Symantec Access Management

  • 1.  Impersonation Authentication scheme.

    Posted Nov 27, 2017 04:14 AM

    We have implemented the impersonation authentication scheme by following the document below, and it's working as expected if we use the application to impersonate with an impersonatee which is hosted on the same server where I have created the /startimpersonation virtual.

    But if I use the application to impersonate with an impersonatee which is hosted on a different server, I keep getting the login page when I try to access the impersonatee application, where I hardcoded the URL on success.asp.

    Please assist me on this.


    Referred URL:
    https://communities.ca.com/docs/DOC-231164831-tech-tip-ca-single-sign-onpolicy-server-how-to-configure-impersonation



  • 2.  Re: Impersonation Authentication scheme.

    Posted Nov 27, 2017 09:08 AM

    First, when we moved to a different server, is that server in the same cookie domain? Last I remember, impersonation is not supported using a different cookie domain and with a cookie provider. It only works on a single domain.

    Secondly, the impersonate rules should be set for all realms (all application policy domains) where impersonation is allowed, not just the impersonation initial login flow.



  • 3.  Re: Impersonation Authentication scheme.

    Posted Nov 27, 2017 09:52 AM

    Yes, the servers are in the same cookie domain.

    Yes, created impersonation rules for all realms and mapped them with the relevant policy.



  • 4.  Re: Impersonation Authentication scheme.

    Posted Nov 27, 2017 10:08 AM

    Thank you.

    Next on the checklist:

    • Since there are two servers, there'd be two WebAgents. Do both WebAgents share the same ACO or different ACOs? If different ACOs, have we compared both ACOs' parameters/values and checked whether there are any potential differences which could cause a breakage in the impersonation flow? List down the differences.
    • What does the WebAgentTrace log state (where the impersonation flow breaks) when you are being challenged by the login page?


  • 5.  Re: Impersonation Authentication scheme.

    Posted Nov 27, 2017 07:33 PM

    Please confirm if you have created both of the following rules for the Impersonatee realm and attached them to the relevant policy:

    Rule 2 : ImpersonateStart

        Resource = *

        Action = ImpersonateStart

    Rule 3 : ImpersonateStartUser

        Resource = *

        Action = ImpersonateStartUser

     

    Can you share a screenshot of your impersonatee realm configuration and the relevant agent trace logs when the impersonation flow breaks? Are you using the same security zone in both ACOs?



  • 6.  Re: Impersonation Authentication scheme.

    Broadcom Employee
    Posted Nov 27, 2017 12:59 PM

    NVanka, If you've followed the technote perfectly and there's still urgency to resolve, this may be best served by opening a case with CA Spt. Along with the webagent and log and trace, please provide PS log/trace and fiddler trace as well for the use case.

    - Thanks, Vijay



  • 7.  Re: Impersonation Authentication scheme.
    Best Answer

    Posted Nov 28, 2017 08:18 AM

    Thank you all for the support.

    This has been resolved, and the issue was some sync issue.

    Conclusion: impersonation will work with different servers and different ACOs within the network/cookie domain.