We have CA SSO federation set up in our environment with servers in a cluster. We are getting error 400 Bad Request when the request goes from a particular SPS server to the policy server, whereas it is working with the other SPS server, which is configured for a different policy server. We tested the federation by changing the policy servers and found that when the request goes to a particular policy server it fails.
Further, the request is failing because after login it is unable to get the actual request details from the expiry tables. So is there any way to check why it is having issues with a particular policy server?
Is this policy server connected to the same session store as the other working PS?
On Mon, 18 Jun 2018 at 11:08, rajeuppa <
Yes, the policy server is connected to the same session store, and what we found is that when the request goes to sps1 - policyserver1 the request details are not getting saved in the SS_EXPIRYDATA5 table, whereas when the request goes to sps2 - policyserver2 the details are getting saved correctly in the table and federation is successful.
Is there a way to check why the details are not getting saved correctly in the database from policy server1?
A couple of items to check.
1. Are PS1 and PS2 pointing to the same PStore?
2. Have we checked that the PS1 to SStore connection is successful? Does the PS1 smps.log show any errors related to SStore?
3. Please check SStore connection parameters like username, IP address, port between PS1 and PS2.
Answer: Yes, they are pointing to the same Policy store. Verified from the database configuration files.
Answer: We don't have a session store in our environment.
Strange, in your reply to Ujwol the SStore (SS_EXPIRYDATA5 table) is mentioned, and in your reply to my comment it is stated that there is no SStore.
Anyways, I would really start looking at the Policy Server trace logs to see why PS1 is rejecting your request. As Joe suggested, open a case, OR you could also do a first-hand review of the logs to move ahead.
Hi Rajesh,
I would suggest you open a case with CA Support and upload your Fiddler trace, FWStrace, smps log and policy server trace so we can review and see what is happening.
Found the issue: the session store is not enabled on the policy server, due to which the request details are not getting stored in the session table. This makes the request fail after authentication, as in the SP-initiated flow the actual request details are fetched from the session tables. After enabling the session store on the policy server, the requests are working fine.
Thanks all for helping us.