Symantec Access Management

Expand all | Collapse all

Policy Server 12.6 SP2 Crash When Using Kerberos Authentication

  • 1.  Policy Server 12.6 SP2 Crash When Using Kerberos Authentication

     
    Posted 05-22-2017 01:34 AM

    Hi,

    I have configured my realm to authentication using Kerberos authentication. 

    every time the web-agent (which is installed on a Secure Proxy Server) send the kerberos token to the policy server, the policy server crashes and restart.

    even when I use the Siteminder test tool, isAuthenticated request cause the policy server to crash. 

    I used to step-by-step guide from the community for this setup.

     

    general infomration: 

    CA SSO 12.6 SP2 

    JDK 1.8

     

    when in-memory tracing is enabled I get the following data in the crash file: 

     

    05/21/2017|19:06:20.074|19:06:20|3160|5064|CServer.cpp:1497|ThreadPool::Run|||||||||||||||192.168.20.10|51911|||||Dequeuing a Normal Priority message, from IP 192.168.20.10 with Port No 51911. Current count is 0|

    05/21/2017|19:06:20.074|19:06:20|3160|1556|CServer.cpp:1936|CAgentMessageHandler::HandleInput|||||||||||||||192.168.20.10|51911|||||Enqueuing a Normal Priority Message, from IP 192.168.20.10 with Port No 51911. Current count is 0|

    05/21/2017|19:06:20.074|19:06:20|3160|5064|CServer.cpp:6108|CServer::ProcessRequest|||||||||||||||||||||Enter function CServer::ProcessRequest|

    05/21/2017|19:06:20.074|19:06:20|3160|5064|CServer.cpp:6294|CServer::ProcessRequest|||||||||||||104||||||||Leave function CServer::ProcessRequest|||||||||||||||||||||||||||||||||||||00:00:00.000000|

    05/21/2017|19:06:20.325|19:06:20|3160|4236|SmObjCache.cpp:524|CSmObjCache::Cleanup|||||||||||||||||||||Cleanup the object cache.|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmDsLdapProvider.cpp:1244|CSmDsLdapProvider::InitDir|||||||||||||||||||||Binding 'dir' connection to LDAP server bank #1: dc.bnhptest.local:389|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmLdapPs.cpp:146|SmLdapPs::set_prldap_opt_io_max_timeout|||||||||||||||||||||PRLDAP_OPT_IO_MAX_TIMEOUT set to 10000 milliseconds|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmLdapPs.cpp:146|SmLdapPs::set_prldap_opt_io_max_timeout|||||||||||||||||||||PRLDAP_OPT_IO_MAX_TIMEOUT set to 22000 milliseconds|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmLdapPs.cpp:146|SmLdapPs::set_prldap_opt_io_max_timeout|||||||||||||||||||||PRLDAP_OPT_IO_MAX_TIMEOUT set to 10000 milliseconds|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmObjCache.cpp:830|CSmObjCache::Fetch|||||||||||||||||||||Retrieve an object from the object cache.||||1c-67b3c2b0-9e28-11d3-95e7-00c04f7468ef|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmObjStore.cpp:3538|IsADEnhanced|||||||||||||||||||||Global Preferences:|||||

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmDsLdapProvider.cpp:1371|CSmDsLdapProvider::InitDir|||||||||||||||||||||Binding 'user' connection to LDAP server bank #1: dc.bnhptest.local:389|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmLdapPs.cpp:146|SmLdapPs::set_prldap_opt_io_max_timeout|||||||||||||||||||||PRLDAP_OPT_IO_MAX_TIMEOUT set to 10000 milliseconds|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmLdapPs.cpp:146|SmLdapPs::set_prldap_opt_io_max_timeout|||||||||||||||||||||PRLDAP_OPT_IO_MAX_TIMEOUT set to 10000 milliseconds|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmDsLdapProvider.cpp:1438|CSmDsLdapProvider::InitDir|||||||||||||||dc.bnhptest.local|389|||||Using LDAP server bank #1|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmDsDir.cpp:81|CSmDsDir::CSmDsDir|||||||||||||||||||||Return from call InitDir.|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmDsObj.cpp:94|CSmDsObj::IsValid|||||||||||||||||||||Start of call IsValid.|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmDsObj.cpp:96|CSmDsObj::IsValid|||||||||||||1||||||||Return from call IsValid.|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmDsDir.cpp:1080|CSmDsDir::GetDirectoryVersionInfo|||||||||||||||||||||Enter function CSmDsDir::GetDirectoryVersionInfo|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmDsDir.cpp:1082|CSmDsDir::GetDirectoryVersionInfo|||||||||||||3||||||||Leave function CSmDsDir::GetDirectoryVersionInfo|||||||||||||||||||||||||||||||||||||00:00:00.000000|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmObjCache.cpp:830|CSmObjCache::Fetch|||||||||||||||||||||Retrieve an object from the object cache.||||1c-67b3c2b0-9e28-11d3-95e7-00c04f7468ef|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmObjStore.cpp:3538|IsADEnhanced|||||||||||||||||||||Global Preferences:|||||

    05/21/2017|19:06:20.356|19:06:20|3160|364|smauthkerberos.cpp:140|SmAuthQuery|||||||||||||||||||||Enter function SmAuthQuery|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmAuthServer.cpp:335||||||||||||||||||||||LogMessage:INFO:[sm-Server-02750] Loaded authentication scheme internal desktops sso. Version 768 . SiteMinder (TM) Kerberos Authentication Scheme|

    05/21/2017|19:06:20.356|19:06:20|3160|364|smauthkerberos.cpp:183|SmAuthInit|||||||||||||||||||||Enter function SmAuthInit|

    Stack Trace:

    Ordinal9()-[0x73A40000] - C:\Program Files\CA\siteminder\bin\krb5_64.dll

    krb5_cc_resolve()-[0x73A47630] - C:\Program Files\CA\siteminder\bin\krb5_64.dll

    SmAuthenticate()-[0x7FF9CFA82130] - C:\Program Files\CA\siteminder\bin\smauthkerberos.dll

    SmAuthInit()-[0x7FF9CFA806F0] - C:\Program Files\CA\siteminder\bin\smauthkerberos.dll

    SmSamlDataProvider::operator=()-[0x7FF9D369DA90] - C:\Program Files\CA\siteminder\bin\SmAuth.dll

    CSmAuthUser::AuthenticateUserDir()-[0x7FF9D36BDE30] - C:\Program Files\CA\siteminder\bin\SmAuth.dll

    CSmSessionAssuranceCache::~CSmSessionAssuranceCache()-[0x7FF6F1830AF0] - C:\Program Files\CA\siteminder\bin\smpolicysrv.exe

    CSmAz::SetContextContainer()-[0x7FF6F17F8B10] - C:\Program Files\CA\siteminder\bin\smpolicysrv.exe

    CSmSessionAssuranceCache::~CSmSessionAssuranceCache()-[0x7FF6F1830AF0] - C:\Program Files\CA\siteminder\bin\smpolicysrv.exe

    CSmPolicyExtensionCache::~CSmPolicyExtensionCache()-[0x7FF6F186E700] - C:\Program Files\CA\siteminder\bin\smpolicysrv.exe

    CServer::ProcessRequest()-[0x7FF9D996FE60] - C:\Program Files\CA\siteminder\bin\SMUTILITIES.dll

    ThreadPool::Run()-[0x7FF9D995B4E0] - C:\Program Files\CA\siteminder\bin\SMUTILITIES.dll

    ThreadPool::Run()-[0x7FF9D995B4E0] - C:\Program Files\CA\siteminder\bin\SMUTILITIES.dll

    ThreadPoolBase::ThreadProc()-[0x7FF9D99AD5A0] - C:\Program Files\CA\siteminder\bin\SMUTILITIES.dll

    beginthreadex()-[0x7FF9D9144E78] - C:\Windows\SYSTEM32\MSVCR120.dll

    endthreadex()-[0x7FF9D9144F94] - C:\Windows\SYSTEM32\MSVCR120.dll

    BaseThreadInitThunk()-[0x7FF9E11B15C0] - C:\Windows\system32\KERNEL32.DLL

    RtlUserThreadStart()-[0x7FF9E15043B4] - C:\Windows\SYSTEM32\ntdll.dll

     

    did anyone face this issue before? is this a 12.6 issue? 

    BTW: It does not matter where I locate the krb5.ini file, it crashes everytime. 

     

     

    Regards, 

    Oren



  • 2.  Re: Policy Server 12.6 SP2 Crash When Using Kerberos Authentication

    Posted 05-22-2017 03:38 AM

    Hi Oren,

     

    This will need support to replicate the issue in house.

    Could you please open a support ticket if you haven't already ?

     

    PS: I had a quick look at our defect tracking system and I couldn't find any matching issue.

     

    Regards,

    Ujwol 



  • 3.  Re: Policy Server 12.6 SP2 Crash When Using Kerberos Authentication

     
    Posted 05-22-2017 08:42 AM

    Hi Ujwol and thank you for your quick reply, 

    This issue is straightforward to replicate, just set Kerberos Authentication Schema on 12.6 SP2 or SP1 and fire isAuthenticated request from the Siteminder Test Tool. 

    BTW, I have open a case (with severity 2) on it. 

     

    Regards,

    Oren



  • 4.  Re: Policy Server 12.6 SP2 Crash When Using Kerberos Authentication

    Posted 06-29-2017 06:05 AM

    Hi

    I'm experiencing the exact same issue. 

    Is there anything new about this??

    I'm using ca policy server and ca access gateway both 12.6 sp1 version.

     

    Thanks



  • 5.  Re: Policy Server 12.6 SP2 Crash When Using Kerberos Authentication

     
    Posted 07-03-2017 03:53 AM

    Hi, 

    Open a case.

    There is a file missing or a config change that you can do to fix this.