SungHoon_Kim

Configuring an ALL-IN-ONE VM Image - Part 7

Blog Post created by SungHoon_Kim Employee on Feb 15, 2016

This is something I like to do once in a while. It takes a long time to set up everything, but to me it is a hobby. It is like putting together jigsaw puzzles.

 

WARNING: THIS IS NOT SUPPORTED! THIS IS ONLY TO FULFILL YOUR CURIOSITY AND SATISFY YOUR SPIRIT GOING AGAINST ALL ODDS. THIS IS NOT A DEMONSTRATION ALLOWING YOU TO RUN SUCH CONFIGURATION IN YOUR DEV/TEST/QA/PROD ENVIRONMENT.

 

This environment is a continuation of the "Creating an ALL-IN-ONE VM Image" series (links below).

I decided to include a complete list of the articles.

========================================

Creating an ALL-IN-ONE VM Image - Part 1

Creating an ALL-IN-ONE VM Image - Part 2

Creating an ALL-IN-ONE VM Image - Part 3

Creating an ALL-IN-ONE VM Image - Part 4

Creating an ALL-IN-ONE VM Image - Part 5

Creating an ALL-IN-ONE VM Image - Part 6

Creating an ALL-IN-ONE VM Image - Part 7

Creating an ALL-IN-ONE VM Image - Part 8

Creating an ALL-IN-ONE VM Image - Part 9

Creating an ALL-IN-ONE VM Image - Part 10-1

Creating an ALL-IN-ONE VM Image - Part 10-2

========================================

Configuring an ALL-IN-ONE VM Image - Part 1

Configuring an ALL-IN-ONE VM Image - Part 2

Configuring an ALL-IN-ONE VM Image - Part 3

Configuring an ALL-IN-ONE VM Image - Part 4

Configuring an ALL-IN-ONE VM Image - Part 5

Configuring an ALL-IN-ONE VM Image - Part 6

========================================

 

The following configuration will be set up.

 

01. Basic setup - Create application and protect using Forms Authentication.

     - Service configuration

     - Startup/Shutdown scripts

     - Logging

     - Basic Concepts

02. Standard Authentication Schemes

     - Basic Concepts

     - Basic

     - HTML Forms

     - HTML using UID and EMAIL

     - Basic over SSL

03. Certificate Authentication Schemes

     - X.509 Certificate Only

     - X.509 Certificate or Basic

     - X.509 Certificate and Basic

     - X.509 Certificate or Form

     - X.509 Certificate and Form

04. Windows Authentication Scheme

05. OAuth Authentication Scheme

06. Cookie Provider

07. Directory Mapping

08. Password Services

09. Impersonation

10. Session Assurance

11. SAML 2.0 Partnership Federation - SSO

12. SAML 2.0 Partnership Federation - SLO

13. SAML 2.0 Partnership Federation - RelayState

14. SAML 2.0 Partnership Federation - Negative Assertion

15. SAML 1.x Partnership Federation

16. Audit Log import

17. Generating Reports

18. SiteMinder Test Tool

19. Global Delivery Modules

20. Troubleshooting

 

Continued from Part 6.

 

X.509 Certificate and Basic

 

We need the following to set up the use case.

 

* Make sure you have the content on your web server for /certandbasic/ virtual directory.

* Create "X.509 Certificate and Basic Authentication" Scheme.

* Create Component and Resource from AdminUI to protect this resource.

* Create Certificate Mapping (skip this step as it is already configured)

* Configure "SSL Setting" for "/siteminderagent/cert" (skip this step as it is already configured)

 

 

 

Create "X.509 Certificate and Basic Authentication" Scheme.

 

As usual, previously demonstrated steps will be skipped.

This is our first "Two Factor Authentication" (2FA) scheme: 1) the certificate plus 2) the user credentials.

Create "Certificate and Basic" Authentication Scheme as below.

Fill in -

Name: Certificate and Basic

Authentication Scheme Type: X509 Client Cert and Basic Template

Protection Level: 15

     Note: As this is 2FA, its default protection level is higher than that of the previous authentication schemes.

Password Policies enabled for this Authentication Scheme: true

     Note: The Basic authentication part involves a password, so the password policy can be applied here.

Server Name: www.sso.lab

Target: /siteminderagent/cert/smgetcred.scc

Library: smauthcert

     Note: The Parameter will show "smgetcred.scc?cert+basic" to indicate that it is a certificate plus Basic authentication scheme.

 

Create Component and Resource from AdminUI to protect this resource.

 

Create Component as below and click "OK".

Component Name: Certificate and Basic

Agent Type: Web Agent

Agent: agent.iis

Resource Filter: /certandbasic/

Default Resource Protection: Protected

Authentication Scheme: Certificate and Basic

 

Click on "Resources" and select "/certandbasic/" context root and click "Create".

Fill in the below and click "OK".

Name: Access Cert and Basic

Resource: *

Allow/Deny: Allow Access, Enabled

Action: GET, POST

Click on "Policies" tab and select "/certandbasic/" from context root.

Assign "Basic Role" to "Access Cert and Basic" resource. Click on "SUBMIT".

 

 

Now test by visiting http://www.sso.lab/certandbasic/

 

You MUST submit the certificate AND submit the correct credential.

 

You will find the SMUSER value is "user1" and not the userDN.

 

Now you will find something interesting in this transaction.

From the user's perspective, you submitted the certificate first, followed by the user credentials.

 

When you submitted the certificate, the agent found that the user credentials were missing.

 

webagenttrace.log

[02/12/2016][18:18:07][6940][6572][CSmHighLevelAgent.cpp:970][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][][][][][][Start new request.]

[02/12/2016][18:18:07][6940][6572][CSmResourceManager.cpp:187][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource.]

[02/12/2016][18:18:07][6940][6572][CSmHttpPlugin.cpp:8683][CSmHttpPlugin::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/12/2016][18:18:07][6940][6572][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/12/2016][18:18:07][6940][6572][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][][][][][][Resolved Client IP address '192.168.201.101'.]

[02/12/2016][18:18:07][6940][6572][SmAdvancedAuthCore.cpp:632][SmAdvancedAuthCore::parseTargetUrl][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][][/certandbasic/][][Resolved cookie domain '.sso.lab'.]

[02/12/2016][18:18:07][6940][6572][CSmResourceManager.cpp:225][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource returned SmSuccess.]

[02/12/2016][18:18:07][6940][6572][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][Resource is protected from cache.]

[02/12/2016][18:18:07][6940][6572][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/12/2016][18:18:07][6940][6572][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][Processing IsProtected responses.]

[02/12/2016][18:18:07][6940][6572][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/12/2016][18:18:07][6940][6572][CSmCredentialManager.cpp:222][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]

[02/12/2016][18:18:07][6940][6572][SmSCC.cpp:247][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][Certificate present]

[02/12/2016][18:18:07][6940][6572][SmSCC.cpp:390][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][Failed to get Basic credentials.]

[02/12/2016][18:18:07][6940][6572][CSmCredentialManager.cpp:267][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmNoAction.]

[02/12/2016][18:18:07][6940][6572][CSmHighLevelAgent.cpp:1072][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][CredentialManager returned SmNo or SmNoAction, calling ChallengeManager.]

[02/12/2016][18:18:07][6940][6572][CSmChallengeManager.cpp:194][CSmChallengeManager::DoAdvancedAuthChallenge][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthChallenge.]

[02/12/2016][18:18:07][6940][6572][CSmChallengeManager.cpp:214][CSmChallengeManager::DoAdvancedAuthChallenge][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthChallenge returned SmExit.]

[02/12/2016][18:18:07][6940][6572][CSmHighLevelAgent.cpp:1096][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][Challenge Manager returned SmExit, Time to challenge.]

 

 

As you can see above, the Web Agent (WA) actually expects the certificate AND the Basic credentials at the same time.

It does not find the Basic credentials (the "Authorization: Basic xxxx" header in the request), so it challenges the user.

So you saw the Basic popup and submitted your credentials.

 

 

webagenttrace.log

[02/12/2016][18:19:24][6940][6572][CSmHighLevelAgent.cpp:970][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][][][][][][Start new request.]

[02/12/2016][18:19:24][6940][6572][CSmResourceManager.cpp:187][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource.]

[02/12/2016][18:19:24][6940][6572][CSmHttpPlugin.cpp:8683][CSmHttpPlugin::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/12/2016][18:19:24][6940][6572][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/12/2016][18:19:24][6940][6572][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][][][][][][Resolved Client IP address '192.168.201.101'.]

[02/12/2016][18:19:24][6940][6572][SmAdvancedAuthCore.cpp:632][SmAdvancedAuthCore::parseTargetUrl][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][][/certandbasic/][][Resolved cookie domain '.sso.lab'.]

[02/12/2016][18:19:24][6940][6572][CSmResourceManager.cpp:225][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource returned SmSuccess.]

[02/12/2016][18:19:24][6940][6572][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][Resource is protected from cache.]

[02/12/2016][18:19:24][6940][6572][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/12/2016][18:19:24][6940][6572][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][Processing IsProtected responses.]

[02/12/2016][18:19:24][6940][6572][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/12/2016][18:19:24][6940][6572][CSmCredentialManager.cpp:222][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]

[02/12/2016][18:19:24][6940][6572][SmSCC.cpp:247][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][Certificate present]

[02/12/2016][18:19:24][6940][6572][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][Deleted cookie 'SMCHALLENGE'.]

[02/12/2016][18:19:24][6940][6572][SmSCC.cpp:309][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][Decoded BASIC Context - User 'user1']

[02/12/2016][18:19:24][6940][6572][SmSCC.cpp:418][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][Success in collecting credentials.]

[02/12/2016][18:19:24][6940][6572][SmPluginUtilities.cpp:481][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][POST preservation, handling return from credential collector.]

[02/12/2016][18:19:24][6940][6572][SmPluginUtilities.cpp:618][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][http response https://www.sso.lab/certandbasic/]

[02/12/2016][18:19:24][6940][6572][CSmCredentialManager.cpp:260][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmSuccess.]

[02/12/2016][18:19:26][6940][6572][CSmLowLevelAgent.cpp:1200][AuthenticateUser][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][User 'user1' is authenticated by Policy Server.]

[02/12/2016][18:19:26][6940][6572][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][user1][Processing Authentication responses.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:8040][CSmHttpPlugin::GenerateSSLChallengeDoneCookie][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][user1][Generating SMCHALLENGE=SSL_CHALLENGE_DONE set-cookie response header.]

[02/12/2016][18:19:26][6940][6572][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/12/2016][18:19:26][6940][6572][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][user1][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][user1][Generated SMSESSION cookie.]

[02/12/2016][18:19:26][6940][6572][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][user1][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[02/12/2016][18:19:26][6940][6572][CSmHighLevelAgent.cpp:1282][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][user1][End new request.]

 

[02/12/2016][18:19:26][6940][6572][CSmHighLevelAgent.cpp:321][ProcessRequest][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][][][][][][Start new request.]

[02/12/2016][18:19:26][6940][6572][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:490][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][][][][][][Resolved hostname: 'www.sso.lab'.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:509][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][][][][][][Resolved agentname: 'agent.iis'.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][][][agent.iis][][][Resolved Client IP address '192.168.201.101'.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:657][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][][][Resolved URL: '/certandbasic/'.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:781][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][][Resolved METHOD: 'GET'.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:834][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][][Resolved cookie domain: '.sso.lab'.]

[02/12/2016][18:19:26][6940][6572][CSmResourceManager.cpp:112][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmSuccess.]

[02/12/2016][18:19:26][6940][6572][CSmSessionManager.cpp:82][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][][Calling SM_WAF_HTTP_PLUGIN->EstablishSession.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:6609][CSmHttpPlugin::ProcessSessionCookie][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Decoded SMSESSION cookie - User = 'CN=user1,OU=People,DC=sso,DC=lab', IP address = '192.168.201.101'.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:2216][CSmHttpPlugin::EstablishSession][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Processed SMSESSION cookie.]

[02/12/2016][18:19:26][6940][6572][CSmSessionManager.cpp:119][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmSuccess.]

[02/12/2016][18:19:26][6940][6572][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Resource is protected from cache.]

[02/12/2016][18:19:26][6940][6572][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Processing IsProtected responses.]

[02/12/2016][18:19:26][6940][6572][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/12/2016][18:19:26][6940][6572][CSmCredentialManager.cpp:103][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Found session, no credentials required.]

[02/12/2016][18:19:26][6940][6572][CSmLowLevelAgent.cpp:999][AuthenticateUser][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Validating session 'K0TJSsFO24ywObE2mmcIt7uxTvc=' for user 'CN=user1,OU=People,DC=sso,DC=lab' in zone 'SM'.]

[02/12/2016][18:19:26][6940][6572][CSmLowLevelAgent.cpp:1195][AuthenticateUser][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][User 'CN=user1,OU=People,DC=sso,DC=lab' is authenticated from cache.]

[02/12/2016][18:19:26][6940][6572][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Processing Authentication responses.]

[02/12/2016][18:19:26][6940][6572][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/12/2016][18:19:26][6940][6572][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Generated SMSESSION cookie.]

[02/12/2016][18:19:26][6940][6572][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[02/12/2016][18:19:26][6940][6572][CSmLowLevelAgent.cpp:2768][AuthorizeUser][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][User 'CN=user1,OU=People,DC=sso,DC=lab' is authorized by Policy Server.]

[02/12/2016][18:19:26][6940][6572][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:3270][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Processing Authorization responses.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:3277][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Removing HTTP cache request headers.]

[02/12/2016][18:19:26][6940][6572][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Deleted cookie 'SMCHALLENGE'.]

[02/12/2016][18:19:26][6940][6572][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/12/2016][18:19:26][6940][6572][CSmHighLevelAgent.cpp:801][ProcessRequest][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][AuthorizationManager returned SmYes, end new request.]

[02/12/2016][18:19:26][6940][6572][CSmHighLevelAgent.cpp:921][ProcessRequest][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][End new request.]

 

 

Here you see the user being authenticated, then redirected to the target resource, where the session is validated and the user is authorized.

It is worth following the trace through to see the SMCHALLENGE cookie being deleted at the first authorization, even though the authentication had already succeeded at "/siteminderagent/cert/xxxxx/smgetcred.scc".

 

Note: the Certificate CN value and the userID value must match or the user will not be authenticated.

You cannot use the "user1" certificate and log in with "user2" Basic credentials.

As the authentication template name suggests, both the certificate and the Basic authentication must succeed as the same user.

For example, if you submit the "user1" certificate and then enter the smuser credentials, you will not be prompted for the certificate, only shown the Basic popup.

 

 

webagenttrace.log - user1 certificate and smuser basic credentials.

[02/12/2016][18:40:26][6940][5940][CSmHighLevelAgent.cpp:970][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][][][][][][Start new request.]

[02/12/2016][18:40:26][6940][5940][CSmResourceManager.cpp:187][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource.]

[02/12/2016][18:40:26][6940][5940][CSmHttpPlugin.cpp:8683][CSmHttpPlugin::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/12/2016][18:40:26][6940][5940][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/12/2016][18:40:26][6940][5940][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][][][][][][Resolved Client IP address '192.168.201.101'.]

[02/12/2016][18:40:26][6940][5940][SmAdvancedAuthCore.cpp:632][SmAdvancedAuthCore::parseTargetUrl][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][][/certandbasic/][][Resolved cookie domain '.sso.lab'.]

[02/12/2016][18:40:26][6940][5940][CSmResourceManager.cpp:225][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource returned SmSuccess.]

[02/12/2016][18:40:26][6940][5940][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][Resource is protected from cache.]

[02/12/2016][18:40:26][6940][5940][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/12/2016][18:40:26][6940][5940][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][Processing IsProtected responses.]

[02/12/2016][18:40:26][6940][5940][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/12/2016][18:40:26][6940][5940][CSmCredentialManager.cpp:222][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]

[02/12/2016][18:40:26][6940][5940][SmSCC.cpp:247][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][Certificate present]

[02/12/2016][18:40:26][6940][5940][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][Deleted cookie 'SMSESSION'.]

[02/12/2016][18:40:26][6940][5940][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][Deleted cookie 'SMCHALLENGE'.]

[02/12/2016][18:40:26][6940][5940][SmSCC.cpp:309][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][Decoded BASIC Context - User 'smuser']

[02/12/2016][18:40:26][6940][5940][SmSCC.cpp:418][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][Success in collecting credentials.]

[02/12/2016][18:40:26][6940][5940][SmPluginUtilities.cpp:481][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][POST preservation, handling return from credential collector.]

[02/12/2016][18:40:26][6940][5940][SmPluginUtilities.cpp:618][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][http response https://www.sso.lab/certandbasic/]

[02/12/2016][18:40:26][6940][5940][CSmCredentialManager.cpp:260][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmSuccess.]

[02/12/2016][18:40:26][6940][5940][CSmLowLevelAgent.cpp:1332][AuthenticateUser][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][User 'smuser' is not authenticated by Policy Server.]

[02/12/2016][18:40:26][6940][5940][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/12/2016][18:40:26][6940][5940][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][Processing Authentication responses.]

[02/12/2016][18:40:26][6940][5940][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/12/2016][18:40:26][6940][5940][CSmHighLevelAgent.cpp:1203][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][AuthenticationManager returned SmNo or SmNoAction, calling ChallengeManager.]

[02/12/2016][18:40:26][6940][5940][CSmChallengeManager.cpp:194][CSmChallengeManager::DoAdvancedAuthChallenge][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthChallenge.]

[02/12/2016][18:40:26][6940][5940][CSmChallengeManager.cpp:214][CSmChallengeManager::DoAdvancedAuthChallenge][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthChallenge returned SmExit.]

[02/12/2016][18:40:26][6940][5940][CSmHighLevelAgent.cpp:1230][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][Challenge Manager returned SmExit, Time to challenge.]

 

 

If you look at smtracedefault.log, it gives more information about why that decision was made.

 

smtracedefault.log

[02/12/2016][18:40:26][4372][][SmDsLdapConnMgr.cpp:1201][CSmDsLdapConn::SearchExts][][][][][][][][][][][][][][LDAP search of (&(samaccountname=smuser)(objectclass=*)) took 0 seconds and 1000 microseconds][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmDsLdapProvider.cpp:2244][CSmDsLdapProvider::Search][][][][][][][][][][][][][][Ldap Search callout succeeds.][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][(Search) Base: 'DC=SSO,DC=LAB', Filter: '(samaccountname=smuser)'. Status: 1 entries][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmDsDir.cpp:446][CSmDsDir::Search][][][][][][][][][][][][][][Return from call Search.][620][18:40:26.897][true][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmDsObj.cpp:75][CSmDsObj::CSmDsObj][][][][][][][][][][][][][][Start of call LookupProvider.][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][LDAP:][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmDsProviderMap.cpp:109][CSmDsProviderMap::LookupProvider][][][][][][][][][][][][][][Enter function CSmDsProviderMap::LookupProvider][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmDsProviderMap.cpp:204][CSmDsProviderMap::LookupProvider][][][][][][][][][][][][][][Leave function CSmDsProviderMap::LookupProvider][620][18:40:26.897][Ok][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][00:00:00.000000][]

[02/12/2016][18:40:26][4372][][SmDsObj.cpp:77][CSmDsObj::CSmDsObj][][][][][][][][][][][][][][Return from call LookupProvider.][620][18:40:26.897][Ok][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmDsUser.cpp:95][CSmDsUser::CSmDsUser][][][][][][][][][][][][][][Start of call InitUser.][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][About to initialize User 'CN=smuser,CN=Users,DC=sso,DC=lab' in dir 'SSO LAB Domain Users'][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmDsUser.cpp:106][CSmDsUser::CSmDsUser][][][][][][][][][][][][][][Return from call InitUser.][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmDsObj.cpp:94][CSmDsObj::IsValid][][][][][][][][][][][][][][Start of call IsValid.][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmDsObj.cpp:96][CSmDsObj::IsValid][][][][][][][][][][][][][][Return from call IsValid.][620][18:40:26.897][true][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmPasswordCheck.cpp:2730][CSmPasswordCheck::PreProcessPassword][][][][][][][][][][][][][][Enter function CSmPasswordCheck::PreProcessPassword][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmPasswordCheck.cpp:2737][CSmPasswordCheck::PreProcessPassword][][][][][][][][][][][][][][Pre processing the new password...][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmPasswordCheck.cpp:397][CSmPasswordCheck::FindApplicablePasswordPolicies][][][][][][][][][][][][][][Enter function CSmPasswordCheck::FindApplicablePasswordPolicies][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmObjCache.cpp:824][CSmObjCache::Fetch][][][][][][][][][][][][][][Retrieve an object from the object cache.][620][18:40:26.897][][][][][][][][0a-00000000-0000-0000-0000-000000000000][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmPasswordCheck.cpp:448][CSmPasswordCheck::FindApplicablePasswordPolicies][][][][][][][][][][][][][][Leave function CSmPasswordCheck::FindApplicablePasswordPolicies][620][18:40:26.897][true][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][00:00:00.000000][]

[02/12/2016][18:40:26][4372][][SmPasswordCheck.cpp:2768][CSmPasswordCheck::PreProcessPassword][][][][][][][][][][][][][][Leave function CSmPasswordCheck::PreProcessPassword][620][18:40:26.897][true][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][00:00:00.000000][]

[02/12/2016][18:40:26][4372][][SmAuthUser.cpp:5108][CSmAuthUser::Authenticate][][][][][][][][][][][][][][Enter function CSmAuthUser::Authenticate][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthUser.cpp:5259][CSmAuthUser::Authenticate][smuser][CN=smuser,CN=Users,DC=sso,DC=lab][SSO LAB Domain Users][MhzVSejYJWIEOSqX42numCra1ZY=][][][][][][][][][][Authenticating user by the auth scheme][620][18:40:26.897][][][][][][][][][][][][][][Certificate and Basic][][][][][][][][][][][][][][][][][LDAP://192.168.201.101 192.168.201.102/CN=smuser,CN=Users,DC=sso,DC=lab][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmObjCache.cpp:773][CSmObjCache::Lookup][][][][][][][][][][][][][][Look up a cached object.][620][18:40:26.897][][][][][][][][06-c4ebbaaa-cf13-4337-bded-0734edc5b369][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:5497][SmAuthenticate][][][][][][][][][][][][][][Enter function SmAuthenticate][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3893][getSpecificScheme][][][][][][][][][][][][][][Enter function getSpecificScheme][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3918][getSpecificScheme][][][][][][][][][][][][][][Auth Scheme used: Cert+Basic][620][18:40:26.897][][][][][][][][][][][][][][Cert+Basic][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3962][getSpecificScheme][][][][][][][][][][][][][][Leave function getSpecificScheme][620][18:40:26.897][2][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][00:00:00.000000][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:5748][SmAuthenticate][CN=smuser,CN=Users,DC=sso,DC=lab][][][][][][][][][][][][][Verifying user's basic credentials][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:4157][parseCert][][][][][][][][][][][][][][Enter function parseCert][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:2692][dump_hex][][][][][][][][][][][][][][length of serial is: 10][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:2709][dump_hex][][][][][][][][][][][][][][Printing serial: 61][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:2717][dump_hex][][][][][][][][][][][][][][Printing serial:  35][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:2717][dump_hex][][][][][][][][][][][][][][Printing serial:  DB][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:2717][dump_hex][][][][][][][][][][][][][][Printing serial:  32][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:2717][dump_hex][][][][][][][][][][][][][][Printing serial:  00][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:2717][dump_hex][][][][][][][][][][][][][][Printing serial:  00][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:2717][dump_hex][][][][][][][][][][][][][][Printing serial:  00][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:2717][dump_hex][][][][][][][][][][][][][][Printing serial:  00][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:2717][dump_hex][][][][][][][][][][][][][][Printing serial:  00][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:2717][dump_hex][][][][][][][][][][][][][][Printing serial:  07][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][certcHelper.cpp:795][RSA_GetCRLDistributionPoint][][][][][][][][][][][][][][Enter function RSA_GetCRLDistributionPoint][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][certcHelper.cpp:905][RSA_GetCRLDistributionPoint][][][][][][][][][][][][][][CRL DPName = ldap:///CN=TESTLABCA,CN=TESTMC1,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=sso,DC=lab?certificateRevocationList?base?objectClass=cRLDistributionPoint][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][certcHelper.cpp:918][RSA_GetCRLDistributionPoint][][][][][][][][][][][][][][Leave function RSA_GetCRLDistributionPoint][620][18:40:26.898][CDP's found in Cert][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][00:00:00.000000][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:4364][parseCert][][][][][][][][][][][][][][Parsed certificate for SubjectDN DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab][620][18:40:26.898][][][][][][][][][][][][][][][61 35 DB 32 00 00 00 00 00 07][DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab][DC=lab,DC=sso,CN=TESTLABCA][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:4367][parseCert][][][][][][][][][][][][][][Leave function parseCert][620][18:40:26.898][0][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][00:00:00.001000][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:5969][SmAuthenticate][][][][][][][][][][][][][][Print currentCert.certBinLen: 1348][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:5977][SmAuthenticate][][][][][][][][][][][][][][Print currentCert's subjectDN, issuerDN, CertSerial and CertDistPt][620][18:40:26.898][][][][][][][][][][][][][][][61 35 DB 32 00 00 00 00 00 07][DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab][DC=lab,DC=sso,CN=TESTLABCA][ldap:///CN=TESTLABCA,CN=TESTMC1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sso,DC=lab?certificateRevocationList?base?objectClass=cRLDistributionPoint][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmObjCache.cpp:824][CSmObjCache::Fetch][][][][][][][][][][][][][][Retrieve an object from the object cache.][620][18:40:26.898][][][][][][][][0a-00000000-0000-0000-0000-000000000000][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmObjCache.cpp:824][CSmObjCache::Fetch][][][][][][][][][][][][][][Retrieve an object from the object cache.][620][18:40:26.898][][][][][][][][16-8fd4a1a4-6eea-414e-9952-e3d8a301e9fc][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:539][GetCertMapObject][][][][][][][][][][][][][][Comparing to IssuerDN.][620][18:40:26.898][][][][][][][][][][][][][][][][][DC=lab,DC=sso,CN=TESTLABCA][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:5999][SmAuthenticate][][][][][][][][][][][][][][Certificate's Issuer DN found in mapping rules][620][18:40:26.898][][][][][][][][][][][][][][][][][DC=lab,DC=sso,CN=TESTLABCA][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:2906][ApplyMapToLDAPRules][][][][][][][][][][][][][][Enter function ApplyMapToLDAPRules][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:2920][ApplyMapToLDAPRules][][][][][][][][][][][][][][map subjectDN (DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab)  using string: '(%{CN})'][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3179][ApplyMapToLDAPRules][][][][][][][][][][][][][][aname is (certSerialNumber)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3185][ApplyMapToLDAPRules][][][][][][][][][][][][][][category.aname is (certSerialNumber).(certSerialNumber)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3249][ApplyMapToLDAPRules][][][][][][][][][][][][][][Name is (certSerialNumber.certSerialNumber) Value is (61 35 DB 32 00 00 00 00 00 07)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3179][ApplyMapToLDAPRules][][][][][][][][][][][][][][aname is (IssuerDN)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3185][ApplyMapToLDAPRules][][][][][][][][][][][][][][category.aname is (IssuerDN).(IssuerDN)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3249][ApplyMapToLDAPRules][][][][][][][][][][][][][][Name is (IssuerDN.IssuerDN) Value is (DC=lab,DC=sso,CN=TESTLABCA)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3179][ApplyMapToLDAPRules][][][][][][][][][][][][][][aname is (DC)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3185][ApplyMapToLDAPRules][][][][][][][][][][][][][][category.aname is (DC).(DC)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3249][ApplyMapToLDAPRules][][][][][][][][][][][][][][Name is (DC.DC) Value is (lab)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3179][ApplyMapToLDAPRules][][][][][][][][][][][][][][aname is (DC)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3185][ApplyMapToLDAPRules][][][][][][][][][][][][][][category.aname is (DC2).(DC)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3249][ApplyMapToLDAPRules][][][][][][][][][][][][][][Name is (DC2.DC) Value is (sso)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3179][ApplyMapToLDAPRules][][][][][][][][][][][][][][aname is (OU)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3185][ApplyMapToLDAPRules][][][][][][][][][][][][][][category.aname is (OU).(OU)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3249][ApplyMapToLDAPRules][][][][][][][][][][][][][][Name is (OU.OU) Value is (People)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3179][ApplyMapToLDAPRules][][][][][][][][][][][][][][aname is (CN)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3185][ApplyMapToLDAPRules][][][][][][][][][][][][][][category.aname is (CN).(CN)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3249][ApplyMapToLDAPRules][][][][][][][][][][][][][][Name is (CN.CN) Value is (user1)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3179][ApplyMapToLDAPRules][][][][][][][][][][][][][][aname is (E)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3185][ApplyMapToLDAPRules][][][][][][][][][][][][][][category.aname is (E).(E)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3249][ApplyMapToLDAPRules][][][][][][][][][][][][][][Name is (E.E) Value is (user1@sso.lab)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3529][MapOneRuleString][][][][][][][][][][][][][][Enter function MapOneRuleString][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3590][ApplyMapToLDAPRules][][][][][][][][][][][][][][Final option 0 is 'CN'][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3615][ApplyMapToLDAPRules][][][][][][][][][][][][][][Parameter is CN][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3691][ApplyMapToLDAPRules][][][][][][][][][][][][][][Compared 'certSerialNumber' to 'CN' : No Match][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3691][ApplyMapToLDAPRules][][][][][][][][][][][][][][Compared 'certSerialNumber.certSerialNumber' to 'CN' : No Match][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3691][ApplyMapToLDAPRules][][][][][][][][][][][][][][Compared 'IssuerDN' to 'CN' : No Match][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3691][ApplyMapToLDAPRules][][][][][][][][][][][][][][Compared 'IssuerDN.IssuerDN' to 'CN' : No Match][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3691][ApplyMapToLDAPRules][][][][][][][][][][][][][][Compared 'DC' to 'CN' : No Match][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3691][ApplyMapToLDAPRules][][][][][][][][][][][][][][Compared 'DC.DC' to 'CN' : No Match][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3691][ApplyMapToLDAPRules][][][][][][][][][][][][][][Compared 'DC2' to 'CN' : No Match][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3691][ApplyMapToLDAPRules][][][][][][][][][][][][][][Compared 'DC2.DC' to 'CN' : No Match][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3691][ApplyMapToLDAPRules][][][][][][][][][][][][][][Compared 'OU' to 'CN' : No Match][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3691][ApplyMapToLDAPRules][][][][][][][][][][][][][][Compared 'OU.OU' to 'CN' : No Match][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3699][ApplyMapToLDAPRules][][][][][][][][][][][][][][Compared 'CN' to 'CN' : Match][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3833][MapOneRuleString][][][][][][][][][][][][][][returning success.][620][18:40:26.899][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3836][MapOneRuleString][][][][][][][][][][][][][][Leave function MapOneRuleString][620][18:40:26.899][user1][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][00:00:00.001000][]

[02/12/2016][18:40:26][4372][][SmAuthUser.cpp:841][AuthenticateDsUser][][][][][][][][][][][][][][Enter function AuthenticateDsUser][620][18:40:26.899][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmDsObj.cpp:94][CSmDsObj::IsValid][][][][][][][][][][][][][][Start of call IsValid.][620][18:40:26.899][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmDsObj.cpp:96][CSmDsObj::IsValid][][][][][][][][][][][][][][Return from call IsValid.][620][18:40:26.899][true][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmDsUser.cpp:229][CSmDsUser::Authenticate][][][][][][][][][][][][][][Start of call AuthenticateUser.][620][18:40:26.899][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][User ='CN=smuser,CN=Users,DC=sso,DC=lab'][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmObjCache.cpp:824][CSmObjCache::Fetch][][][][][][][][][][][][][][Retrieve an object from the object cache.][620][18:40:26.899][][][][][][][][1c-67b3c2b0-9e28-11d3-95e7-00c04f7468ef][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmObjStore.cpp:3339][IsADEnhanced][][][][][][][][][][][][][][Global Preferences:][620][18:40:26.899][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmDsUser.cpp:238][CSmDsUser::Authenticate][][][][][][][][][][][][][][Return from call AuthenticateUser.][620][18:40:26.899][true][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthUser.cpp:875][AuthenticateDsUser][][][][][][][][][][][][][][Leave function AuthenticateDsUser][620][18:40:26.899][0][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][00:00:00.000000][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:6182][SmAuthenticate][smuser][][][][][][][][][][][][][Cert+Basic/Cert+Form credentials does not match certificate credentials][620][18:40:26.933][][][][][][][][][][][][][][][][user1][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

 

 

You can see from the snippet above that the username extracted from the certificate is "user1", but the user searched for was "smuser".

So, when they do not match, the user is not authenticated.

It is interesting to see that the Basic credential was processed first, although it was provided after the certificate.
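
The comparison described above can be pulled out of a long smtracedefault.log with a short script. This is an added example, not part of the original post and not a product tool: it assumes the bracket-delimited layout seen in the lines quoted here (user name in the seventh field, return value three fields after the message), and its sample lines are constructed by abridging the trace above.

```python
import re

# One trace field is "[...]"; empty fields "[]" are kept so positions stay stable.
FIELD_RE = re.compile(r"\[([^\[\]]*)\]")
# Message written by ApplyMapToLDAPRules in the trace quoted on this page.
MAP_RE = re.compile(r"map subjectDN \((.*?)\)\s+using string: '([^']*)'")

# Constructed sample: four lines abridged from the trace above (most empty
# fields and the hash field dropped, relative field order preserved).
SAMPLE_TRACE = [
    "[02/12/2016][18:40:26][4372][][SmAuthUser.cpp:5259][CSmAuthUser::Authenticate]"
    "[smuser][CN=smuser,CN=Users,DC=sso,DC=lab][SSO LAB Domain Users][][]"
    "[Authenticating user by the auth scheme][620][18:40:26.897][][]"
    "[Certificate and Basic][]",
    "[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:2920][ApplyMapToLDAPRules][][][]"
    "[map subjectDN (DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab)  "
    "using string: '(%{CN})'][620][18:40:26.898][][]",
    "[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3836][MapOneRuleString][][][]"
    "[Leave function MapOneRuleString][620][18:40:26.899][user1][][00:00:00.001000][]",
    "[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:6182][SmAuthenticate][smuser][][]"
    "[Cert+Basic/Cert+Form credentials does not match certificate credentials]"
    "[620][18:40:26.933][][][user1][]",
]


def find_field(fields, needle):
    """Index of the first field containing needle, or -1."""
    for i, value in enumerate(fields):
        if needle in value:
            return i
    return -1


def correlate(lines):
    """Collect the values the Policy Server compared for Cert+Basic."""
    result = {
        "basic_user": None,        # user name supplied with the Basic credentials
        "cert_subject": None,      # subject DN parsed from the client certificate
        "mapping_rule": None,      # certificate mapping string, e.g. (%{CN})
        "mapped_user": None,       # value the mapping rule produced
        "policy_server_mismatch": False,
    }
    for line in lines:
        fields = FIELD_RE.findall(line)
        if len(fields) < 7:
            continue  # not a trace record in the assumed layout
        user_field = fields[6].strip()

        i = find_field(fields, "Authenticating user by the auth scheme")
        if i > 6 and user_field:
            result["basic_user"] = user_field

        m = MAP_RE.search(line)
        if m:
            result["cert_subject"], result["mapping_rule"] = m.group(1), m.group(2)

        # Assumption from the quoted lines: message, thread id, timestamp, return value.
        i = find_field(fields, "Leave function MapOneRuleString")
        if i >= 0 and i + 3 < len(fields):
            result["mapped_user"] = fields[i + 3].strip() or None

        i = find_field(fields, "does not match certificate credentials")
        if i >= 0:
            result["policy_server_mismatch"] = True
            if i > 6 and user_field and result["basic_user"] is None:
                result["basic_user"] = user_field
    return result


def verdict(result):
    """Summarise the correlation as one line for the person reading the trace."""
    basic, mapped = result["basic_user"], result["mapped_user"]
    if basic is None or mapped is None:
        return "INCOMPLETE: trace lacks the Basic user or the mapped certificate user"
    if basic != mapped:
        return ("MISMATCH: certificate maps to '%s' via %s but Basic credentials "
                "were for '%s'" % (mapped, result["mapping_rule"], basic))
    return "MATCH: certificate and Basic credentials both identify '%s'" % basic


if __name__ == "__main__":
    print(verdict(correlate(SAMPLE_TRACE)))
```
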

 

 

X.509 Certificate or Form

 

This is similar to "Certificate or Basic"; the only difference is that it displays the login form if you do not submit a certificate.

 

* Make sure you have the content on your web server for /certorform/ virtual directory.

* Create "X.509 Certificate or Form Authentication" Scheme.

* Create Component and Resource from AdminUI to protect this resource.

* Create Certificate Mapping (skip this step as it is already configured)

* Configure "SSL Setting" for "/siteminderagent/certoptional" (skip this step as it is already configured)

 

Create "X.509 Certificate or Form Authentication" Scheme.

 

As usual, previously demonstrated steps will be skipped.

Create "Certificate or Form" Authentication Scheme as below.

Fill in the following and submit

Name: Certificate or Form

Authentication Scheme Type: X509 Client Cert or Form Template

Protection Level: 5

     Note: As this is a single factor authentication, its default security protection level is again 5.

Password Policies enabled for this Authentication Scheme: true

     Note: The Form authentication part involves a password, so the password policy can be applied here.

Server Name: www.sso.lab

Target: /siteminderagent/certoptional/forms/login.sfcc

     Note: This would be your first time seeing the ".sfcc" extension. When you log in via the regular Form Authentication Scheme, you still use the ".fcc" extension even when you specify an https secure connection. ".sfcc" is used for Form Authentication Schemes that involve a certificate.

Library: smauthcertorform

     Note: The Parameter will show "login.sfcc?certorform" so that it is recognized as a cert or form authentication scheme.

 

 

 

 

Create Component and Resource from AdminUI to protect this resource.

 

Create Component as below and click "OK".

Component Name: Certificate or Form

Agent Type: Web Agent

Agent: agent.iis

Resource Filter: /certorform/

Default Resource Protection: Protected

Authentication Scheme: Certificate or Form

 

Click on the "Resources" tab, select the "/certorform/" context root and click "Create".

Fill in the below and click "OK".

Name: Access Cert and Form

Resource: *

Allow/Deny: Allow Access, Enabled

Action: GET, POST

 

Click on the "Policies" tab and select "/certorform/" from the context root.

Assign "Basic Role" to "Access Cert or Form" resource. Click on "SUBMIT".

 

 

Test use case #1 (Submit Certificate)

 

Now visit http://www.sso.lab/certorform/ to test.

Submit user1 client certificate.

 

webagenttrace.log

[02/15/2016][10:05:03][6460][6504][CSmHighLevelAgent.cpp:970][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][][][][][][Start new request.]

[02/15/2016][10:05:03][6460][6504][CSmResourceManager.cpp:187][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource.]

[02/15/2016][10:05:03][6460][6504][CSmHttpPlugin.cpp:8683][CSmHttpPlugin::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/15/2016][10:05:03][6460][6504][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/15/2016][10:05:03][6460][6504][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][][][][][][Resolved Client IP address '192.168.201.101'.]

[02/15/2016][10:05:03][6460][6504][SmFCC.cpp:2917][SmFcc::getLocalePath][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][][][][Localized Path = C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc, working locale = en-US]

[02/15/2016][10:05:03][6460][6504][CSmFormTemplateCache.cpp:209][CSmFormTemplateCache::GetForm][][][][][][][Form template 'C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc' not found in cache.]

[02/15/2016][10:05:04][6460][6504][CSmFormTemplateCache.cpp:226][CSmFormTemplateCache::GetForm][][][][][][][Serving form template 'C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc' from disk.]

[02/15/2016][10:05:04][6460][6504][CSmFormTemplateCache.cpp:269][CSmFormTemplateCache::GetForm][][][][][][][Form template 'C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc' stored in cache.]

[02/15/2016][10:05:04][6460][6504][SmAdvancedAuthCore.cpp:632][SmAdvancedAuthCore::parseTargetUrl][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][][/certorform/][][Resolved cookie domain '.sso.lab'.]

[02/15/2016][10:05:04][6460][6504][CSmResourceManager.cpp:225][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource returned SmSuccess.]

[02/15/2016][10:05:04][6460][6504][CSmLowLevelAgent.cpp:503][IsResourceProtected][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][Resource is protected from Policy Server.]

[02/15/2016][10:05:04][6460][6504][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][Processing IsProtected responses.]

[02/15/2016][10:05:04][6460][6504][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][10:05:04][6460][6504][CSmCredentialManager.cpp:222][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]

[02/15/2016][10:05:04][6460][6504][SmFCC.cpp:703][SmFcc::getCredentials][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][Success in collecting credentials.]

[02/15/2016][10:05:04][6460][6504][SmPluginUtilities.cpp:481][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][POST preservation, handling return from credential collector.]

[02/15/2016][10:05:04][6460][6504][SmPluginUtilities.cpp:618][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][http response https://www.sso.lab/certorform/]

[02/15/2016][10:05:04][6460][6504][CSmCredentialManager.cpp:260][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmSuccess.]

[02/15/2016][10:05:04][6460][6504][CSmLowLevelAgent.cpp:1200][AuthenticateUser][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][User 'unknown' is authenticated by Policy Server.]

[02/15/2016][10:05:04][6460][6504][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][Processing Authentication responses.]

[02/15/2016][10:05:04][6460][6504][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][Deleted cookie 'SMTRYNO'.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:8040][CSmHttpPlugin::GenerateSSLChallengeDoneCookie][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][Generating SMCHALLENGE=SSL_CHALLENGE_DONE set-cookie response header.]

[02/15/2016][10:05:04][6460][6504][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][10:05:04][6460][6504][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][Generated SMSESSION cookie.]

[02/15/2016][10:05:04][6460][6504][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[02/15/2016][10:05:04][6460][6504][CSmHighLevelAgent.cpp:1282][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][End new request.]

 

As you can see above, with Certificate authentication you will not find the "User 'user1' is authenticated by Policy Server." message.

Instead, the user is reported as "unknown".

 

webagenttrace.log

[02/15/2016][10:05:04][6460][6504][CSmHighLevelAgent.cpp:321][ProcessRequest][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][][][][][][Start new request.]

[02/15/2016][10:05:04][6460][6504][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:490][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][][][][][][Resolved hostname: 'www.sso.lab'.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:509][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][][][][][][Resolved agentname: 'agent.iis'.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][][][agent.iis][][][Resolved Client IP address '192.168.201.101'.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:657][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][][][Resolved URL: '/certorform/'.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:781][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Resolved METHOD: 'GET'.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:834][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Resolved cookie domain: '.sso.lab'.]

[02/15/2016][10:05:04][6460][6504][CSmResourceManager.cpp:112][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmSuccess.]

[02/15/2016][10:05:04][6460][6504][CSmSessionManager.cpp:82][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Calling SM_WAF_HTTP_PLUGIN->EstablishSession.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:6609][CSmHttpPlugin::ProcessSessionCookie][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Decoded SMSESSION cookie - User = 'CN=user1,OU=People,DC=sso,DC=lab', IP address = '192.168.201.101'.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:2216][CSmHttpPlugin::EstablishSession][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Processed SMSESSION cookie.]

[02/15/2016][10:05:04][6460][6504][CSmSessionManager.cpp:119][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmSuccess.]

[02/15/2016][10:05:04][6460][6504][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Resource is protected from cache.]

[02/15/2016][10:05:04][6460][6504][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Processing IsProtected responses.]

[02/15/2016][10:05:04][6460][6504][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][10:05:04][6460][6504][CSmCredentialManager.cpp:103][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Found session, no credentials required.]

[02/15/2016][10:05:04][6460][6504][CSmLowLevelAgent.cpp:999][AuthenticateUser][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Validating session 's+PHowZSx8rCMp7i8K9dYhw4YaI=' for user 'CN=user1,OU=People,DC=sso,DC=lab' in zone 'SM'.]

[02/15/2016][10:05:04][6460][6504][CSmLowLevelAgent.cpp:1195][AuthenticateUser][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][User 'CN=user1,OU=People,DC=sso,DC=lab' is authenticated from cache.]

[02/15/2016][10:05:04][6460][6504][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Processing Authentication responses.]

[02/15/2016][10:05:04][6460][6504][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][10:05:04][6460][6504][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Generated SMSESSION cookie.]

[02/15/2016][10:05:04][6460][6504][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[02/15/2016][10:05:04][6460][6504][CSmLowLevelAgent.cpp:2768][AuthorizeUser][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][User 'CN=user1,OU=People,DC=sso,DC=lab' is authorized by Policy Server.]

[02/15/2016][10:05:04][6460][6504][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:3270][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Processing Authorization responses.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:3277][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Removing HTTP cache request headers.]

[02/15/2016][10:05:04][6460][6504][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Deleted cookie 'SMCHALLENGE'.]

[02/15/2016][10:05:04][6460][6504][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][10:05:04][6460][6504][CSmHighLevelAgent.cpp:801][ProcessRequest][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][AuthorizationManager returned SmYes, end new request.]

[02/15/2016][10:05:04][6460][6504][CSmHighLevelAgent.cpp:921][ProcessRequest][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][End new request.]

 

 

Test use case #2 (Do not submit Certificate)

 

Now visit http://www.sso.lab/certorform/ to test.

Cancel the user1 client certificate selection and submit form credentials instead.

 

 

Again, you will notice the SMUSER value is not the userDN but the userID.

webagenttrace.log

[02/15/2016][10:24:24][6460][6504][CSmHighLevelAgent.cpp:970][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][][][][][][Start new request.]

[02/15/2016][10:24:24][6460][6504][CSmResourceManager.cpp:187][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:8683][CSmHttpPlugin::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][][][][][][Resolved Client IP address '192.168.201.101'.]

[02/15/2016][10:24:24][6460][6504][SmFCC.cpp:2917][SmFcc::getLocalePath][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][][][][Localized Path = C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc, working locale = en-US]

[02/15/2016][10:24:24][6460][6504][CSmFormTemplateCache.cpp:196][CSmFormTemplateCache::GetForm][][][][][][][Serving form template 'C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc' from cache.]

[02/15/2016][10:24:24][6460][6504][SmAdvancedAuthCore.cpp:632][SmAdvancedAuthCore::parseTargetUrl][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][][/certorform/][][Resolved cookie domain '.sso.lab'.]

[02/15/2016][10:24:24][6460][6504][CSmResourceManager.cpp:225][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource returned SmSuccess.]

[02/15/2016][10:24:24][6460][6504][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][][Resource is protected from cache.]

[02/15/2016][10:24:24][6460][6504][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][][Processing IsProtected responses.]

[02/15/2016][10:24:24][6460][6504][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][10:24:24][6460][6504][CSmCredentialManager.cpp:222][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]

[02/15/2016][10:24:24][6460][6504][SmFCC.cpp:703][SmFcc::getCredentials][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][][Success in collecting credentials.]

[02/15/2016][10:24:24][6460][6504][SmPluginUtilities.cpp:481][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][][POST preservation, handling return from credential collector.]

[02/15/2016][10:24:24][6460][6504][SmPluginUtilities.cpp:618][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][][http response https://www.sso.lab/certorform/]

[02/15/2016][10:24:24][6460][6504][CSmCredentialManager.cpp:260][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmSuccess.]

[02/15/2016][10:24:24][6460][6504][CSmLowLevelAgent.cpp:1200][AuthenticateUser][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][][User 'user1' is authenticated by Policy Server.]

[02/15/2016][10:24:24][6460][6504][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][user1][Processing Authentication responses.]

[02/15/2016][10:24:24][6460][6504][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][user1][Deleted cookie 'SMTRYNO'.]

[02/15/2016][10:24:24][6460][6504][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][10:24:24][6460][6504][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][user1][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][user1][Generated SMSESSION cookie.]

[02/15/2016][10:24:24][6460][6504][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][user1][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[02/15/2016][10:24:24][6460][6504][CSmHighLevelAgent.cpp:1282][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][user1][End new request.]

 

webagenttrace.log

[02/15/2016][10:24:24][6460][6504][CSmHighLevelAgent.cpp:321][ProcessRequest][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][][][][][][Start new request.]

[02/15/2016][10:24:24][6460][6504][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:490][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][][][][][][Resolved hostname: 'www.sso.lab'.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:509][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][][][][][][Resolved agentname: 'agent.iis'.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][][][agent.iis][][][Resolved Client IP address '192.168.201.101'.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:657][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][][][Resolved URL: '/certorform/'.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:781][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][][Resolved METHOD: 'GET'.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:834][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][][Resolved cookie domain: '.sso.lab'.]

[02/15/2016][10:24:24][6460][6504][CSmResourceManager.cpp:112][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmSuccess.]

[02/15/2016][10:24:24][6460][6504][CSmSessionManager.cpp:82][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][][Calling SM_WAF_HTTP_PLUGIN->EstablishSession.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:6609][CSmHttpPlugin::ProcessSessionCookie][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Decoded SMSESSION cookie - User = 'CN=user1,OU=People,DC=sso,DC=lab', IP address = '192.168.201.101'.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:2216][CSmHttpPlugin::EstablishSession][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Processed SMSESSION cookie.]

[02/15/2016][10:24:24][6460][6504][CSmSessionManager.cpp:119][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmSuccess.]

[02/15/2016][10:24:24][6460][6504][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Resource is protected from cache.]

[02/15/2016][10:24:24][6460][6504][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Processing IsProtected responses.]

[02/15/2016][10:24:24][6460][6504][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][10:24:24][6460][6504][CSmCredentialManager.cpp:103][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Found session, no credentials required.]

[02/15/2016][10:24:24][6460][6504][CSmLowLevelAgent.cpp:999][AuthenticateUser][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Validating session 'aQAinAqI0X39jGj3FxaTvv8uc+k=' for user 'CN=user1,OU=People,DC=sso,DC=lab' in zone 'SM'.]

[02/15/2016][10:24:24][6460][6504][CSmLowLevelAgent.cpp:1195][AuthenticateUser][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][User 'CN=user1,OU=People,DC=sso,DC=lab' is authenticated from cache.]

[02/15/2016][10:24:24][6460][6504][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Processing Authentication responses.]

[02/15/2016][10:24:24][6460][6504][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][10:24:24][6460][6504][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Generated SMSESSION cookie.]

[02/15/2016][10:24:24][6460][6504][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[02/15/2016][10:24:24][6460][6504][CSmLowLevelAgent.cpp:2768][AuthorizeUser][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][User 'CN=user1,OU=People,DC=sso,DC=lab' is authorized by Policy Server.]

[02/15/2016][10:24:24][6460][6504][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:3270][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Processing Authorization responses.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:3277][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Removing HTTP cache request headers.]

[02/15/2016][10:24:24][6460][6504][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Deleted cookie 'SMCHALLENGE'.]

[02/15/2016][10:24:24][6460][6504][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][10:24:24][6460][6504][CSmHighLevelAgent.cpp:801][ProcessRequest][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][AuthorizationManager returned SmYes, end new request.]

[02/15/2016][10:24:24][6460][6504][CSmHighLevelAgent.cpp:921][ProcessRequest][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][End new request.]

 

Another interesting thing to note is that, when the user is authenticated by certificate, the "User" field of the trace line is empty, whereas after form authentication it contains "user1".

Certificate or Form Authentication

Column layout: [Date][Time][Pid][Tid][SrcFile][Function][TransactionID][IPAddr][IPPort][AgentName][Resource][User][Message]

Authenticated by Certificate:

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:6609][CSmHttpPlugin::ProcessSessionCookie][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Decoded SMSESSION cookie - User = 'CN=user1,OU=People,DC=sso,DC=lab', IP address = '192.168.201.101'.]

Authenticated by Form:

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:6609][CSmHttpPlugin::ProcessSessionCookie][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Decoded SMSESSION cookie - User = 'CN=user1,OU=People,DC=sso,DC=lab', IP address = '192.168.201.101'.]
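
The empty "User" column matters when you attribute requests from webagenttrace.log. The following is an added example, not part of the original post: it parses the 13-column layout listed above and falls back to the DN in the "Decoded SMSESSION cookie" message when the User column is empty. The transaction IDs and sample lines are constructed in the page's format, and the classification rules are assumptions based only on the trace lines shown in this post.

```python
import re
from collections import OrderedDict

# Column order as listed in this post for webagenttrace.log.
FIELDS = ["Date", "Time", "Pid", "Tid", "SrcFile", "Function", "TransactionID",
          "IPAddr", "IPPort", "AgentName", "Resource", "User", "Message"]

# Twelve bracketed fields that contain no ']', then the message field.
LINE_RE = re.compile(r"^" + r"\[([^\]]*)\]" * 12 + r"\[(.*)\]\s*$")
AUTH_RE = re.compile(r"User '([^']*)' is authenticated by Policy Server\.")
SESSION_RE = re.compile(r"Decoded SMSESSION cookie - User = '([^']*)'")

# Constructed sample: shortened transaction IDs, messages copied from the post's format.
SAMPLE = """
[02/15/2016][10:05:04][6460][6504][CSmLowLevelAgent.cpp:1200][AuthenticateUser][tx-cert-login][*192.168.201.101][][agent.iis][/certorform/][][User 'unknown' is authenticated by Policy Server.]
[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:8040][CSmHttpPlugin::GenerateSSLChallengeDoneCookie][tx-cert-login][*192.168.201.101][][agent.iis][/certorform/][][Generating SMCHALLENGE=SSL_CHALLENGE_DONE set-cookie response header.]
[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:6609][CSmHttpPlugin::ProcessSessionCookie][tx-cert-session][*192.168.201.101][][agent.iis][/certorform/][][Decoded SMSESSION cookie - User = 'CN=user1,OU=People,DC=sso,DC=lab', IP address = '192.168.201.101'.]
[02/15/2016][10:24:24][6460][6504][CSmLowLevelAgent.cpp:1200][AuthenticateUser][tx-form-login][*192.168.201.101][][agent.iis][/certorform/][][User 'user1' is authenticated by Policy Server.]
[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][tx-form-login][*192.168.201.101][][agent.iis][/certorform/][user1][Generated SMSESSION cookie.]
[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:6609][CSmHttpPlugin::ProcessSessionCookie][tx-form-session][*192.168.201.101][][agent.iis][/certorform/][user1][Decoded SMSESSION cookie - User = 'CN=user1,OU=People,DC=sso,DC=lab', IP address = '192.168.201.101'.]
[02/15/2016][10:24:24][6460][6504][CSmFormTemplateCache.cpp:196][CSmFormTemplateCache::GetForm][][][][][][][Serving form template 'login_en-US.fcc' from cache.]
"""


def parse_line(line):
    """Return a dict keyed by FIELDS, or None for blank or unparseable lines."""
    m = LINE_RE.match(line.strip())
    return dict(zip(FIELDS, m.groups())) if m else None


def summarize(lines):
    """Group records by TransactionID and collect the identity evidence in each."""
    txs = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["TransactionID"]:
            continue  # form-template cache lines carry no transaction ID
        tx = txs.setdefault(rec["TransactionID"], {
            "resource": "", "user_column": "", "auth_user": None,
            "session_dn": None, "ssl_challenge_done": False})
        tx["resource"] = rec["Resource"] or tx["resource"]
        tx["user_column"] = rec["User"] or tx["user_column"]
        msg = rec["Message"]
        m = AUTH_RE.search(msg)
        if m:
            tx["auth_user"] = m.group(1)
        m = SESSION_RE.search(msg)
        if m:
            tx["session_dn"] = m.group(1)
        if "SMCHALLENGE=SSL_CHALLENGE_DONE" in msg:
            tx["ssl_challenge_done"] = True
    return txs


def classify(tx):
    """Assumed rules: 'unknown' plus the SSL challenge cookie marks a certificate login."""
    if tx["auth_user"] is not None:
        if tx["auth_user"] == "unknown" and tx["ssl_challenge_done"]:
            return "certificate-login"
        return "form-login"
    if tx["session_dn"]:
        return "session"
    return "other"


def effective_user(tx):
    """Prefer the User column; fall back to the DN decoded from SMSESSION."""
    return tx["user_column"] or tx["session_dn"] or None


if __name__ == "__main__":
    for txid, tx in summarize(SAMPLE.strip().splitlines()).items():
        print(txid, classify(tx), tx["resource"], effective_user(tx))
```

Note that the certificate login transaction on its own yields no user name; only the follow-up request that decodes the SMSESSION cookie does.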

 

 

Create "X.509 Certificate and Form Authentication" Scheme.

 

As usual, previously demonstrated steps will be skipped.

Create "Certificate and Form" Authentication Scheme as below.

Fill in the following and submit.

Name: Certificate and Form

Authentication Scheme Type: X509 Client Cert or Form Template

Protection Level: 15

     Note: As this is another 2FA scheme, its default protection level is again 15.

Password Policies enabled for this Authentication Scheme: true

     Note: The Form authentication part involves a password, so the password policy can be applied here.

Server Name: www.sso.lab

Target: /siteminderagent/certoptional/forms/login.sfcc

     Note: Although this authentication scheme requires a client certificate, both "Certificate or Form" and "Certificate and Form" redirect to this "certoptional" directory.

Library: smauthcert

     Note: The library is different from the one used by "Certificate or Form", and the Parameter will show "login.sfcc?cert+forms" to indicate that both a certificate and form credentials are required.

 

 

Create Component and Resource from AdminUI to protect this resource.

 

Create Component as below and click "OK".

Component Name: Certificate and Form

Agent Type: Web Agent

Agent: agent.iis

Resource Filter: /certandform/

Default Resource Protection: Protected

Authentication Scheme: Certificate and Form

 

Click on the "Resources" tab, select the "/certandform/" context root and click "Create".

Fill in the below and click "OK".

Name: Access Cert and Form

Resource: *

Allow/Deny: Allow Access, Enabled

Action: GET, POST

 

Click on the "Policies" tab and select "/certandform/" from the context root.

Assign "Basic Role" to the "Access Cert or Form" resource. Click on "SUBMIT".

 

 

Test use case #1 (Submit Certificate and correct Form credential)

 

Now visit http://www.sso.lab/certandform/ to test.

Submit user1 client certificate and user1 form credentials.

 

 

webagenttrace.log

[02/15/2016][11:50:00][6576][2116][CSmHighLevelAgent.cpp:970][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][][][][][][Start new request.]

[02/15/2016][11:50:00][6576][2116][CSmResourceManager.cpp:187][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:8683][CSmHttpPlugin::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][][][][][][Resolved Client IP address '192.168.201.101'.]

[02/15/2016][11:50:00][6576][2116][SmFCC.cpp:2917][SmFcc::getLocalePath][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][][][][Localized Path = C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc, working locale = en-US]

[02/15/2016][11:50:00][6576][2116][CSmFormTemplateCache.cpp:196][CSmFormTemplateCache::GetForm][][][][][][][Serving form template 'C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc' from cache.]

[02/15/2016][11:50:00][6576][2116][SmAdvancedAuthCore.cpp:632][SmAdvancedAuthCore::parseTargetUrl][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][][/certandform/][][Resolved cookie domain '.sso.lab'.]

[02/15/2016][11:50:00][6576][2116][CSmResourceManager.cpp:225][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource returned SmSuccess.]

[02/15/2016][11:50:00][6576][2116][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][][Resource is protected from cache.]

[02/15/2016][11:50:00][6576][2116][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][][Processing IsProtected responses.]

[02/15/2016][11:50:00][6576][2116][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][11:50:00][6576][2116][CSmCredentialManager.cpp:222][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]

[02/15/2016][11:50:00][6576][2116][SmFCC.cpp:703][SmFcc::getCredentials][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][][Success in collecting credentials.]

[02/15/2016][11:50:00][6576][2116][SmPluginUtilities.cpp:481][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][][POST preservation, handling return from credential collector.]

[02/15/2016][11:50:00][6576][2116][SmPluginUtilities.cpp:618][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][][http response https://www.sso.lab/certandform/]

[02/15/2016][11:50:00][6576][2116][CSmCredentialManager.cpp:260][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmSuccess.]

[02/15/2016][11:50:00][6576][2116][CSmLowLevelAgent.cpp:1200][AuthenticateUser][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][][User 'user1' is authenticated by Policy Server.]

[02/15/2016][11:50:00][6576][2116][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][user1][Processing Authentication responses.]

[02/15/2016][11:50:00][6576][2116][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][user1][Deleted cookie 'SMTRYNO'.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:8040][CSmHttpPlugin::GenerateSSLChallengeDoneCookie][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][user1][Generating SMCHALLENGE=SSL_CHALLENGE_DONE set-cookie response header.]

[02/15/2016][11:50:00][6576][2116][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][11:50:00][6576][2116][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][user1][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:1415][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][user1][SAVEDSESSION Cookie Created.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][user1][Generated SMSESSION cookie.]

[02/15/2016][11:50:00][6576][2116][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][user1][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[02/15/2016][11:50:00][6576][2116][CSmHighLevelAgent.cpp:1282][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][user1][End new request.]

I find that there is a "SAVEDSESSION" cookie after user1 was authenticated.

This cookie did not get generated for the "Certificate and Basic" authentication scheme, so this appears to be unique to "Certificate and Form" authentication.

webagenttrace.log

[02/15/2016][11:50:00][6576][2116][CSmHighLevelAgent.cpp:321][ProcessRequest][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][][][][][][Start new request.]

[02/15/2016][11:50:00][6576][2116][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:490][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][][][][][][Resolved hostname: 'www.sso.lab'.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:509][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][][][][][][Resolved agentname: 'agent.iis'.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][][][agent.iis][][][Resolved Client IP address '192.168.201.101'.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:657][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][][][Resolved URL: '/certandform/'.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:781][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][][Resolved METHOD: 'GET'.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:834][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][][Resolved cookie domain: '.sso.lab'.]

[02/15/2016][11:50:00][6576][2116][CSmResourceManager.cpp:112][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmSuccess.]

[02/15/2016][11:50:00][6576][2116][CSmSessionManager.cpp:82][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][][Calling SM_WAF_HTTP_PLUGIN->EstablishSession.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:6609][CSmHttpPlugin::ProcessSessionCookie][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Decoded SMSESSION cookie - User = 'CN=user1,OU=People,DC=sso,DC=lab', IP address = '192.168.201.101'.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:2216][CSmHttpPlugin::EstablishSession][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Processed SMSESSION cookie.]

[02/15/2016][11:50:00][6576][2116][CSmSessionManager.cpp:119][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmSuccess.]

[02/15/2016][11:50:00][6576][2116][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Resource is protected from cache.]

[02/15/2016][11:50:00][6576][2116][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Processing IsProtected responses.]

[02/15/2016][11:50:00][6576][2116][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][11:50:00][6576][2116][CSmCredentialManager.cpp:103][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Found session, no credentials required.]

[02/15/2016][11:50:00][6576][2116][CSmLowLevelAgent.cpp:999][AuthenticateUser][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Validating session 'I0n2BM4qml4/uGHk2AzGJbZlRzk=' for user 'CN=user1,OU=People,DC=sso,DC=lab' in zone 'SM'.]

[02/15/2016][11:50:00][6576][2116][CSmLowLevelAgent.cpp:1195][AuthenticateUser][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][User 'CN=user1,OU=People,DC=sso,DC=lab' is authenticated from cache.]

[02/15/2016][11:50:00][6576][2116][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Processing Authentication responses.]

[02/15/2016][11:50:00][6576][2116][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][11:50:00][6576][2116][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Generated SMSESSION cookie.]

[02/15/2016][11:50:00][6576][2116][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[02/15/2016][11:50:00][6576][2116][CSmLowLevelAgent.cpp:2768][AuthorizeUser][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][User 'CN=user1,OU=People,DC=sso,DC=lab' is authorized by Policy Server.]

[02/15/2016][11:50:00][6576][2116][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:3270][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Processing Authorization responses.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:3277][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Removing HTTP cache request headers.]

[02/15/2016][11:50:00][6576][2116][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Deleted cookie 'SMCHALLENGE'.]

[02/15/2016][11:50:00][6576][2116][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][11:50:00][6576][2116][CSmHighLevelAgent.cpp:801][ProcessRequest][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][AuthorizationManager returned SmYes, end new request.]

[02/15/2016][11:50:00][6576][2116][CSmHighLevelAgent.cpp:921][ProcessRequest][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][End new request.]

There is no sign of the SAVEDSESSION cookie being deleted, but the header dump page shows no sign of this cookie, so it is deleted.

 

Due to the above "SAVEDSESSION" cookie, I wrote instructions below on how to install and configure Fiddler to capture HTTPS traffic.

 

How to install fiddler and capture https traffic

 

 

 

As you can see from the captured traffic above, there is no "set-cookie: SAVEDSESSION=xxxx" in the response.

So, it never was actually set. It only appears in the webagenttrace.log and nowhere else.

This SAVEDSESSION cookie is for impersonation, and what I set up is Certificate and Form.

 

Looking back at the "Certificate and Forms" authentication scheme, the TARGET should have been login.sfcc, but it actually sets login.fcc (note the extension difference).

So, once I changed the target to point to login.sfcc, this SAVEDSESSION is not logged anymore.

It is a defect in the code (why it logs SAVEDSESSION when login.fcc is used) and is a cosmetic issue.

It is another defect that the base object for the "Certificate and Forms" template points to login.fcc.

Please ensure that you set the target to login.sfcc for "Certificate or Form" and "Certificate and Form" authentication.
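To check an existing webagenttrace.log for this condition, the following added example (not part of the original post and not CA code) parses the 13-field trace records shown above, groups them by transaction ID, and reports transactions that logged "SAVEDSESSION Cookie Created" while serving a .fcc template instead of .sfcc. The field names, the `_rec` helper, the transaction IDs and the `<forms_dir>` path are assumptions made for illustration.

```python
import re
from collections import defaultdict

# 13 bracketed fields per record. Field names are inferred from the sample
# lines on this page (an assumption), not taken from the agent's trace config.
FIELDS = ("date", "time", "pid", "tid", "src", "function", "txn", "client_ip",
          "unused", "agent", "resource", "user", "message")
LINE_RE = re.compile(r"^" + r"\[(.*?)\]" * 12 + r"\[(.*)\]$")
TEMPLATE_RE = re.compile(r"Localized Path = (.+?\.s?fcc),")

def parse_line(line):
    """Return the record as a dict, or None if the line is not a trace record."""
    m = LINE_RE.match(line.strip())
    return dict(zip(FIELDS, m.groups())) if m else None

def audit(lines):
    """Summarise each transaction: template served, user, SAVEDSESSION logged."""
    txns = defaultdict(lambda: {"user": "", "template": None,
                                "savedsession": False, "wrong_target": False})
    for rec in filter(None, map(parse_line, lines)):
        if not rec["txn"]:
            continue  # ResolveFQServerName records carry no transaction id
        t = txns[rec["txn"]]
        t["user"] = rec["user"] or t["user"]
        m = TEMPLATE_RE.search(rec["message"])
        if m:
            t["template"] = re.split(r"[\\/]", m.group(1))[-1]
        if "SAVEDSESSION Cookie Created" in rec["message"]:
            t["savedsession"] = True
    for t in txns.values():
        # Page's finding: the entry is logged when the target is .fcc, not .sfcc
        t["wrong_target"] = bool(t["savedsession"] and t["template"]
                                 and t["template"].lower().endswith(".fcc"))
    return dict(txns)

def _rec(txn, func, user, msg):
    """Build a record in the 13-field layout of the trace above (constructed)."""
    return ("[02/15/2016][11:50:00][6576][2116][X.cpp:1][%s][%s]"
            "[*192.168.201.101][][agent.iis][/certandform/][%s][%s]"
            % (func, txn, user, msg))

# Constructed sample: messages copied from the trace above; the ids
# "txn-A"/"txn-B", "X.cpp:1" and the <forms_dir> path are placeholders.
SAMPLE = [
    _rec("txn-A", "SmFcc::getLocalePath", "", r"Localized Path = C:\Program Files"
         r"\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc, working locale = en-US"),
    _rec("txn-A", "AuthenticateUser", "", "User 'user1' is authenticated by Policy Server."),
    _rec("txn-A", "CSmHttpPlugin::CreateSession", "user1", "SAVEDSESSION Cookie Created."),
    _rec("txn-B", "SmFcc::getLocalePath", "", "Localized Path = <forms_dir>/login.sfcc, working locale = en-US"),
    _rec("txn-B", "CSmHttpPlugin::CreateSession", "user1", "Generated SMSESSION cookie."),
    "[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]",
]
```

Calling `audit(open("webagenttrace.log"))` on a real trace returns one summary per transaction; entries with `wrong_target` set point to a scheme whose target still references login.fcc.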

 

This concludes all the certificate authentication schemes.

 

In the next article, we will explore Windows Authentication.
