Symantec Access Management

Tech Tip - CA Single Sign-On: Request through SPS is not advancing as backend IIS returns status code of 301

By wonsa03 posted 07-07-2016 02:27 AM

CA Single Sign-On Tech Tip by Sau Lai Wong, Principal Support Engineer for 7th July 2016



Federation login is failing at IdP -- Secure Proxy Server as Identity Provider and third-party Federation Gateway as Service Provider. No error from the internet browser.



Secure Proxy Server: R12.52 SP1 CR4



The default page under IIS virtual directory is used to invoke IdP-initiated federation. However, the request failed at the point of where SPS is forwarding the request to the backend IIS.


== SPS agent trace ==

[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][ProxyValve::invoke][ProxyValve.invoke() Setting HTTP status to 200 allowing this request to proceeed. Return Code from HLA = 4]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][Tomcat5serializedAgentData.setStatus][Setting response status = 200]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][ProxyValve::invoke][The agent finished processing the request.]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][Noodle::service][Method is: GET Content length is: 0]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][addRequestHeaders][Need to preseve Proxy HOST Header.Sending Proxy Host to the backend web server]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][execute][Sending request to backend = url =]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][requestConnection(): ][Get connection: HttpRoute[{}->], timeout = 180000]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][openConnection()][Connecting to]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][execute][Response status code from backend webserver is 301]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][Noodle::doGet][Received redirect status code = 301]


== HTTP Client log ==

Jul 05, 2016 9:56:54 PM org.apache.http.impl.conn.Wire wire
FINE: << "<head><title>Document Moved</title></head>[\n]"
Jul 05, 2016 9:56:54 PM org.apache.http.impl.conn.Wire wire
FINE: << "<body><h1>Object Moved</h1>This document may be found <a HREF=>here</a></body>"


The status code of 301 is returned because IIS is expecting trailing slash since the URI is referencing a directory:


The user request ended at the redirection to the backend, with no further advancement.



Add trailing slash to the URL or specify the default page e.g: index.asp in the URL.

1 comment