We are using SharePoint Agent-2010 and we have IIS as our backend server where the application is hosted. We have protected this application using form based authentication.
In this case, the backend IIS is expecting the user context from SiteMinder once the Authentication/Authorization process is done.
We are using AD as our user directory and configured the "use authenticated user's security context" option as mentioned in the document, but this works fine only when I protect the application using the Basic Auth scheme in SM; it is not working with the form-based auth scheme.
Anyone faced this issue before?
For the agent to provide a security context for specific resources, enable persistent sessions for all realms that include those resources. The session store maintains persistent sessions. Please confirm whether the resources are protected with a persistent realm.
As per the documentation, please ensure that the IIS web server meets the following requirements to use the Windows security context feature:
For the product to support seamless Microsoft security context, NetBIOS names must match the DNS domain name as recommended by Microsoft.
When the DNS name of the Active Directory domain differs from its NetBIOS name, the user domain cannot be established. The web server cannot provide the security context when the product is configured to use an LDAP user directory.
Also, if you have the web agent on the IIS web server, please set the following ACO parameter:
I have followed all the steps. Do we have any way to track this user context? I can see the value in the session store but will it be available in the client browser header?
I tested with R12.52 SP1 release with HTML Form authentication scheme. I see the user session in session store.
You can create Siteminder response -- "Webagent-HTTP-Header-Variable" attribute with "Session Variable" attribute kind. PS retrieves the attribute value from the session store.
But this is limited to scontextDomain session variable.
Please verify if the AD user store is defined with LDAP namespace and explain how the authentication is not working with HTML Form authentication scheme.
Thanks for your analysis on this. Now it works fine, but it seems to be very slow; it takes almost 26 seconds to finish the authentication process.
The slowness happens only if I choose "use authenticated user's security context". Do you have any idea on this?
Thanks for the updates.
For the performance issue, please check the Policy Server trace (with the following PS profiler template) and see which part of the processing is taking time.
components: AgentFunc, Server/Policy_Object, Server/Policy_Server_General, IsProtected/Resource_Protection, Login_Logout/Authentication, Login_Logout/Policy_Evaluation, Login_Logout/Password_Service, Login_Logout/Certificates, IsAuthorized, LDAP
data: Pid, Tid, Date, PreciseTime, AgentName, TransactionID, SessionID, SessionSpec, Function, SrcFile, Action, Message, User, UserDN, Data, CallDetail, ErrorString, SearchKey, Query, ObjectOID, Resource, Domain, Realm, Policy, Rule, Directory, AuthReason, AuthScheme, AuthStatus, CertSerial, SubjectDN, IssuerDN, CertDistPt, Threshold, Throughput, ExecutionTime, Returns, Result, ErrorValue, ReturnValue
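As an added illustration (not part of this thread or of the product's own tooling), the script below shows one way to digest a trace produced with such a template so the slow stage stands out: it sums ExecutionTime per Function/Action pair and compares that with the transaction's wall clock. The bracketed one-field-per-column layout, the reduced field order, and the sample lines (including the slow LDAP search) are all constructed assumptions for this example; a real trace follows whatever the "data:" line lists, in that order.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field order assumed for this illustration (a subset of the template's "data:" line).
FIELDS = ["Date", "PreciseTime", "Pid", "Tid", "Function", "Action", "User", "ExecutionTime"]
FIELD_RE = re.compile(r"\[([^\]]*)\]")

# Constructed sample lines, not real Policy Server output. ExecutionTime is in ms.
SAMPLE_TRACE = """\
[03/02/2015][10:00:00.000][4312][7001][IsProtected][Resource_Protection][][4]
[03/02/2015][10:00:00.010][4312][7001][Login_Logout][Authentication][jdoe][120]
[03/02/2015][10:00:00.140][4312][7001][Login_Logout][Policy_Evaluation][jdoe][15]
[03/02/2015][10:00:00.160][4312][7001][LDAP][Search][jdoe][24800]
[03/02/2015][10:00:25.080][4312][7001][IsAuthorized][Policy_Evaluation][jdoe][12]
"""

def parse_trace(text):
    """Yield one dict per trace line, mapping FIELDS to the bracketed values."""
    for line in text.splitlines():
        values = FIELD_RE.findall(line)
        if len(values) != len(FIELDS):
            continue  # skip lines that do not match the assumed layout
        yield dict(zip(FIELDS, values))

def time_by_component(text):
    """Sum ExecutionTime (ms) per Function/Action pair."""
    totals = defaultdict(int)
    for rec in parse_trace(text):
        if rec["ExecutionTime"].isdigit():
            totals[(rec["Function"], rec["Action"])] += int(rec["ExecutionTime"])
    return dict(totals)

def slowest(text, n=3):
    """Return the n Function/Action pairs with the most time, largest first."""
    return sorted(time_by_component(text).items(), key=lambda kv: -kv[1])[:n]

def wall_clock_ms(text):
    """Elapsed ms between the first and last line of the traced transaction."""
    stamps = [datetime.strptime(r["Date"] + " " + r["PreciseTime"], "%m/%d/%Y %H:%M:%S.%f")
              for r in parse_trace(text)]
    return int((max(stamps) - min(stamps)).total_seconds() * 1000)

if __name__ == "__main__":
    for (func, action), ms in slowest(SAMPLE_TRACE):
        print(f"{func}/{action}: {ms} ms")
    print(f"transaction wall clock: {wall_clock_ms(SAMPLE_TRACE)} ms")
```

If the summed ExecutionTime is far below the wall clock, the delay is outside the traced components (for example directory or agent round trips), so widen the components list before re-running.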