Symantec Access Management

  • 1.  Any other technique instead of SMTRYNO

    Posted Sep 01, 2017 02:13 AM

    Hi,

    I know SMTRYNO is used to store the failed login attempts. Is there any other way to achieve this same functionality using Siteminder without using this cookie?


    Actually we need this to remediate the pen testing findings. Please advise.


    Thanks,

    Karthick.



  • 2.  Re: Any other technique instead of SMTRYNO

    Posted Sep 01, 2017 03:16 AM

    What exactly are you trying to remediate? Do you want to get rid of login failure tracking using a cookie?

    You can also track login failures on the server side by implementing a password policy.

    So you can configure a password policy to disable user login after, say, 3 successive failed login attempts and re-enable it after X minutes.

    Does that work for you?



  • 3.  Re: Any other technique instead of SMTRYNO

    Posted Sep 02, 2017 02:46 AM

    Hi Ujwol Shrestha,


    Thanks for your suggestion. Yes, I was expecting the options you provided.

    I would like to know: is the SMTRYNO cookie set by default by Siteminder?

    Will SMTRYNO not be set if we change FCCCompatMode=YES in the ACO? Also, is SMTRYNO set for all types of authentication scheme or only for the HTML form-based authentication scheme?


    Is there any section in the Siteminder documentation covering SMTRYNO or other cookies? It would be helpful to me.


    Please advise.



  • 4.  Re: Any other technique instead of SMTRYNO
    Best Answer

    Posted Sep 03, 2017 07:13 PM

    Hi Karthick,


    Please find my answers below:


    • Is the SMTRYNO cookie set by default by Siteminder?

    Ujwol => Yes, this is set by the CA SSO Web Agent automatically if the login page (login.fcc) has the @smretries directive set to a value > 0.


    Reference: Configure HTML Forms Authentication - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation


    smretries
    Indicates the number of times a browser can try to log in. This directive acts as a counter; it is not a security mechanism. If you set this directive to 0, the number of log-in attempts is unlimited. If you set the number to 1 or greater, that indicates the number of log-in retries allowed. After you reach the limit, the browser displays the DynamicRetry.unauth page. This page can display a configured message explaining why the login failed. For smretries to be useful, configure this unauthorized file.

    You can use smretries to improve the user experience, for example:

    • After a failed log-in attempt, you can display a message in the browser instructing the user what action to take.

    • After a specific number is reached, display an invalid login message and redirect the user back to the login page to try again.

    Note: If users log in using a POST to an .fcc form, it appears that the user is given more attempts to log in beyond the value of the smretries directive. However, the user is allowed access only if they enter valid credentials within the number of attempts allowed by smretries.
    If you use the smretries directive in the login.fcc file, the Web Agent updates the SMTRYNO cookie in the browser for each failed login attempt. This cookie tracks the current number of failed login attempts. You can make your login.fcc form intelligent by adding JavaScript that looks for the SMTRYNO cookie and then displays a message in the login screen itself.
    @username=%USER%
    @smretries=1
    <html>
    <head><title>Sample Login Form</title></head>
    <body>
    <h3> Please enter your login credentials</h3>
    <form method=post><table>
    <tr>
    <td>User Name</td>
    <td><input type=text name=USER></td>
    </tr>
    <tr>
    <td>Password</td>
    <td><input type=password name=PASSWORD></td>
    </tr>
    <tr><td colspan=2>
    <input type=hidden name=target value="$$target$$">
    <input type=hidden name=smauthreason value="$$smauthreason$$">
    </td></tr>
    <tr><td><input type=submit></td></tr>
    </table></form></body>
    </html>
    • Will SMTRYNO not be set if we change FCCCompatMode=YES in the ACO?

    Ujwol => It will still set the SMTRYNO cookie, as long as you have the @smretries directive in login.fcc.

    • Is SMTRYNO set for all types of authentication scheme or only for the HTML form-based authentication scheme?

    Ujwol => It is set only for the HTML form-based authentication scheme.

    • Is there any section in the Siteminder documentation covering SMTRYNO or other cookies? It would be helpful to me.

    Ujwol => For SMTRYNO refer to: Configure HTML Forms Authentication - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation. For any other cookies please refer to the documentation. If you can't find details of any specific cookie, let me know.

    Regards,

    Ujwol



  • 5.  Re: Any other technique instead of SMTRYNO

    Posted Sep 06, 2017 10:47 PM

    Hi Ujwol,


    Thank you so much for the information you provided to me.

    Very useful.


    Thanks,

    Karthick



  • 6.  Re: Any other technique instead of SMTRYNO

    Posted Sep 06, 2017 10:49 PM

    Glad to help. If your question has been answered, could you please mark my answer as correct to close this thread?



  • 7.  Re: Any other technique instead of SMTRYNO

    Posted Jul 23, 2018 07:28 AM

    Hi Ujwol,

    This is really helpful; however, I see the below issue while using the SMTRYNO cookie. I have explained the issue along with the actual application flow.


    1. User accesses the application (xyz.com)
    2. User is redirected to the landing page where he/she clicks on login
    3. User is presented with a login page asking him/her to enter credentials
    4. User provides invalid credentials and the SMTRYNO cookie is incremented by 1. The user is shown an error message saying the credentials are invalid. (I believe this is done by reading the combination of the SMTRYNO and SMAUTHREASON cookies.)
    5. At this stage, the user clicks on the application logo in the same window and is redirected to the application landing page.
    6. User again clicks on login and this time is redirected to the same login page (as in step #3), but an invalid credentials message is thrown even though the user hasn't provided any credentials. This is because the SMTRYNO cookie value is still 1.


    Question: How can we avoid showing the invalid credentials error message at step #6? For this to happen, the SMTRYNO cookie should be set to 0 when the user clicks on the application logo, or do we have to change the code to throw the error message based on the combination of the SMTRYNO cookie and some other cookie?

    I am sure other clients must have faced this issue as well. Any suggestions?


    Thanks,

    Shivam



  • 8.  Re: Any other technique instead of SMTRYNO

    Posted Aug 01, 2018 02:44 PM

    Team,

    Any suggestions on this?

    Thanks!

    Shivam



  • 9.  Re: Any other technique instead of SMTRYNO

    Posted Aug 06, 2018 02:06 PM

    You can try writing JavaScript to clear out all cookies, or just the SMTRYNO cookie, on loading the page in the browser.
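
    The client-side logic discussed in the accepted answer and in the reply above, as an added example that is not code from this thread or from CA's documentation: read SMTRYNO from the cookie string, show the retry message only when the form was reached through an authentication failure (so the stale counter from step 6 does not trigger it), and build the cookie string that expires SMTRYNO on a landing page. The function names, the limit of 3 retries, the domain value and the assumption that an empty or "0" smauthreason means "no failure" are mine, not SiteMinder's.

```javascript
// Added example, not code from the thread or from CA's documentation.
// Parse a Cookie header / document.cookie string and return the SMTRYNO
// value, i.e. the failed-login counter the Web Agent increments for each
// failed .fcc POST when login.fcc sets @smretries to a value > 0.
function failedAttemptsFromCookie(cookieString) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    if (part.slice(0, eq).trim() !== 'SMTRYNO') continue;
    const n = parseInt(part.slice(eq + 1).trim(), 10);
    return Number.isNaN(n) || n < 0 ? 0 : n;
  }
  return 0;
}

// Decide what login.fcc should render: null (no message), 'retry' (failed
// attempt, more allowed) or 'limit' (smretries reached). Assumption (mine):
// an smauthreason of '' or '0' means the form was reached without an
// authentication failure, so a stale SMTRYNO left over from an earlier
// visit (step 6 in the flow above) must not trigger the message on its own.
function shouldShowRetryMessage(cookieString, smauthreason, smretries) {
  const tries = failedAttemptsFromCookie(cookieString);
  const reason = smauthreason === undefined || smauthreason === null ? '' : String(smauthreason);
  const failed = reason !== '' && reason !== '0';
  if (!failed || tries === 0) return null;
  return smretries > 0 && tries >= smretries ? 'limit' : 'retry';
}

// Build the document.cookie assignment that expires SMTRYNO in the browser
// (the "clear the cookie on page load" approach from the reply above).
// domain/path are hypothetical parameters: they have to match the cookie
// the Web Agent set, otherwise the browser simply stores a second cookie.
function expireCookieString(name, domain, path = '/') {
  return `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=${path}; domain=${domain}`;
}

// Browser wiring for a login.fcc that carries the hidden smauthreason input
// from the sample form above; guarded so the file also runs under Node.
if (typeof document !== 'undefined') {
  const input = document.querySelector('input[name=smauthreason]');
  const verdict = shouldShowRetryMessage(document.cookie, input ? input.value : '', 3);
  if (verdict === 'retry') console.log('Invalid credentials, please try again.');
  if (verdict === 'limit') console.log('Too many failed login attempts.');
  // On the landing page instead, clear the counter (replace the placeholder domain):
  // document.cookie = expireCookieString('SMTRYNO', 'example.com');
}
```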



  • 10.  Re: Any other technique instead of SMTRYNO

    Posted May 02, 2019 07:39 AM

    Is it possible not to show the cookie domain name for SMTRYNO Cookie?