Symantec Access Management


Why is Authorization fails after authentication

  • 1.  Why is Authorization fails after authentication

    Posted Apr 02, 2015 05:33 PM

    Webagent is redirecting to login page after successful authentication. Trace log says:

    AuthorizationManager returned SmNo or SmNoAction,
    calling ChallengeManager,
    Executing forms challenge, redirecting to credential Collector,
    is not authorized by the policy server.

    Any help would be greatly appreciated.

     

    Thanks

    Venkat



  • 2.  Re: Why is Authorization fails after authentication

    Posted Apr 02, 2015 05:49 PM

    Default SiteMinder behavior is to send the user back to the login if an AzReject (Not Authorized) event is triggered.

     

    You need to find out what resource being accessed is generating the not authorized event.  If it is the target application, make sure you have Rules and Policy in place.

     

    I hope the auth scheme itself is not protected, because it shouldn't be.



  • 3.  Re: Why is Authorization fails after authentication

    Posted Apr 02, 2015 05:50 PM

    BTW, the SiteMinder test tool is great for things like this.  I recommend using it.



  • 4.  Re: Why is Authorization fails after authentication

    Posted Apr 02, 2015 08:32 PM

    Thanks for your reply.

     

    I checked the auth scheme and it is not protected. Does adding a virtual directory to the sites folder in IIS after webagent installation have an effect?

     

    Regards

    Venkat



  • 5.  Re: Why is Authorization fails after authentication

    Posted Apr 03, 2015 08:50 AM

    Have you tried log correlation to track this to a policy server and find the corresponding  actions there?

     

    This KB doc would probably help:

    http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec589903.aspx

     

    This thread can assist in getting you the logging configuration that will suit you best:

    (I know CA made an updated workbook, but I don't think they posted it yet)

    CA SiteMinder Logging



  • 6.  Re: Why is Authorization fails after authentication

    Posted Apr 03, 2015 12:49 PM

    FYI...
    One thing that frequently causes confusion while troubleshooting this type of issue:
    Authentication is handled at the Domain level (based on the User Directory)
    Authorization is handled at the Policy level.  It could be the user (or anything else that is included in the Policy) or the web agent that is causing the AzReject.

     

    In the case of the web agent being the cause of the AzReject, the smaccess.log will not help much, as it will always look like the user is the cause of the rejection.  The AzReject message in smaccess.log won't indicate that the web agent is the source of the rejection.  The Policy Server Profiler (smtracedefault.log),  with the correct set of Components and Data objects should help to narrow down whether it is the user or the web agent that is causing the AzReject.


    Check the WebAgent that is configured in the Realm.  If that is the WebAgent that is referenced in the AzReject message, then the WebAgent is not the issue.
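
The triage suggested in replies 2 and 6, as an added example that is not part of the thread or of the product's tooling: it tallies AzAccept and AzReject events per web agent and resource and lists users who were authenticated and then rejected. The smaccess.log line layout and the host, agent, user and resource names are constructed assumptions.

```python
import re
from collections import defaultdict

# ASSUMED line layout, constructed for this example; compare it with a real
# smaccess.log from your Policy Server and adjust the pattern before use.
LINE = re.compile(
    r'^(?P<event>\w+)\s+(?P<host>\S+)\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<ip>[^\s"]+)\s*(?P<user>[^"]*)"\s+'
    r'"(?P<agent>\S+)\s+(?P<method>\S+)\s+(?P<resource>[^"]+)"')

U1 = "uid=user1,ou=people,dc=example,dc=com"   # hypothetical users
U2 = "uid=user2,ou=people,dc=example,dc=com"

def _line(event, user, ts):
    return (f'{event} ps01 [02/Apr/2015:{ts} -0400] "10.0.0.5 {user}" '
            f'"iis-agent GET /app/home.aspx" [] [0] [] []')

# Constructed sample: user1 authenticates and is rejected twice (the login
# loop); user2 is authorized for the same resource; one line is unparsable.
SAMPLE = [
    _line("AuthAccept", U1, "17:30:01"), _line("AzReject", U1, "17:30:01"),
    _line("AuthAccept", U1, "17:30:09"), _line("AzReject", U1, "17:30:09"),
    _line("AuthAccept", U2, "17:31:00"), _line("AzAccept", U2, "17:31:00"),
    "truncated line without the expected fields",
]

def parse(lines):
    """Return one dict per line that matches LINE; skip the rest."""
    return [m.groupdict() for m in map(LINE.match, lines) if m]

def az_summary(events):
    """Per (agent, resource): AzAccept/AzReject counts and rejected users."""
    out = defaultdict(lambda: {"AzAccept": 0, "AzReject": 0, "rejected": set()})
    for e in events:
        if e["event"] in ("AzAccept", "AzReject"):
            row = out[(e["agent"], e["resource"])]
            row[e["event"]] += 1
            if e["event"] == "AzReject":
                row["rejected"].add(e["user"])
    return dict(out)

def login_loops(events):
    """(user, resource) pairs with an AzReject after that user's AuthAccept."""
    authed, loops = set(), {}
    for e in events:
        if e["event"] == "AuthAccept":
            authed.add(e["user"])
        elif e["event"] == "AzReject" and e["user"] in authed:
            loops[(e["user"], e["resource"])] = True
    return list(loops)
```

Rejections alongside AzAccept entries for other users suggest looking at who the policy covers; rejections with no AzAccept at all suggest looking at the rules and policy on the realm. As reply 6 notes, the Policy Server Profiler is still needed to tell whether the web agent is the cause.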



  • 7.  Re: Why is Authorization fails after authentication
    Best Answer

    Posted Apr 03, 2015 04:05 PM

    Thank you very much for the valuable input. I was able to resolve the issue.

    Solution:

    Incorrect policy rules; changed the policy rules and it worked.

     

     

    Regards

    Venkat



  • 8.  Re: Why is Authorization fails after authentication

    Posted Apr 21, 2015 04:31 PM

    Hi Venkat,

    Can I know what policy rules you have configured to resolve this issue? I am facing the same kind of issue on an IIS web server: "user is redirecting to same login page", and the trace logs show the user is not authorized.

    I have configured only one rule [Get,post,Put] and assigned it to the policy.



  • 9.  Re: Why is Authorization fails after authentication

    Posted Apr 21, 2015 04:49 PM

    I have used OnAuthAccept and OnAccessAccept rules. My situation was that the user is authenticated, but not authorized to access the resource even though the user has the right to access it. Probably this could help.

     

    Thanks

    Venkat



  • 10.  Re: Why is Authorization fails after authentication

    Posted Apr 22, 2015 08:27 AM

    Hello Venkat,

    Do we need to add responses to those OnAuthAccept and OnAccessAccept rules? If so, can I know what response we should configure?



  • 11.  Re: Why is Authorization fails after authentication

    Posted Apr 22, 2015 09:19 AM

    If you want to redirect the user when they are Not Authorized (AzReject) to access the protected resource, you need to:

     

    On the protected realm, add a Rule with the action OnAccessReject.

     

    Create a Response of type WebAgent-OnReject-Redirect.  In the static variable field, add the URL you want users to redirect to when they are not authorized.  This URL should be unprotected.

     

    Create a Policy to "catch" the rejected users.  This policy should allow "everyone" so make sure on the Users tab you add "all" or whatever you normally use to allow all users.  On the Policy Rules tab, add the Rule you created above for the OnAccessReject event.  Then add the Response to the Rule.