Symantec Access Management


HTTP Response headers in Siteminder.

  • 1.  HTTP Response headers in Siteminder.

    Posted Dec 13, 2016 08:08 AM

    I've defined a few HTTP Header responses in my Siteminder environment according to the attributes predefined in the application.
    But while running the application I'm unable to see the response headers.

    I tried using Fiddler to test, but I could only get SMIDENTITY & SMSESSION data in headers!

    Furthermore I tried dumping all the HTTP headers using the code found at: Pedro's Neglected Tech Blog: Quick and Easy HTTP Header Dump ASP.Net Page - No Compilation Needed!

    But I could only get the default values of Siteminder, i.e. the username is in the default value SM_USER and other fields respectively.

    Any suggestions where the flow may be wrong?



  • 2.  Re: HTTP Response headers in Siteminder.

    Posted Dec 13, 2016 08:27 AM

    Hello,

     

    You should be able to see HTTP headers in the ASP page only, you will not see them in Fiddler.

    For your response, make sure that you create a Response Attribute : WebAgent-HTTP-Header-Variable type.

    Make sure that your response is bound to a policy that will be triggered during Authorization.

    You can check them by looking at the PS traces or in the Webagent traces during the authorization process.

     

    Hope it helps,

    Julien.



  • 3.  Re: HTTP Response headers in Siteminder.

    Posted Dec 14, 2016 01:09 AM

    Thanks for the tip but yes I'm sure that

    • I've created a Response Attribute : WebAgent-HTTP-Header-Variable type.
    • Response is bound to a policy that will be triggered during Authorization and is for the same domain.

    Looking at the PS traces I have the logs as:-

    [Connection CA SiteMinder DSN: Checking connection is successful.][][][][11:18:06][Inactivate connection.][][][]
    {Connection CA SiteMinder DSN: Changing object state 'Active' to state 'Available'.][][][]
    [Successful check status of server or connection][][][]
    [Cleanup the object cache.][][][]

    • The Webagent trace logs show:-

    [7132][2428][000080fe00000000cf2a59043300bd95-1bdc-585032db-097c-00e35af1][ProcessRequest][Challenge Manager returned SmExit, end new request.]
    [7132][4772][][CSmIIS70Module::Shutdown][IIS 7.0 Native Module shutting down.]
    [7132][4772][][Shutdown][High Level Agent shutting down.]
    [7132][4772][][Resource Manager][Shutdown.]

    [7132][4772][][Session Manager][Shutdown.]



  • 4.  Re: HTTP Response headers in Siteminder.

    Broadcom Employee
    Posted Dec 13, 2016 03:01 PM

    Make sure you have ACO properly configured, e.g.

    DisableAuthSrcVars=No

    DisableSessionVars=No

    DisableUserNameVars=No

    DisableUserVars=No.

    Once you meet the application requirement, then decide to turn any one of them off as needed.

     

    BTW, "SM_USER HTTP header is returned with empty value" vs. "SM_USER is not returned at all" are two different problems. Web agent trace and policy server trace log can show what is set or not, once header dump page is accessed.

     

    Thanks,

    Hongxu



  • 5.  Re: HTTP Response headers in Siteminder.

    Posted Dec 14, 2016 01:15 AM

    Hi there,

     

    I verified my ACO configuration

    i.e. 

    • DisableAuthSrcVars=No
    • DisableSessionVars=No
    • DisableUserNameVars=No
    • DisableUserVars=No.

     

    SM_USER is returned but it is in the default parameters, not as customized by the application.

    Thanks,

    Hridyesh

     



  • 6.  Re: HTTP Response headers in Siteminder.

    Posted Dec 13, 2016 04:59 PM

    The most important point is, these are SERVER side headers not CLIENT side, so you won't be able to view them using Fiddler.

    You will need to use a server-side script such as ASP/JSP to be able to dump these headers:

    Scott Forsyth's Blog - Viewing all Server Variables for a Site 

    Print out HTTP Request Headers : HTTP Header « JSP « Java Tutorial 



  • 7.  Re: HTTP Response headers in Siteminder.

    Posted Dec 14, 2016 01:54 AM

    Hey Ujwol,

     

    I've tried out the code given for C#  :- 

     

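    <%@ Page Language="C#" %>
    <%
    // Dump every server variable; request headers show up as HTTP_* entries.
    foreach (string var in Request.ServerVariables)
    {
      // Read from ServerVariables only (Request[var] also searches query string,
      // form and cookies) and HTML-encode so header content cannot inject markup.
      Response.Write(Server.HtmlEncode(var) + " " + Server.HtmlEncode(Request.ServerVariables[var]) + "<br>");
    }
    %>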


    But it is the same as the last one I tried. I'm getting the username in the default HTTP header SM_USER, not in the custom one given by the application.

    Thanks,

    Hridyesh



  • 8.  Re: HTTP Response headers in Siteminder.

    Posted Dec 14, 2016 04:29 AM

    What rule have you associated the response with?

    Try linking it with the OnAuthAccept or OnAccessAccept action.


    Also enable all data/components in the PS trace profiler. You should see the Policy being triggered, Response being set.



  • 9.  Re: HTTP Response headers in Siteminder.

    Posted Dec 14, 2016 08:47 AM

    Thanks Ujwol but it didn't work as expected.

    I had to re-create rules and responses altogether. Now it is passing the appropriate response to the application.

     

    Thanks,

    Hridyesh



  • 10.  Re: HTTP Response headers in Siteminder.

    Posted Dec 14, 2016 02:17 PM

    So what changes did you do while creating rule/response second time?



  • 11.  Re: HTTP Response headers in Siteminder.

    Posted Dec 15, 2016 01:29 AM

    Nothing special, but I stopped the policy server after creating the rules and responses, then restarted it after a few minutes (around 10 minutes).
    Also restarted IIS.

    This worked for me.



  • 12.  Re: HTTP Response headers in Siteminder.
    Best Answer

    Posted Dec 15, 2016 01:54 AM

    So it must be the caching issue.



  • 13.  Re: HTTP Response headers in Siteminder.

    Posted Dec 15, 2016 06:32 AM

    Idk for what reason the custom user variable randomly stops publishing the response for the attribute value, then automatically starts publishing it after some time.
    Any idea how to remove this persistent issue?



  • 14.  Re: HTTP Response headers in Siteminder.

    Posted Dec 15, 2016 10:28 AM

    Hi Ujwol,

     

    Even I am facing the same issue. I am able to see the header in the webagent logs but the application team says they are not receiving it at their end.

     

    I can see all default headers are enabled in ACO and response is mapped to allow access policy.

     

    DisableAuthSrcVars=No

    DisableSessionVars=No

    DisableUserNameVars=No

     

     

    WebAgent Logs:

    [12/06/2016][18:09:13][2304][3508487936][CSmHttpPlugin.cpp:2643][CSmHttpPlugin::ProcessResponses][0000000000000000000000000c0cca0a-0900-5846fec9-d11f4700-45101bb2a6c0][*10.145.67.224][][TestApp_webagent][/App/][test123][Processing Authorization responses.]
    [12/06/2016][18:09:13][2304][3508487936][CSmHttpPlugin.cpp:2650][CSmHttpPlugin::ProcessResponses][0000000000000000000000000c0cca0a-0900-5846fec9-d11f4700-45101bb2a6c0][*10.145.67.224][][TestApp_webagent][/App/][test123][Removing HTTP cache request headers.]
    [12/06/2016][18:09:13][2304][3508487936][CSmHttpPlugin.cpp:2731][CSmHttpPlugin::ProcessResponses][0000000000000000000000000c0cca0a-0900-5846fec9-d11f4700-45101bb2a6c0][*10.145.67.224][][TestApp_webagent][/App/][test123][Setting custom HTTP header variable: 'HTTP_SSOID=test123' from Policy Server]

     

     

    Application Logs:

    headerName : accept headerValue=image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
    headerName : Accept-Language headerValue=en-US
    headerName : user-agent headerValue=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)
    headerName : host headerValue=app.dev.abc.com
    headerName : Accept-Encoding headerValue=gzip, deflate
    headerName : DNT headerValue=1
    headerName : connection headerValue=Keep-Alive
    headerName : Cache-Control headerValue=no-cache
    headerName : SM_TRANSACTIONID headerValue=0000000000000000000000000c0cca0a-7055-5841a97f-a9a700-58343850c42
    headerName : SM_AUTHTYPE headerValue=Auto
    headerName : SM_SDOMAIN headerValue=.abc.com
    headerName : content-length headerValue=0
    Updated SecurityContextHolder to contain null Authentication
    Authentication request failed: org.acegisecurity.BadCredentialsException: The expected username was not recieved in the header.
    Failed to login: The expected username was not recieved in the header.
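
Added example (not part of the original thread and not vendor code): a small Python check that lines up the headers the web agent trace says it set against the headers the application actually logged, and separates "missing" from "empty", the two cases the replies above distinguish. The sample lines are constructed and shortened from the log formats quoted in the post; the name normalisation in `canon()` (dropping the `HTTP_` prefix, treating `-` and `_` alike) is an assumption about how the two logs name the same header.

```python
import re

# Constructed sample input, shortened from the log formats quoted in the post.
AGENT_TRACE = """\
[12/06/2016][18:09:13][2304][3508487936][CSmHttpPlugin.cpp:2643][CSmHttpPlugin::ProcessResponses][...][TestApp_webagent][/App/][test123][Processing Authorization responses.]
[12/06/2016][18:09:13][2304][3508487936][CSmHttpPlugin.cpp:2731][CSmHttpPlugin::ProcessResponses][...][TestApp_webagent][/App/][test123][Setting custom HTTP header variable: 'HTTP_SSOID=test123' from Policy Server]
"""
APP_DUMP = """\
headerName : host headerValue=app.dev.abc.com
headerName : SM_AUTHTYPE headerValue=Auto
headerName : SM_SDOMAIN headerValue=.abc.com
headerName : content-length headerValue=0
"""

SET_RE = re.compile(r"Setting custom HTTP header variable: '([^=']+)=([^']*)'")
DUMP_RE = re.compile(r"^headerName : (\S+) headerValue=(.*)$", re.M)

def canon(name):
    """Assumed normalisation: drop CGI-style HTTP_ prefix, '-' equals '_', ignore case."""
    name = name.upper().replace("-", "_")
    return name[5:] if name.startswith("HTTP_") else name

def agent_headers(trace):
    """Headers the web agent reports setting from Policy Server responses."""
    return {canon(n): v for n, v in SET_RE.findall(trace)}

def app_headers(dump):
    """Headers the application logged as received."""
    return {canon(n): v.strip() for n, v in DUMP_RE.findall(dump)}

def compare(trace, dump):
    """Classify each agent-set header as ok, empty, mismatch or missing at the app."""
    seen = app_headers(dump)
    result = {}
    for name, value in agent_headers(trace).items():
        if name not in seen:
            result[name] = "missing"      # header never reached the application
        elif seen[name] == "":
            result[name] = "empty"        # name arrived, value did not
        elif seen[name] != value:
            result[name] = "mismatch"     # value changed between agent and app
        else:
            result[name] = "ok"
    return result

if __name__ == "__main__":
    for name, status in compare(AGENT_TRACE, APP_DUMP).items():
        print(f"{name}: {status}")
```

A "missing" result with the agent trace showing the header being set points at something between the agent and the application code (proxying, the application's header lookup name), not at the policy or response definition.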



  • 15.  Re: HTTP Response headers in Siteminder.

    Posted Dec 15, 2016 02:51 PM

    Is the application not receiving headers consistently?

    What is your web/app server?



  • 16.  Re: HTTP Response headers in Siteminder.

    Posted Dec 16, 2016 12:53 AM

    The application is hosted in IIS Server with the Siteminder agent for IIS.

    It receives the HTTP headers and the header dump code shows the attribute with the values. But it randomly stops displaying the value of the attribute and keeps on publishing the header attribute name.

    I tried to print the value of user login from session and the application has the value of user logged in.