Symantec Access Management

  • Private Community
 View Only

  • 1.  question about configuring CA Limit Concurrent Login

    Posted Nov 21, 2014 10:32 AM

    The system will limit the number of concurrent logins but when the customer selects continue box and submit - the oldest session is not invalidated and the browser displays "This page should never be displayed......." any ideas??




  • 2.  Re: question about configuring CA Limit Concurrent Login

    Posted Dec 02, 2014 11:35 AM

    Anyone able to help Russell?

     

    Russell Watson wrote:

     

    The system will limit the number of concurrent logins but when the customer selects continue box and submit - the oldest session is not invalidated and the browser displays "This page should never be displayed......." any ideas??

     



  • 3.  Re: question about configuring CA Limit Concurrent Login

    Posted Dec 02, 2014 12:25 PM

    Check the following:

    1.  Verify you have a license installed or No trial expiration. Check in %NETE_PS_ROOT%/license for a NPSLicense.txt  in which contains the SmLimitAuth entry.

    2. Read the user’s directory entry to see if there is a session identifier stored in the specified attribute.

     

    If not:
    • If your site uses “Method One”, ensure that the OnAuthAccept event is being processed by examining the SiteMinder Policy Server Profile/Trace Log.
    Also ensure that Authentication events are being processed for that Realm (see the “Advanced” tab in the Realm Properties). Check for errors reported in the
    SiteMinder Policy Server Profile/Trace Log by the Active Expression.

    • If your site uses “Method Two”, ensure that the authentication scheme is defined properly. You should see mention of the “Limit Concurrent Login Wedge”where the copyright and version number of the
    authentication scheme are displayed in the SiteMinder Policy Server Profile/Trace Log. Check for errors reported by the Authentication Scheme.
    • Check to ensure that the directory instance is writable and that the specified attribute actually exists. Ensure that the attribute can be updated by SiteMinder(SiteMinder will use the credentials specified in the
    User Directory properties).


    3. If the user’s directory entry contains a Session Id (a seemingly random series of characters), then the “Check”Active Expression is probably not being called. Examine
    the SiteMinder Policy Server Authorization Log to see the results of the Active Expression evaluation of “Check”. If the Active Expression is not being invoked, check to make sure that it is defined and that the “Process Authorization Events” checkbox is checked on the Realm’s Advanced Properties tab. Also check to make sure that you have two rules with Authorization Events turned on, one with OnAccessAccept selected and one with OnAccessReject selected. These are the rules that must be associated with the “Check” OnAccept-Redirect responses.

    It is normal for the Check function to return NULL. This means that no redirection is to take place.


    4. There may be a delay between when the subsequent authentication occurs and when the prior authentication is recognized as invalid. This occurs because SiteMinder must notify the Web Agents to flush the caches associated with the user. This may take a minute or so.