Symantec Access Management

  • 1.  Doesn't redirect to login page.

    Posted Jul 18, 2016 12:50 PM

    Hi,

     

    I have an Angular application which uses a SiteMinder-protected web API. When a user logs in for the first time, it correctly redirects to the login page and everything works fine. But when I close the tab and open the page, it doesn't redirect to the login page, and every web API request fails. (I found smsession='loggedout' using Fiddler.)

    When I refresh the page, the login page reappears.

    Am I missing something here?

    Also, is it possible to get the SiteMinder login URL programmatically?

     

    Thanks,



  • 2.  Re: Doesn't redirect to login page.

    Posted Jul 18, 2016 09:30 PM

    Hi Pradip,

     

    Have you enabled the web agent trace? If not, enable it and see why it fails to show the login page.

    If you can't figure this out, then you can attach your Fiddler capture and a snippet of the web agent trace logs, and we can review them.


    Regards,

    Ujwol



  • 3.  Re: Doesn't redirect to login page.

    Posted Jul 20, 2016 09:20 AM

    Hi Ujwol,

     

    Thank you for replying. From the web agent trace, it looks like the expected SMSESSION cookie is empty, but the application is not prompting the user to log in; instead, it continues without authentication.

    From debugging, I found the SiteMinder headers are there but no user information.

    Trace log: https://1drv.ms/u/s!AjrmyfDFMh7Plb0Pwkkv0Vf5kjbLBA



  • 4.  Re: Doesn't redirect to login page.

    Posted Jul 20, 2016 08:06 PM

    Hi Pradip,

     

    I don't see any problem in the agent trace logs. When it didn't find the SMSESSION cookie, it did redirect to the credential collector:

     

    [07/19/2016][08:22:03][4728][5896][CSmHttpCredCore.cpp:1971][CSmHttpCredCore::DoFormsChallenge][00000000000000000000000035828c0a-1278-578e1b6b-1708-003632e6][*10.140.130.53][][ai-seb04dev-009][/App_Client/client/index.html][][Redirecting to credential collector 'https://citdecadssoweb.cit.nih.gov/CertAuthV2/forms/NIHPivOrFormLogin.aspx?TYPE=33554433&REALMOID=06-3f7f81d1-9cfc-425c-910a-b069e0d500b2&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-UHwqPLI1%2farbeoe8Sz5qBROfjFaYbnJ5ghh85dN%2bLII0xphDEGqyVBQT2kiDtYyQ&TARGET=-SM-http%3a%2f%2fai--seb04dev--009%2eniaid%2enih%2egov%3a8080%2fApp_Client%2fclient%2findex%2ehtml'.]

     

    For all subsequent requests, a valid (not logged off) SMSESSION cookie was always there, so it didn't have to redirect for login:

     

    [07/19/2016][08:22:08][4728][5896][CSmHttpPlugin.cpp:6561][CSmHttpPlugin::ProcessSessionCookie][00000000000000000000000035828c0a-1278-578e1b70-1708-02622059][*10.140.130.53][][ai-seb04dev-009][/api/MyNiaidWebApi/GetPauseUntilConfig][shresthap][Decoded SMSESSION cookie - User = 'CN=shresthap,OU=Users,OU=NIAID,OU=NIH,OU=AD,DC=nih,DC=gov', IP address = '10.140.130.53'.]

    [07/19/2016][08:22:08][4728][5896][CSmHttpPlugin.cpp:2193][CSmHttpPlugin::EstablishSession][00000000000000000000000035828c0a-1278-578e1b70-1708-02622059][*10.140.130.53][][ai-seb04dev-009][/api/MyNiaidWebApi/GetPauseUntilConfig][shresthap][Processed SMSESSION cookie.]

     

    I would suggest doing the following test:

     

    1. Clear all browser cookies

    2. Access protected resource /App_Client/client/index.html

    3. Web Agent should redirect for login

    4. Provide valid login credentials and browse site for a while.

    5. Finally, log off the session by visiting "LogOffUri" url as configured in your ACO

    6. Close the browser tab

    7. Open the browser and try accessing the protected site again :  /App_Client/client/index.html

    8. Check if the agent redirects you for login or not. If it doesn't redirect, there is an issue...

     

    If you can reproduce the issue as above, collect the following logs for all of the above transactions:

    - Fiddler log

    - Web agent logs and Trace



  • 5.  Re: Doesn't redirect to login page.

    Posted Jul 21, 2016 08:05 AM

    Hi Ujwol,

     

    The redirection and valid SMSESSION cookie are when it asks for credentials. But if you see:

    [07/19/2016][08:22:21][4728][2732][CSmHighLevelAgent.cpp:321][ProcessRequest][00000000000000000000000035828c0a-1278-578e1b7d-0aac-03404e45][][][][][][Start new request.]

    [07/19/2016][08:22:21][4728][2732][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][00000000000000000000000035828c0a-1278-578e1b7d-0aac-03404e45][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]

    [07/19/2016][08:22:21][4728][2732][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][00000000000000000000000035828c0a-1278-578e1b7d-0aac-03404e45][][][][][][Resolved HTTP_HOST: 'ai-seb04dev-009.niaid.nih.gov:8080'.]

    [07/19/2016][08:22:21][4728][2732][CSmHttpPlugin.cpp:5218][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][ai-seb04dev-009.niaid.nih.gov:8080]

    [07/19/2016][08:22:21][4728][2732][CSmHttpPlugin.cpp:490][CSmHttpPlugin::ProcessResource][00000000000000000000000035828c0a-1278-578e1b7d-0aac-03404e45][][][][][][Resolved hostname: 'ai-seb04dev-009.niaid.nih.gov:8080'.]

    [07/19/2016][08:22:21][4728][2732][CSmHttpPlugin.cpp:509][CSmHttpPlugin::ProcessResource][00000000000000000000000035828c0a-1278-578e1b7d-0aac-03404e45][][][][][][Resolved agentname: 'ai-seb04dev-009'.]

    [07/19/2016][08:22:21][4728][2732][CSmHttpPlugin.cpp:5571][CSmHttpPlugin::ResolveClientIp][00000000000000000000000035828c0a-1278-578e1b7d-0aac-03404e45][][][ai-seb04dev-009][][][Resolved Client IP address '10.140.130.53'.]

    [07/19/2016][08:22:21][4728][2732][CSmHttpPlugin.cpp:657][CSmHttpPlugin::ProcessResource][00000000000000000000000035828c0a-1278-578e1b7d-0aac-03404e45][*10.140.130.53][][ai-seb04dev-009][][][Resolved URL: '/api/MyNiaidWebApi/GetPauseUntilConfig'.]

    [07/19/2016][08:22:21][4728][2732][CSmHttpPlugin.cpp:773][CSmHttpPlugin::ProcessResource][00000000000000000000000035828c0a-1278-578e1b7d-0aac-03404e45][*10.140.130.53][][ai-seb04dev-009][/api/MyNiaidWebApi/GetPauseUntilConfig][][Resolved METHOD: 'GET'.]

    [07/19/2016][08:22:21][4728][2732][CSmHttpPlugin.cpp:826][CSmHttpPlugin::ProcessResource][00000000000000000000000035828c0a-1278-578e1b7d-0aac-03404e45][*10.140.130.53][][ai-seb04dev-009][/api/MyNiaidWebApi/GetPauseUntilConfig][][Resolved cookie domain: '.nih.gov'.]

    [07/19/2016][08:22:21][4728][2732][CSmResourceManager.cpp:112][CSmResourceManager::ProcessResource][00000000000000000000000035828c0a-1278-578e1b7d-0aac-03404e45][*10.140.130.53][][ai-seb04dev-009][/api/MyNiaidWebApi/GetPauseUntilConfig][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmSuccess.]

    [07/19/2016][08:22:21][4728][2732][CSmSessionManager.cpp:82][CSmSessionManager::EstablishSession][00000000000000000000000035828c0a-1278-578e1b7d-0aac-03404e45][*10.140.130.53][][ai-seb04dev-009][/api/MyNiaidWebApi/GetPauseUntilConfig][][Calling SM_WAF_HTTP_PLUGIN->EstablishSession.]

    [07/19/2016][08:22:21][4728][2732][CSmSessionManager.cpp:126][CSmSessionManager::EstablishSession][00000000000000000000000035828c0a-1278-578e1b7d-0aac-03404e45][*10.140.130.53][][ai-seb04dev-009][/api/MyNiaidWebApi/GetPauseUntilConfig][][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmNoAction.]

    [07/19/2016][08:22:21][4728][2732][CSmLowLevelAgent.cpp:520][IsResourceProtected][00000000000000000000000035828c0a-1278-578e1b7d-0aac-03404e45][*10.140.130.53][][ai-seb04dev-009][/api/MyNiaidWebApi/GetPauseUntilConfig][][Resource is not protected from cache.]

    [07/19/2016][08:22:21][4728][2732][CSmResponseManager.cpp:193][ProcessResponses][00000000000000000000000035828c0a-1278-578e1b7d-0aac-03404e45][*10.140.130.53][][ai-seb04dev-009][/api/MyNiaidWebApi/GetPauseUntilConfig][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

    [07/19/2016][08:22:21][4728][2732][CSmHttpPlugin.cpp:2801][CSmHttpPlugin::ProcessResponses][00000000000000000000000035828c0a-1278-578e1b7d-0aac-03404e45][*10.140.130.53][][ai-seb04dev-009][/api/MyNiaidWebApi/GetPauseUntilConfig][][Processing IsProtected responses.]

    [07/19/2016][08:22:21][4728][2732][CSmResponseManager.cpp:231][ProcessResponses][00000000000000000000000035828c0a-1278-578e1b7d-0aac-03404e45][*10.140.130.53][][ai-seb04dev-009][/api/MyNiaidWebApi/GetPauseUntilConfig][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

    [07/19/2016][08:22:21][4728][2732][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][00000000000000000000000035828c0a-1278-578e1b7d-0aac-03404e45][*10.140.130.53][][ai-seb04dev-009][/api/MyNiaidWebApi/GetPauseUntilConfig][][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

    [07/19/2016][08:22:21][4728][2732][CSmHttpPlugin.cpp:1380][CSmHttpPlugin::CreateSession][00000000000000000000000035828c0a-1278-578e1b7d-0aac-03404e45][*10.140.130.53][][ai-seb04dev-009][/api/MyNiaidWebApi/GetPauseUntilConfig][][No active session found, exiting with SmNoAction.]

    [07/19/2016][08:22:21][4728][2732][CSmSessionManager.cpp:254][CSmSessionManager::CreateSession][00000000000000000000000035828c0a-1278-578e1b7d-0aac-03404e45][*10.140.130.53][][ai-seb04dev-009][/api/MyNiaidWebApi/GetPauseUntilConfig][][SM_WAF_HTTP_PLUGIN->CreateSession returned SmNoAction.]

    [07/19/2016][08:22:21][4728][2732][CSmHighLevelAgent.cpp:395][ProcessRequest][00000000000000000000000035828c0a-1278-578e1b7d-0aac-03404e45][*10.140.130.53][][ai-seb04dev-009][/api/MyNiaidWebApi/GetPauseUntilConfig][][ProtectionManager returned SmNo, end new request.]

    [07/19/2016][08:22:21][4728][2732][CSmLowLevelAgent.cpp:3568][ReportHealthData][][][][][][][Accumulating HealthMonitorCtxt.]

     

    There is no SMSESSION and it is not redirecting to the login server. This is the actual issue.

    Also, could you elaborate more on 'step 2 Access protected resource /App_Client/client/index.html' that you suggested? As SiteMinder was configured by someone else, I do not know about this.

     

    Thanks,

     

    Pradip



  • 6.  Re: Doesn't redirect to login page.
    Best Answer

    Posted Jul 22, 2016 03:09 AM

    It's working as expected.

     

    See here :

    case 1)  Unprotected Resource

    Resolved URL: '/api/MyNiaidWebApi/GetPauseUntilConfig'.]

    ..

    ..

    [/api/MyNiaidWebApi/GetPauseUntilConfig][][Resource is not protected from cache.]

     

    case 2) Protected Resource

    Resolved URL: '/App_Client/client/index.html'.

    ..

    ..

    [/App_Client/client/index.html][][Resource is protected from cache.]

    ..

    ..

    [Redirecting to credential collector 'https://citdecadssoweb.cit.n

     

    Conclusion: If the resource is NOT protected, you will not be challenged, i.e. no redirection to the login page.
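
Added example (not part of the original thread and not vendor code): a small Python triage script that groups web agent trace lines by transaction ID and reports which requests were challenged, which carried a session, and which passed through unprotected with no session, as in case 1 above. The sample trace is constructed in the 13-field layout of the lines quoted in this thread; the host, IP, transaction IDs, user and login URL are placeholders.

```python
import re

FIELD = re.compile(r"\[([^\]]*)\]")  # one bracketed trace field

# Constructed sample: same 13-field layout as the thread's trace lines,
# with the file:line field shortened and placeholder host/IP/user/txid values.
SAMPLE_TRACE = """\
[07/19/2016][08:22:03][1][1][src:0][IsResourceProtected][tx-0001][*192.0.2.10][][agent-01][/App_Client/client/index.html][][Resource is protected from cache.]
[07/19/2016][08:22:03][1][1][src:0][CSmHttpCredCore::DoFormsChallenge][tx-0001][*192.0.2.10][][agent-01][/App_Client/client/index.html][][Redirecting to credential collector 'https://login.example.test/login.aspx'.]
[07/19/2016][08:22:08][1][1][src:0][CSmHttpPlugin::ProcessSessionCookie][tx-0002][*192.0.2.10][][agent-01][/App_Client/client/index.html][jdoe][Decoded SMSESSION cookie - User = 'CN=jdoe', IP address = '192.0.2.10'.]
[07/19/2016][08:22:08][1][1][src:0][IsResourceProtected][tx-0002][*192.0.2.10][][agent-01][/App_Client/client/index.html][jdoe][Resource is protected from cache.]
[07/19/2016][08:22:21][1][1][src:0][IsResourceProtected][tx-0003][*192.0.2.10][][agent-01][/api/MyNiaidWebApi/GetPauseUntilConfig][][Resource is not protected from cache.]
[07/19/2016][08:22:21][1][1][src:0][CSmHttpPlugin::CreateSession][tx-0003][*192.0.2.10][][agent-01][/api/MyNiaidWebApi/GetPauseUntilConfig][][No active session found, exiting with SmNoAction.]
"""

def classify(trace_text):
    """Return {transaction_id: verdict} with one verdict per traced request."""
    reqs = {}
    for line in trace_text.splitlines():
        f = FIELD.findall(line)
        if len(f) != 13 or not f[6]:
            continue  # skip lines without a transaction ID (e.g. health data)
        txid, url, user, msg = f[6], f[10], f[11], f[12]
        r = reqs.setdefault(txid, {"url": "", "user": "",
                                   "protected": None, "outcome": "unknown"})
        r["url"] = url or r["url"]      # early lines of a request have no URL yet
        r["user"] = user or r["user"]
        if msg.startswith("Resource is not protected"):
            r["protected"] = False
        elif msg.startswith("Resource is protected"):
            r["protected"] = True
        elif msg.startswith("Redirecting to credential collector"):
            r["outcome"] = "challenged"
        elif msg.startswith("Decoded SMSESSION cookie"):
            r["outcome"] = "session"
        elif msg.startswith("No active session found"):
            r["outcome"] = "anonymous"
    return reqs

def unauthenticated_passthrough(reqs):
    """URLs the agent let through with no protecting realm and no session."""
    return sorted({r["url"] for r in reqs.values()
                   if r["protected"] is False and r["outcome"] == "anonymous"})

if __name__ == "__main__":
    for txid, verdict in classify(SAMPLE_TRACE).items():
        print(txid, verdict)
    print("unprotected, no session:", unauthenticated_passthrough(classify(SAMPLE_TRACE)))
```

Run against a real trace file, the last list shows the endpoints that no realm covers, which is where the agent will never challenge.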



  • 7.  Re: Doesn't redirect to login page.

    Posted Jul 25, 2016 08:21 AM

    Thank you Ujwol.

     

    So, is there any way that I can make GetPauseUntilConfig and other similar resources to be protected from cache?

     

    Thanks,

     

    Pradip