Layer7 Access Management

Expand all | Collapse all

CA Single Sign On : ISAPI Filter preCondition

Jump to Best Answer
  • 1.  CA Single Sign On : ISAPI Filter preCondition

    Posted 04-16-2015 06:32 PM

    Hello Friends

     

    Could I seek your thoughts on why the WA Installer adds the ISAPI Filters preCondition as Classic Mode when the Application Pool / WebSite is running in Integrated Pipeline Mode???

     

    I checked this in "R12.52 SP1 CR01 64 bit WA" and "R12.0 SP3 CR02 WA for IIS" too. Both had the same thing configured in Web.Config.


    Shouldn’t the ISAPI Filter preCondition match the Application Pool Mode??? The Modules had the preCondition listed correctly.

     

     

     

    <?xml version="1.0" encoding="UTF-8"?>

    <configuration>

    <system.webServer>

    <modules>

    <add name="CASiteMinderWebagentModule" preCondition="integratedMode,bitness64" />

    <add name="CASiteMinderWebagentModule-32" preCondition="integratedMode,bitness32" />

    </modules>

    <handlers>

    <add name="handler-wa-32" path="*" verb="*" modules="IsapiModule" scriptProcessor="C:\Program Files\CA\webagent\win32\bin\ISAPI6WebAgent.dll" resourceType="Unspecified" requireAccess="None" preCondition="classicMode,bitness32" />

    <add name="CASiteMinderWebAgentHandler-fcc-32" path="*.fcc" verb="*" modules="CASiteMinderWebagentModule-32" resourceType="Unspecified" preCondition="integratedMode,bitness32" />

    <add name="CASiteMinderWebAgentHandler-ntc-32" path="*.ntc" verb="*" modules="CASiteMinderWebagentModule-32" resourceType="Unspecified" preCondition="integratedMode,bitness32" />

    <add name="CASiteMinderWebAgentHandler-ccc-32" path="*.ccc" verb="*" modules="CASiteMinderWebagentModule-32" resourceType="Unspecified" preCondition="integratedMode,bitness32" />

    <add name="CASiteMinderWebAgentHandler-scc-32" path="*.scc" verb="*" modules="CASiteMinderWebagentModule-32" resourceType="Unspecified" preCondition="integratedMode,bitness32" />

    <add name="CASiteMinderWebAgentHandler-kcc-32" path="*.kcc" verb="*" modules="CASiteMinderWebagentModule-32" resourceType="Unspecified" preCondition="integratedMode,bitness32" />

    <add name="handler-wa" path="*" verb="*" modules="IsapiModule" scriptProcessor="C:\Program Files\CA\webagent\win64\bin\ISAPI6WebAgent.dll" resourceType="Unspecified" requireAccess="None" preCondition="classicMode,bitness64" />

    <add name="CASiteMinderWebAgentHandler-fcc" path="*.fcc" verb="*" modules="CASiteMinderWebagentModule" resourceType="Unspecified" preCondition="integratedMode,bitness64" />

    <add name="CASiteMinderWebAgentHandler-ntc" path="*.ntc" verb="*" modules="CASiteMinderWebagentModule" resourceType="Unspecified" preCondition="integratedMode,bitness64" />

    <add name="CASiteMinderWebAgentHandler-ccc" path="*.ccc" verb="*" modules="CASiteMinderWebagentModule" resourceType="Unspecified" preCondition="integratedMode,bitness64" />

               <add name="CASiteMinderWebAgentHandler-scc" path="*.scc" verb="*" modules="CASiteMinderWebagentModule" resourceType="Unspecified" preCondition="integratedMode,bitness64" />

    <add name="CASiteMinderWebAgentHandler-kcc" path="*.kcc" verb="*" modules="CASiteMinderWebagentModule" resourceType="Unspecified" preCondition="integratedMode,bitness64" />

    </handlers>

    <isapiFilters>

    <filter name="SiteMinder Agent" path="C:\Program Files\CA\webagent\win64\bin\ISAPI6WebAgent.dll" enabled="true" preCondition="classicMode,bitness64" />

    <filter name="SiteMinder Agent-32" path="C:\Program Files\CA\webagent\win32\bin\ISAPI6WebAgent.dll" enabled="true" preCondition="classicMode,bitness32" />

    </isapiFilters>

        </system.webServer>

        <system.web>

            <identity impersonate="false" />

    </system.web>

      </configuration>



  • 2.  Re: CA Single Sign On : ISAPI Filter preCondition
    Best Answer

    Posted 04-17-2015 01:45 AM

    Hi Hubert,

     

    You will need either of the "HTTP Module" or "ISAPI Filter" to intercept the request and do SiteMinder processing not both.

    When you use integrated pipeline mode,SiteMinder HTTP Module is  used (HTTP Module does NOT support classic pipeline mode.)

    When you use classic pipeline mode, ISAPI filter are used.

     

    The precondition are thus set accordingly.

    So, depending upon the pipeline mode of your application pool either HTTP Module or ISAPI filter are used.

     

    Regards,

    Ujwol



  • 3.  Re: CA Single Sign On : ISAPI Filter preCondition

    Posted 04-17-2015 09:38 AM

    Hubert,

     

    Precondition means that IIS only loads it if the criteria is met.

    The ISAPI  is the 6.x (classic mode) filter and the precondition MUST be as it is there.

    The Module is for integrated and thus MUST have that as a precondition..

    without those the incorrect ones would load and cause issues with IIS.

     

    One of the documents i left with Rick and Jon goes over this in detail.

     

    -Josh



  • 4.  Re: CA Single Sign On : ISAPI Filter preCondition

    Posted 04-23-2015 09:02 AM

    Bottemline is we did not want to have the headache of ascertaining which pipeline mode; hence we stick both MODULE and ISAPI filter entries into the Web.config (irrespective of the Pipeline mode the WebSite uses). We then leave it to the preCondition to ascertain and trigger the correct one.

     

     

    Regards

     

    Hubert