Symantec Access Management


WebAgent on IIS does not intercept requests made on webservices resources ("*.svc"). It does for other kinds of resources (same path).

  • 1.  WebAgent on IIS does not intercept requests made on webservices resources ("*.svc"). It does for other kinds of resources (same path).

    Posted Apr 29, 2015 08:43 AM

    Problem:

    WebAgent on IIS does not intercept requests made on webservices resources ("*.svc"). It does for other kinds of resources (same path).

    For example, the URI /toto is protected by SiteMinder with the basic authentication scheme.
    All URIs that start with /toto are caught by SiteMinder and we are prompted for login and password, except the URI /toto/WSService.svc

    We cannot see the request in the WebAgent traces.
    We can see /toto/WSService.svc displayed correctly in the browser and in the IIS access log.
    We can see the following in the failed request tracing:

     

     

    ***. -NOTIFY_MODULE_START
    ModuleName CASiteMinderWebagentModule
    Notification 2
    fIsPostNotification false
    Notification AUTHENTICATE_REQUEST

     

     

    ***. -NOTIFY_MODULE_END
    ModuleName CASiteMinderWebagentModule
    Notification 2
    fIsPostNotificationEvent false
    NotificationStatus 0
    Notification AUTHENTICATE_REQUEST
    NotificationStatus NOTIFICATION_CONTINUE

     

    Solution:

    All modules were locked at the server level and the SiteMinder module was at the end at the application level.
    Unlocked them and put the SiteMinder module at the top (first module).
    If you need to protect a WebService for SOAP and REST requests, you may need to use SOA or WSS Agents.



  • 2.  Re: WebAgent on IIS does not intercept requests made on webservices resources ("*.svc"). It does for other kinds of resources (same path).

    Posted Apr 29, 2015 10:15 AM

    Julien

     

    Confused with the solution suggestion. Did it work after the SiteMinder WebAgent Module was moved to the TOP on the Ordered List? Assuming it did work.

     

    Then we go on to state for using SOA or WSS Agent? Did we ask the Customer to remove WebAgent and add SOA or WSS Agent?

     

    Hence there is still a level of ambiguity to decipher which solution to use. 

     

     

    Regards

     

    Hubert



  • 3.  Re: WebAgent on IIS does not intercept requests made on webservices resources ("*.svc"). It does for other kinds of resources (same path).

    Posted Apr 30, 2015 05:24 AM

    Hello Hubert,

     

    I did not want to confuse anyone by creating this tech note; on the contrary.

    If you cannot access a *.svc resource on an IIS server, one of the causes could be that the SiteMinder module is not the first one in the list. That was my issue with this specific customer. They accessed the WebService with GET and POST, so a standard WebAgent was enough for them.

    Regarding usage of the SOA suite or the WSS agent, if you really want to protect a WebService for all calls, it is better to use those agents and to validate your architecture with CA services folks.

     

    Hope it helps,

    Julien.
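
One way to check the condition described in the solution and in Julien's follow-up, added here as an example that is not part of the thread or of the product: a Python audit of the ordered `<modules>` list in a copy of an IIS configuration file, reporting where `CASiteMinderWebagentModule` sits and which entries ahead of it carry `lockItem="true"`. The sample configuration is constructed, the function name `audit_module_order` is hypothetical, and the script assumes a single file with no `<location>` wrappers (the effective order on a server is the merge of server-level and application-level settings).

```python
import xml.etree.ElementTree as ET

AGENT_MODULE = "CASiteMinderWebagentModule"  # name shown in the failed request trace

# Constructed sample: the agent module is last and two entries ahead of it are locked.
SAMPLE_CONFIG = """
<configuration>
  <system.webServer>
    <modules>
      <add name="HttpCacheModule" lockItem="true" />
      <add name="WindowsAuthenticationModule" lockItem="true" />
      <add name="UrlAuthorizationModule" />
      <add name="CASiteMinderWebagentModule" />
    </modules>
  </system.webServer>
</configuration>
"""

def audit_module_order(config_xml, agent=AGENT_MODULE):
    """Report the agent module's position and the entries listed before it."""
    root = ET.fromstring(config_xml)
    sws = next((c for c in root if c.tag == "system.webServer"), None)
    modules = sws.find("modules") if sws is not None else None
    if modules is None:
        raise ValueError("no <system.webServer>/<modules> section found")
    # Only <add> entries are considered; <remove> and <clear> are ignored here.
    entries = [(m.get("name"), (m.get("lockItem") or "false").lower() == "true")
               for m in modules.findall("add")]
    names = [name for name, _ in entries]
    report = {"present": agent in names, "position": None,
              "is_first": False, "ahead": [], "locked_ahead": []}
    if report["present"]:
        idx = names.index(agent)
        report["position"] = idx + 1          # 1-based position in the ordered list
        report["is_first"] = idx == 0
        report["ahead"] = names[:idx]
        report["locked_ahead"] = [n for n, locked in entries[:idx] if locked]
    return report

if __name__ == "__main__":
    r = audit_module_order(SAMPLE_CONFIG)
    print(f"{AGENT_MODULE}: present={r['present']} position={r['position']}")
    print("modules ahead of the agent:", ", ".join(r["ahead"]) or "none")
    print("locked modules ahead:", ", ".join(r["locked_ahead"]) or "none")
```

A report with `is_first` false and a non-empty `locked_ahead` list matches the situation the solution describes: the agent module is not first, and the locked entries have to be unlocked before the order can be changed.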