Symantec Access Management

Hi All,

I would like to understand the possible scnerios when Siteminder returns 401 response.

From my understanding 401 is associated with Basic Authentication scheme and it returns when the Authentication is failed.Is it right? Kindly provide your valuable comments.

From the doco, it looks like access denied error:

• Access Denied errors—the Agent uses the file specified in the following parameter:
  • Custom401ErrorFileSpecifies the customized HTML page to display when users receive a 401 (insufficient privileges) browser error. These errors occur when a user does not have the appropriate privileges to access a resource.Note: Some web servers append text of their own to the custom text that you choose. So the response pages for these servers are not customizable. Default: No default (blank).

Thanks Ujwal. To be more specific, what is the behavior of Basic AuthScheme when the authentication is failed. Lets assume that the user login is failed due to AuthReject event. How will the Webserver understands the failed login when it says

  401 Authorization Required message. Does it mean that Http header returned from SM to Webserver when the authfailed?

Hi Saravanan,

Tested with basic authentication scheme -- webserver logs error 401 against both authentication and authorization failures.

== Authrization failure ==

2016-08-18 10:53:13 10.0.2.16 GET /test/index.asp - 80 - 10.0.2.16 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:43.0)+Gecko/20100101+Firefox/43.0 401 0 0 500

[08/18/2016][20:53:13][3084][3016][CSmLowLevelAgent.cpp:2796][AuthorizeUser][000080fe00000000df9747406b754f83-0c0c-57b59398-0bc8-02e65af1][*10.0.2.16][][agent][/test/index.asp][guest][User 'CN=Guest,CN=Users,DC=kelly,DC=lab' is not authorized by Policy Server.]

== Authentication failure ==

2016-08-18 10:53:04 10.0.2.16 GET /test/index.asp - 80 - 10.0.2.16 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:43.0)+Gecko/20100101+Firefox/43.0 401 0 0 343

[08/18/2016][20:53:04][3084][3016][CSmLowLevelAgent.cpp:1332][AuthenticateUser][000080fe00000000df9747406b754f83-0c0c-57b5938f-0bc8-03066df1][*10.0.2.16][][agent][/test/index.asp][][User 'wonsa03' is not authenticated by Policy Server.]

Thanks for the quick help. Any idea on How does the Webserver understand the failure login and triggered the 401 response?

Hi Saravnan,

To webserver, error 401 is generally returned against access denied events.

For what it's worth, If user is authenticated but failed to be authorized by Siteminder, the error 401 response is associated with SMSESSION cookie.

== Quote from https://support.microsoft.com/en-au/kb/943891  ==

• 401 - Access denied.
  
  IIS 7.0, IIS 7.5, and IIS 8.0 define several HTTP status codes that indicate a more specific cause of a 401 error. The following specific HTTP status codes are displayed in the client browser but are not displayed in the IIS log:
  • 401.1 - Logon failed.
  • 401.2 - Logon failed due to server configuration.
  • 401.3 - Unauthorized due to ACL on resource.
  • 401.4 - Authorization failed by filter.
  • 401.5 - Authorization failed by ISAPI/CGI application.

Thanks Again for the help... I am interested how is it happens internally.. Does SM http basic auth returns http header to denote 401 and web server understands based on what it received from SM?

Webagent intercept the request and return it's authentication result to webserver:

Thanks. May I know the above screenshot, from where it is taken

It's from IIS failed request trace logs

I just want to share this information that I've gotten for this site: 403 Forbidden vs 401 Unauthorized HTTP responses - Stack Overflow. Hopefully, it helps!

There's a problem with 401 Unauthorized, the HTTP status code for authentication errors. And that’s just it: it’s for authentication, not authorization. Receiving a 401 response is the server telling you, “you aren’t authenticated–either not authenticated at all or authenticated incorrectly–but please reauthenticate and try again.” To help you out, it will always include a WWW-Authenticateheader that describes how to authenticate.

This is a response generally returned by your web server, not your web application.

It’s also something very temporary; the server is asking you to try again.

So, for authorization I use the 403 Forbidden response. It’s permanent, it’s tied to my application logic, and it’s a more concrete response than a 401.

Receiving a 403 response is the server telling you, “I’m sorry. I know who you are–I believe who you say you are–but you just don’t have permission to access this resource. Maybe if you ask the system administrator nicely, you’ll get permission. But please don’t bother me again until your predicament changes.”

In summary, a 401 Unauthorized response should be used for missing or bad authentication, and a 403 Forbidden response should be used afterwards, when the user is authenticated but isn’t authorized to perform the requested operation on the given resource.