Symantec Access Management


CA Single Sign On Web Intercept Error 403

  • 1.  CA Single Sign On Web Intercept Error 403

    Posted Oct 30, 2014 04:34 AM

    Hello,

     

    I have configured a Web Server on IIS 7.0. The backend database used by the Web Site is MySQL from where it brings the user credentials.

     

    I have added the MySQL database as the User Store in SiteMinder.

     

    The Web Agent is also working fine and is intercepting the requests to the WebSite.

     

    I have configured Policies -> Application -> Created New Application for the WebSite interception. The WebSite is being intercepted for credentials. The problem is that when I provide the correct credentials, I get an error "403: Access Forbidden".

     

    Can you please help in this regard?

     

    Thanking You

    Zia



  • 2.  Re: CA Single Sign On Web Intercept Error 403

    Posted Oct 30, 2014 09:55 AM

    Zia

     

    • What does the WebAgent Trace log state for this particular authentication transaction?
    • 403 Access Forbidden: you are using a Basic Auth scheme; have you flipped it to a Form Based Auth scheme and checked with login.fcc?
    • When you get the basic auth challenge, do you see the realm name in the basic auth prompt? That would suggest that it is indeed SiteMinder challenging.

     

     

    Regards

     

    Hubert



  • 3.  Re: CA Single Sign On Web Intercept Error 403

    Posted Oct 30, 2014 06:44 PM

    Hi Zia,

     

    Based on your description, it looks like you have NOT created a user policy to authorize a user. That should be the reason why you are getting a 403 - unauthorized error while accessing the resource.

    Refer to the following document to understand what policies are and how to create them to authorize a user:

     

    https://wiki.ca.com/display/sm1252sp1/How+to+Configure+a+Policy

     

    Hope this helps.

     

    Cheers,

    Ujwol



  • 4.  Re: CA Single Sign On Web Intercept Error 403

    Posted Oct 31, 2014 06:08 AM

    Hello,

     

    Yeap, I found a few points in the web agent trace logs:

     

    [10/31/2014][12:10:11][4056][3568][CSmCredentialManager.cpp:130][CSmCredentialManager::GatherCredentials][000080fe0000000049eb40e941f0056b-0fd8-545335d3-0df0-01736784][*10.10.1.230][][iiswebagent][/][][Calling SM_WAF_HTTP_PLUGIN->ProcessCredentials.]

     

    [10/31/2014][12:10:11][4056][3568][CSmCredentialManager.cpp:174][CSmCredentialManager::GatherCredentials][000080fe0000000049eb40e941f0056b-0fd8-545335d3-0df0-01736784][*10.10.1.230][][iiswebagent][/][][SM_WAF_HTTP_PLUGIN->ProcessCredentials returned SmNoAction.]

     

    [10/31/2014][12:10:11][4056][3568][CSmHighLevelAgent.cpp:572][ProcessRequest][000080fe0000000049eb40e941f0056b-0fd8-545335d3-0df0-01736784][*10.10.1.230][][iiswebagent][/][][CredentialManager returned SmNo or SmNoAction, calling ChallengeManager.]

     

    [10/31/2014][12:10:11][4056][3568][CSmChallengeManager.cpp:105][CSmChallengeManager::DoChallenge][000080fe0000000049eb40e941f0056b-0fd8-545335d3-0df0-01736784][*10.10.1.230][][iiswebagent][/][][Calling SM_WAF_HTTP_PLUGIN->ProcessChallenge.]

     

    [10/31/2014][12:10:11][4056][3568][CSmChallengeManager.cpp:124][CSmChallengeManager::DoChallenge][000080fe0000000049eb40e941f0056b-0fd8-545335d3-0df0-01736784][*10.10.1.230][][iiswebagent][/][][SM_WAF_HTTP_PLUGIN->ProcessChallenge returned SmExit.]

     

    [10/31/2014][12:10:11][4056][3568][CSmHighLevelAgent.cpp:596][ProcessRequest][000080fe0000000049eb40e941f0056b-0fd8-545335d3-0df0-01736784][*10.10.1.230][][iiswebagent][/][][Challenge Manager returned SmExit, end new request.]

     

    [10/31/2014][12:10:11][4056][3568][CSmLowLevelAgent.cpp:3079][ReportHealthData][][][][][][][Accumulating HealthMonitorCtxt.]

     

    Secondly, yes, the webpage, while requesting credentials, does show the Realm name.

     

    Ujwol,

     

    I had first tried with the Application method; however, as per your recommendation, I used the domain/policy method, but I am still getting the same error.

     

    Thanking you both

    Zia



  • 5.  Re: CA Single Sign On Web Intercept Error 403

    Posted Oct 31, 2014 11:20 AM

    Thank You Zia

     

    It looks like the Credential Manager returned "no action needed". Hmmm, maybe it thinks that the TARGET is unprotected, hence not authenticating you.

     

    Would have loved to see an entire thread of the log, as this log snippet is inconclusive for me.

     

    Meanwhile, could we visit these points and see if anything shows up?

     

    • Do you use a Cookie Editor tool? Can you run that on the browser and tell us if you see an SMSession Cookie getting created? We need to be sure whether your request is failing Authentication OR Authorization.
    • What URL are you accessing on the Browser?
    • What Realm URI is configured within the Policy Domain?
    • What Rule URI is configured within the Realm?
    • What methods are selected for the Rule?

     

    The other things that I would do are...

    • Check the Policy Server trace log to see what decisions the Policy Server is making.
    • I would alternatively use the SMTestTool to test my Policy setup; this would ensure that everything is all good on the Policy Server end. That way half the worry is outside the door and you can just focus on the WA side.

     

    Regards

     

    Hubert



  • 6.  Re: CA Single Sign On Web Intercept Error 403

    Posted Nov 05, 2014 12:44 AM

    Hello Hubert,

     

    First of all, sorry for the delayed reply, as there were holidays over here and I didn't have access to my servers.

     

    I have attached the Trace logs file. If you look at the logs, they show that the resource is protected.

     

    I don't think the SMSession Cookie is starting, as if we look at the logs there is a statement "EstablishSession returned SmNoAction".

     

    I am simply using the IP to access the webpage; currently I have http://10.10.1.227

     

    It is a PHP based Web Site using MySQL as a backend database and IIS is used for publishing the website.

     

    The Realm URI is configured for "/" as the resource filter.

     

    Put, Post & Get are used as the Rules.

     

    Regards

    Zia

    Attachment: Test_file.txt.zip (2 KB)


  • 7.  Re: CA Single Sign On Web Intercept Error 403
    Best Answer

    Posted Nov 05, 2014 12:50 AM

    Hi Zia,

     

    You can't use an IP... SiteMinder requires a fully qualified domain name, e.g. facebook.com

    Please try using the FQDN and let us know if it works.

     

    Cheers,

    Ujwol



  • 8.  Re: CA Single Sign On Web Intercept Error 403

    Posted Nov 05, 2014 01:13 AM

    Hello Ujwol,

     

    Thanks for this. I think I have moved a little step forward with your help. As soon as I tried the FQDN, it started giving the username in the logs. However, now I am getting Error 401 Access Denied.

     

    Now it states that the user "admin" is not authenticated by the policy server.

     

    I have also attached the trace log file for your reference.

     

    Thanking You

    Zia

    Attachment: Test_file2.txt.zip (2 KB)


  • 9.  Re: CA Single Sign On Web Intercept Error 403

    Posted Nov 05, 2014 04:49 AM

    Hello Ujwol,

     

    The problem is partially resolved.

     

    For explanation, let us use the username "admin" and the password "test@123". If we look at the table using the MySQL Command line utility, it shows us the password "ceb6c970658f31504a901b89dcd3e461". It is encrypted using some MySQL encryption algorithm.

     

    If we look at the MySQL Query Scheme in our SiteMinder for "Authenticate User", it has the following SQL query (odm_user is our Users table):

     

    SELECT username FROM odm_user WHERE username = '%s' AND password = '%s'

     

    The problem is that if I use the password "ceb6c970658f31504a901b89dcd3e461" it lets me in, instead of test@123. I think I will have to change the MySQL Query for this over here.

     

    Please correct me if I am wrong, and tell me what exactly the query should be, so that SiteMinder sends it in a similar manner as the Webpage sends it.

     

    Regards

    Zia



  • 10.  Re: CA Single Sign On Web Intercept Error 403

    Posted Nov 05, 2014 07:48 AM

    Zia

     

    SiteMinder would never send it in a similar manner as the encryption. SiteMinder only uses queries and passes information in queries to the backend. It is the job of the backend to convert the data using the correct algorithm before doing a match.

     

    Since it is suggested that a MySQL encryption algorithm was used, our suggestion would be to use a FUNCTION call for the authenticate query.

     

    Authenticate Query : Call Procedure_Name %s , %s

     

    SiteMinder would only invoke the Function by passing 2 input values, i.e. Password and Username. In the backend, when the FUNCTION is executed, the function would call the encryption algorithm which encrypts the password. Thus, before the Username and Password match is done, the Function would have encrypted the Password.

     

    https://wiki.ca.com/display/sm1252sp1/SQL+Query+Schemes#SQLQuerySchemes-ConfigureSQLQuerySchemesforAuthenticationUsingStoredProcedures

     

     

    Regards

     

    Hubert
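
    The stored-procedure approach Hubert describes, applied to the odm_user query Zia posted, as an added example (not code from the thread or from CA). It assumes the stored value is an unsalted MD5 hex digest (the 32 hex characters quoted above are consistent with MD5, but confirm against the PHP site's own login code), that the procedure is named sm_authenticate, and that SiteMinder substitutes username first and password second (check the parameter order against the linked CA documentation).

```sql
-- Added example: hash on the database side so SiteMinder can pass the
-- clear-text credentials through unchanged. Not part of the original thread.
-- Assumption: odm_user.password holds an unsalted MD5 hex digest.

-- Constructed table and row so the example runs stand-alone on MySQL.
CREATE TABLE IF NOT EXISTS odm_user (
  username VARCHAR(64) NOT NULL PRIMARY KEY,
  password CHAR(32)    NOT NULL      -- hex digest, never the clear-text password
);
INSERT INTO odm_user (username, password) VALUES ('admin', MD5('test@123'));

DELIMITER $$
DROP PROCEDURE IF EXISTS sm_authenticate $$
-- Hypothetical procedure name; parameter order (username, password) is an
-- assumption to be matched against what SiteMinder substitutes for %s, %s.
CREATE PROCEDURE sm_authenticate(IN p_username VARCHAR(64),
                                 IN p_password VARCHAR(255))
BEGIN
  -- Hash what the user typed and compare it with the stored digest.
  -- An empty result set means "not authenticated", the same contract the
  -- original SELECT-based query scheme relied on. Submitting the digest
  -- itself as the password no longer matches, because it is hashed again.
  SELECT username
    FROM odm_user
   WHERE username = p_username
     AND password = MD5(p_password);
END $$
DELIMITER ;

-- Authenticate Query in the SiteMinder SQL Query Scheme would then be of the
-- form Hubert gave:  Call sm_authenticate %s, %s
-- Equivalent direct calls for checking the procedure from the mysql client:
CALL sm_authenticate('admin', 'test@123');                         -- clear-text password
CALL sm_authenticate('admin', 'ceb6c970658f31504a901b89dcd3e461');  -- the digest, as in the thread
```

    Unsalted MD5 is kept here only because it is what the site already stores; if the PHP application moves to a salted or slow hash (for example PHP's password_hash), the comparison has to use the same function and salt, which a plain MD5() call in the procedure cannot reproduce.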



  • 11.  Re: CA Single Sign On Web Intercept Error 403

    Posted Nov 05, 2014 04:48 PM

    Hi Zia,

     

    Additionally, as you have got past your original issue, and now have a different issue with regard to using an encrypted password, do you mind closing this thread here and opening a new one for your new query?

     

    Thanks,

    Ujwol



  • 12.  Re: CA Single Sign On Web Intercept Error 403

    Posted Nov 06, 2014 01:10 AM

    Thanks a lot. Yes, the issue for which the thread was created is resolved.

     

    Regards

    Zia