Symantec Access Management

  • 1.  CA Single Sign On with IIS 7 Web Agent

    Posted Oct 16, 2014 05:55 AM

    Hello,

     

    I am new to CA Single Sign On and have just installed the Policy Server on a testing machine.

     

    I have a Web page on IIS 7 which accesses the user credentials from MySQL database.

     

    I followed the steps to configure the web agent on IIS, but still the website is using its own window to enter the credentials. I think the Agent is not getting activated to intercept the user request. Can you please let me know of any missing steps. I followed the steps as mentioned on the knowledge base article "

     

     

     

    I feel that I am missing out some steps, can you please help me in this regard.

     

    Secondly I am also a bit confused that my website uses MySQL for user credentials, and I haven't provided any details of MySQL in the user directory. Do I need to configure something for that as well?

     

    Thanking You

    Zia



  • 2.  Re: CA Single Sign On with IIS 7 Web Agent

    Posted Oct 16, 2014 12:43 PM

    In IIS, click on the website (e.g., default web site) to bring up its home page. Double-click the Authentication icon in the IIS section. Enable Anonymous, but disable all others.

     

    In IIS, make sure the Siteminder web agent configuration wizard properly added the Siteminder DLL to both ISAPI Filters and Handler Mappings.  Use View Ordered List to ensure the DLL is at the top of both lists.

     

    In Siteminder's WebAgent.conf (in <siteminderhome>\bin\iis), make sure EnableWebAgent is set to "YES".  Make sure WebAgent.conf references a valid AgentConfigObject (ACO) on your policy server.

     

    In Siteminder's SmHost.conf (in <siteminderhome>\config), make sure it references a valid HostConfigObject (HCO) on your policy server.

     

    In Windows Event Viewer, make sure Siteminder starts and did not throw any error messages.

     

    On your policy server, you definitely need to configure a directory object that points to your MySQL user store.

     

    On the policy server, you will also need a policy domain for the application. The properties of the policy domain need to point to the directory object.  The realm(s) of the policy domain need to reference the DefaultAgentName and/or AgentName(s) in the ACO.
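
Added example (not part of the reply above and not CA/Symantec code): a read-only PowerShell pass over the web-server items in that checklist, using the IIS WebAdministration module. The site name, the `$SmHome` path standing in for `<siteminderhome>`, the `siteminder|webagent` match pattern and the `key="value"` layout of the two conf files are assumptions to adjust for the actual install.

```powershell
# Added example: read-only checks, nothing is modified.
# Placeholders (assumptions): $Site, $SmHome for <siteminderhome>, and $Match,
# a substring expected in the agent DLL path and in the event source name.
Import-Module WebAdministration
$Site   = 'Default Web Site'
$SmHome = 'C:\Program Files\CA\webagent'
$Match  = 'siteminder|webagent'

# 1. Authentication: Anonymous enabled, every other scheme disabled.
foreach ($a in 'anonymous','basic','windows','digest') {
    $p = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site -Name enabled `
        -Filter "system.webServer/security/authentication/${a}Authentication" `
        -ErrorAction SilentlyContinue
    if ($null -eq $p) { "{0,-10} section not present" -f $a; continue }
    $ok = ($p.Value -eq ($a -eq 'anonymous'))
    "{0,-10} enabled={1} [{2}]" -f $a, $p.Value, $(if ($ok) {'OK'} else {'CHECK'})
}

# 2. ISAPI Filters and Handler Mappings: the agent DLL should be the first
#    entry in the order IIS returns the collection.
function Test-AgentFirst($Filter, $Property) {
    $items = @(Get-WebConfiguration -PSPath "IIS:\Sites\$Site" -Filter $Filter)
    $idx = -1
    for ($i = 0; $i -lt $items.Count; $i++) {
        if ($items[$i].$Property -match $Match) { $idx = $i; break }
    }
    if ($idx -lt 0) { return "$Filter : agent DLL not found [CHECK]" }
    $state = if ($idx -eq 0) {'OK'} else {'CHECK'}
    "$Filter : agent is entry $($idx + 1) of $($items.Count) [$state]"
}
Test-AgentFirst 'system.webServer/isapiFilters/filter' 'path'
Test-AgentFirst 'system.webServer/handlers/add' 'scriptProcessor'

# 3. WebAgent.conf / SmHost.conf: read a key="value" setting (commented lines skipped).
function Get-ConfValue($File, $Key) {
    $line = Get-Content $File -ErrorAction SilentlyContinue |
        Where-Object { $_ -match "^\s*$Key\s*=" } | Select-Object -First 1
    if ($line) { ($line -split '=', 2)[1].Trim().Trim('"') } else { '<not set>' }
}
$wa = Join-Path $SmHome 'bin\iis\WebAgent.conf'
$sh = Join-Path $SmHome 'config\SmHost.conf'
"EnableWebAgent    = $(Get-ConfValue $wa 'EnableWebAgent')   (expect YES)"
"AgentConfigObject = $(Get-ConfValue $wa 'AgentConfigObject')"
"HostConfigObject  = $(Get-ConfValue $sh 'HostConfigObject')"

# 4. Event Viewer: recent Application-log entries from the agent.
Get-EventLog -LogName Application -Newest 500 |
    Where-Object { $_.Source -match $Match } |
    Select-Object -First 10 TimeGenerated, EntryType, Source, Message
```

The ACO and HCO names printed in step 3 still have to be compared by hand with the objects defined on the policy server.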



  • 3.  Re: CA Single Sign On with IIS 7 Web Agent

    Posted Oct 17, 2014 01:50 AM

    Hello,

     

    First of all thanks for the detailed steps. I had checked every step you mentioned and they were already in the correct order. There were only informational messages for SiteMinder in the Event Viewer. There is one more thing to note that the log folder is not creating any logs for siteminder. The CA Agent is not intercepting the credentials request.

     

    As far as the directory object for MySQL is concerned, I haven't yet performed that step. But I think that at least the web request should be intercepted and the CA window should appear. Please correct me if I am wrong.

    In fact I tried to create a User Directory for the MySQL database in the SiteMinder. I selected the Infrastructure -> Directory -> User Directories -> Create User Directory.

    In the Namespace I selected the ODBC and the datasource was the ip of my MySQL Server. Provided the credentials, but there is a window of "SQL Query Scheme". I am confused for the MySQL's query scheme. How should that be configured?

     

    Thanking You

    Zia



  • 4.  Re: CA Single Sign On with IIS 7 Web Agent

    Posted Oct 20, 2014 10:53 AM

    Zia

     

    Firstly, let's keep this thread focused only on the WA part. For the directory part please open a new thread and we'll be more than happy to comment / suggest.

     

    SiteMinder logs are created by LLAWP i.e. the Low Level Worker Process for WA. If the LLAWP is not spawned OR has initialization issues then SiteMinder logs are not generated. All initialization failures are logged in WebServer Error / Startup logs OR in event viewer.

     

    In this case it is being suggested that there is only INFO message in eventviewer about SiteMinder.

     

    Could you confirm the following for us...

     

    • Are you using the "Default WebSite" or any other WebSite? Are there multiple WebSites on this IIS?
    • What is the application pool which is configured with the WebSite? Is it in Integrated Mode or Classic Mode? Is it set to enable 32bit Application support or default 64bit?
    • What is the value for DefaultAgentName and AgentName in ACO?
    • Do you see a LLAWP process being spawned in Task Manager when you access the URL?

     

     

    Also make sure you have enabled the pre-requisites correctly before configuring the IIS7 WA.

     

    http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/TEC496649.aspx

     

     

    Let us know

     

     

     

    Regards

     

    Hubert



  • 5.  Re: CA Single Sign On with IIS 7 Web Agent

    Posted Oct 24, 2014 01:46 AM

    Hubert,

     

    Sure we can discuss the directory issue in another thread. I just wanted to confirm that it was not the cause for not intercepting the requests.

     

    Please find the response below:

    • Are you using the "Default WebSite" or any other WebSite? Are there multiple WebSites on this IIS?

              The website is under the default website tab and it is the only website on the IIS.

     

    • What is the application pool which is configured with the WebSite? Is it in Integrated Mode or Classic Mode? Is it set to enable 32bit Application support or default 64bit?

              The Application Pool configured with the website is the integrated mode ASP.Net v4.0. However it had four application pools two for integrated and two for classic. I have tried all the application pools but the web page is not being intercepted.

     

    • What is the value for DefaultAgentName and AgentName in ACO?

              The Agent Name configured on SiteMinder Administrative UI is "iiswebagent" and ACO is "IISAgentConfigWebServer". The value for defaultagentname in ACO is "iiswebagent".

            On the WebServer the WebAgent.Conf file also has the ACO name IISAgentConfigWebServer

     

    • Do you see a LLAWP process being spawned in Task Manager when you access the URL?

         Yes when I access the URL the LLAWP32.exe process is spawned in the Task Manager

     

    I had also enabled all the prerequisites as mentioned in the provided link.

     

    Thanking You

    Zia



  • 6.  Re: CA Single Sign On with IIS 7 Web Agent

    Posted Oct 28, 2014 03:16 PM

    Zia

     

    Sorry about the delay in response.

     

    You mention that you are able to see LLAWP32.exe in Task Manager. This suggests to me that you are running a 32bit ISAPI WebAgent filter.

     

    Could you confirm for me the following.

     

    • What OS is being used i.e. W2K8 SP2 32 bit or W2K8 R2 64bit?
    • What version of IIS would depend on OS i.e. IIS7.0 or IIS7.5?
    • Could you also confirm the name of the WebAgent Installer that was used, I need the exact name.

     

    Thank You

     

    Regards

     

    Hubert
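
Added example (not from the thread and not CA/Symantec code): the application-pool and bitness questions raised in replies 4 and 6, gathered in one read-only PowerShell pass. It reports each pool's pipeline mode and 32-bit setting, reads the PE header of the agent's ISAPI filter DLL to see whether a worker process of that bitness can load it, and lists any running LLAWP processes; the site name and the `siteminder|webagent` match pattern are assumptions.

```powershell
# Added example: read-only. $Site and $Match are placeholders (assumptions).
Import-Module WebAdministration
$Site  = 'Default Web Site'
$Match = 'siteminder|webagent'

# Return 32 or 64 from the Machine field of a DLL's PE header (0 if unknown).
function Get-PeBitness($Path) {
    $b  = [IO.File]::ReadAllBytes([Environment]::ExpandEnvironmentVariables($Path))
    $pe = [BitConverter]::ToInt32($b, 0x3C)          # e_lfanew: offset of "PE\0\0"
    switch ([BitConverter]::ToUInt16($b, $pe + 4)) { # IMAGE_FILE_HEADER.Machine
        0x014c  { 32 }
        0x8664  { 64 }
        default { 0 }
    }
}

$os64 = (Get-WmiObject Win32_OperatingSystem).OSArchitecture -match '64'

# Pools used by the site's root application and by any applications under it.
$poolNames = @((Get-Item "IIS:\Sites\$Site").applicationPool) +
    @(Get-WebApplication -Site $Site | Select-Object -ExpandProperty applicationPool) |
    Sort-Object -Unique

# Agent filter DLL path(s) registered under ISAPI Filters for the site.
$dlls = @(Get-WebConfiguration -PSPath "IIS:\Sites\$Site" `
        -Filter 'system.webServer/isapiFilters/filter' |
    Where-Object { $_.path -match $Match } | ForEach-Object { $_.path })

foreach ($name in $poolNames) {
    $pool = Get-Item "IIS:\AppPools\$name"
    # A pool runs 32-bit workers on a 32-bit OS or when enable32BitAppOnWin64 is set.
    $bits = if ($pool.enable32BitAppOnWin64 -or -not $os64) { 32 } else { 64 }
    "{0}: pipeline={1}, worker process is {2}-bit" -f $name, $pool.managedPipelineMode, $bits
    foreach ($dll in $dlls) {
        $d = Get-PeBitness $dll
        $state = if ($d -eq $bits) {'OK'} else {'MISMATCH'}
        "  {0} is {1}-bit [{2}]" -f $dll, $d, $state
    }
}

# LLAWP processes running now (request the protected URL first).
Get-Process | Where-Object { $_.Name -like 'LLAWP*' } | Select-Object Name, Id, StartTime
```

If the site registers both a 32-bit and a 64-bit filter entry gated by a bitness preCondition, a MISMATCH for one of the two is expected.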



  • 7.  Re: CA Single Sign On with IIS 7 Web Agent
    Best Answer

    Posted Oct 29, 2014 12:39 AM

    Dear Hubert,

     

    Thanks for your reply. I was testing the machines. I reinstalled the Web Server as a default site and installed the agent again. Now the problem is solved.

     

    Thanking You

    Zia