Symantec Access Management

  • 1.  Policy Server 12.6 SP2 Crash When Using Kerberos Authentication

    Broadcom Employee
    Posted May 22, 2017 01:34 AM

    Hi,

    I have configured my realm to authenticate using Kerberos authentication.

    Every time the web agent (which is installed on a Secure Proxy Server) sends the Kerberos token to the policy server, the policy server crashes and restarts.

    Even when I use the SiteMinder test tool, the isAuthenticated request causes the policy server to crash.

    I used the step-by-step guide from the community for this setup.

     

    General information:

    CA SSO 12.6 SP2 

    JDK 1.8

     

    When in-memory tracing is enabled I get the following data in the crash file:

     

    05/21/2017|19:06:20.074|19:06:20|3160|5064|CServer.cpp:1497|ThreadPool::Run|||||||||||||||192.168.20.10|51911|||||Dequeuing a Normal Priority message, from IP 192.168.20.10 with Port No 51911. Current count is 0|

    05/21/2017|19:06:20.074|19:06:20|3160|1556|CServer.cpp:1936|CAgentMessageHandler::HandleInput|||||||||||||||192.168.20.10|51911|||||Enqueuing a Normal Priority Message, from IP 192.168.20.10 with Port No 51911. Current count is 0|

    05/21/2017|19:06:20.074|19:06:20|3160|5064|CServer.cpp:6108|CServer::ProcessRequest|||||||||||||||||||||Enter function CServer::ProcessRequest|

    05/21/2017|19:06:20.074|19:06:20|3160|5064|CServer.cpp:6294|CServer::ProcessRequest|||||||||||||104||||||||Leave function CServer::ProcessRequest|||||||||||||||||||||||||||||||||||||00:00:00.000000|

    05/21/2017|19:06:20.325|19:06:20|3160|4236|SmObjCache.cpp:524|CSmObjCache::Cleanup|||||||||||||||||||||Cleanup the object cache.|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmDsLdapProvider.cpp:1244|CSmDsLdapProvider::InitDir|||||||||||||||||||||Binding 'dir' connection to LDAP server bank #1: dc.bnhptest.local:389|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmLdapPs.cpp:146|SmLdapPs::set_prldap_opt_io_max_timeout|||||||||||||||||||||PRLDAP_OPT_IO_MAX_TIMEOUT set to 10000 milliseconds|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmLdapPs.cpp:146|SmLdapPs::set_prldap_opt_io_max_timeout|||||||||||||||||||||PRLDAP_OPT_IO_MAX_TIMEOUT set to 22000 milliseconds|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmLdapPs.cpp:146|SmLdapPs::set_prldap_opt_io_max_timeout|||||||||||||||||||||PRLDAP_OPT_IO_MAX_TIMEOUT set to 10000 milliseconds|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmObjCache.cpp:830|CSmObjCache::Fetch|||||||||||||||||||||Retrieve an object from the object cache.||||1c-67b3c2b0-9e28-11d3-95e7-00c04f7468ef|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmObjStore.cpp:3538|IsADEnhanced|||||||||||||||||||||Global Preferences:|||||

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmDsLdapProvider.cpp:1371|CSmDsLdapProvider::InitDir|||||||||||||||||||||Binding 'user' connection to LDAP server bank #1: dc.bnhptest.local:389|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmLdapPs.cpp:146|SmLdapPs::set_prldap_opt_io_max_timeout|||||||||||||||||||||PRLDAP_OPT_IO_MAX_TIMEOUT set to 10000 milliseconds|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmLdapPs.cpp:146|SmLdapPs::set_prldap_opt_io_max_timeout|||||||||||||||||||||PRLDAP_OPT_IO_MAX_TIMEOUT set to 10000 milliseconds|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmDsLdapProvider.cpp:1438|CSmDsLdapProvider::InitDir|||||||||||||||dc.bnhptest.local|389|||||Using LDAP server bank #1|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmDsDir.cpp:81|CSmDsDir::CSmDsDir|||||||||||||||||||||Return from call InitDir.|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmDsObj.cpp:94|CSmDsObj::IsValid|||||||||||||||||||||Start of call IsValid.|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmDsObj.cpp:96|CSmDsObj::IsValid|||||||||||||1||||||||Return from call IsValid.|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmDsDir.cpp:1080|CSmDsDir::GetDirectoryVersionInfo|||||||||||||||||||||Enter function CSmDsDir::GetDirectoryVersionInfo|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmDsDir.cpp:1082|CSmDsDir::GetDirectoryVersionInfo|||||||||||||3||||||||Leave function CSmDsDir::GetDirectoryVersionInfo|||||||||||||||||||||||||||||||||||||00:00:00.000000|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmObjCache.cpp:830|CSmObjCache::Fetch|||||||||||||||||||||Retrieve an object from the object cache.||||1c-67b3c2b0-9e28-11d3-95e7-00c04f7468ef|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmObjStore.cpp:3538|IsADEnhanced|||||||||||||||||||||Global Preferences:|||||

    05/21/2017|19:06:20.356|19:06:20|3160|364|smauthkerberos.cpp:140|SmAuthQuery|||||||||||||||||||||Enter function SmAuthQuery|

    05/21/2017|19:06:20.356|19:06:20|3160|364|SmAuthServer.cpp:335||||||||||||||||||||||LogMessage:INFO:[sm-Server-02750] Loaded authentication scheme internal desktops sso. Version 768 . SiteMinder (TM) Kerberos Authentication Scheme|

    05/21/2017|19:06:20.356|19:06:20|3160|364|smauthkerberos.cpp:183|SmAuthInit|||||||||||||||||||||Enter function SmAuthInit|

    Stack Trace:

    Ordinal9()-[0x73A40000] - C:\Program Files\CA\siteminder\bin\krb5_64.dll

    krb5_cc_resolve()-[0x73A47630] - C:\Program Files\CA\siteminder\bin\krb5_64.dll

    SmAuthenticate()-[0x7FF9CFA82130] - C:\Program Files\CA\siteminder\bin\smauthkerberos.dll

    SmAuthInit()-[0x7FF9CFA806F0] - C:\Program Files\CA\siteminder\bin\smauthkerberos.dll

    SmSamlDataProvider::operator=()-[0x7FF9D369DA90] - C:\Program Files\CA\siteminder\bin\SmAuth.dll

    CSmAuthUser::AuthenticateUserDir()-[0x7FF9D36BDE30] - C:\Program Files\CA\siteminder\bin\SmAuth.dll

    CSmSessionAssuranceCache::~CSmSessionAssuranceCache()-[0x7FF6F1830AF0] - C:\Program Files\CA\siteminder\bin\smpolicysrv.exe

    CSmAz::SetContextContainer()-[0x7FF6F17F8B10] - C:\Program Files\CA\siteminder\bin\smpolicysrv.exe

    CSmSessionAssuranceCache::~CSmSessionAssuranceCache()-[0x7FF6F1830AF0] - C:\Program Files\CA\siteminder\bin\smpolicysrv.exe

    CSmPolicyExtensionCache::~CSmPolicyExtensionCache()-[0x7FF6F186E700] - C:\Program Files\CA\siteminder\bin\smpolicysrv.exe

    CServer::ProcessRequest()-[0x7FF9D996FE60] - C:\Program Files\CA\siteminder\bin\SMUTILITIES.dll

    ThreadPool::Run()-[0x7FF9D995B4E0] - C:\Program Files\CA\siteminder\bin\SMUTILITIES.dll

    ThreadPool::Run()-[0x7FF9D995B4E0] - C:\Program Files\CA\siteminder\bin\SMUTILITIES.dll

    ThreadPoolBase::ThreadProc()-[0x7FF9D99AD5A0] - C:\Program Files\CA\siteminder\bin\SMUTILITIES.dll

    beginthreadex()-[0x7FF9D9144E78] - C:\Windows\SYSTEM32\MSVCR120.dll

    endthreadex()-[0x7FF9D9144F94] - C:\Windows\SYSTEM32\MSVCR120.dll

    BaseThreadInitThunk()-[0x7FF9E11B15C0] - C:\Windows\system32\KERNEL32.DLL

    RtlUserThreadStart()-[0x7FF9E15043B4] - C:\Windows\SYSTEM32\ntdll.dll

     

    Did anyone face this issue before? Is this a 12.6 issue?

    BTW: It does not matter where I locate the krb5.ini file, it crashes every time.

     

     

    Regards, 

    Oren



  • 2.  Re: Policy Server 12.6 SP2 Crash When Using Kerberos Authentication

    Posted May 22, 2017 03:38 AM

    Hi Oren,

     

    This will need support to replicate the issue in house.

    Could you please open a support ticket if you haven't already?

     

    PS: I had a quick look at our defect tracking system and I couldn't find any matching issue.

     

    Regards,

    Ujwol 



  • 3.  Re: Policy Server 12.6 SP2 Crash When Using Kerberos Authentication

    Broadcom Employee
    Posted May 22, 2017 08:42 AM

    Hi Ujwol and thank you for your quick reply, 

    This issue is straightforward to replicate: just set Kerberos Authentication Schema on 12.6 SP2 or SP1 and fire an isAuthenticated request from the SiteMinder Test Tool.

    BTW, I have opened a case (with severity 2) on it.

     

    Regards,

    Oren



  • 4.  Re: Policy Server 12.6 SP2 Crash When Using Kerberos Authentication

    Posted Jun 29, 2017 06:05 AM

    Hi

    I'm experiencing the exact same issue. 

    Is there anything new about this?

    I'm using CA Policy Server and CA Access Gateway, both version 12.6 SP1.

     

    Thanks



  • 5.  Re: Policy Server 12.6 SP2 Crash When Using Kerberos Authentication

    Broadcom Employee
    Posted Jul 03, 2017 03:53 AM

    Hi, 

    Open a case.

    There is a file missing or a config change that you can do to fix this.