SungHoon_Kim

Configuring an ALL-IN-ONE VM Image - Part 6

Blog Post created by SungHoon_Kim Employee on Feb 10, 2016

This is something I like to do once in a while. It takes a long time to set everything up, but to me it is a hobby. It is like putting together a jigsaw puzzle.

 

WARNING: THIS IS NOT SUPPORTED! THIS IS ONLY TO FULFILL YOUR CURIOSITY AND SATISFY YOUR SPIRIT GOING AGAINST ALL ODDS. THIS IS NOT A DEMONSTRATION ALLOWING YOU TO RUN SUCH CONFIGURATION IN YOUR DEV/TEST/QA/PROD ENVIRONMENT.

 

This environment is a continuation of the "Creating an ALL-IN-ONE VM Image" series (links below).

 

Creating an ALL-IN-ONE VM Image - Part 1

Creating an ALL-IN-ONE VM Image - Part 2

Creating an ALL-IN-ONE VM Image - Part 3

Creating an ALL-IN-ONE VM Image - Part 4

Creating an ALL-IN-ONE VM Image - Part 5

Creating an ALL-IN-ONE VM Image - Part 6

Creating an ALL-IN-ONE VM Image - Part 7

Creating an ALL-IN-ONE VM Image - Part 8

Creating an ALL-IN-ONE VM Image - Part 9

Creating an ALL-IN-ONE VM Image - Part 10-1

Creating an ALL-IN-ONE VM Image - Part 10-2

 

 

The following configuration will be set up.

 

01. Basic setup - Create an application and protect it using Forms Authentication.

     - Service configuration

     - Startup/Shutdown scripts

     - Logging

     - Basic Concepts

02. Standard Authentication Schemes

     - Basic Concepts

     - Basic

     - HTML Forms

     - HTML using UID and EMAIL

     - Basic over SSL

03. Certificate Authentication Schemes

     - X.509 Certificate Only

     - X.509 Certificate or Basic

     - X.509 Certificate and Basic

     - X.509 Certificate or Form

     - X.509 Certificate and Form

04. Windows Authentication Scheme

05. OAuth Authentication Scheme

06. Cookie Provider

07. Directory Mapping

08. Password Services

09. Impersonation

10. Session Assurance

11. SAML 2.0 Partnership Federation - SSO

12. SAML 2.0 Partnership Federation - SLO

13. SAML 2.0 Partnership Federation - RelayState

14. SAML 2.0 Partnership Federation - Negative Assertion

15. SAML 1.x Partnership Federation

16. Audit Log import

17. Generating Reports

18. SiteMinder Test Tool

19. Global Delivery Modules

20. Troubleshooting

 

Continued from Part 5.

 

We have all the prerequisites (except for one configuration on the Web Server side), so we can now proceed to configure "X.509 Certificate Only".

 

X.509 Certificate Only

 

We need the following to set up this use case.

 

* Make sure you have the content on your web server for /cert/ virtual directory.

* Create X.509 Certificate Authentication Scheme.

* Create Component and Resource from AdminUI to protect this resource.

* Create Certificate Mapping

* Configure "SSL Setting" for "/siteminderagent/cert".

 

Create X.509 Certificate Authentication Scheme

Previously demonstrated steps will be skipped.

 

Enter the following and submit.

 

Name: Certificate Only

Authentication Scheme Type: X509 Client Cert Template

Protection Level: 5

Server Name: www.sso.lab

Target: /siteminderagent/cert/smgetcred.scc

Library: smauthcert

 

Create Component and Resource from AdminUI to protect this resource.

 

Click on "Create Component".

Click "OK"

Click "Resources" tab.

 

Select "/cert/" from "Select a context root" and click "Create".

Enter the following and click "OK".

 

Name: Access Cert Only

Resource: *

Allow/Deny: Allow Access, Enabled

Action: Web Agent actions, GET, POST

 

Click on "OK"

 

Click on "Policies" tab and select "/cert/" from "Select a context root".

Then assign "Basic Role" to "Access Cert Only" resource.

 

Click "Submit".

 

Create Certificate Mapping

A Certificate Mapping registers the IssuerDN of the trusted Certificate Authority, that is, which issuer's certificates the Policy Server will accept and how it maps a certificate to a user.

In order to create the Certificate Mapping, you first need to know how SiteMinder reads the certificate.

It can be quite different from what you might expect, so we will enable the Policy Server trace profiler to get this information.

 

I am using the following profiler template.

<PS>/config/smtracedefault.txt

components: AgentFunc/IsProtected, AgentFunc/Login, AgentFunc/ChangePassword, AgentFunc/Validate, AgentFunc/Logout, AgentFunc/Authorize, AgentFunc/GetConfig, AgentFunc/DoManagement, AgentFunc/GetSingleUseCookie, AgentFunc/SetSingleUseCookie, AgentFunc/DelSingleUseCookie, IsProtected, Login_Logout/Authentication, Login_Logout/Policy_Evaluation, Login_Logout/Active_Expression, Login_Logout/Password_Service, Login_Logout/Certificates, Login_Logout/Session_Management, IsAuthorized/Policy_Evaluation, LDAP/Connection_Management, LDAP/Performance_Measurement, LDAP/Ldap_Error_Messages, Fed_Server/Assertion_Generator, Fed_Server/Auth_Scheme, Fed_Server/Configuration, Fed_Server/Single_Logout, Fed_Server/Saml_Requester

data: Date, Time, User, Message, Data, AgentName, Resource, AuthStatus, AuthReason, CertDistPt, Query, CallDetail, Pid, Tid, IssuerDN, SubjectDN

version: 1.1

 

So the file above has 4 lines: "components", "data", "version" and one empty line.

It is not the minimum required, so it will log much more data than this exercise needs.

It is a template that I regularly use in general.

 

Now, if you visit http://www.sso.lab/cert/, your browser will be redirected to https://www.sso.lab/siteminderagent/cert/1454918713/smgetcred.scc?TYPE=16777244&REALM=-SM-Certificate%20Only%20[19%3a05%… and you will get an "Access Forbidden" HTML page.

 

 

This is currently the expected behaviour.

This is where we need to configure the last prerequisite, the configuration on the Web Server side.

Load the IIS Management Console and navigate to the "/siteminderagent/cert" virtual directory.

 

 

In the right pane, click "SSL Settings".

Set the following and click "Apply".

 

Require SSL: true

Client certificates: Require

 

Now visit http://www.sso.lab/cert/ and this time you will get a certificate popup as shown below.

 

 

Depending on the browser, the certificate may be submitted automatically if there is only one client certificate.

Chrome will prompt.

Click "OK" to submit the certificate.

 

It is expected to fail at this stage because we do not have the certificate mapping configured yet.

What we are doing here is submitting a client certificate and capturing from smtracedefault.log how SiteMinder parses the IssuerDN of this certificate.

 

smtracedefault.log

[02/08/2016][19:38:10][][** Received request from agent][][agent.iis][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Authenticating user.][][agent.iis][/cert/][5][0][][][][3684][4420][][]

[02/08/2016][19:38:10][][Using LDAP server bank #1][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Enter function getSpecificScheme][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Auth Scheme used: Cert][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Enter function parseCert][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][length of serial is: 10][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Printing serial: 61][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Printing serial:  35][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Printing serial:  DB][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Printing serial:  32][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Printing serial:  07][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][CRL DPName = ldap:///CN=TESTLABCA,CN=TESTMC1,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=sso,DC=lab?certificateRevocationList?base?objectClass=cRLDistributionPoint][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Parsed certificate for SubjectDN DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab][][][][][][][][][3684][4420][DC=lab,DC=sso,CN=TESTLABCA][DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab]

[02/08/2016][19:38:10][][currentCert.certBinLen: 1348][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Print currentCert's subjectDN, issuerDN, serialNumber and CertDIstPt.][][][][][][ldap:///CN=TESTLABCA,CN=TESTMC1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sso,DC=lab?certificateRevocationList?base?objectClass=cRLDistributionPoint][][][3684][4420][DC=lab,DC=sso,CN=TESTLABCA][DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab]

[02/08/2016][19:38:10][][Mapping issuerDN thing][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Unable to find issuer DN in certificate mapping rules][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Authentication failed][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][SmSamlDataContext::~SmSamlDataContext: Cleaning up][Cleaning up][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][** Status: Authentication Attempt Failed. ][][agent.iis][][][][][][][3684][4420][][]

 

Look for "Parsed certificate" and you will find [IssuerDN] and [SubjectDN] at the end of the line.

They were parsed as below.

IssuerDN: DC=lab,DC=sso,CN=TESTLABCA

SubjectDN: DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab

 

You can see that the RDN order is reversed. Some certificates will also be parsed with a space after each comma, which in this case did not happen.

There can also be escaped characters, so taking the IssuerDN from smtracedefault.log is the most reliable way to get the exact string the Policy Server will compare against.

 

Another way is to import the certificate into the Certificate Data Store and use smkeytool to list the certificates, which will also give the same parsed IssuerDN.
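The trace lines above follow the "data:" line of the profiler template one-for-one: each bracketed field is one entry, in that order, so IssuerDN and SubjectDN are always the 15th and 16th fields. As an added example (not code from the original post or from SiteMinder), here is a small Python parser that pulls those two fields out of a trace excerpt and reports whether the Policy Server found the issuer in its mapping rules. The sample lines are copied from the excerpts on this page; the only assumption is that the trace was written with the profiler template shown above, so the field order matches that "data:" line.

```python
"""Pull IssuerDN / SubjectDN out of smtracedefault.log lines.

Added example, not code from the original post or from SiteMinder. It assumes
the trace was written with the profiler template shown above, so every entry
in its "data:" line appears as one "[...]" field, in the same order.
"""
from typing import Dict, List, Optional, Tuple

# Field order copied from the "data:" line of the profiler template.
DATA_FIELDS = [
    "Date", "Time", "User", "Message", "Data", "AgentName", "Resource",
    "AuthStatus", "AuthReason", "CertDistPt", "Query", "CallDetail",
    "Pid", "Tid", "IssuerDN", "SubjectDN",
]

# Constructed sample: three lines copied from the failed attempt above.
SAMPLE_FAILED = """\
[02/08/2016][19:38:10][][Parsed certificate for SubjectDN DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab][][][][][][][][][3684][4420][DC=lab,DC=sso,CN=TESTLABCA][DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab]
[02/08/2016][19:38:10][][Unable to find issuer DN in certificate mapping rules][][][][][][][][][3684][4420][][]
[02/08/2016][19:38:10][][** Status: Authentication Attempt Failed. ][][agent.iis][][][][][][][3684][4420][][]
"""

# Constructed sample: two lines copied from the successful attempt further down.
SAMPLE_MAPPED = """\
[02/08/2016][19:51:25][][Parsed certificate for SubjectDN DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab][][][][][][][][][3684][4420][DC=lab,DC=sso,CN=TESTLABCA][DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab]
[02/08/2016][19:51:25][][Certificate's Issuer DN found in mapping rules][][][][][][][][][3684][4420][DC=lab,DC=sso,CN=TESTLABCA][]
"""


def parse_trace_line(line: str) -> Optional[Dict[str, str]]:
    """Split one trace line into a dict keyed by DATA_FIELDS.

    Returns None for anything that does not carry exactly one field per
    "data:" entry (blank lines, a truncated line, or a message that itself
    contains the "][" separator), so callers never read shifted columns.
    """
    line = line.strip()
    if not (line.startswith("[") and line.endswith("]")):
        return None
    parts = line[1:-1].split("][")
    if len(parts) != len(DATA_FIELDS):
        return None
    return dict(zip(DATA_FIELDS, parts))


def certificate_dns(log_text: str) -> List[Tuple[str, str]]:
    """Return (IssuerDN, SubjectDN) from every 'Parsed certificate' line.

    The IssuerDN is exactly the string to paste into the Certificate Mapping.
    """
    pairs = []
    for raw in log_text.splitlines():
        rec = parse_trace_line(raw)
        if rec and rec["Message"].startswith("Parsed certificate") and rec["IssuerDN"]:
            pairs.append((rec["IssuerDN"], rec["SubjectDN"]))
    return pairs


def mapping_outcome(log_text: str) -> str:
    """Report whether the Policy Server found the issuer in its mapping rules."""
    for raw in log_text.splitlines():
        rec = parse_trace_line(raw)
        if rec is None:
            continue
        if rec["Message"].startswith("Unable to find issuer DN"):
            return "no-mapping"
        if rec["Message"].startswith("Certificate's Issuer DN found"):
            return "mapped"
    return "unknown"


if __name__ == "__main__":
    for name, text in (("failed", SAMPLE_FAILED), ("mapped", SAMPLE_MAPPED)):
        print(name, mapping_outcome(text), certificate_dns(text))
```

Because the parser refuses lines whose field count does not match the template, it will simply skip a trace written with a different "data:" line instead of reporting a wrong column as the IssuerDN; adjust DATA_FIELDS if your template differs.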

 

Log on to AdminUI and enter the Certificate Mapping using the IssuerDN parsed above.

Navigate to "Infrastructure ==> Directory ==> Certificate Mappings" and click "Create Certificate Mapping".

 

 

Enter the following and click "Submit".

 

IssuerDN: DC=lab,DC=sso,CN=TESTLABCA

     (copied and pasted from smtracedefault.log)

Directory Type: LDAP/AD

     This is where the sample user is stored.

Mapping: Single Attribute

Attribute Name: CN

     This tells SiteMinder that the CN value from the certificate matches the username in the user store.

 

 

Open a new Chrome instance, access http://www.sso.lab/cert/ and check smtracedefault.log again.

smtracedefault.log

[02/08/2016][19:51:25][][** Received request from agent][][agent.iis][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Authenticating user.][][agent.iis][/cert/][5][0][][][][3684][4420][][]

[02/08/2016][19:51:25][][Using LDAP server bank #1][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Enter function getSpecificScheme][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Auth Scheme used: Cert][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Enter function parseCert][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][length of serial is: 10][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial: 61][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  35][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  DB][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  32][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  07][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][CRL DPName = ldap:///CN=TESTLABCA,CN=TESTMC1,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=sso,DC=lab?certificateRevocationList?base?objectClass=cRLDistributionPoint][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Parsed certificate for SubjectDN DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab][][][][][][][][][3684][4420][DC=lab,DC=sso,CN=TESTLABCA][DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab]

[02/08/2016][19:51:25][][currentCert.certBinLen: 1348][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Print currentCert's subjectDN, issuerDN, serialNumber and CertDIstPt.][][][][][][ldap:///CN=TESTLABCA,CN=TESTMC1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sso,DC=lab?certificateRevocationList?base?objectClass=cRLDistributionPoint][][][3684][4420][DC=lab,DC=sso,CN=TESTLABCA][DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab]

[02/08/2016][19:51:25][][Mapping issuerDN thing][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Comparing to IssuerDN.][][][][][][][][][3684][4420][DC=lab,DC=sso,CN=TESTLABCA][]

[02/08/2016][19:51:25][][Apply Mapping(MapCertToName)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Enter function ApplyMapToLDAPRules][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][map subjectDN (DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab)  using string: '(%{CN})'][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (certSerialNumber)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (certSerialNumber).(certSerialNumber)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (certSerialNumber.certSerialNumber) Value is (61 35 DB 32 00 00 00 00 00 07)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (IssuerDN)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (IssuerDN).(IssuerDN)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (IssuerDN.IssuerDN) Value is (DC=lab,DC=sso,CN=TESTLABCA)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (DC)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (DC).(DC)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (DC.DC) Value is (lab)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (DC)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (DC2).(DC)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (DC2.DC) Value is (sso)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (OU)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (OU).(OU)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (OU.OU) Value is (People)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (CN)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (CN).(CN)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (CN.CN) Value is (user1)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (E)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (E).(E)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (E.E) Value is (user1@sso.lab)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Final option 0 is 'CN'][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Parameter is CN][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'certSerialNumber' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'certSerialNumber.certSerialNumber' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'IssuerDN' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'IssuerDN.IssuerDN' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'DC' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'DC.DC' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'DC2' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'DC2.DC' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'OU' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'OU.OU' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'CN' to 'CN' : Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][returning success.][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][user1][Will be authenticating user.][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][LDAP search of (samaccountname=user1) took 0 seconds and 1000 microseconds][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][LDAP search of (&(samaccountname=user1)(objectclass=*)) took 0 seconds and 0 microseconds][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][LDAP search of (&(samaccountname=user1)(objectclass=*)) took 0 seconds and 0 microseconds][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][LDAP search of (&(samaccountname=user1)(objectclass=*)) took 0 seconds and 1000 microseconds][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Authenticating user by the auth scheme][LDAP://192.168.201.101 192.168.201.102/CN=user1,OU=People,DC=sso,DC=lab][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Enter function getSpecificScheme][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Auth Scheme used: Cert][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Enter function parseCert][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][length of serial is: 10][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial: 61][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  35][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  DB][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  32][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  07][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][CRL DPName = ldap:///CN=TESTLABCA,CN=TESTMC1,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=sso,DC=lab?certificateRevocationList?base?objectClass=cRLDistributionPoint][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Parsed certificate for SubjectDN DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab][][][][][][][][][3684][4420][DC=lab,DC=sso,CN=TESTLABCA][DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab]

[02/08/2016][19:51:25][][Print currentCert.certBinLen: 1348][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Print currentCert's subjectDN, issuerDN, CertSerial and CertDistPt][][][][][][ldap:///CN=TESTLABCA,CN=TESTMC1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sso,DC=lab?certificateRevocationList?base?objectClass=cRLDistributionPoint][][][3684][4420][DC=lab,DC=sso,CN=TESTLABCA][DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab]

[02/08/2016][19:51:25][][Comparing to IssuerDN.][][][][][][][][][3684][4420][DC=lab,DC=sso,CN=TESTLABCA][]

[02/08/2016][19:51:25][][Certificate's Issuer DN found in mapping rules][][][][][][][][][3684][4420][DC=lab,DC=sso,CN=TESTLABCA][]

[02/08/2016][19:51:25][][Enter function ApplyMapToLDAPRules][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][map subjectDN (DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab)  using string: '(%{CN})'][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (certSerialNumber)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (certSerialNumber).(certSerialNumber)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (certSerialNumber.certSerialNumber) Value is (61 35 DB 32 00 00 00 00 00 07)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (IssuerDN)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (IssuerDN).(IssuerDN)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (IssuerDN.IssuerDN) Value is (DC=lab,DC=sso,CN=TESTLABCA)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (DC)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (DC).(DC)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (DC.DC) Value is (lab)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (DC)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (DC2).(DC)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (DC2.DC) Value is (sso)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (OU)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (OU).(OU)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (OU.OU) Value is (People)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (CN)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (CN).(CN)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (CN.CN) Value is (user1)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (E)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (E).(E)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (E.E) Value is (user1@sso.lab)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Final option 0 is 'CN'][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Parameter is CN][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'certSerialNumber' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'certSerialNumber.certSerialNumber' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'IssuerDN' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'IssuerDN.IssuerDN' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'DC' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'DC.DC' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'DC2' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'DC2.DC' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'OU' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'OU.OU' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'CN' to 'CN' : Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][returning success.][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Failover is not enabled.][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][SessionAssurance is not enabled.][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][SmSamlDataContext::~SmSamlDataContext: Cleaning up][Cleaning up][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][** Status: Authenticated. ][][agent.iis][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][** Received agent request.][trust_testmc1][agent.iis][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][Validate session and session type for the user.][2][][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][Realm Authorization Mapping optimized][][][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][Failed to find any valid user using Identity Mapping][][][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][Using LDAP server bank #1][][][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][Authorizing user...][][agent.iis][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][Start of user policy analysis for realm.][][][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][Check the Policy.][][][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][Check the Rule][][][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][Evaluating policy...][][][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][EPMRoleEvaluator: Evaluating Role "Basic Role"][Evaluating Role "Basic Role"][][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][Processing Attribute [Property = SM_USERDN] [Trim Property = SM_USERDN] [Separator = ^]][][][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][Policy is not applicable. Skipped.][][][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][IsOk? No.][][][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][** Status: Not Authorized. ][][agent.iis][][][][][][][3684][4424][][]

 

I have highlighted the important parts in red and blue (the "Parsed certificate" line and the "Comparing to IssuerDN." line).

You can see the parsed IssuerDN (red) and the Certificate Mapping IssuerDN (blue), and that they match.

 

user1 was found and is authenticated.

The user was not authorized because the Role "Basic Role" did not match the user.

That is because "Basic Role" has an expression which only matches users in "CN=Users,DC=sso,DC=lab".

user1 is in "OU=People,DC=sso,DC=lab", so this is the expected behaviour.

 

 

Let's modify "Basic Role" to include "OU=People,DC=sso,DC=lab".

 

The above will authorize users from the "CN=Users,DC=sso,DC=lab" container as well as the "OU=People,DC=sso,DC=lab" container.

Submit the changes and test again.

 

 

This time the user is authenticated and authorized.

You can also see from the above that the CERT_ISSUER header value does not match the IssuerDN parsed by the Policy Server.

That is why the best way is to copy it from smtracedefault.log or from "smkeytool -listcerts".

 

Note:

    * The SMUSER header will be the UserDN, not the SubjectDN of the certificate.

    * Password Services are not involved, as certificate authentication does not require a user password.

 

Now, back to why I created OU=People rather than just using the sample users in CN=Users.

Our Certificate Mapping looks up a user by "CN".

In this case, the PS will try to match the first CN found in the Certificate DN.

[DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab]

From the above Certificate DN, the first CN is "CN=user1", so it will look up "user1" in the user directory.

 

[DC=lab,DC=sso,CN=Users,CN=user1,E=user1@sso.lab]

From the above Certificate DN, the first CN is "CN=Users", so the PS will try to look up "Users" in the user directory and will not find a user.

So the result will be an AuthAttempt.

 

If you must use the 2nd sample above, you can set the Certificate Mapping to look up "CN2".

This means the PS will match the 2nd CN, so it will find "user1".

"CN2" will not appear in the dropdown list, so you will need to select "Custom" and enter "CN2".
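To make the CN / CN2 behaviour concrete, here is an added Python illustration (not SiteMinder's code, and only a model of the lookup the post describes): it splits a parsed DN into RDNs, numbers repeated attributes the way the trace does (DC, DC2, OU, CN, E), and returns the value a single-attribute mapping of "CN" or "CN2" would select. The two DNs are the ones quoted above; dropping the backslash from an escaped comma is this example's own choice.

```python
"""Model of the single-attribute certificate mapping described above.

Added example, not SiteMinder's code: it only reproduces the behaviour the
post describes (and the DC, DC2, OU, CN, E naming visible in the trace).
Dropping the backslash from an escaped comma is this example's own choice.
"""
from typing import Dict, List, Optional, Tuple

# The two certificate DNs quoted above, in the order the Policy Server prints them.
PEOPLE_DN = "DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab"
USERS_DN = "DC=lab,DC=sso,CN=Users,CN=user1,E=user1@sso.lab"


def split_rdns(dn: str) -> List[Tuple[str, str]]:
    """Split a DN string into (attribute, value) pairs in the order written.

    A comma preceded by a backslash belongs to the value (the backslash is
    dropped); whitespace around separators is ignored, so a DN printed with
    a space after each comma compares equal to one printed without.
    """
    pieces, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            pieces.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    pieces.append("".join(buf))
    rdns = []
    for piece in pieces:
        piece = piece.strip()
        if piece:
            name, _, value = piece.partition("=")
            rdns.append((name.strip().upper(), value.strip()))
    return rdns


def number_attributes(rdns: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Label repeated attributes the way the trace does: DC, DC2, DC3, ..."""
    seen: Dict[str, int] = {}
    labelled = []
    for name, value in rdns:
        seen[name] = seen.get(name, 0) + 1
        label = name if seen[name] == 1 else f"{name}{seen[name]}"
        labelled.append((label, value))
    return labelled


def map_cert_to_name(subject_dn: str, attribute: str) -> Optional[str]:
    """Value a single-attribute mapping such as 'CN' or 'CN2' selects, or None."""
    wanted = attribute.strip().upper()
    for label, value in number_attributes(split_rdns(subject_dn)):
        if label == wanted:
            return value
    return None


if __name__ == "__main__":
    for dn in (PEOPLE_DN, USERS_DN):
        for attr in ("CN", "CN2"):
            print(f"{attr:<3} on {dn}: {map_cert_to_name(dn, attr)!r}")
```

Run stand-alone it shows the two outcomes discussed above: "CN" yields "user1" for the OU=People subject but "Users" for the CN=Users subject, and only "CN2" yields "user1" for the latter.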

 

X.509 Certificate or Basic

 

Once the "Certificate Only" authentication scheme works, the rest is easy.

There are only minor differences.

 

We need the following to set up this use case.

 

* Make sure you have the content on your web server for /certorbasic/ virtual directory.

* Create X.509 Certificate or Basic Authentication Scheme.

* Create Component and Resource from AdminUI to protect this resource.

* Create Certificate Mapping (skip this step as it is already configured)

* Configure "SSL Setting" for "/siteminderagent/certoptional".

 

Create X.509 Certificate or Basic Authentication Scheme.

Previously demonstrated steps will be skipped.

As we used Chrome for "Certificate Only", this time I will demonstrate using IE.

 

 

First, you can check the existing certificate under "Internet Options ==> Content ==> Certificates".

The user1 certificate will expire on 7 February 2017, as you can see above.

They are usually valid for 1 year.

 

Create the "Certificate or Basic" Authentication Scheme.

Enter the following and click "Submit".

 

Name: Certificate or Basic

Authentication Scheme: X509 Client Cert or Basic Template

Protection Level: 5

Password Policies enabled: true

Server Name: www.sso.lab

Target: /siteminderagent/certoptional/smgetcred.scc

Library: smauthcert

 

It is assumed that the Certificate Challenge and the Basic Challenge will come from the same server.

If that is not the case, you can select "Basic Credentials Over SSL" and enter the "Basic Server Name".

You also need to set the target for basic auth (Basic Target: /siteminderagent/nocert/smgetcred.scc).

 

 

Note that the target is "/siteminderagent/certoptional/***" for "Certificate or Basic", whereas it was "/siteminderagent/cert/***" for Certificate Only.

 

Create Component and Resource from AdminUI to protect this resource.

Previously demonstrated steps will be skipped.

 

Create a Component and Resource matching /certorbasic/ and assign the "Certificate or Basic" authentication scheme and "Basic Role" to this resource.

 

 

 

 

 

Load the IIS Management Console and navigate to the "/siteminderagent/certoptional" virtual directory.

Click "SSL Settings" in the middle pane.

Set the following and click "Apply".

 

Require SSL: true

Client Certificates: Accept

 

 

 

 

Perform the test.

 

Test 1: visit http://www.sso.lab/certorbasic/ and submit the client certificate.

Yay, the user is authenticated... but what went wrong?

IE did not prompt me whether I wanted to submit the certificate or not.

It decided on its own to submit the certificate.

 

Whether you agree with this or not, this is the default behaviour for IE when there is only one client certificate.

If you had chosen "Enable strong private key protection" when importing the certificate, you would get a certificate popup regardless of whether you have only one certificate.

It would also ask you to enter the passphrase to access the private key.

To get the prompt, open "Internet Options ==> Security ==> Local intranet (or Internet if it is the Internet zone) ==> Custom level ==> Don't prompt for client certificate selection when only one certificate exists" and set it to "Disable".

 

Close IE and open a new IE session.

Visit http://www.sso.lab/certorbasic/ and submit the client certificate.

webagenttrace.log

[02/10/2016][18:13:40][5240][2932][CSmHighLevelAgent.cpp:970][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][][][][][][Start new request.]

[02/10/2016][18:13:40][5240][2932][CSmResourceManager.cpp:187][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:8683][CSmHttpPlugin::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][][][][][][Resolved Client IP address '192.168.201.101'.]

[02/10/2016][18:13:40][5240][2932][SmAdvancedAuthCore.cpp:632][SmAdvancedAuthCore::parseTargetUrl][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][][/certorbasic/][][Resolved cookie domain '.sso.lab'.]

[02/10/2016][18:13:40][5240][2932][CSmResourceManager.cpp:225][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource returned SmSuccess.]

[02/10/2016][18:13:40][5240][2932][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][Resource is protected from cache.]

[02/10/2016][18:13:40][5240][2932][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][Processing IsProtected responses.]

[02/10/2016][18:13:40][5240][2932][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/10/2016][18:13:40][5240][2932][CSmCredentialManager.cpp:222][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]

[02/10/2016][18:13:40][5240][2932][SmSCC.cpp:247][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][Certificate present]

[02/10/2016][18:13:40][5240][2932][SmSCC.cpp:418][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][Success in collecting credentials.]

[02/10/2016][18:13:40][5240][2932][SmPluginUtilities.cpp:481][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][POST preservation, handling return from credential collector.]

[02/10/2016][18:13:40][5240][2932][SmPluginUtilities.cpp:618][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][http response https://www.sso.lab/certorbasic/]

[02/10/2016][18:13:40][5240][2932][CSmCredentialManager.cpp:260][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmSuccess.]

[02/10/2016][18:13:40][5240][2932][CSmLowLevelAgent.cpp:1200][AuthenticateUser][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][User 'unknown' is authenticated by Policy Server.]

[02/10/2016][18:13:40][5240][2932][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][Processing Authentication responses.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:8040][CSmHttpPlugin::GenerateSSLChallengeDoneCookie][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][Generating SMCHALLENGE=SSL_CHALLENGE_DONE set-cookie response header.]

[02/10/2016][18:13:40][5240][2932][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/10/2016][18:13:40][5240][2932][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][Generated SMSESSION cookie.]

[02/10/2016][18:13:40][5240][2932][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[02/10/2016][18:13:40][5240][2932][CSmHighLevelAgent.cpp:1282][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][End new request.]

 

In the trace above, "Certificate present" means the user submitted a client certificate.

The Web Agent therefore reports "Success in collecting credentials.".

Do not be alarmed by "User 'unknown' is authenticated by Policy Server."; the user's DN shows up once the SMSESSION cookie is decoded on the following request.

The "SMCHALLENGE=SSL_CHALLENGE_DONE" cookie is set so that the certificate challenge is not issued again, which would otherwise cause a redirect loop if the user is not authenticated.

Lastly, "Generated SMSESSION cookie" confirms the user was authenticated successfully.

 

continued webagenttrace.log

[02/10/2016][18:13:40][5240][2932][CSmHighLevelAgent.cpp:321][ProcessRequest][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][][][][][][Start new request.]

[02/10/2016][18:13:40][5240][2932][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:490][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][][][][][][Resolved hostname: 'www.sso.lab'.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:509][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][][][][][][Resolved agentname: 'agent.iis'.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][][][agent.iis][][][Resolved Client IP address '192.168.201.101'.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:657][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][][][Resolved URL: '/certorbasic/'.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:781][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Resolved METHOD: 'GET'.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:834][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Resolved cookie domain: '.sso.lab'.]

[02/10/2016][18:13:40][5240][2932][CSmResourceManager.cpp:112][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmSuccess.]

[02/10/2016][18:13:40][5240][2932][CSmSessionManager.cpp:82][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->EstablishSession.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:6609][CSmHttpPlugin::ProcessSessionCookie][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Decoded SMSESSION cookie - User = 'CN=user1,OU=People,DC=sso,DC=lab', IP address = '192.168.201.101'.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:2216][CSmHttpPlugin::EstablishSession][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Processed SMSESSION cookie.]

[02/10/2016][18:13:40][5240][2932][CSmSessionManager.cpp:119][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmSuccess.]

[02/10/2016][18:13:40][5240][2932][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Resource is protected from cache.]

[02/10/2016][18:13:40][5240][2932][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Processing IsProtected responses.]

[02/10/2016][18:13:40][5240][2932][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/10/2016][18:13:40][5240][2932][CSmCredentialManager.cpp:103][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Found session, no credentials required.]

[02/10/2016][18:13:40][5240][2932][CSmLowLevelAgent.cpp:999][AuthenticateUser][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Validating session 'tDnKBQINpvxWKHrYZ5VT3zVZhWo=' for user 'CN=user1,OU=People,DC=sso,DC=lab' in zone 'SM'.]

[02/10/2016][18:13:40][5240][2932][CSmLowLevelAgent.cpp:1195][AuthenticateUser][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][User 'CN=user1,OU=People,DC=sso,DC=lab' is authenticated from cache.]

[02/10/2016][18:13:40][5240][2932][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Processing Authentication responses.]

[02/10/2016][18:13:40][5240][2932][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/10/2016][18:13:40][5240][2932][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Generated SMSESSION cookie.]

[02/10/2016][18:13:40][5240][2932][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[02/10/2016][18:13:40][5240][2932][CSmLowLevelAgent.cpp:2768][AuthorizeUser][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][User 'CN=user1,OU=People,DC=sso,DC=lab' is authorized by Policy Server.]

[02/10/2016][18:13:40][5240][2932][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:3270][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Processing Authorization responses.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:3277][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Removing HTTP cache request headers.]

[02/10/2016][18:13:40][5240][2932][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Deleted cookie 'SMCHALLENGE'.]

[02/10/2016][18:13:40][5240][2932][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/10/2016][18:13:40][5240][2932][CSmHighLevelAgent.cpp:801][ProcessRequest][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][AuthorizationManager returned SmYes, end new request.]

[02/10/2016][18:13:40][5240][2932][CSmHighLevelAgent.cpp:921][ProcessRequest][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][End new request.]

 

In this second request, once the SMSESSION cookie is decoded, the user is recognized as "CN=user1,OU=People,DC=sso,DC=lab".

After the user is authorized, the SMCHALLENGE cookie is deleted.

This completes the Certificate authentication.
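As an added example (not from the post or from CA's tooling), the Python helper below parses webagenttrace.log lines in the format shown above, groups them by transaction id and reports how each request was resolved: certificate collected, Basic credentials collected, or a challenge issued. The sample lines are constructed from the two traces on this page (shortened transaction ids), and the milestone messages it matches are only those that appear in these traces; it also covers the Basic fallback of Test2 below.

```python
"""Triage helper for Web Agent trace lines of a "Certificate or Basic" realm.

Parses the bracketed fields of webagenttrace.log, groups lines by transaction
id and reduces each transaction to: which credential was collected, whether a
challenge was issued, and whether an SMSESSION cookie was generated."""
import re
from collections import OrderedDict


def split_fields(line):
    """Split a trace line into its bracketed fields. A depth counter is used rather
    than a plain regex because the smgetcred.scc URL in some messages carries its
    own brackets (REALM=...[18%3a56%3a49%3a6500])."""
    fields, depth, buf = [], 0, []
    for ch in line:
        if ch == '[':
            depth += 1
            if depth == 1:
                buf = []
                continue
        elif ch == ']':
            depth -= 1
            if depth == 0:
                fields.append(''.join(buf))
                continue
        if depth >= 1:
            buf.append(ch)
    return fields


def parse_line(line):
    """Field layout observed in the trace: date, time, pid, tid, source, function,
    transaction id, client ip, (unused), agent, resource, user, message."""
    f = split_fields(line)
    if len(f) < 8:
        return None
    return {'time': f[1], 'source': f[4], 'txid': f[6],
            'resource': f[10] if len(f) == 13 else '', 'message': f[-1]}


# Milestones of the flow, keyed on the message text the Web Agent writes.
PATTERNS = [
    ('cert_collected', re.compile(r'^Certificate present$')),
    ('basic_collected', re.compile(r"^Decoded BASIC Context - User '(?P<user>[^']*)'$")),
    ('no_credentials', re.compile(r'^Failed to get either Certificate or Basic credentials\.$')),
    ('challenged', re.compile(r'Time to challenge\.$')),
    ('authenticated', re.compile(r"^User '(?P<user>[^']*)' is authenticated (?:by Policy Server|from cache)\.$")),
    ('ssl_challenge_done', re.compile(r'^Generating SMCHALLENGE=SSL_CHALLENGE_DONE')),
    ('challenge_deleted', re.compile(r"^Deleted cookie 'SMCHALLENGE'\.$")),
    ('session_found', re.compile(r'^Found session, no credentials required\.$')),
    ('session_created', re.compile(r'^Generated SMSESSION cookie\.$')),
]


def summarize(lines):
    """Group parsed lines by transaction id and record which milestones each hit."""
    txs = OrderedDict()
    for raw in lines:
        rec = parse_line(raw.strip())
        if not rec or not rec['txid']:  # e.g. ResolveFQServerName lines carry no id
            continue
        tx = txs.setdefault(rec['txid'], {'events': [], 'users': set()})
        for name, pat in PATTERNS:
            m = pat.search(rec['message'])
            if m:
                tx['events'].append(name)
                if 'user' in m.groupdict():
                    tx['users'].add(m.group('user'))
    return txs


def outcome(tx):
    """Reduce one transaction's milestones to a credential type and a result."""
    ev = tx['events']
    cred = next((c for k, c in (('cert_collected', 'certificate'), ('basic_collected', 'basic'),
                                ('no_credentials', 'none'), ('session_found', 'existing-session'))
                 if k in ev), 'unknown')
    result = 'session_created' if 'session_created' in ev else (
        'challenged' if 'challenged' in ev else 'incomplete')
    return {'credential': cred, 'result': result,
            'ssl_challenge_done': 'ssl_challenge_done' in ev, 'users': sorted(tx['users'])}


# Constructed sample modelled on the traces above (transaction ids shortened).
# The line with the smgetcred.scc URL carries a bracketed REALM value on purpose.
SAMPLE_LINES = [
    "[02/10/2016][18:13:40][5240][2932][SmSCC.cpp:247][SmScc::getCredentials][tx-cert][*192.168.201.101][][agent.iis][/certorbasic/][][Certificate present]",
    "[02/10/2016][18:13:40][5240][2932][SmSCC.cpp:418][SmScc::getCredentials][tx-cert][*192.168.201.101][][agent.iis][/certorbasic/][][Success in collecting credentials.]",
    "[02/10/2016][18:13:40][5240][2932][CSmLowLevelAgent.cpp:1200][AuthenticateUser][tx-cert][*192.168.201.101][][agent.iis][/certorbasic/][][User 'unknown' is authenticated by Policy Server.]",
    "[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:8040][CSmHttpPlugin::GenerateSSLChallengeDoneCookie][tx-cert][*192.168.201.101][][agent.iis][/certorbasic/][][Generating SMCHALLENGE=SSL_CHALLENGE_DONE set-cookie response header.]",
    "[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][tx-cert][*192.168.201.101][][agent.iis][/certorbasic/][][Generated SMSESSION cookie.]",
    "[02/10/2016][18:56:51][8188][8076][SmSCC.cpp:345][SmScc::getCredentials][tx-cancel][*192.168.201.101][][agent.iis][/certorbasic/][][Failed to get either Certificate or Basic credentials.]",
    "[02/10/2016][18:56:51][8188][8076][CSmHighLevelAgent.cpp:1096][ProcessAdvancedAuthentication][tx-cancel][*192.168.201.101][][agent.iis][/certorbasic/][][Challenge Manager returned SmExit, Time to challenge.]",
    "[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:657][CSmHttpPlugin::ProcessResource][tx-basic][*192.168.201.101][][agent.iis][][][Resolved URL: '/siteminderagent/certoptional/1455091009/smgetcred.scc?TYPE=16777248&REALM=-SM-Certificate%20or%20Basic%20[18%3a56%3a49%3a6500]&TARGET=-SM-https%3a%2f%2fwww%2esso%2elab%2fcertorbasic%2f'.]",
    "[02/10/2016][18:56:56][8188][8076][SmPluginUtilities.cpp:166][DeleteCookie][tx-basic][*192.168.201.101][][agent.iis][/certorbasic/][][Deleted cookie 'SMCHALLENGE'.]",
    "[02/10/2016][18:56:56][8188][8076][SmSCC.cpp:309][SmScc::getCredentials][tx-basic][*192.168.201.101][][agent.iis][/certorbasic/][][Decoded BASIC Context - User 'user1']",
    "[02/10/2016][18:56:56][8188][8076][CSmLowLevelAgent.cpp:1200][AuthenticateUser][tx-basic][*192.168.201.101][][agent.iis][/certorbasic/][][User 'user1' is authenticated by Policy Server.]",
    "[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][tx-basic][*192.168.201.101][][agent.iis][/certorbasic/][user1][Generated SMSESSION cookie.]",
]
```

Run `summarize(open('webagenttrace.log'))` against a real trace and feed each entry to `outcome()`; a transaction ending in `challenged` with credential `none` is the cancelled-certificate case of Test2.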

 

Test2: visit http://www.sso.lab/certorbasic/, cancel the client certificate prompt, and enter Basic credentials.

This time, click the "Cancel" button so that the certificate is not submitted.

If you had no certificate, you would immediately see the Basic challenge.

Because you do have one, you are given the choice to submit it or not.

 

You can now see the Basic challenge.

 

webagenttrace.log

[02/10/2016][18:56:51][8188][8076][CSmHighLevelAgent.cpp:970][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][][][][][][Start new request.]

[02/10/2016][18:56:51][8188][8076][CSmResourceManager.cpp:187][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource.]

[02/10/2016][18:56:51][8188][8076][CSmHttpPlugin.cpp:8683][CSmHttpPlugin::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/10/2016][18:56:51][8188][8076][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/10/2016][18:56:51][8188][8076][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][][][][][][Resolved Client IP address '192.168.201.101'.]

[02/10/2016][18:56:51][8188][8076][SmAdvancedAuthCore.cpp:632][SmAdvancedAuthCore::parseTargetUrl][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][*192.168.201.101][][][/certorbasic/][][Resolved cookie domain '.sso.lab'.]

[02/10/2016][18:56:51][8188][8076][CSmResourceManager.cpp:225][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource returned SmSuccess.]

[02/10/2016][18:56:51][8188][8076][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][*192.168.201.101][][agent.iis][/certorbasic/][][Resource is protected from cache.]

[02/10/2016][18:56:51][8188][8076][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/10/2016][18:56:51][8188][8076][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][*192.168.201.101][][agent.iis][/certorbasic/][][Processing IsProtected responses.]

[02/10/2016][18:56:51][8188][8076][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/10/2016][18:56:51][8188][8076][CSmCredentialManager.cpp:222][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]

[02/10/2016][18:56:51][8188][8076][SmSCC.cpp:345][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][*192.168.201.101][][agent.iis][/certorbasic/][][Failed to get either Certificate or Basic credentials.]

[02/10/2016][18:56:51][8188][8076][CSmCredentialManager.cpp:267][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmNoAction.]

[02/10/2016][18:56:51][8188][8076][CSmHighLevelAgent.cpp:1072][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][*192.168.201.101][][agent.iis][/certorbasic/][][CredentialManager returned SmNo or SmNoAction, calling ChallengeManager.]

[02/10/2016][18:56:51][8188][8076][CSmChallengeManager.cpp:194][CSmChallengeManager::DoAdvancedAuthChallenge][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthChallenge.]

[02/10/2016][18:56:51][8188][8076][CSmChallengeManager.cpp:214][CSmChallengeManager::DoAdvancedAuthChallenge][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthChallenge returned SmExit.]

[02/10/2016][18:56:51][8188][8076][CSmHighLevelAgent.cpp:1096][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][*192.168.201.101][][agent.iis][/certorbasic/][][Challenge Manager returned SmExit, Time to challenge.]

[02/10/2016][18:56:51][8188][8076][CSmLowLevelAgent.cpp:3567][ReportHealthData][][][][][][][Accumulating HealthMonitorCtxt.]

[02/10/2016][18:56:56][8188][8076][CSmHighLevelAgent.cpp:321][ProcessRequest][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][][][][][][Start new request.]

[02/10/2016][18:56:56][8188][8076][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:490][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][][][][][][Resolved hostname: 'www.sso.lab'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:509][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][][][][][][Resolved agentname: 'agent.iis'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][][][agent.iis][][][Resolved Client IP address '192.168.201.101'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:657][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][][][Resolved URL: '/siteminderagent/certoptional/1455091009/smgetcred.scc?TYPE=16777248&REALM=-SM-Certificate%20or%20Basic%20[18%3a56%3a49%3a6500]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-https%3a%2f%2fwww%2esso%2elab%2fcertorbasic%2f'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:5681][CSmHttpPlugin::AutoAuthorizedUrl][][][][][][][Auto-authorizing resource, matches IgnoreExt filter.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:698][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/siteminderagent/certoptional/1455091009/smgetcred.scc?TYPE=16777248&REALM=-SM-Certificate%20or%20Basic%20[18%3a56%3a49%3a6500]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-https%3a%2f%2fwww%2esso%2elab%2fcertorbasic%2f][][Autoauthorizing URL : 'https://www.sso.lab/siteminderagent/certoptional/1455091009/smgetcred.scc?TYPE=16777248&REALM=-SM-Certificate%20or%20Basic%20[18%3a56%3a49%3a6500]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-https%3a%2f%2fwww%2esso%2elab%2fcertorbasic%2f' , Method: 'GET' ]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:781][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/siteminderagent/certoptional/1455091009/smgetcred.scc?TYPE=16777248&REALM=-SM-Certificate%20or%20Basic%20[18%3a56%3a49%3a6500]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-https%3a%2f%2fwww%2esso%2elab%2fcertorbasic%2f][][Resolved METHOD: 'GET'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:834][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/siteminderagent/certoptional/1455091009/smgetcred.scc?TYPE=16777248&REALM=-SM-Certificate%20or%20Basic%20[18%3a56%3a49%3a6500]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-https%3a%2f%2fwww%2esso%2elab%2fcertorbasic%2f][][Resolved cookie domain: '.sso.lab'.]

[02/10/2016][18:56:56][8188][8076][CSmResourceManager.cpp:112][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/siteminderagent/certoptional/1455091009/smgetcred.scc?TYPE=16777248&REALM=-SM-Certificate%20or%20Basic%20[18%3a56%3a49%3a6500]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-https%3a%2f%2fwww%2esso%2elab%2fcertorbasic%2f][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmSuccess.]

[02/10/2016][18:56:56][8188][8076][CSmSessionManager.cpp:82][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/siteminderagent/certoptional/1455091009/smgetcred.scc?TYPE=16777248&REALM=-SM-Certificate%20or%20Basic%20[18%3a56%3a49%3a6500]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-https%3a%2f%2fwww%2esso%2elab%2fcertorbasic%2f][][Calling SM_WAF_HTTP_PLUGIN->EstablishSession.]

[02/10/2016][18:56:56][8188][8076][CSmSessionManager.cpp:126][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/siteminderagent/certoptional/1455091009/smgetcred.scc?TYPE=16777248&REALM=-SM-Certificate%20or%20Basic%20[18%3a56%3a49%3a6500]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-https%3a%2f%2fwww%2esso%2elab%2fcertorbasic%2f][][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmNoAction.]

[02/10/2016][18:56:56][8188][8076][CSmHighLevelAgent.cpp:405][ProcessRequest][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/siteminderagent/certoptional/1455091009/smgetcred.scc?TYPE=16777248&REALM=-SM-Certificate%20or%20Basic%20[18%3a56%3a49%3a6500]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-https%3a%2f%2fwww%2esso%2elab%2fcertorbasic%2f][][ProtectionManager returned SmNo, end new request.]

[02/10/2016][18:56:56][8188][8076][CSmLowLevelAgent.cpp:3567][ReportHealthData][][][][][][][Accumulating HealthMonitorCtxt.]

[02/10/2016][18:56:56][8188][8076][CSmHighLevelAgent.cpp:970][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][][][][][][Start new request.]

[02/10/2016][18:56:56][8188][8076][CSmResourceManager.cpp:187][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:8683][CSmHttpPlugin::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][][][][][][Resolved Client IP address '192.168.201.101'.]

[02/10/2016][18:56:56][8188][8076][SmAdvancedAuthCore.cpp:632][SmAdvancedAuthCore::parseTargetUrl][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][][/certorbasic/][][Resolved cookie domain '.sso.lab'.]

[02/10/2016][18:56:56][8188][8076][CSmResourceManager.cpp:225][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource returned SmSuccess.]

[02/10/2016][18:56:56][8188][8076][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][Resource is protected from cache.]

[02/10/2016][18:56:56][8188][8076][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][Processing IsProtected responses.]

[02/10/2016][18:56:56][8188][8076][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/10/2016][18:56:56][8188][8076][CSmCredentialManager.cpp:222][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]

[02/10/2016][18:56:56][8188][8076][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][Deleted cookie 'SMCHALLENGE'.]

[02/10/2016][18:56:56][8188][8076][SmSCC.cpp:309][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][Decoded BASIC Context - User 'user1']

[02/10/2016][18:56:56][8188][8076][SmSCC.cpp:418][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][Success in collecting credentials.]

[02/10/2016][18:56:56][8188][8076][SmPluginUtilities.cpp:481][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][POST preservation, handling return from credential collector.]

[02/10/2016][18:56:56][8188][8076][SmPluginUtilities.cpp:618][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][http response https://www.sso.lab/certorbasic/]

[02/10/2016][18:56:56][8188][8076][CSmCredentialManager.cpp:260][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmSuccess.]

[02/10/2016][18:56:56][8188][8076][CSmLowLevelAgent.cpp:1200][AuthenticateUser][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][User 'user1' is authenticated by Policy Server.]

[02/10/2016][18:56:56][8188][8076][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][user1][Processing Authentication responses.]

[02/10/2016][18:56:56][8188][8076][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/10/2016][18:56:56][8188][8076][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][user1][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][user1][Generated SMSESSION cookie.]

[02/10/2016][18:56:56][8188][8076][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][user1][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[02/10/2016][18:56:56][8188][8076][CSmHighLevelAgent.cpp:1282][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][user1][End new request.]

[02/10/2016][18:56:56][8188][8076][CSmLowLevelAgent.cpp:3567][ReportHealthData][][][][][][][Accumulating HealthMonitorCtxt.]

[02/10/2016][18:56:56][8188][8076][CSmHighLevelAgent.cpp:321][ProcessRequest][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][][][][][][Start new request.]

[02/10/2016][18:56:56][8188][8076][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:490][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][][][][][][Resolved hostname: 'www.sso.lab'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:509][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][][][][][][Resolved agentname: 'agent.iis'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][][][agent.iis][][][Resolved Client IP address '192.168.201.101'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:657][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][][][Resolved URL: '/certorbasic/'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:781][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][][Resolved METHOD: 'GET'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:834][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][][Resolved cookie domain: '.sso.lab'.]

[02/10/2016][18:56:56][8188][8076][CSmResourceManager.cpp:112][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmSuccess.]

[02/10/2016][18:56:56][8188][8076][CSmSessionManager.cpp:82][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->EstablishSession.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:6609][CSmHttpPlugin::ProcessSessionCookie][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Decoded SMSESSION cookie - User = 'CN=user1,OU=People,DC=sso,DC=lab', IP address = '192.168.201.101'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:2216][CSmHttpPlugin::EstablishSession][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Processed SMSESSION cookie.]

[02/10/2016][18:56:56][8188][8076][CSmSessionManager.cpp:119][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmSuccess.]

[02/10/2016][18:56:56][8188][8076][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Resource is protected from cache.]

[02/10/2016][18:56:56][8188][8076][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Processing IsProtected responses.]

[02/10/2016][18:56:56][8188][8076][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/10/2016][18:56:56][8188][8076][CSmCredentialManager.cpp:103][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Found session, no credentials required.]

[02/10/2016][18:56:56][8188][8076][CSmLowLevelAgent.cpp:999][AuthenticateUser][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Validating session 'yqt9Pi0lr7VK2sezhRRIOYLaOOs=' for user 'CN=user1,OU=People,DC=sso,DC=lab' in zone 'SM'.]

[02/10/2016][18:56:56][8188][8076][CSmLowLevelAgent.cpp:1195][AuthenticateUser][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][User 'CN=user1,OU=People,DC=sso,DC=lab' is authenticated from cache.]

[02/10/2016][18:56:56][8188][8076][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Processing Authentication responses.]

[02/10/2016][18:56:56][8188][8076][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/10/2016][18:56:56][8188][8076][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Generated SMSESSION cookie.]

[02/10/2016][18:56:56][8188][8076][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[02/10/2016][18:56:56][8188][8076][CSmLowLevelAgent.cpp:2768][AuthorizeUser][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][User 'CN=user1,OU=People,DC=sso,DC=lab' is authorized by Policy Server.]

[02/10/2016][18:56:56][8188][8076][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:3270][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Processing Authorization responses.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:3277][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Removing HTTP cache request headers.]

[02/10/2016][18:56:56][8188][8076][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Deleted cookie 'SMCHALLENGE'.]

[02/10/2016][18:56:56][8188][8076][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/10/2016][18:56:56][8188][8076][CSmHighLevelAgent.cpp:801][ProcessRequest][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][AuthorizationManager returned SmYes, end new request.]

[02/10/2016][18:56:56][8188][8076][CSmHighLevelAgent.cpp:921][ProcessRequest][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][End new request.]


In the first request no certificate was presented and the user credentials had not been submitted yet, so the Web Agent reports "Failed to get either Certificate or Basic credentials."

The agent then issues a Basic challenge and you enter the credentials.

The browser resends the request with an "Authorization" header carrying the encoded user credentials.

Because this is a Basic challenge, the SMCHALLENGE cookie is set to ensure the session cookie can be set as well.

In the trace you can see the agent deleting the SMCHALLENGE cookie and reading the Authorization header:

Decoded BASIC Context - User 'user1'

With these credentials, the user is authenticated:

"User 'user1' is authenticated by Policy Server."

And once the user is authorized, the SMCHALLENGE cookie is deleted.
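The trace above is long, and the interesting question when reviewing it is whether every transaction that ended in an SMSESSION cookie also shows an authentication event for that transaction. The following script is an added example, not part of the original post and not CA/SiteMinder code: it parses the bracketed trace format as observed above (date, time, pid, thread, source location, function, transaction id, client IP, an unused field, agent name, resource, user, message), groups lines by transaction id, records which stages of the "Certificate or Basic" flow each transaction reached, and flags transactions that minted a session or were allowed through without any "authenticated from cache" or "authenticated by Policy Server" line. The sample trace, the short transaction ids and the source file:line values in it are constructed for this example, and the anomaly rule is a heuristic of mine, not a documented agent behaviour.

```python
"""Summarise SiteMinder Web Agent trace lines per transaction.

Added example. The field layout is inferred from the trace shown in the
post; the sample lines below are constructed (short txids, made-up
file:line locations), with message texts taken from the trace.
"""

# Field order as observed in the trace (13 bracketed fields per line).
FIELDS = ("date", "time", "pid", "tid", "location", "function", "txid",
          "client_ip", "unused", "agent", "resource", "user", "message")

# Message fragments that mark stages of the request flow, taken from the trace.
STAGE_MARKERS = {
    "no_credentials": "Failed to get either Certificate or Basic credentials.",
    "basic_decoded": "Decoded BASIC Context",
    "session_found": "Found session, no credentials required.",
    "authn_cache": "is authenticated from cache.",
    "authn_policy_server": "is authenticated by Policy Server.",
    "session_created": "Generated SMSESSION cookie.",
    "authz": "is authorized by Policy Server.",
    "challenge_cookie_deleted": "Deleted cookie 'SMCHALLENGE'.",
    "allowed": "AuthorizationManager returned SmYes",
}


def parse_line(line):
    """Return a dict of the 13 fields, or None if the line is not a trace line."""
    line = line.strip()
    if not (line.startswith("[") and line.endswith("]")):
        return None
    parts = line[1:-1].split("][")
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS[:-1], parts[:len(FIELDS) - 1]))
    # A message containing '][' would have been split too; rejoin the remainder.
    rec["message"] = "][".join(parts[len(FIELDS) - 1:])
    # The trace prefixes the resolved client IP with '*'; drop it for matching.
    rec["client_ip"] = rec["client_ip"].lstrip("*")
    return rec


def summarise(lines):
    """Group trace lines by transaction id and record the stages each reached."""
    txns = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["txid"]:
            continue
        tx = txns.setdefault(rec["txid"],
                             {"client_ip": "", "resource": "", "user": "", "stages": []})
        for key in ("client_ip", "resource", "user"):
            if rec[key]:            # later lines carry the resolved values
                tx[key] = rec[key]
        for stage, marker in STAGE_MARKERS.items():
            if marker in rec["message"] and stage not in tx["stages"]:
                tx["stages"].append(stage)
    return txns


def find_anomalies(txns):
    """Heuristic: a session was minted or access allowed with no authentication
    event in the same transaction. Worth a second look in a review."""
    flagged = []
    for txid, tx in txns.items():
        stages = set(tx["stages"])
        authenticated = stages & {"authn_cache", "authn_policy_server"}
        if (stages & {"session_created", "allowed"}) and not authenticated:
            flagged.append(txid)
    return flagged


# Constructed sample trace: tx-0001 is the unauthenticated first request,
# tx-0002 the Basic credential submission, tx-0003 a cached session, and
# tx-0004 a deliberately incomplete transaction for the anomaly check.
SAMPLE_TRACE = """\
[02/10/2016][18:56:50][8188][8076][CSmCredentialManager.cpp:140][CSmCredentialManager::GatherCredentials][tx-0001][*192.168.201.101][][agent.iis][/certorbasic/][][Failed to get either Certificate or Basic credentials.]
[02/10/2016][18:56:55][8188][8076][CSmHttpPlugin.cpp:1800][CSmHttpPlugin::GatherCredentials][tx-0002][*192.168.201.101][][agent.iis][/certorbasic/][][Decoded BASIC Context - User 'user1'.]
[02/10/2016][18:56:55][8188][8076][SmPluginUtilities.cpp:166][DeleteCookie][tx-0002][*192.168.201.101][][agent.iis][/certorbasic/][user1][Deleted cookie 'SMCHALLENGE'.]
[02/10/2016][18:56:55][8188][8076][CSmLowLevelAgent.cpp:1195][AuthenticateUser][tx-0002][*192.168.201.101][][agent.iis][/certorbasic/][user1][User 'user1' is authenticated by Policy Server.]
[02/10/2016][18:56:55][8188][8076][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][tx-0002][*192.168.201.101][][agent.iis][/certorbasic/][user1][Generated SMSESSION cookie.]
[02/10/2016][18:56:55][8188][8076][CSmLowLevelAgent.cpp:2768][AuthorizeUser][tx-0002][*192.168.201.101][][agent.iis][/certorbasic/][user1][User 'CN=user1,OU=People,DC=sso,DC=lab' is authorized by Policy Server.]
[02/10/2016][18:56:55][8188][8076][SmPluginUtilities.cpp:166][DeleteCookie][tx-0002][*192.168.201.101][][agent.iis][/certorbasic/][user1][Deleted cookie 'SMCHALLENGE'.]
[02/10/2016][18:56:55][8188][8076][CSmHighLevelAgent.cpp:801][ProcessRequest][tx-0002][*192.168.201.101][][agent.iis][/certorbasic/][user1][AuthorizationManager returned SmYes, end new request.]
[02/10/2016][18:56:56][8188][8076][CSmCredentialManager.cpp:103][CSmCredentialManager::GatherCredentials][tx-0003][*192.168.201.101][][agent.iis][/certorbasic/][user1][Found session, no credentials required.]
[02/10/2016][18:56:56][8188][8076][CSmLowLevelAgent.cpp:1195][AuthenticateUser][tx-0003][*192.168.201.101][][agent.iis][/certorbasic/][user1][User 'CN=user1,OU=People,DC=sso,DC=lab' is authenticated from cache.]
[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][tx-0003][*192.168.201.101][][agent.iis][/certorbasic/][user1][Generated SMSESSION cookie.]
[02/10/2016][18:56:56][8188][8076][CSmLowLevelAgent.cpp:2768][AuthorizeUser][tx-0003][*192.168.201.101][][agent.iis][/certorbasic/][user1][User 'CN=user1,OU=People,DC=sso,DC=lab' is authorized by Policy Server.]
[02/10/2016][18:56:56][8188][8076][CSmHighLevelAgent.cpp:801][ProcessRequest][tx-0003][*192.168.201.101][][agent.iis][/certorbasic/][user1][AuthorizationManager returned SmYes, end new request.]
[02/10/2016][18:57:01][8188][8076][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][tx-0004][*192.168.201.102][][agent.iis][/certorbasic/][user1][Generated SMSESSION cookie.]
[02/10/2016][18:57:01][8188][8076][CSmHighLevelAgent.cpp:801][ProcessRequest][tx-0004][*192.168.201.102][][agent.iis][/certorbasic/][user1][AuthorizationManager returned SmYes, end new request.]
"""

if __name__ == "__main__":
    summary = summarise(SAMPLE_TRACE.splitlines())
    for txid, tx in summary.items():
        print(txid, tx["client_ip"], tx["resource"], tx["user"] or "-", " > ".join(tx["stages"]))
    print("flagged:", find_anomalies(summary))
```

Point the script at a real trace file (`summarise(open(path))`) to get one line per transaction showing how far each request got: the first request stops at `no_credentials`, the credential submission runs `basic_decoded > challenge_cookie_deleted > authn_policy_server > session_created > authz > allowed`, and a later request with a valid cookie shows `session_found > authn_cache`. The markers are matched as plain substrings of the message field, so they are easy to extend with other lines from the trace.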


In the next article, we will continue with the "Certificate and Basic" authentication scheme and carry on into Certificate and/or Forms authentication.

It is not much different from what is done here.
