Symantec Access Management

  • 1.  smpwservices.fcc doesn't put username in query string

    Posted Aug 23, 2016 04:34 PM

    Hi,

     

    I'm using basic password services. In other scenarios like change password, max retries, etc., the smpwservices.fcc does put &USERNAME=username in the query string when it's redirecting to the smpwservices.fcc.

    However, on SMAUTHREASON=20 (ImmedPasswordChange), it doesn't put the username parameter in the query string. The username parameter, however, is present in the SMTOKEN parameter in an encoded format.

     

    This causes the fcc to ask for the username instead of just the old and new passwords. In the older smpwservicescgi.exe the username was available as a query string. This extra step is undesirable. Is this a known issue?

     

    Regards,

    Anand.



  • 2.  Re: smpwservices.fcc doesn't put username in query string

    Broadcom Employee
    Posted Aug 23, 2016 05:20 PM

    Hi Anand,

    smpwservices.fcc is designed differently from smpwservicescgi.exe, but the function should be the same.

    As an example, you can see USERNAME is not part of SMTOKEN, but rather is passed as a parameter by itself.

     

    Location: /siteminderagent/forms/smpwservices.fcc?SMENC=UTF-8&SMTOKEN={RC2}aYviUhQX+TsCfn0zwVtH703N7TdjBlrY/PpCNf/P8kY8AcHmQxKv6wq6xN+yYWkZDbkjZ5tJpANLuPGtbkoyck251CvLTMfW&USERNAME=aduser&SMAUTHREASON=20&SMAGENTNAME=-SM-eMaalRWKPTzIEFgiaU0JBSdYY97z%2bP5pEWc5sMkoq2X6Py0jxvBjzYfKRywN5KRf&TARGET=-SM-http%3a%2f%2fliuho03--755%2eca%2ecom%2fadtest%2f

     

    The smpwservices.fcc file has at least 10 sections that fit the use case "$$smauthreason$$ == 20". If this is a customized page, make sure you modify the section that matches your use case. Or try the default smpwservices.fcc file first.

    If the default smpwservices.fcc file still asks for USERNAME to be entered, chances are the variable was lost before it hit smpwservices.fcc during the redirect.

     

    Hongxu



  • 3.  Re: smpwservices.fcc doesn't put username in query string
    Best Answer

    Posted Aug 23, 2016 05:55 PM

    I think the user name will be appended to the URL by default. I remember there being a registry key which, when set, means the user name is not appended in redirects.

    HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer=(#number)\DisallowUsernameInURL

     

    Thanks,

    Krishna.



  • 4.  Re: smpwservices.fcc doesn't put username in query string

    Posted Aug 31, 2016 12:01 PM

    Even though it's supposed to be default, I had to manually add this with value 0 in the sm.registry to get it to work.


    Many thanks!


    Regards,

    Anand.



  • 5.  Re: smpwservices.fcc doesn't put username in query string

    Posted May 09, 2017 10:49 AM

    Hello,

     

    This is a known bug in version 12.52 SP1, described in TEC1867466: username in smtoken being encoded.

     

    Issue:

    User upgraded the web agent from version 6 to R12.52 and noticed the user name in smtoken being incorrectly encoded during the password change process:

    &SMTOKEN=...%26USERNAME%3dchoka02%26&SMAUTHREASON=20&...

    It should be

    &SMTOKEN=...&USERNAME=choka02&SMAUTHREASON=20&...

     

    Environment: 

    Policy server: R12.52SP1

     

    Cause:

    Known issue in R12.52SP1 that causes '&' to be URL-encoded to %26 and '=' to be encoded to %3d, which breaks the flow.

    Resolution:

    Fix available in R12.52SP1CR1 and later.

     

    Cheers,

    David
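
Added example (not part of the original thread and not Broadcom code): a Python check that classifies a captured smpwservices.fcc redirect by where USERNAME ended up, covering the three outcomes discussed in the posts above. The function names, sample URLs, host name and token values are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Symptom from TEC1867466 as quoted in the thread: "&USERNAME=" arrives
# percent-encoded (%26 / %3d), so it is absorbed into the SMTOKEN value.
_FOLDED = re.compile(r"%26USERNAME%3d([^&]*?)(?:%26|$)", re.IGNORECASE)

def raw_params(location):
    """Split the query on literal '&' WITHOUT decoding, so %26 stays visible."""
    query = urlsplit(location).query if "?" in location else location
    pairs = {}
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")  # split on the first '=' only
            pairs[name.upper()] = value
    return pairs

def classify_redirect(location):
    """Return (state, username) for one smpwservices.fcc redirect."""
    params = raw_params(location)
    if params.get("USERNAME"):
        # Expected shape: the FCC can pre-fill the user name.
        return ("top-level", unquote(params["USERNAME"]))
    folded = _FOLDED.search(params.get("SMTOKEN", ""))
    if folded:
        # Encoded separators: the FCC sees no USERNAME and prompts for it.
        return ("folded-into-smtoken", unquote(folded.group(1)))
    # Per the thread: DisallowUsernameInURL is set, or the value was lost
    # somewhere during the redirect.
    return ("absent", None)

# Constructed sample redirects (placeholder token, hypothetical host).
BASE = "/siteminderagent/forms/smpwservices.fcc?SMENC=UTF-8&SMTOKEN=%7BRC2%7DAAAA"
TAIL = "&SMAUTHREASON=20&TARGET=-SM-http%3a%2f%2fapp%2eexample%2ecom%2f"
GOOD = BASE + "&USERNAME=jdoe" + TAIL
FOLDED = BASE + "%26USERNAME%3djdoe%26" + TAIL
MISSING = BASE + TAIL

if __name__ == "__main__":
    for label, url in (("good", GOOD), ("folded", FOLDED), ("missing", MISSING)):
        print(label, classify_redirect(url))
```

Run it against Location headers captured from the agent host; a "folded-into-smtoken" result points at the encoding bug, while "absent" points at the registry setting or a lost parameter.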