Symantec Access Management

  • 1.  Cross-domain calls

    Posted Sep 23, 2016 03:39 PM

    Hi Guys,

     

    Here's the thing, I have a login.fcc page that is being called from a fat client with a DNS from the ".abc.com" domain and the fat client forces the target to be a DNS from the ".def.com" domain. We currently get a "500 : Server Error [00-0017]" meaning ->

     

    Reason:

    Invalid redirect target found.

    Action:

    Examine the log file of the Web Agent which is reporting this message to locate the URL being processed (usually an FCC or other advanced authentication URL) and determine if the value of the TARGET CGI parameter appears valid.

    We are pretty sure that the problem comes from the fact that we interact over two different domains but we're wondering if there's anything we can do to work around the problem? The ValidTargetDomain agent parameter doesn't seem to be enough to go over the issue.

     

    Thanks



  • 2.  Re: Cross-domain calls

    Posted Sep 26, 2016 06:52 AM

    Do you have TargetAsRelativeURI=yes?

     

    If yes, please try setting it to NO.



  • 3.  Re: Cross-domain calls

    Posted Sep 26, 2016 07:45 AM

    The TargetAsRelativeURI is currently set to no.



  • 4.  Re: Cross-domain calls

    Posted Sep 26, 2016 07:48 AM

    Can you share a snippet of the web agent trace log?



  • 5.  Re: Cross-domain calls

    Posted Sep 26, 2016 08:43 AM

    I've gathered more information this morning from one of my colleagues and we'll be trying something with the client first. If this doesn't work out I'll share the snippet of the web agent trace.

     

    Thanks,

     

    Steve



  • 6.  Re: Cross-domain calls
    Best Answer

    Posted Sep 26, 2016 07:09 PM

    Hi Steve,

     

    Upon further research, the error is thrown only if one of the following validations fails:

    1. If TargetAsRelativeURI = yes, and the target is not using the relative URI.

        For this case, you should additionally see the following message in the agent trace log:

        "Invalid target. Will not redirect the user to the target"

    2. If ValidTargetDomain is configured, and the target domain is not from one of the configured domains.

        For this case, you should additionally see the following message in the agent trace log:

        "Target domain not valid. Will not redirect the user to the target"

    3. If ValidTargetDomain is NOT configured, but FCCCompatmode is YES, then validate if the target domain matches the local domain.

        For this case, you should additionally see the following message in the agent trace log:

        "Target domain does not match the local domain. Will not redirect the user to the target."

     

    All of these log messages will appear in the trace log if the "Authentication" component is selected in the web agent trace configuration.

     

    Regards,

    Ujwol
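
A way to triage a Web Agent trace log using the three messages quoted in the answer above. This is an added example, not part of the original thread and not vendor code; the function names and the line layout in `SAMPLE` are assumptions, and only the quoted message strings and parameter names come from the answer.

```python
from collections import Counter

# (trace message quoted in the answer, validation that failed, agent parameter to review)
RULES = [
    ("Invalid target. Will not redirect the user to the target",
     "TARGET is not a relative URI", "TargetAsRelativeURI"),
    ("Target domain not valid. Will not redirect the user to the target",
     "TARGET domain is not one of the configured domains", "ValidTargetDomain"),
    ("Target domain does not match the local domain. Will not redirect the user to the target",
     "TARGET domain differs from the local domain", "FCCCompatmode"),
]

def classify(line):
    """Return (reason, parameter) if the line holds one of the three messages, else None."""
    for message, reason, parameter in RULES:
        if message in line:
            return reason, parameter
    return None

def triage(lines):
    """Return [(line_number, reason, parameter)] for every rejected-redirect line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        verdict = classify(line)
        if verdict:
            hits.append((number, *verdict))
    return hits

def summary(lines):
    """Count rejections per agent parameter, to show which validation fails most."""
    return Counter(parameter for _, _, parameter in triage(lines))

# Constructed sample lines. The bracketed prefix is an assumed layout, not a
# captured trace; real trace columns depend on the agent's trace configuration.
SAMPLE = [
    "[09/26/2016][10:01:12][Authentication] Processing login.fcc request",
    "[09/26/2016][10:01:12][Authentication] Target domain not valid. Will not redirect the user to the target",
    "[09/26/2016][10:03:40][Authentication] Processing login.fcc request",
    "[09/26/2016][10:03:40][Authentication] Target domain does not match the local domain. Will not redirect the user to the target.",
    "[09/26/2016][10:05:02][Authentication] Invalid target. Will not redirect the user to the target",
]

if __name__ == "__main__":
    for number, reason, parameter in triage(SAMPLE):
        print(f"line {number}: {reason} (review {parameter})")
```

To use it on a real log, pass the open file object to `triage()` in place of `SAMPLE`; the messages only appear when the "Authentication" trace component is enabled, as the answer notes.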

     



  • 7.  Re: Cross-domain calls

    Posted Sep 27, 2016 08:42 AM

    Thanks for the answer. I'll be looking into those three validations to find where I'm failing.

     

    Thanks,

     

    Steve