - HTML Forms

     - HTML using UID and EMAIL

     - Basic over SSL

03. Certificate Authentication Schemes

     - X.509 Certificate Only

     - X.509 Certificate or Basic

     - X.509 Certificate and Basic

     - X.509 Certificate or Form

     - X.509 Certificate and Form

04. Windows Authentication Scheme

05. OAuth Authentication Scheme

06. Cookie Provider

07. Directory Mapping

08. Password Services

09. Impersonation

10. Session Assurance

11. SAML 2.0 Partnership Federation - SSO

12. SAML 2.0 Partnership Federation - SLO

13. SAML 2.0 Partnership Federation - RelayState

14. SAML 2.0 Partnership Federation - Negative Assertion

15. SAML 1.x Partnership Federation

16. Audit Log import

17. Generating Reports

18. SiteMinder Test Tool

19. Global Delivery Modules

20. Troubleshooting

 

 

02. Standard Authentication Schemes

     - Basic Concepts

 

CA Single Sign-On has a Web Agent sitting on the Web Server as a plugin.

The Web Agent intercepts all requests (protected or not protected), and if the request is for a protected resource and the user is not authenticated or authorized, it redirects to the login page (aka the Credential Collector).

 

So, the first call it makes when a request is received is the "IsProtected" call (to the Policy Server).

If the resource is protected, then the Web Agent redirects to the URL defined in the Authentication Scheme that is linked to the protected resource (Realm).

 

Next is the "IsAuthenticated" call.

The requested resource must be protected in order to make this call.

If the user submits user credentials and they are accepted by the Policy Server, then the user is authenticated.

This happens as the Policy Server submits the user credentials received from the login page to the user store.

If the user store finds a matching user and the password matches, then the Policy Server tells the agent that this user is "Authenticated".

The Policy Server will generate a unique SessionID and assign it to the user session information (such as the user's UserDN and client IP, authenticated time and so on).

!! If the same user logs on from 2 browser sessions, there will be 2 different SessionIDs. This SessionID allows us to determine which user session (although they are the same user account) accessed which resource.

 

If this "IsAuthenticated" call is successful, then you get an SMSESSION cookie.

Once you have the SMSESSION cookie, you no longer need to submit user credentials again unless you access a resource that is not allowed for your access.

!! There is also a Validation call, and it is the same as the IsAuthenticated call except that IsAuthenticated is made when you did not have an SMSESSION cookie and Validation is made when you already have one.

 

Last is the "IsAuthorized" call.

You need to be authenticated before you can make this call.

The Web Agent will parse the SMSESSION cookie and ask the Policy Server if this user should be given access to the protected resource.

The evaluation is "Rule" + "User Policy".

The rule is created under a realm, which defines the URI (such as /protected/).

The rule defines which action/method to allow (such as GET or POST).

The User Policy defines which users are allowed (by comparing part of the DN, a user group, a specific user, or ALL users).

If they all match up, then the Policy Server tells the Web Agent this user is Authorized.

 

The SMSESSION cookie says you are "UID=user1,OU=People,DC=SM,DC=LAB".

This user is making a request for "http://www.sm.lab/protected/index.html".

The request method was "GET".

This resource is protected by Agent Name "agent1".

 

The Policy Server finds:

* an agent name matching "agent1".

* a matching realm for the requested URI, protected by the above agent name.

* a rule having the matching method (the method was GET).

* the policy that is linked to this rule.

* the user policy in that policy (the user policy condition was to validate the DN for "OU=People,DC=SM,DC=LAB").

* the user DN matches the validate DN in the user policy.

 

Now, as all the criteria match, the Policy Server tells the Web Agent that this user is authorized.

The Web Agent then allows the user to access http://www.sm.lab/protected/index.html.
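The lookup just described, worked as an added example (not CA's own code): a small Python model of the agent, realm, rule, policy and user policy chain over a constructed policy store that mirrors the example, so you can see which step rejects a POST, a user outside OU=People, or an unknown agent.

```python
"""Model of the Policy Server lookup order described in the post.

Added example, not CA's own code: agents, realms, rules, policies and user
policies are plain dicts (a hypothetical store) and evaluate() walks them in
the order listed above: agent -> realm -> rule -> policy -> user policy.
"""
from fnmatch import fnmatch
from urllib.parse import urlparse

# Constructed policy store mirroring the example in the post.
POLICY_STORE = {
    "agents": {"agent1"},
    "realms": [
        {"name": "Protected Realm", "agent": "agent1", "uri": "/protected/"},
    ],
    "rules": [
        {"name": "Allow Read", "realm": "Protected Realm",
         "resource": "*", "methods": {"GET"}},
    ],
    "policies": [
        {"name": "People Policy", "rules": {"Allow Read"},
         "user_policies": [{"validate_dn": "OU=People,DC=SM,DC=LAB"}]},
    ],
}


def dn_rdns(dn):
    """Split a DN into normalised RDN strings for case-insensitive comparison."""
    return [part.strip().upper() for part in dn.split(",")]


def dn_matches(user_dn, validate_dn):
    """A 'validate DN' user policy is satisfied when the validate DN is the
    parent container of the user's DN (a suffix match on the RDN list)."""
    user, want = dn_rdns(user_dn), dn_rdns(validate_dn)
    return len(user) >= len(want) and user[-len(want):] == want


def evaluate(store, agent, user_dn, url, method):
    """Return (authorized, reason), stopping at the first step that fails."""
    if agent not in store["agents"]:
        return False, "no agent named %r" % agent
    path = urlparse(url).path
    # Realm: matching URI prefix and protected by this agent.
    realms = [r for r in store["realms"]
              if r["agent"] == agent and path.startswith(r["uri"])]
    if not realms:
        return False, "no realm for %s protected by %s" % (path, agent)
    # Rule: under one of those realms, resource filter and method both match.
    rules = [r for r in store["rules"]
             if any(r["realm"] == rl["name"]
                    and fnmatch(path[len(rl["uri"]):], r["resource"])
                    for rl in realms)
             and method.upper() in r["methods"]]
    if not rules:
        return False, "no rule allowing %s on %s" % (method, path)
    # Policy: linked to at least one of the matching rules.
    rule_names = {r["name"] for r in rules}
    policies = [p for p in store["policies"] if p["rules"] & rule_names]
    if not policies:
        return False, "matching rule is not linked to any policy"
    # User policy: the session's DN must satisfy one of them.
    for policy in policies:
        for up in policy["user_policies"]:
            if dn_matches(user_dn, up["validate_dn"]):
                return True, "policy %r via validate DN %r" % (
                    policy["name"], up["validate_dn"])
    return False, "user DN does not satisfy any user policy"
```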

 

The above was covered in Chapter 1.

From now on we will be focusing on the "IsAuthenticated" call.

 

Most of our "CA Single Sign-On" credential collectors are hosted on a different URL, which requires a redirect (even if it is hosted from the same web server).

The only authentication scheme that does not require a redirect is the "Basic" Authentication Scheme.

 

All the SiteMinder authentication schemes redirect to /siteminderagent/xxxx

For example, http://www.sm.lab/siteminderagent/forms/login.fcc

When it redirects, you need to ensure that the web server hosting the target resource and the web server hosting the login page are in the same cookie domain.

 

*Cookie Domain*

 

TARGET Web Server: http://www.sm.lab/protected/index.html

LOGIN Web Server: http://login.sm.lab/siteminderagent/forms/login.fcc

 

So, when the user is authenticated, the user is authenticated at the Login Server and gets an SMSESSION cookie for the ".sm.lab" cookie domain.

The login server will redirect the user back to the TARGET.

At the target, the browser submits the cookies that match the server's cookie domain, and if the SMSESSION cookie was issued for the same cookie domain then it will be submitted.

If you configure this wrong so that the TARGET and LOGIN cookie domains are different, then users will not gain access to the TARGET because the SMSESSION cookie is not submitted at the TARGET.

 

!! For the 2 URLs above, the IsProtected/IsAuthenticated/IsAuthorized calls are made for each of them. Every individual request is evaluated.

!! If the IsProtected call returns "NO" then the IsAuthenticated call is not needed. If the IsAuthenticated call returns "NO" then the IsAuthorized call is not needed.

 

*User Credential*

 

A user credential can be any information that is required to prove your identity.

It can be username + password.

It can be a client certificate.

Anything that the server requires to identify the user.

 

In most cases, this is a simple username and password, thus login.fcc is used.

FCC stands for Form Credential Collector.

So, if you see an xCC extension, it has to do with credential collection.

 

     - Basic

We already set up the Basic Authentication Scheme in the previous chapter.

 

     - HTML Forms

We are now going to set up the HTML Forms Authentication Scheme.

Log on to the AdminUI and go to "Infrastructure ==> Authentication".

Click on "Create Authentication Scheme".

 

 

Select "Create a new object of type Authentication Scheme" and click "OK".

Fill in the following and click "Submit":

* "Name"

* "Authentication Scheme Type" (select "HTML Form Template" from dropdown menu)

* "Protection Level" (leave it as 5)

* "Target" (leave it as "/siteminderagent/forms/login.fcc")

* "Library" (leave it as "smauthhtml")

 

 

Other Authentication Schemes are configured basically the same way as the "HTML Form Template", with small differences.

What is usually required are the "Name", "Authentication Scheme Type" and "Web Server Name"; the others are usually left untouched.

 

Now that you have created the Authentication Scheme, go to "Policies ==> Application ==> Applications ==> www.sso.lab" and click the modify button (the pencil icon at the right end, before the X icon that deletes).

 

 

Click on the "Create Component" button.

Enter the following and click "OK".

* Component Name: HTML Realm

* Agent: agent.iis

* Resource Filter: /html/

* Default Resource Protection: Protected (leave it as is)

* Authentication Scheme: Login Form for www.sso.lab

You will be back at the www.sso.lab applications setting.

Click on the "Resources" tab.

At the "Select a context root", select "/html/" from the dropdown list and click on "Create" button.

Enter the following and click "OK":

* Name: Access HTML Rule

* Resource: *

* Allow Access (leave it as is)

* Action/Web Agent actions: GET, POST

You will be shown the Resource(rule) created for /html/.

Click on the "Policies" tab.

At the "Select a context root", select "/html/" from the dropdown list.

You will now see the "Access HTML Rule" application and the "Basic Role", with an empty checkbox for this relationship.

Tick the checkbox for the "Access HTML Rule" application and the "Basic Role" and click the "Submit" button to complete this setup.

 

 

To test this configuration, go to http://www.sso.lab/html/ and see how the new configuration works.

 

 

In the address bar, you can find the following URL.

 

http://www.sso.lab/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-43eff5e5-5a70-412d-b5a4-8394a090d152&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-http%3a%2f%2fwww%2esso%2elab%2fhtml%2f

 

You are redirected to this login page because the target http://www.sso.lab/html/ was protected.

 

You will find the following in the Web Agent trace log file.

IsProtected/IsAuthenticated from target web agent

 

 

[01/25/2016][17:37:36][6152][6496][CSmHighLevelAgent.cpp:321][ProcessRequest][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][][][][][][Start new request.]

[01/25/2016][17:37:36][6152][6496][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]

[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:490][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][][][][][][Resolved hostname: 'www.sso.lab'.]

[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:509][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][][][][][][Resolved agentname: 'agent.iis'.]

[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][][][agent.iis][][][Resolved Client IP address '192.168.201.101'.]

[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:657][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][][][Resolved URL: '/html/'.]

[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:781][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Resolved METHOD: 'GET'.]

[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:834][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Resolved cookie domain: '.sso.lab'.]

[01/25/2016][17:37:36][6152][6496][CSmResourceManager.cpp:112][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmSuccess.]

[01/25/2016][17:37:36][6152][6496][CSmSessionManager.cpp:82][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Calling SM_WAF_HTTP_PLUGIN->EstablishSession.]

[01/25/2016][17:37:36][6152][6496][CSmSessionManager.cpp:126][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmNoAction.]

[01/25/2016][17:37:36][6152][6496][CSmLowLevelAgent.cpp:503][IsResourceProtected][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Resource is protected from Policy Server.]

[01/25/2016][17:37:36][6152][6496][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Processing IsProtected responses.]

[01/25/2016][17:37:36][6152][6496][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[01/25/2016][17:37:36][6152][6496][CSmCredentialManager.cpp:132][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Calling SM_WAF_HTTP_PLUGIN->ProcessCredentials.]

[01/25/2016][17:37:36][6152][6496][CSmCredentialManager.cpp:176][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][SM_WAF_HTTP_PLUGIN->ProcessCredentials returned SmNoAction.]

[01/25/2016][17:37:36][6152][6496][CSmHighLevelAgent.cpp:583][ProcessRequest][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][CredentialManager returned SmNo or SmNoAction, calling ChallengeManager.]

[01/25/2016][17:37:36][6152][6496][CSmChallengeManager.cpp:105][CSmChallengeManager::DoChallenge][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Calling SM_WAF_HTTP_PLUGIN->ProcessChallenge.]

[01/25/2016][17:37:36][6152][6496][CSmHttpCredCore.cpp:1680][CSmHttpCredCore::DoFormsChallenge][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Executing forms challenge.]

[01/25/2016][17:37:36][6152][6496][CSmHttpCredCore.cpp:1973][CSmHttpCredCore::DoFormsChallenge][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Redirecting to credential collector 'http://www.sso.lab/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-43eff5e5-5a70-412d-b5a4-8394a090d152&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-http%3a%2f%2fwww%2esso%2elab%2fhtml%2f'.]

[01/25/2016][17:37:36][6152][6496][SmPluginUtilities.cpp:405][HandleCredCollectorChallenge][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Redirecting for credentials 'http://www.sso.lab/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-43eff5e5-5a70-412d-b5a4-8394a090d152&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-http%3a%2f%2fwww%2esso%2elab%2fhtml%2f'.]

[01/25/2016][17:37:36][6152][6496][CSmChallengeManager.cpp:124][CSmChallengeManager::DoChallenge][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][SM_WAF_HTTP_PLUGIN->ProcessChallenge returned SmExit.]

[01/25/2016][17:37:36][6152][6496][CSmHighLevelAgent.cpp:607][ProcessRequest][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Challenge Manager returned SmExit, end new request.]

 

In the above log, you can see that the request did not have an existing valid session, so the Credential Manager checks for the linked Authentication Scheme and redirects.

The redirect URL tells the Credential Collector Agent what the user requested, as below.

 

* REALM: 06-43eff5e5-5a70-412d-b5a4-8394a090d152

* METHOD: GET

* AGENTNAME: encrypted agent name (for agent.iis).

* TARGET: http://www.sso.lab/html/

 

This Credential Collector Agent will then again need to ensure the TARGET is protected when the user submits credentials.
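The redirect URL above and the cookie-domain requirement from the "Cookie Domain" section, as an added example (not Web Agent code): parse the login.fcc query string, strip the "-SM-" marker from TARGET, and check that the collector and target hosts share the cookie domain. The "-SM-" handling and the RFC 6265 domain-match rule are assumptions of this example.

```python
"""Parse a login.fcc redirect and check the cookie-domain requirement.

Added example, not Web Agent code. Assumptions made here: values prefixed
with '-SM-' are plain percent-encoded strings once the marker is removed, and
a browser sends a cookie set for '.sso.lab' to any host inside that domain
(RFC 6265 domain-match).
"""
from urllib.parse import parse_qs, urlparse

SM_PREFIX = "-SM-"

# Copy of the redirect URL from the post (SMAGENTNAME is encrypted by the
# agent; this script only strips its marker and does not decode it).
REDIRECT_URL = (
    "http://www.sso.lab/siteminderagent/forms/login.fcc?TYPE=33554433"
    "&REALMOID=06-43eff5e5-5a70-412d-b5a4-8394a090d152&GUID=&SMAUTHREASON=0"
    "&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW"
    "%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-http%3a%2f%2fwww%2esso%2elab%2fhtml%2f"
)


def sm_decode(value):
    """Strip the '-SM-' marker (parse_qs has already percent-decoded)."""
    return value[len(SM_PREFIX):] if value.startswith(SM_PREFIX) else value


def parse_fcc_redirect(url):
    """Return the fields the redirect carries for the credential collector."""
    u = urlparse(url)
    q = parse_qs(u.query, keep_blank_values=True)

    def one(key):
        return q.get(key, [""])[0]

    return {
        "collector": "%s://%s%s" % (u.scheme, u.netloc, u.path),
        "type": one("TYPE"),
        "realmoid": one("REALMOID"),
        "smauthreason": int(one("SMAUTHREASON") or 0),
        "method": one("METHOD"),
        "agentname_encrypted": sm_decode(one("SMAGENTNAME")),
        "target": sm_decode(one("TARGET")),
    }


def host_in_cookie_domain(host, cookie_domain):
    """Domain-match: '.sso.lab' covers 'www.sso.lab' and 'login.sso.lab',
    but not 'sso.lab.example' or 'othersso.lab'."""
    host = host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def same_cookie_domain(collector_url, target_url, cookie_domain):
    """True when an SMSESSION cookie set by the collector for cookie_domain
    will also be submitted at the target (both hosts inside the domain)."""
    hosts = (urlparse(collector_url).hostname, urlparse(target_url).hostname)
    return all(h is not None and host_in_cookie_domain(h, cookie_domain)
               for h in hosts)


def check_redirect(url, cookie_domain):
    """Parse the redirect and report whether the target will see the cookie."""
    info = parse_fcc_redirect(url)
    info["same_cookie_domain"] = same_cookie_domain(
        info["collector"], info["target"], cookie_domain)
    return info
```

When same_cookie_domain is False for a real deployment, the TARGET will never receive the SMSESSION cookie and the IsAuthenticated call there fails, which is the redirect-loop condition the post warns about.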

 

 

IsProtected/IsAuthenticated from Credential Collector web agent and redirect back to target url

 

 

[01/25/2016][18:00:41][7080][7052][CSmHighLevelAgent.cpp:970][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][][][][][][Start new request.]

[01/25/2016][18:00:41][7080][7052][CSmResourceManager.cpp:187][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource.]

[01/25/2016][18:00:41][7080][7052][CSmHttpPlugin.cpp:8683][CSmHttpPlugin::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[01/25/2016][18:00:41][7080][7052][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[01/25/2016][18:00:41][7080][7052][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][][][][][][Resolved Client IP address '192.168.201.101'.]

[01/25/2016][18:00:41][7080][7052][SmFCC.cpp:2917][SmFcc::getLocalePath][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][][][][Localized Path = C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc, working locale = en-US]

[01/25/2016][18:00:41][7080][7052][CSmFormTemplateCache.cpp:209][CSmFormTemplateCache::GetForm][][][][][][][Form template 'C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc' not found in cache.]

[01/25/2016][18:00:41][7080][7052][CSmFormTemplateCache.cpp:226][CSmFormTemplateCache::GetForm][][][][][][][Serving form template 'C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc' from disk.]

[01/25/2016][18:00:41][7080][7052][CSmFormTemplateCache.cpp:269][CSmFormTemplateCache::GetForm][][][][][][][Form template 'C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc' stored in cache.]

[01/25/2016][18:00:41][7080][7052][SmAdvancedAuthCore.cpp:632][SmAdvancedAuthCore::parseTargetUrl][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][][/html/][][Resolved cookie domain '.sso.lab'.]

[01/25/2016][18:00:41][7080][7052][CSmResourceManager.cpp:225][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource returned SmSuccess.]

[01/25/2016][18:00:41][7080][7052][CSmLowLevelAgent.cpp:503][IsResourceProtected][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][Resource is protected from Policy Server.]

[01/25/2016][18:00:41][7080][7052][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[01/25/2016][18:00:41][7080][7052][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][Processing IsProtected responses.]

[01/25/2016][18:00:41][7080][7052][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[01/25/2016][18:00:41][7080][7052][CSmCredentialManager.cpp:222][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]

[01/25/2016][18:00:41][7080][7052][SmFCC.cpp:703][SmFcc::getCredentials][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][Success in collecting credentials.]

[01/25/2016][18:00:41][7080][7052][SmPluginUtilities.cpp:481][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][POST preservation, handling return from credential collector.]

[01/25/2016][18:00:41][7080][7052][SmPluginUtilities.cpp:618][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][http response http://www.sso.lab/html/]

[01/25/2016][18:00:41][7080][7052][CSmCredentialManager.cpp:260][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmSuccess.]

[01/25/2016][18:00:43][7080][7052][CSmLowLevelAgent.cpp:1200][AuthenticateUser][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][User 'smuser' is authenticated by Policy Server.]

[01/25/2016][18:00:43][7080][7052][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][Processing Authentication responses.]

[01/25/2016][18:00:43][7080][7052][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][Deleted cookie 'SMTRYNO'.]

[01/25/2016][18:00:43][7080][7052][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[01/25/2016][18:00:43][7080][7052][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:1415][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][SAVEDSESSION Cookie Created.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][Generated SMSESSION cookie.]

[01/25/2016][18:00:43][7080][7052][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[01/25/2016][18:00:43][7080][7052][CSmHighLevelAgent.cpp:1282][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][End new request.]

 

IsProtected/IsAuthenticated/IsAuthorized from target web agent

 

 

[01/25/2016][18:00:43][7080][7052][CSmHighLevelAgent.cpp:321][ProcessRequest][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][][][][][][Start new request.]

[01/25/2016][18:00:43][7080][7052][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:490][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][][][][][][Resolved hostname: 'www.sso.lab'.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:509][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][][][][][][Resolved agentname: 'agent.iis'.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][][][agent.iis][][][Resolved Client IP address '192.168.201.101'.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:657][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][][][Resolved URL: '/html/'.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:781][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][][Resolved METHOD: 'GET'.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:834][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][][Resolved cookie domain: '.sso.lab'.]

[01/25/2016][18:00:43][7080][7052][CSmResourceManager.cpp:112][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmSuccess.]

[01/25/2016][18:00:43][7080][7052][CSmSessionManager.cpp:82][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][][Calling SM_WAF_HTTP_PLUGIN->EstablishSession.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:6609][CSmHttpPlugin::ProcessSessionCookie][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Decoded SMSESSION cookie - User = 'CN=smuser,CN=Users,DC=sso,DC=lab', IP address = '192.168.201.101'.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:2216][CSmHttpPlugin::EstablishSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Processed SMSESSION cookie.]

[01/25/2016][18:00:43][7080][7052][CSmSessionManager.cpp:119][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmSuccess.]

[01/25/2016][18:00:43][7080][7052][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Resource is protected from cache.]

[01/25/2016][18:00:43][7080][7052][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Processing IsProtected responses.]

[01/25/2016][18:00:43][7080][7052][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[01/25/2016][18:00:43][7080][7052][CSmCredentialManager.cpp:103][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Found session, no credentials required.]

[01/25/2016][18:00:43][7080][7052][CSmLowLevelAgent.cpp:999][AuthenticateUser][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Validating session 'XAEiYfEY6sD2bmJ9l6DXkd3nnV8=' for user 'CN=smuser,CN=Users,DC=sso,DC=lab' in zone 'SM'.]

[01/25/2016][18:00:43][7080][7052][CSmLowLevelAgent.cpp:1195][AuthenticateUser][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][User 'CN=smuser,CN=Users,DC=sso,DC=lab' is authenticated from cache.]

[01/25/2016][18:00:43][7080][7052][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Processing Authentication responses.]

[01/25/2016][18:00:43][7080][7052][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[01/25/2016][18:00:43][7080][7052][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Generated SMSESSION cookie.]

[01/25/2016][18:00:43][7080][7052][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[01/25/2016][18:00:43][7080][7052][CSmLowLevelAgent.cpp:2768][AuthorizeUser][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][User 'CN=smuser,CN=Users,DC=sso,DC=lab' is authorized by Policy Server.]

[01/25/2016][18:00:43][7080][7052][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:3270][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Processing Authorization responses.]

[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:3277][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Removing HTTP cache request headers.]

[01/25/2016][18:00:43][7080][7052][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[01/25/2016][18:00:43][7080][7052][CSmHighLevelAgent.cpp:801][ProcessRequest][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][AuthorizationManager returned SmYes, end new request.]

[01/25/2016][18:00:43][7080][7052][CSmHighLevelAgent.cpp:921][ProcessRequest][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][End new request.]

 

In the above trace log at the target web agent, it reports that it has received the SMSESSION cookie, that the user is "CN=smuser,CN=Users,DC=sso,DC=lab", and that the user was authenticated from IP "192.168.201.101".

 

Then it went on with IsProtected/IsAuthenticated/IsAuthorized.

 

As this is ALL-IN-ONE, the target web agent and the credential collector (login) web agent are the same.

So, the user was authenticated from cache when the user was redirected to the target from the login page.

Authorization was from the Policy Server, as this user had not been authorized before.
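A summariser for the trace lines quoted above, as an added example (not a CA tool): it groups lines by transaction id and records where each IsProtected/IsAuthenticated/IsAuthorized decision came from (Policy Server or cache), which is how you tell the three requests apart. The field layout is inferred from the quoted lines, and the sample is a handful of them copied into the script.

```python
"""Summarise the Web Agent trace lines quoted in this post by transaction.

Added example, not a CA tool. The field layout is inferred from the quoted
lines: [date][time][pid][tid][file:line][function][transaction id]
[client ip][?][agent][resource][user][message]. Lines with a different
bracket count (e.g. ResolveFQServerName) carry no transaction id and are
skipped by the summary.
"""
import re

# Constructed sample: lines copied from the three requests in the post
# (challenge at the target, login at the collector, return to the target).
SAMPLE_LOG = """\
[01/25/2016][17:37:36][6152][6496][CSmHighLevelAgent.cpp:321][ProcessRequest][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][][][][][][Start new request.]
[01/25/2016][17:37:36][6152][6496][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]
[01/25/2016][17:37:36][6152][6496][CSmLowLevelAgent.cpp:503][IsResourceProtected][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Resource is protected from Policy Server.]
[01/25/2016][17:37:36][6152][6496][CSmHttpCredCore.cpp:1973][CSmHttpCredCore::DoFormsChallenge][000080fe0000000097e114e8f8b90736-1808-56a5c2b0-1960-02f60029][*192.168.201.101][][agent.iis][/html/][][Redirecting to credential collector 'http://www.sso.lab/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-43eff5e5-5a70-412d-b5a4-8394a090d152&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-http%3a%2f%2fwww%2esso%2elab%2fhtml%2f'.]
[01/25/2016][18:00:41][7080][7052][CSmHighLevelAgent.cpp:970][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][][][][][][Start new request.]
[01/25/2016][18:00:43][7080][7052][CSmLowLevelAgent.cpp:1200][AuthenticateUser][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][][User 'smuser' is authenticated by Policy Server.]
[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-1ba8-56a5c819-1b8c-03500029][*192.168.201.101][][agent.iis][/html/][smuser][Generated SMSESSION cookie.]
[01/25/2016][18:00:43][7080][7052][CSmHighLevelAgent.cpp:321][ProcessRequest][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][][][][][][Start new request.]
[01/25/2016][18:00:43][7080][7052][CSmHttpPlugin.cpp:6609][CSmHttpPlugin::ProcessSessionCookie][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Decoded SMSESSION cookie - User = 'CN=smuser,CN=Users,DC=sso,DC=lab', IP address = '192.168.201.101'.]
[01/25/2016][18:00:43][7080][7052][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][Resource is protected from cache.]
[01/25/2016][18:00:43][7080][7052][CSmLowLevelAgent.cpp:1195][AuthenticateUser][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][User 'CN=smuser,CN=Users,DC=sso,DC=lab' is authenticated from cache.]
[01/25/2016][18:00:43][7080][7052][CSmLowLevelAgent.cpp:2768][AuthorizeUser][000080fe0000000097e114e8f8b90736-1ba8-56a5c81b-1b8c-00600f3e][*192.168.201.101][][agent.iis][/html/][smuser][User 'CN=smuser,CN=Users,DC=sso,DC=lab' is authorized by Policy Server.]
"""

FULL_LAYOUT = 13  # bracket count of a normal line in the quoted log

# Decisions worth pulling out of the message field, in the agent's own words.
EVENTS = [
    ("is_protected", re.compile(r"Resource is protected from (Policy Server|cache)")),
    ("authenticated", re.compile(r"User '([^']*)' is authenticated (?:by|from) (Policy Server|cache)")),
    ("authorized", re.compile(r"User '([^']*)' is authorized (?:by|from) (Policy Server|cache)")),
    ("challenge", re.compile(r"Redirecting to credential collector '([^']*)'")),
    ("session_cookie", re.compile(r"Decoded SMSESSION cookie - User = '([^']*)'")),
    ("new_session", re.compile(r"Generated SMSESSION cookie")),
]


def parse_line(line):
    """Split one trace line into its bracketed fields; None if not a trace line."""
    line = line.strip()
    if not (line.startswith("[") and line.endswith("]")):
        return None
    fields = line[1:-1].split("][")
    if len(fields) < 8:
        return None
    rec = {"time": fields[0] + " " + fields[1], "source": fields[4],
           "function": fields[5], "txid": fields[6], "message": fields[-1]}
    if len(fields) == FULL_LAYOUT:
        rec.update(client_ip=fields[7].lstrip("*"), agent=fields[9],
                   resource=fields[10], user=fields[11])
    return rec


def summarize(log_text):
    """Group lines by transaction id and record the decisions seen in each."""
    txs = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or not rec["txid"]:
            continue
        tx = txs.setdefault(rec["txid"], {"agent": "", "resource": "",
                                          "user": "", "client_ip": "",
                                          "events": []})
        for key in ("agent", "resource", "user", "client_ip"):
            if rec.get(key):  # later lines fill in fields the first ones lack
                tx[key] = rec[key]
        for name, pattern in EVENTS:
            m = pattern.search(rec["message"])
            if m:
                tx["events"].append((name,) + m.groups())
    return txs


def decision_sources(tx):
    """Map each decision to where the agent got it (Policy Server or cache).
    A request that was challenged never reaches authentication/authorization."""
    out = {}
    for ev in tx["events"]:
        if ev[0] == "is_protected":
            out["is_protected"] = ev[1]
        elif ev[0] in ("authenticated", "authorized"):
            out[ev[0]] = ev[2]
        elif ev[0] == "challenge":
            out["challenge"] = ev[1]
    return out
```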

 

Another thing to highlight is that the Credential Collector web agent authenticated the user from the http://www.sso.lab/siteminderagent/forms/login.fcc page.

This web site's cookie domain is ".sso.lab".

So, the SMSESSION cookie was generated for this cookie domain.

[Resolved cookie domain: '.sso.lab'.]

 

If the Credential Collector's cookie domain and the Target web agent's cookie domain did not match, the SMSESSION cookie would not have been submitted by the browser, which will fail at the IsAuthenticated call.

 

This will cause a redirect loop.

Fortunately, the "HTML Form Template" authentication scheme is not a seamless login (such as NTLM/IWA), so it does not loop by itself.

It is important that you check whether the authentication scheme causes a loop or not for any error conditions.

 

In the next article, we will be adding one more user attribute for authentication (email).

 

This concludes "Configuring an ALL-IN-ONE VM Image - Part 3"

 
