Symantec Access Management

  • 1.  Not Authorized error in SM logs

    Posted Feb 20, 2015 03:11 AM

    Hi All,

     

    I have configured Siteminder 12.51 and configured a few resources to test the functionality. The user is able to log in with the configured policies; however, I can see the error message "Not Authorized" in the smtracedefault logs, as shown below.

    The first time in a day that I access the resource, it says "Authorized", but for all the rest it says "Not Authorized".

    [02/20/2015][13:35:04.777][13:35:04][2140][3380][Sm_Az_Message.cpp:563][CSm_Az_Message::ProcessMessage][s34/r3][idp_agent][][user1][][test_realm][][][][][][][][][][][][][][][** Status: Authorized. ]

    [02/20/2015][13:36:21.401][13:36:21][2140][3120][Sm_Az_Message.cpp:563][CSm_Az_Message::ProcessMessage][s38/r4][idp_agent][][user1][][test_realm][][][][][][][][][][][][][][][** Status: Not Authorized. ]

     

    These are logs from smps.log; however, I can connect to the LDAP server from the policy server.
    [2140/3120][Fri Feb 20 2015 13:35:04][SmDsLdapConnMgr.cpp:1194][ERROR] Error# '81' during search: 'error: Can't contact LDAP server'

    [2140/3120][Fri Feb 20 2015 13:35:04][SmDsLdapFunctionImpl.cpp:1956][INFO] Failing over to LDAP server '192.168.*.*:389' in LDAP server bank #1

     

    No Impact on User login.

     

    Can anyone share their thoughts here?



  • 2.  Re: Not Authorized error in SM logs

    Posted Feb 20, 2015 05:12 AM

    Hi Sandeep,

     

    Can you please provide an outline of the policies configured?

     

    Regards,

    Vishal



  • 3.  Re: Not Authorized error in SM logs

    Posted Feb 23, 2015 01:54 PM

    Sandeep sandeep.boorugu

    I can see that at [02/20/2015][13:35:04.777][13:35:04] "user1" was Authorized. However at [02/20/2015][13:36:21.401][13:36:21] "user1" was declared UnAuthorized for the same realm.

     

    I see that around that same time the policy server lost connection to an LDAP backend (assuming your UserStore is LDAP). Hence this looks to be the visible culprit. However, I would ideally prefer to see the entire log line from "Request Received" to "Finished Processing" for the UnAuthorized request, to confirm anything.

     

     

     

    Regards

     

    Hubert



  • 4.  Re: Not Authorized error in SM logs

    Posted Feb 24, 2015 03:35 AM

    Thanks Hubert,

     

    Small correction: this is an issue with the SM Test tool. When I access the resource with the Test tool, it gives the error "Not Authorized"; otherwise it's functioning as expected.

     

    Please find the logs attached.

     

    Regards,

    Sandeep.

    Attachment(s): smtraceerror.txt.zip (38 KB)


  • 5.  Re: Not Authorized error in SM logs

    Posted Feb 24, 2015 10:10 AM

    Thank You Sandeep sandeep.boorugu

    The first odd thing...

     

    From the Test Tool Request

    [02/24/2015][13:18:48.455][13:18:48][2140][3540][SmMessage.cpp:514][CSmMessage::ParseAgentMessage][][idp_agent][][][][][][][][][][][][][][][][][][/sample.html][Receive request attribute 201, data size is 12]

    [02/24/2015][13:18:48.455][13:18:48][2140][3540][SmMessage.cpp:514][CSmMessage::ParseAgentMessage][][idp_agent][][][][][][][][][][][][][][][][][][GET,POST,PUT][Receive request attribute 202, data size is 12]

     

    From a User Browser Request

    [02/24/2015][13:14:56.410][13:14:56][2140][5112][SmMessage.cpp:514][CSmMessage::ParseAgentMessage][][idp_agent][][][][][][][][][][][][][][][][][][/sample.html][Receive request attribute 201, data size is 12]

    [02/24/2015][13:14:56.410][13:14:56][2140][5112][SmMessage.cpp:514][CSmMessage::ParseAgentMessage][][idp_agent][][][][][][][][][][][][][][][][][][GET][Receive request attribute 202, data size is 3]

     

     

    Are you using all 3 methods in the Test Tool in one go, i.e. [GET,POST,PUT]?

    Please define only one Method and Test.

     

    Reading the rest of the log...

     

     

    Regards

     

    Hubert



  • 6.  Re: Not Authorized error in SM logs
    Best Answer

    Posted Feb 24, 2015 10:20 AM

    I think the problem is the usage of all HTTP METHODS together in the Test Tool. As we see below, from the Test Tool request, the Policy Server is unable to find the correct Policy. Kindly use only one HTTP METHOD, e.g. [GET], and test; then let us know.

     

     

    From Test Tool Request

    [02/24/2015][13:18:50.530][13:18:50][2140][3540][SmAuthorization.cpp:1264][CSmAz::IsOk][][][][user1][][test_realm][][][][][][][][][][][][][][][Start of user policy analysis for realm.]
    [02/24/2015][13:18:50.530][13:18:50][2140][3540][SmAuthorization.cpp:1542][CSmAz::IsOk][][][][][][][][][][][][][][No applicable Policy found. ][][][][][][][IsOk? No.]

    [02/24/2015][13:18:50.530][13:18:50][2140][3540][SmAuthorization.cpp:1544][CSmAz::IsOk][][][][][][][][][][][][][false][][][][][][][][Leave function CSmAz::IsOk]

     

    From User Browser Request

    [02/24/2015][13:14:56.530][13:14:56][2140][5112][SmAuthorization.cpp:1264][CSmAz::IsOk][][][][user1][][test_realm][][][][][][][][][][][][][][][Start of user policy analysis for realm.]

    [02/24/2015][13:14:56.530][13:14:56][2140][5112][SmAuthorization.cpp:1338][CSmAz::IsOk][][][][][][][][][test_policy][][][][][][][][][][][][Check the Policy.]

    [02/24/2015][13:14:56.530][13:14:56][2140][5112][SmAuthorization.cpp:1367][CSmAz::IsOk][][][][][][][][][][][test_rule][][][][][][][][][][Check the Rule]

    [02/24/2015][13:14:56.530][13:14:56][2140][5112][SmAuthorization.cpp:625][CSmAz::TestRule][][][][][][][][][][][][][][][][][][][][][Enter function CSmAz::TestRule]

    [02/24/2015][13:14:56.530][13:14:56][2140][5112][SmAuthorization.cpp:708][CSmAz::TestRule][][][][][][][][][][][][][true][][][][][][][][Leave function CSmAz::TestRule]

    [02/24/2015][13:14:56.530][13:14:56][2140][5112][SmAuthorization.cpp:715][CSmAz::TestPolicy][][][][][][][][][][][][][][][][][][][][][Enter function CSmAz::TestPolicy]

    [02/24/2015][13:14:56.530][13:14:56][2140][5112][SmAuthorization.cpp:727][CSmAz::TestPolicy][][][][][][][][][test_policy][][][][][][][][][][][][Evaluating policy...]

    [02/24/2015][13:14:56.530][13:14:56][2140][5112][SmAuthorization.cpp:1097][CSmAz::TestPolicy][][][][][][][][][][][][][true][][][][][][][][Leave function CSmAz::TestPolicy]

    [02/24/2015][13:14:56.530][13:14:56][2140][5112][SmAuthorization.cpp:1453][CSmAz::IsOk][][][][][][][][][test_policy][][test_rule][][][][][][][][][][Policy is applicable. Rule is applicable. Get Responses.]

    [02/24/2015][13:14:56.530][13:14:56][2140][5112][SmAuthorization.cpp:1600][CSmAz::IsOk][][][][][][][][][][][][][][][][][][][][][IsOk? Yes, Return 0 responses with 0 attributes added.]

    [02/24/2015][13:14:56.530][13:14:56][2140][5112][SmAuthorization.cpp:1602][CSmAz::IsOk][][][][][][][][][][][][][true][][][][][][][][Leave function CSmAz::IsOk]

     

     

     

    Regards

     

    Hubert
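
An added example (not part of the original posts and not SiteMinder code): a small Python parser that joins, per policy-server thread ID, the action string received from the agent with the `CSmAz::IsOk` verdict in smtrace output, which surfaces requests like the Test Tool one quoted above. Treating attribute 201 as the resource and 202 as the action is an assumption inferred from the quoted lines.

```python
import re

FIELD = re.compile(r"\[([^\]]*)\]")
ATTR = re.compile(r"Receive request attribute (\d+), data size is (\d+)")
# Assumption inferred from the excerpts above: 201 carries the resource, 202 the action.
ATTR_NAMES = {"201": "resource", "202": "action"}

# Trace lines copied from the excerpts in this thread (thread 3540 = Test Tool, 5112 = browser).
SAMPLE = """\
[02/24/2015][13:18:48.455][13:18:48][2140][3540][SmMessage.cpp:514][CSmMessage::ParseAgentMessage][][idp_agent][][][][][][][][][][][][][][][][][][/sample.html][Receive request attribute 201, data size is 12]
[02/24/2015][13:18:48.455][13:18:48][2140][3540][SmMessage.cpp:514][CSmMessage::ParseAgentMessage][][idp_agent][][][][][][][][][][][][][][][][][][GET,POST,PUT][Receive request attribute 202, data size is 12]
[02/24/2015][13:18:50.530][13:18:50][2140][3540][SmAuthorization.cpp:1542][CSmAz::IsOk][][][][][][][][][][][][][][No applicable Policy found. ][][][][][][][IsOk? No.]
[02/24/2015][13:14:56.410][13:14:56][2140][5112][SmMessage.cpp:514][CSmMessage::ParseAgentMessage][][idp_agent][][][][][][][][][][][][][][][][][][/sample.html][Receive request attribute 201, data size is 12]
[02/24/2015][13:14:56.410][13:14:56][2140][5112][SmMessage.cpp:514][CSmMessage::ParseAgentMessage][][idp_agent][][][][][][][][][][][][][][][][][][GET][Receive request attribute 202, data size is 3]
[02/24/2015][13:14:56.530][13:14:56][2140][5112][SmAuthorization.cpp:1600][CSmAz::IsOk][][][][][][][][][][][][][][][][][][][][][IsOk? Yes, Return 0 responses with 0 attributes added.]
"""

def analyze(trace_text):
    """Join each thread's request attributes to its CSmAz::IsOk verdict."""
    pending, verdicts = {}, []
    for line in trace_text.splitlines():
        f = FIELD.findall(line)
        if len(f) < 8:
            continue  # not a trace record
        tid, func, msg = f[4], f[6], f[-1]
        req = pending.setdefault(tid, {"reason": ""})
        attr = ATTR.search(msg)
        if attr and attr.group(1) in ATTR_NAMES:
            # The attribute value sits in the field just before the message.
            req[ATTR_NAMES[attr.group(1)]] = f[-2]
        elif func == "CSmAz::IsOk":
            if "No applicable Policy found" in line:
                req["reason"] = "No applicable Policy found"
            if msg.startswith("IsOk?"):
                # Final verdict for this request: record it and reset the thread's state.
                req.update(tid=tid, authorized=msg.startswith("IsOk? Yes"),
                           multi_method="," in req.get("action", ""))
                verdicts.append(pending.pop(tid))
    return verdicts

if __name__ == "__main__":
    for verdict in analyze(SAMPLE):
        print(verdict)
```

A denied verdict with `multi_method` set and the reason "No applicable Policy found" matches the Test Tool pattern in this thread, as opposed to a denial produced by an evaluated policy.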



  • 7.  Re: Not Authorized error in SM logs

    Posted Mar 02, 2015 04:20 AM

    Thanks Hubert.

     

    I missed verifying that, thanks for your help.