Symantec Access Management

Hi,

We have an external facing SharePoint 2010 portal protected by Site Minder. The customers are complaining the following issue.

The customers are able to login into the portal by using their username / password. After successful login when they click any of the link within the application to navigate to other pages, they are redirected to the login page again. They need to enter their credentials again. This happen only to some of the customers.

This issue happens with all the browsers like IE, Chrome, Mozilla.

We tried to troubleshoot the issue by using fiddler and found that the SMCOOKIE gets cleared automatically on the client browser. We asked them to disable all the browser add-ons, and clear cookies, temporary internet files, etc. But nothing provides a permanent solution.

We have enabled the web agent trace on the login servers and i am seeing the below errors.

[5804/5780][Tue Nov 24 2015 01:54:43][CSmLowLevelAgent.cpp:533][ERROR] LLA: SiteMinder Agent Api function failed - 'Sm_AgentApi_IsProtectedEx' returned '-1'.

[5804/5780][Tue Nov 24 2015 01:54:43][CSmProtectionManager.cpp:192][ERROR] HLA: Component reported fatal error: 'Low Level Agent'.

[5804/5780][Tue Nov 24 2015 01:54:43][CSmHighLevelAgent.cpp:805][ERROR] HLA: Component reported fatal error: 'Session Manager'.

[5804/7048][Tue Nov 24 2015 01:54:55][CSmResourceManager.cpp:269][WARNING] HLA: Missing resource data.

[5804/7048][Tue Nov 24 2015 01:54:55][CSmLowLevelAgent.cpp:533][ERROR] LLA: SiteMinder Agent Api function failed - 'Sm_AgentApi_IsProtectedEx' returned '-1'.

[5804/7048][Tue Nov 24 2015 01:54:55][CSmProtectionManager.cpp:192][ERROR] HLA: Component reported fatal error: 'Low Level Agent'.

[5804/7048][Tue Nov 24 2015 01:54:55][CSmHighLevelAgent.cpp:805][ERROR] HLA: Component reported fatal error: 'Session Manager'.

[5804/5780][Tue Nov 24 2015 01:55:07][CSmResourceManager.cpp:269][WARNING] HLA: Missing resource data.

[5804/5780][Tue Nov 24 2015 01:55:07][CSmLowLevelAgent.cpp:533][ERROR] LLA: SiteMinder Agent Api function failed - 'Sm_AgentApi_IsProtectedEx' returned '-1'.

[5804/5780][Tue Nov 24 2015 01:55:07][CSmProtectionManager.cpp:192][ERROR] HLA: Component reported fatal error: 'Low Level Agent'.

[5804/5780][Tue Nov 24 2015 01:55:07][CSmHighLevelAgent.cpp:805][ERROR] HLA: Component reported fatal error: 'Session Manager'.

[5804/5972][Tue Nov 24 2015 02:01:32][CSmFormTemplateObj.cpp:226][ERROR] Error opening form template 'E:\Program Files\CA\webagent\win64\affwebservices\redirectjsp\relay.unauth': No such file or directory.

[5804/5972][Tue Nov 24 2015 02:01:33][CSmFormTemplateObj.cpp:226][ERROR] Error opening form template 'E:\Program Files\CA\webagent\win64\affwebservices\redirectjsp\relay.unauth': No such file or directory.

[5804/5972][Tue Nov 24 2015 02:05:19][CSmFormTemplateObj.cpp:226][ERROR] Error opening form template 'E:\Program Files\CA\webagent\win64\affwebservices\redirectjsp\relay.unauth': No such file or directory.

[5804/9600][Tue Nov 24 2015 02:06:39][CSmFormTemplateObj.cpp:226][ERROR] Error opening form template 'E:\Program Files\CA\webagent\win64\affwebservices\redirectjsp\relay.unauth': No such file or directory.

[5804/9600][Tue Nov 24 2015 02:06:49][CSmHttpPlugin.cpp:1546][WARNING] Unable to process APPSESSION cookie.

[5804/9600][Tue Nov 24 2015 02:06:49][CSmHttpPlugin.cpp:1546][WARNING] Unable to process APPSESSION cookie.

This doesn't seems to be the actual issue. Still i am unable to find any root cause for this problem. Can anyone tell me / suggest me the solution to this repeated login issue?

Best Regards,

Kathir

Kathir,

Thanks for submitting your question. I think in this case we'd need to take a look at the actual header trace, WebAgent trace logs from the same time period, as well as Policy Server trace logs from the same time. This will give us a complete end-to-end view of what is happening when a user is being forced to re-authenticate when accessing a Sharepoint resource.

Is this the Agent for Sharepoint or the standard Web Agent? Achieving SSO in Sharepoint with the standard Web Agent is much more complex than the purpose-built Agent and requires several important configuration changes to work correctly. It's also not clear if this was working before and is a new problem, or if this never worked correctly, so if you can clarify when this started happening, that might give us a hint as to what is going on.

My recommendation, if you haven't done so already, is to open a formal support case and supply, at minimum, the above requested information, along with the following details about your environment:

* Policy Server version
* Web Agent/Sharepoint Agent version
* Operating system versions
* Persistent sessions/session store enabled yes/no?

My suspicion is that this is probably simply a configuration issue, but we'll need to look at all the data to be sure.

Thanks for your reply.

We are using the standard CA Agent For SharePoint product for the SharePoint Integration. Unfortunately I cannot share all the logs, because the policy servers are owned by different team and I do not have access.

The Agent for SharePoint installed on the RHEL 6 on the reverse proxy servers. the version is 12.5

The login page developed by using ASP.Net and running on the login servers (IIS - Windows 2008) with web agent installed on it. Its internally calling the relay.fcc.

I am seeing the following entry on the LocalConfig.conf

PersistentCookies="NO" in both reverse proxy

This entire setup was working well earlier and we are facing this issue in last few months. I will try to get the policy server information from the policy server team.

Thanks.

Best Regards,

Kathir.K

Will you be able to share the fiddler log ?