Layer7 Privileged Access Management

Expand all | Collapse all

Configure PAM with Classic ASP in IIS

Jump to Best Answer
  • 1.  Configure PAM with Classic ASP in IIS

    Posted 26 days ago
      |   view attached
    Hello,
    Some has some exemplo to configure Classic ASP on PAM. I try to configure an exemplo but it's not working, the "cspmclientatl" library is initializeted but when I call the method "retrieveCredentials" I got the error code 408.

    SO: Windows Server 2016 Standard
    IIS: 10
    Site: ClassicASP (32Bits apppool)



    ------------------------------
    Thanks,
    Benini
    ------------------------------

    Attachment(s)

    zip
    Classic ASP.zip   225K 1 version


  • 2.  RE: Configure PAM with Classic ASP in IIS

    Posted 4 days ago
    As I understand it you wish to configure PAM for a web page using ASP.  I am not sure if that will work, but you can try it, and start by creating a TCP Service.  Start the Launch URL with http:// or https://, as needed.  Follow that with <Local IP> <First Port>, not the actual address and port, which will be picked up from the device.  Finish the Launch URL with whatever follows when you go to the web page outside of PAM.  Look at the example under the Launch URL field.

    I generally use CA PAM Browser for the Browser Type and enter an * in the Access List field, which will allow you to go to any page accessible from the initial page.  The Application Protocol should be Web Portal.  Set the port as needed, ie 80 for http or 443 for https.  You may also specify port redirection if needed.  I recommend not bothering with with Auto Login at this point.  Make sure you can get the web portal login page and login manually first. 

    Create a device for the server on which you are trying to access the web page, and add the service.  Create a policy and make sure the service you created is selected.  You can now go to the Access page,  click Restart Session, and then click the link button for your portal.  Login if the desired page appears.

    Once you've got this working you can try adding Auto Login to the service.  This is only an option for the CA PAM Browser.  You will have to select the Auto Login Method, but in most cases this will be CA PAM HTML Web SSO or CA PAM HTTP Web SSO.  It will depend on your page.  The former method will require the use of the Learn Tool, to identify the Username and Password fields, and the "Enter" button.  Be aware that all 3 must appear when the page is displayed, or Auto Login will not work, even if the Learn Tool is used successfully.  You can't page down or scroll to see another field.  Here is a link to the relevant page in the documentation:  https://docops.ca.com/ca-privileged-access-manager/3-3/EN/implementing/configure-policies-to-provision-user-access-to-devices-and-applications/configure-devices/set-up-access-to-a-target-device/create-tcp-udp-services-to-access-a-device/configure-a-service-to-access-a-web-portal/how-to-configure-automatic-login-to-web-portals.  There are other factors that may prevent this from working.  It all depends on the page.

    Give this a try.  If it does not work you should open a ticket, so we can coordinate a webex.



    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------



  • 3.  RE: Configure PAM with Classic ASP in IIS
    Best Answer

    Posted 4 days ago
    I misread your post.  I see now that you are trying to use A2A.  Here is the information I have for the 408 error:

    The A2A client always checks whether it is called from a script, in which case it has to determine the name of the script being executed so that it can verify script mappings. The check is performed by searching for the full path of a shell binary, such as /bin/bash or /bin/sh, in the process tree. If a full shell path is found, PAM will look for the child process to determine the script name. For a user logging into the default shell, the shell process with show up in the process tree with name "-<shell>", e.g. "-bash" or "-ksh". This will not trigger the script logic. But if the user enters a different shell by explicitly calling it either from the command line or from a login script, there will be a shell process with the full path in the process tree and the A2A client will look for the name of the script. If the user does not invoke a script but executes the cspmclient command directly from the command line, no script name will be found and error 408 with message "fail to get script name" will be returned.
    To avoid this problem, either stay in the default shell and execute the cspmclient binary from there, or put the command in a script and execute the script.

    In addition, not having write permission to the cspm_c_client_log.txt file is a common cause of a 408.

    $CSPM_CLIENT_HOME\cspmclient\config\cspm_client_config.xml <logfile>/opt/cloakware/cspmclient/log/cspm_client_log.txt</logfile> <c_logfile>/tmp/cspm_c_client_log.txt</c_logfile>

    There are two log files for Full Client. One is used by daemon process. By default, it is in /INSTALDIR/cloakware/cspmclient/log/cspm_client_log.txt. This log file is exclusively owned by one user which launches the process. The second one is owned by a stub executable, which eventually is owned by any user who calls. Korn Shell script is an example. So by default, the second log file is put in /tmp directory, with the setting, like, <c_logfile>/tmp/cspm_c_client_log.txt</c_logfile>. The /tmp dir can be accessed by any user and we don't have any control about the permission of users in customer environment. So if you want to move this file to any other location , you have to be sure any user who calls our stub executable has the write permission to this second log file.

    Another customer discovered they did not have permission to the M:\WINDOWS\TEMP directory. In fact, they said "the folder is set to no sharing, so I am unable to open the security tab on this folder" and they had to change the location of "c_logfile".

    When all else fails, reboot the Windows machine.

    Let me know if this helps.  Once again, I'm sorry for any confusion caused by my initial post.



    ------------------------------
    Principal Support Engineer
    Broadcom
    ------------------------------