Layer7 Access Management


What are the possible scenarios in which SiteMinder returns a 401 response?

  • 1.  What are the possible scenarios in which SiteMinder returns a 401 response?

    Posted 08-18-2016 03:23 AM

    Hi All,

    I would like to understand the possible scenarios in which SiteMinder returns a 401 response.

    From my understanding, 401 is associated with the Basic Authentication scheme and is returned when the authentication fails. Is that right? Kindly provide your valuable comments.



  • 2.  Re: What are the possible scenarios in which SiteMinder returns a 401 response?

    Posted 08-18-2016 05:11 AM

    From the doco, it looks like an access denied error:

    • Access Denied errors: the Agent uses the file specified in the following parameter:
      • Custom401ErrorFile: Specifies the customized HTML page to display when users receive a 401 (insufficient privileges) browser error. These errors occur when a user does not have the appropriate privileges to access a resource. Note: Some web servers append text of their own to the custom text that you choose, so the response pages for these servers are not customizable. Default: No default (blank).


  • 3.  Re: What are the possible scenarios in which SiteMinder returns a 401 response?

    Posted 08-18-2016 06:59 AM

    Thanks Ujwal. To be more specific, what is the behavior of the Basic AuthScheme when the authentication fails? Let's assume that the user login fails due to an AuthReject event. How will the web server understand the failed login when it says "401 Authorization Required"? Does it mean that an HTTP header is returned from SM to the web server when the auth failed?



  • 4.  Re: What are the possible scenarios in which SiteMinder returns a 401 response?

    Posted 08-18-2016 07:01 AM

    Hi Saravanan,

    Tested with the basic authentication scheme: the web server logs error 401 against both authentication and authorization failures.

    == Authorization failure ==

    2016-08-18 10:53:13 10.0.2.16 GET /test/index.asp - 80 - 10.0.2.16 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:43.0)+Gecko/20100101+Firefox/43.0 401 0 0 500

    [08/18/2016][20:53:13][3084][3016][CSmLowLevelAgent.cpp:2796][AuthorizeUser][000080fe00000000df9747406b754f83-0c0c-57b59398-0bc8-02e65af1][*10.0.2.16][][agent][/test/index.asp][guest][User 'CN=Guest,CN=Users,DC=kelly,DC=lab' is not authorized by Policy Server.]

    == Authentication failure ==

    2016-08-18 10:53:04 10.0.2.16 GET /test/index.asp - 80 - 10.0.2.16 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:43.0)+Gecko/20100101+Firefox/43.0 401 0 0 343

    [08/18/2016][20:53:04][3084][3016][CSmLowLevelAgent.cpp:1332][AuthenticateUser][000080fe00000000df9747406b754f83-0c0c-57b5938f-0bc8-03066df1][*10.0.2.16][][agent][/test/index.asp][][User 'wonsa03' is not authenticated by Policy Server.]
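Since the IIS log records a bare 401 for both cases, telling the two apart requires correlating it with the Web Agent trace, as the post above does by hand. The following is an added triage script (not from this thread or from the product) that does that correlation over constructed sample lines modelled on the entries quoted here; it assumes the IIS log is in UTC and the agent trace in local time, 10 hours apart as in the sample, and that the W3C field order matches the lines above.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample entries modelled on the IIS W3C log and Web Agent trace lines above
# (user agent shortened; the last IIS line has no matching trace entry on purpose).
IIS_LOG = [
    "2016-08-18 10:53:04 10.0.2.16 GET /test/index.asp - 80 - 10.0.2.16 Mozilla/5.0+(Windows) 401 0 0 343",
    "2016-08-18 10:53:13 10.0.2.16 GET /test/index.asp - 80 - 10.0.2.16 Mozilla/5.0+(Windows) 401 0 0 500",
    "2016-08-18 10:53:20 10.0.2.16 GET /test/index.asp - 80 guest 10.0.2.16 Mozilla/5.0+(Windows) 200 0 0 12",
    "2016-08-18 10:54:30 10.0.2.16 GET /test/index.asp - 80 - 10.0.2.50 curl/7.47.0 401 0 0 3",
]
AGENT_TRACE = [
    "[08/18/2016][20:53:04][3084][3016][CSmLowLevelAgent.cpp:1332][AuthenticateUser][txn-a][*10.0.2.16][][agent][/test/index.asp][][User 'wonsa03' is not authenticated by Policy Server.]",
    "[08/18/2016][20:53:13][3084][3016][CSmLowLevelAgent.cpp:2796][AuthorizeUser][txn-b][*10.0.2.16][][agent][/test/index.asp][guest][User 'CN=Guest,CN=Users,DC=kelly,DC=lab' is not authorized by Policy Server.]",
]
# Assumption: IIS logs in UTC, the agent trace in local time; the sample is 10 hours apart.
LOCAL_OFFSET = timedelta(hours=10)

def parse_iis(line):
    """W3C fields: date time s-ip method uri query port user c-ip ua status sub win32 time-taken."""
    f = line.split()
    return {"ts": datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S"),
            "uri": f[4], "user": f[7], "client": f[8], "status": int(f[10])}

def parse_trace(line):
    """Bracketed agent fields; index 5 is the function, 7 the client IP, 10 the resource."""
    f = re.findall(r"\[([^\]]*)\]", line)
    ts = datetime.strptime(f[0] + " " + f[1], "%m/%d/%Y %H:%M:%S") - LOCAL_OFFSET
    return {"ts": ts, "func": f[5], "client": f[7].lstrip("*"), "uri": f[10], "msg": f[12]}

FUNC_TO_KIND = {"AuthenticateUser": "authentication", "AuthorizeUser": "authorization"}

def classify_401s(iis_lines, trace_lines, window=timedelta(seconds=2)):
    """Label each IIS 401 by correlating client IP, resource and time with the agent trace."""
    events = [parse_trace(l) for l in trace_lines]
    results = []
    for req in map(parse_iis, iis_lines):
        if req["status"] != 401:
            continue
        hit = next((e for e in events if e["client"] == req["client"]
                    and e["uri"] == req["uri"] and abs(e["ts"] - req["ts"]) <= window), None)
        kind = FUNC_TO_KIND.get(hit["func"], "unknown") if hit else "unknown"
        results.append((req["ts"].isoformat(), req["client"], kind, hit["msg"] if hit else ""))
    return results

def summarize(results):
    """Count 401s per (client, kind): a burst of authentication failures from one client stands out."""
    return Counter((client, kind) for _, client, kind, _ in results)
```

A 401 with no trace entry inside the window is reported as "unknown" rather than guessed, which is the case to investigate when the agent trace and web server log disagree.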



  • 5.  Re: What are the possible scenarios in which SiteMinder returns a 401 response?

    Posted 08-18-2016 07:24 AM

    Thanks for the quick help. Any idea how the web server understands the failed login and triggers the 401 response?



  • 6.  Re: What are the possible scenarios in which SiteMinder returns a 401 response?

    Posted 08-18-2016 07:42 AM

    Hi Saravanan,

    To the web server, error 401 is generally returned against access denied events.

    For what it's worth, if the user is authenticated but fails to be authorized by SiteMinder, the error 401 response is associated with an SMSESSION cookie.

    == Quote from https://support.microsoft.com/en-au/kb/943891  ==

    • 401 - Access denied.

      IIS 7.0, IIS 7.5, and IIS 8.0 define several HTTP status codes that indicate a more specific cause of a 401 error. The following specific HTTP status codes are displayed in the client browser but are not displayed in the IIS log:
      • 401.1 - Logon failed.
      • 401.2 - Logon failed due to server configuration.
      • 401.3 - Unauthorized due to ACL on resource.
      • 401.4 - Authorization failed by filter.
      • 401.5 - Authorization failed by ISAPI/CGI application.


  • 7.  Re: What are the possible scenarios in which SiteMinder returns a 401 response?

    Posted 08-18-2016 08:45 AM

    Thanks again for the help... I am interested in how it happens internally. Does SM HTTP basic auth return an HTTP header to denote 401, and does the web server understand it based on what it received from SM?



  • 8.  Re: What are the possible scenarios in which SiteMinder returns a 401 response?
    Best Answer

    Posted 08-19-2016 06:17 AM

    The Web Agent intercepts the request and returns its authentication result to the web server:



  • 9.  Re: What are the possible scenarios in which SiteMinder returns a 401 response?

    Posted 08-22-2016 02:19 AM

    Thanks. May I know where the above screenshot is taken from?



  • 10.  Re: What are the possible scenarios in which SiteMinder returns a 401 response?

    Posted 08-22-2016 02:43 AM

    It's from the IIS failed request trace logs.



  • 11.  Re: What are the possible scenarios in which SiteMinder returns a 401 response?

    Posted 08-21-2017 10:30 AM

    I just want to share this information that I've got from this site: 403 Forbidden vs 401 Unauthorized HTTP responses - Stack Overflow. Hopefully, it helps!

    There's a problem with 401 Unauthorized, the HTTP status code for authentication errors. And that's just it: it's for authentication, not authorization. Receiving a 401 response is the server telling you, "you aren't authenticated, either not authenticated at all or authenticated incorrectly, but please reauthenticate and try again." To help you out, it will always include a WWW-Authenticate header that describes how to authenticate.

    This is a response generally returned by your web server, not your web application.

    It’s also something very temporary; the server is asking you to try again.

    So, for authorization I use the 403 Forbidden response. It’s permanent, it’s tied to my application logic, and it’s a more concrete response than a 401.

    Receiving a 403 response is the server telling you, “I’m sorry. I know who you are–I believe who you say you are–but you just don’t have permission to access this resource. Maybe if you ask the system administrator nicely, you’ll get permission. But please don’t bother me again until your predicament changes.”

    In summary, a 401 Unauthorized response should be used for missing or bad authentication, and a 403 Forbidden response should be used afterwards, when the user is authenticated but isn’t authorized to perform the requested operation on the given resource.