
Tech Tip - CA Single Sign-On: Webagent rejects user access to higher-authentication-level resources protected with IWA

By wonsa03 posted Nov 24, 2015 04:58 PM


CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 25th Nov 2015

 

ISSUE:

Resources are protected with Integrated Windows Authentication (IWA) scheme.

 

Users log in via IWA at protection level 5. When a user then accesses a resource that requires a higher authentication level (level 10) than the existing session, the Policy Server rejects the step-up access with the following error:

[9592][8908][Sm_Az_Message.cpp:595][CSm_Az_Message::ProcessMessage][s2393/r8][winagent][][][][highwinrealm][highwindomain][][][][][][][][][][][][][][** Status: Not Authorized. Session is not authorized for this security level][][][][][][][][][kMwBI49TESlO…4dFFGSC][][][cn=administrator,CN=Users,dc=test,dc=com]

 

CAUSE:

With IWA, the Webagent redirects the user to creds.ntc for authentication, with the CHALLENGE header value appended to the query string, e.g.:

http://support.ca.com/siteminderagent/ntlm/creds.ntc?CHALLENGE=-SM-Ju%2bV9mlAGDRNm27iWCZe4EJJ1NmhDutvLoOAA4KCOrnDElxgY72TsvjUWhAFZB5g&SMAGENTNAME=VVxwPoXpuA1x2lBT4BYdLQ6WS61uAfktANTcakLxikLmGzGPR0xvSBWYpNXp86tT&TARGET=-SM-http%3a%2f%2fkumna13--u139913%2enawal%2ecom%2fhighwin%2fpage1%2ehtml

 

The CHALLENGE value carries the encrypted user name from the existing user session. The Webagent compares the user authenticated by IIS with the user name passed in the CHALLENGE query parameter. If they match, NTLM challenges the user again, and if the user logs in with the same credentials, the Webagent validates the user against the existing authentication level (level 5). The Policy Server then rejects the access again, so the request goes into a loop.

 

RESOLUTION:

Additional logic has been added to the Webagent to identify step-up authentication: it removes the CHALLENGE parameter from the query string when the logged-in user is accessing a realm with a higher protection level.

Tentatively, the fix will be incorporated in the following releases:

  • R12.51 CR8
  • R12.52 SP1 CR4
  • R12.52 SP2
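To make the cause and the fix concrete, here is a small model of the exchange described above. It is an added illustration, not the Webagent's or Policy Server's own code; the function names, the "fresh login establishes the realm's level" rule and the protection levels 5 and 10 are assumptions, and the creds.ntc URL is the one quoted in this tip.

```python
# Added model of the IWA step-up loop and its fix (not SiteMinder code).
from urllib.parse import urlsplit, parse_qs, urlencode, urlunsplit

# The creds.ntc redirect quoted in the tip (CHALLENGE + SMAGENTNAME + TARGET).
CREDS_URL = (
    "http://support.ca.com/siteminderagent/ntlm/creds.ntc?CHALLENGE=-SM-Ju%2bV9mlA"
    "GDRNm27iWCZe4EJJ1NmhDutvLoOAA4KCOrnDElxgY72TsvjUWhAFZB5g&SMAGENTNAME=VVxwPoXpu"
    "A1x2lBT4BYdLQ6WS61uAfktANTcakLxikLmGzGPR0xvSBWYpNXp86tT&TARGET=-SM-http%3a%2f%"
    "2fkumna13--u139913%2enawal%2ecom%2fhighwin%2fpage1%2ehtml"
)


def strip_challenge_for_step_up(url, session_level, realm_level):
    """Model of the fix: drop CHALLENGE from the creds.ntc query string when
    the target realm requires a higher level than the existing session.
    Other parameters (SMAGENTNAME, TARGET) are preserved."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    if realm_level > session_level:          # step-up detected
        params.pop("CHALLENGE", None)
    query = urlencode({k: v[0] for k, v in params.items()})
    return urlunsplit(parts._replace(query=query))


def step_up_flow(session_level, realm_level, fixed, max_rounds=5):
    """Walk the redirect rounds and report ('authorized', n) or ('loop', n).
    Assumption: when CHALLENGE is present and names the same user, the agent
    validates against the existing session level; when it is absent, the new
    NTLM login establishes a session at the realm's level."""
    url = CREDS_URL
    for rounds in range(1, max_rounds + 1):
        if fixed:
            url = strip_challenge_for_step_up(url, session_level, realm_level)
        has_challenge = "CHALLENGE" in parse_qs(urlsplit(url).query)
        effective_level = session_level if has_challenge else realm_level
        if effective_level >= realm_level:
            return ("authorized", rounds)
        # Policy Server: "Session is not authorized for this security level"
        # -> user is sent back to creds.ntc with the same CHALLENGE value.
    return ("loop", max_rounds)


if __name__ == "__main__":
    print("unfixed:", step_up_flow(5, 10, fixed=False))   # ('loop', 5)
    print("fixed:  ", step_up_flow(5, 10, fixed=True))    # ('authorized', 1)
```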

 

WORKAROUND:

Use the same protection level across the authentication schemes to avoid getting into the deadlock.
