Symantec Access Management

  • 1.  Cannot login to access gateway proxy ui dashboard for admin

    Posted Oct 02, 2018 05:31 AM

    Version: 12.8

    CA Access Gateway Proxy UI URL: http://gateway.local:8080/proxyui/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-f044c088-cf24-48be-8011-6450… 

     

    I have already connected the CA Access Gateway to the users AD via the policy server. With the URL above, when I input the wrong username or password and press login, the page gives a warning such as "Error: Invalid username or password". But when I input the correct username and password, which exist inside the users AD, the page is just refreshed, no warning appears, and I am not redirected to the admin dashboard. When I check the response, the error one gives me a proper response with code 200, but the correct login gives no response with code 302. I don't know what to do. I already tried to check the login.fcc file inside C:\Program Files\CA\secure-proxy\Tomcat\webapps\proxyui\forms\login.fcc but I cannot do a thing. I also checked the login.fcc inside C:\Program Files\CA\secure-proxy\proxy-engine\examples\forms\login.fcc.

     

    Does anyone have the same problem as me?

    Can anyone help me with this problem?

    Does anyone know where I should get the response from, or where the login form POSTs the login action to?



  • 2.  Re: Cannot login to access gateway proxy ui dashboard for admin

    Posted Oct 02, 2018 09:23 AM

    gidharmawan

     

    Here are the things you need to check.

     

    Check-1:

    In your agent configuration object, is UseSecureCookies=YES? If it is, then change it to UseSecureCookies=NO. The URL you are accessing is on http. Hence, if the UseSecureCookies flag is enabled, the SMSession cookie is set as Secure and would only traverse on https. In this case you'll see this behavior of the page being refreshed, but you are authenticated and an SMSession cookie is created. It is just that the browser won't send it because the URL is http.

     

    Check-2:

    Use a tool like Fiddler (or F12 in IE / Chrome, go to Network). Check what cookies are being set after the credentials are submitted. Check the CookieDomain of the cookie (vs. what the CookieDomain / CookieDomainScope is in the ACO). You are using "gateway.local", which means there is only one "."; that is not correct. Maybe the browser isn't able to set a cookie in the top domain, i.e. ".local".

    Reference : How is the resolved Cookie Domain determined for a - CA Knowledge 

     

    Check-3:

    Have we checked the WebAgentTrace.log (on CA Access Gateway) and smaccess.log (audit log on Policy Server)? Does either of the logs indicate login success or any other anomalies?

     

     

    Regards

    Hubert



  • 3.  Re: Cannot login to access gateway proxy ui dashboard for admin

    Posted Oct 03, 2018 04:48 AM

    Thank you for your response,

     

    Check-1:

    I already checked the ACO; the UseSecureCookies attribute is already set to NO in my setting.

     

    Check-2:

    I already checked the cookie domain and it is targeted to .local as I intended. I already read and experimented with the cookie attributes as mentioned in your reference, and the result is still the same.

     

    Check-3:

    I cannot find WebAgentTrace.log on the CA Access Gateway server. About the smaccess.log on the policy server, I think what you mean is smps.log? Because my smaccess.log is empty, and my smps.log got entries when I was trying to log in. The log consists of something like this:

     

    [572/1092][Wed Oct 03 2018 14:32:43][SmAuthUser.cpp:5564][INFO][sm-log-00000] Execution time exceeded threshold. (CSmAuthUser::Authenticate, 23814, 5000, agent=access_gateway_default_agent client=*192.168.1.70 server=http://gateway.local:8080 resource=/proxyui/ action=GET user=ssoadmin)
    [572/1092][Wed Oct 03 2018 14:32:43][SmAuthUser.cpp:5274][INFO][sm-log-00000] Execution time exceeded threshold. (CSmAuthUser::VerifyUserCredentials, 23814, 5000, agent=access_gateway_default_agent client=*192.168.1.70 server=http://gateway.local:8080 resource=/proxyui/ action=GET user=ssoadmin)
    [572/1092][Wed Oct 03 2018 14:32:43][SmAuthUser.cpp:5198][INFO][sm-log-00000] Execution time exceeded threshold. (CSmAuthUser::AuthenticateUserDir, 26750, 5000, agent=access_gateway_default_agent client=*192.168.1.70 server=http://gateway.local:8080 resource=/proxyui/ action=GET user=ssoadmin)
    [572/1092][Wed Oct 03 2018 14:32:43][Sm_Auth_Message.cpp:1968][INFO][sm-log-00000] Execution time exceeded threshold. (CSm_Auth_Message::AuthenticateUser, 26750, 5000, agent=access_gateway_default_agent client=*192.168.1.70 server=http://gateway.local:8080 resource=/proxyui/ action=GET user=ssoadmin)
    [572/1092][Wed Oct 03 2018 14:32:43][AgentAuth.cpp:321][INFO][sm-log-00000] Execution time exceeded threshold. (CSm_Auth_Message::ProcessAgentMessage, 26750, 5000, agent=access_gateway_default_agent client=*192.168.1.70 server=http://gateway.local:8080 resource=/proxyui/ action=GET user=ssoadmin)
    [572/1092][Wed Oct 03 2018 14:32:43][Sm_Auth_Message.cpp:510][INFO][sm-log-00000] Execution time exceeded threshold. (CSm_Auth_Message::ProcessMessage, 26750, 5000, agent=access_gateway_default_agent client=*192.168.1.70 server=http://gateway.local:8080 resource=/proxyui/ action=GET user=ssoadmin)
    [572/1092][Wed Oct 03 2018 14:32:43][CServer.cpp:6372][INFO][sm-log-00000] Execution time exceeded threshold. (CServer::ProcessRequest, 26750, 5000, agent=access_gateway_default_agent client=*192.168.1.70 server=http://gateway.local:8080 resource=/proxyui/ action=GET user=ssoadmin)
    [572/1352][Wed Oct 03 2018 14:39:47][CServer.cpp:1866][INFO][sm-Server-01760] Closing Idle connection for session # 24
    [572/1352][Wed Oct 03 2018 14:39:47][CServer.cpp:1866][INFO][sm-Server-01760] Closing Idle connection for session # 23
    [572/1352][Wed Oct 03 2018 14:44:47][CServer.cpp:1866][INFO][sm-Server-01760] Closing Idle connection for session # 26
    [572/1352][Wed Oct 03 2018 14:44:47][CServer.cpp:1866][INFO][sm-Server-01760] Closing Idle connection for session # 25



  • 4.  Re: Cannot login to access gateway proxy ui dashboard for admin

    Posted Oct 03, 2018 07:15 AM

    Hi Giovanni,

     

    Regarding check 2, if you have set the cookie domain to .local only, it will not work, as the browser would expect a valid domain name like ".whatever.local". You may see this if you capture the browser headers and check whether the cookie is being set or not and, if it is set, whether the domain is correct.

     

    Regarding check 3, WebAgentTrace.log needs to be enabled (by default it is disabled). See Web Agent logs at the following location: Tech Tip : Howto enable Tracing in Access Gateway (fka: Secure Proxy Server)

    Note that in Linux, the SecureProxyTrace.conf file is located under /secure-proxy/proxy-engine/conf/defaultagent

    Then, once you have enabled this trace, you can reproduce the issue and see in the trace what is happening when you try to access to get more information on this.

     

    Hope this helps



  • 5.  Re: Cannot login to access gateway proxy ui dashboard for admin

    Posted Oct 04, 2018 05:01 AM

    Hi Albert, thank you for your response

     

    Regarding check-2, I already changed the domain of the cookies successfully and the login page still doesn't redirect me to the dashboard. I still get the same error 302 from POST. The domain of the cookie is ".domain.local" as all of my servers are inside a domain named "domain.local" and I already registered all of the servers in the domain DNS.

     

    Regarding check-3, I already enabled WebAgentTrace.log by using your guide through the link. The log is created, but with no content, like what happens with my smaccess.log (at the policy server).

     

    I also already checked other log files on the Access Gateway/proxy server such as affwebserv.log, proxyui.log, WebAgent.log, server.log inside "C:\Program Files\CA\secure-proxy\proxy-engine\logs" and I don't think they show any issues.

     

    Best regards,

    Giovanni Ryan



  • 6.  Re: Cannot login to access gateway proxy ui dashboard for admin

    Posted Oct 04, 2018 09:45 AM

    Giovanni gidharmawan

     

    The URL that is being accessed is https://gateway.local:port/ and the CookieDomain seems to be set as ".domain.local". This to me seems incorrect.

     

    Also, even if we changed the CookieDomain to ".gateway.local", it would still be incorrect, because in the URL there is no [dot] before 'gateway'. The first [dot] appears before 'local'.

     

    This would be a valid scenario, as an example: if the URL was https://something.gateway.local:port/ and CookieDomain is set as .gateway.local.

     

    To resolve this you'll have to change the CA AG URL to https://gateway.domain.local:port/ which falls in line with the CookieDomain of ".domain.local" defined within the ACO. This is just a recommendation based on our best understanding, based off the information that has been provided here. Hence it would be prudent to investigate and test.

     

    I recommend looking at the following things for investigation.

    • URL being accessed on the browser (specifically the FQDN).
    • CookieDomain in ACO e.g. ".domain.local"
    • CookieDomainScope in ACO e.g. should be disabled OR should be set as '2' to match the two [dots] in CookieDomain.
    • Fiddler Traces to see what Cookie is being set. You may use other Cookie Editor addons which are available in Chrome / Firefox to view the Cookies.

     

     

    Regards

    Hubert
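
Added example (not part of the thread and not CA product code): a simplified JavaScript model of the two browser-side checks discussed in Check-1 and in the post above, the Secure flag on an http URL and the cookie Domain attribute against the request host. The port 8080 on gateway.domain.local and the single-label public-suffix rule are assumptions made for the illustration.

```javascript
// Added example: simplified model of when a browser returns a cookie.
// Assumption: any single-label domain (e.g. "local") is treated as a public
// suffix, so a cookie scoped to it is refused.
function isPublicSuffix(domain) {
  return !domain.includes(".");
}

// RFC 6265 section 5.1.3 domain-match: identical, or host ends with "." + domain.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// cookie: { domain?: string, secure?: boolean } as seen in the Set-Cookie header.
function wouldSendCookie(pageUrl, cookie) {
  const url = new URL(pageUrl);
  const host = url.hostname.toLowerCase();
  const domain = (cookie.domain || host).replace(/^\./, "").toLowerCase();

  if (cookie.domain && domain !== host && isPublicSuffix(domain)) {
    return { sent: false, reason: "Domain is a public suffix" };
  }
  if (!domainMatches(host, domain)) {
    return { sent: false, reason: "host does not match Domain" };
  }
  if (cookie.secure && url.protocol !== "https:") {
    return { sent: false, reason: "Secure cookie on an http URL" };
  }
  return { sent: true, reason: "ok" };
}

// Constructed cases using the host names from the thread.
const CASES = [
  ["http://gateway.local:8080/proxyui/", { domain: ".local" }],
  ["http://gateway.local:8080/proxyui/", { domain: ".domain.local" }],
  ["http://gateway.domain.local:8080/proxyui/", { domain: ".domain.local", secure: true }],
  ["http://gateway.domain.local:8080/proxyui/", { domain: ".domain.local" }],
];

function runCases() {
  return CASES.map(([url, cookie]) => wouldSendCookie(url, cookie));
}

for (const [i, r] of runCases().entries()) {
  console.log(CASES[i][0], JSON.stringify(CASES[i][1]), "->", r.sent, r.reason);
}
```

Only the last case returns the cookie; in the other three the login can succeed on the policy server while the browser never presents the session cookie on the follow-up request.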



  • 7.  Re: Cannot login to access gateway proxy ui dashboard for admin

    Posted Oct 07, 2018 02:19 AM

    HubertDennis Albert_Fernandez

    Thank you guys for your help! I could finally solve my problem. You guys are correct, the problem is the domain name that I use. I didn't join all the servers in one DNS domain, therefore it was not working, which should be one of the prerequisites before installing CA SSO. I started again from the beginning by first joining all the servers in one domain, "domain.local", and every server follows with .domain.local. After that everything works fine! Thanks again for the big help!

     

    Best regards,

    Giovanni Ryan