What I did here was create a hyperlink to the smpwservices in the after-login application page. The hyperlink contained SMAUTHREASON=34&SMAGENTNAME=iisSampleAgent. Now when I enable the password policy and try to log in, it redirects me to the unauthenticated user page. What could be the reason, and how do I fix it?
What does the Policy Server Trace Log say? Have we checked the Policy Server Trace log?
Creating a Link is for User Initiated Password Change. This has no bearing on why Login won't work and is a separate flow.
You do suggest that Password Policy has been enabled. Did we populate the UD Attributes? If we populated them, make sure the smdisabled flag and passwordData fields are empty before first login (on first login they are populated by SiteMinder). Also ensure that attributes listed as RW have Read/Write access for Password Policies to work.
No I didn't check the trace log.
When I was enabling the password policies, I had to give the user directory on which the password policy would be enabled. Earlier I left the Password Data field blank. But when enabling the password policy it asked me to enter a value in the Password Data field so that the password policy could be saved, therefore I gave the name of the user directory there. And since then the issue has happened.
Please check the Policy Server Trace log, it should suggest what is happening.
You may copy the below into your smtracedefault.txt, then enable trace logging.
Snippet of C:\CA\siteminder\config\smtracedefault.txt
components: AgentFunc/Init, AgentFunc/UnInit, AgentFunc/IsProtected, AgentFunc/Login, AgentFunc/ChangePassword, AgentFunc/Validate, AgentFunc/Logout, AgentFunc/Authorize, Server/Policy_Server_General, IsProtected, Login_Logout, IsAuthorized, Tunnel_Service, JavaAPI, Directory_Access, ODBC/Sql_Statement_Begin_End, ODBC/Sql_Errors, ODBC/Connection_Monitor, LDAP/Ldap_Call_Begin_End, LDAP/Internal_Operation, LDAP/Ldap_Error_Messages, Fed_Server
data: Date, PreciseTime, SrcFile, Function, TransactionName, Message, Data, AgentName, Resource, User, Group, Realm, Domain, Directory, Policy, Rule, ActiveExpr, Expression, ErrorValue, ReturnValue, ErrorString, IPAddr, IPPort, Result, Returns, CallDetail, AuthScheme, AuthReason, AuthStatus, Query
You said that upon the first login the fields Disabled Flag and Password Data should be auto-populated with values. Therefore, I need not give them a value of my own?
However, if for some reason those fields in the UserStore are already populated even before we define them in the SM User Directory Object, then there could be a problem.
For example, if I define the following, then the 'userstatus' field and 'pwdData' field in the backend userstore should be BLANK when I am defining it.
In my case, the trace log is not being populated with any data. I hadn't checked it before. But while configuring the ACO, I entered the parameters for the trace file: TraceAppend: yes; TraceFile: Yes; TraceFileName: C:\Logs\WebAgentTrace.log. The web agent log file is getting populated with data, but not the TraceFile.
Also, in the User Directory, I tried emptying the Disabled Flag and the Password Data field, and then logged into the application. But I don't get what you mean by defining the Disabled Flag and Password Data in the backend store. I am using JXplorer for the user directory. So where do I need to define these two attributes?
Did you set the TRACECONFIG file? For the WebAgent it should point to <WebAgent_install_home>/config/WebAgentTrace.conf.
See an example below from a SecureProxyServer ACO.
It happened that after I enabled profiling, the trace log is getting populated with data. But I was not able to grasp much from the trace log. Could you help me understand how to troubleshoot using the trace log?
On the other hand, in the directory structure (LDAP) I created two attributes for the user by assigning them values, and explicitly defined those parameters as the blob parameters in the UserStore. Now I am not getting any unauthenticated error while entering the application page. But when I click on change password, it redirects me to an error page: HTTP error 500.
I searched for the same, and found that if I protect the target for the smpwservices page, it would redirect me to the smpwservices page upon clicking on change password.
Since I haven't tried protecting the target page, could you please tell me whether I am going in the right direction?
First we need to look at one issue at a time. Use one thread to discuss one particular issue. As I see it, we are discussing two different issues, but both related to Password Services.
Issue-1: When we enable the Password Policy, the login journey fails after that. Users are getting redirected to the unauthenticated page.
Issue-2: When we click on the User Initiated Password Link page, it redirects you to an error, i.e. HTTP 500.
Could we concentrate on ISSUE-1 and resolve that first, as ISSUE-1 is crucial for ISSUE-2's resolution, i.e. ISSUE-1 has to be resolved first.
Now speaking specifically about ISSUE-1.
NOTE: This is a public forum, hence any information you share would be visible to the forum. Hence only do so if it is a Demo or Dev Env. If it is a Production Env, you'd be better off raising a support ticket with CA for a CA Support Engineer to look into your Env.
- What make/version is your User Store?
- Could you insert an image of the User Directory Object from the WAM UI?
- Could you insert an image of the Password Policy Object (first two tabs) from the WAM UI?
- Could you attach your trace.log zip file?
Kindly protect the TARGET for now. We'll get ISSUE-1 working, then check this.
I checked the following post: https://wiki.ca.com/display/sm1252sp1/Configure+the+Policy+Server+Profiler . But I still couldn't figure out where I could enable the profiler. Please help.
But I don't see any such console. Is the console available via the admin UI? The version of the admin UI is 12.52, and the version of the policy server is 12.51.
What OS is your policy server installed on? If it is Windows, open a run prompt and type 'smconsole', then hit enter. If it is non-Windows you'd need X11 forwarding enabled to present the smconsole UI.
Here is what I did:
I created a realm for the password-successfully-changed message page, and added the web agent actions rule [GET, POST] to this realm (see below).
Created a new policy for the self password change.
Added all users under this policy.
Added the self password change realm under this policy.
Went to the Password Policies, and gave the redirection URL.
Now in the application page, from where the user has the option to Change Password, I gave the URL: http://localhost/siteminder/forms/smpwservices1.fcc?SMAUTHREASON=34&SMAGENTNAME=iis_agent&TARGET=http://localhost/pswdchng/index.htm
But now it is getting redirected to a blank page.
Where did I go wrong?
I think I have made something wrong in the authentication scheme. I have used the HTML form template. Do I need to use any other authentication scheme?
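The thread's two recurring points about the user-initiated change-password link are that it must carry SMAUTHREASON=34, SMAGENTNAME and a TARGET, and that the TARGET must sit under a protected realm (otherwise the redirect lands on an error or a blank page). The following Python script is an added example, not code from the thread or from CA; it sanity-checks such a link offline. The link is the one posted above, and the realm resource filters in PROTECTED_REALMS are a constructed, hypothetical list standing in for the realms you would see in the WAM UI.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed example link, modelled on the one posted in the thread.
CHANGE_PASSWORD_LINK = (
    "http://localhost/siteminder/forms/smpwservices1.fcc"
    "?SMAUTHREASON=34&SMAGENTNAME=iis_agent"
    "&TARGET=http://localhost/pswdchng/index.htm"
)

# Constructed (hypothetical) resource filters of the realms the agent protects.
PROTECTED_REALMS = ["/pswdchng/", "/app/"]

REQUIRED_PARAMS = ("SMAUTHREASON", "SMAGENTNAME", "TARGET")
USER_INITIATED_CHANGE = "34"  # the SMAUTHREASON value used in the thread


def target_is_protected(target, protected_realms):
    """True if the TARGET (absolute URL or bare path) falls under a realm filter."""
    path = urlsplit(target).path or "/"
    return any(path.startswith(realm) for realm in protected_realms)


def check_password_services_link(link, protected_realms):
    """Return a list of problems found in a user-initiated change-password link.

    An empty list means the link carries the parameters the thread describes
    and its TARGET is covered by one of the given protected realms.
    """
    findings = []
    parts = urlsplit(link)
    if not parts.path.lower().endswith(".fcc"):
        findings.append("link does not point at an .fcc forms page")

    # parse_qs splits each pair on the first '=', so a TARGET containing
    # 'http://' survives intact; blank values are kept so they can be reported.
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in REQUIRED_PARAMS:
        if name not in params or params[name][0] == "":
            findings.append(f"missing or empty parameter: {name}")

    reason = params.get("SMAUTHREASON", [""])[0]
    if reason and reason != USER_INITIATED_CHANGE:
        findings.append(
            f"SMAUTHREASON is {reason}, expected {USER_INITIATED_CHANGE}"
        )

    target = params.get("TARGET", [""])[0]
    if target and not target_is_protected(target, protected_realms):
        findings.append(f"TARGET {target} is not under a protected realm")
    return findings


if __name__ == "__main__":
    problems = check_password_services_link(CHANGE_PASSWORD_LINK, PROTECTED_REALMS)
    for line in problems or ["link looks consistent with the thread's requirements"]:
        print(line)
```

Run it with the realm filters you actually configured; a reported "TARGET ... is not under a protected realm" is the case the thread resolves by protecting the TARGET, and a missing or empty parameter points at the hyperlink itself rather than at the realm or policy setup.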
Thanks Hubert. The issue got resolved.