We are having a very strange issue with SiteMinder. We have SiteMinder 6.x with a Kerberos auth scheme and it is working perfectly fine. Now we are migrating to SiteMinder 12.8. I configured SiteMinder 12.8 with Kerberos and checked all principal names and tokens, and the policy server is able to connect to the KDC without any issue.
Next I created an out-of-the-box Kerberos auth scheme (a little different from 6.x, because in 6.x it was a custom auth scheme with the Kerberos library).
Policies, rules, realms and domains were migrated from 6.x as is.
Now the issue I am facing is that every time a user tries to access 12.8, I see the user is authenticated but there is no authorization event recorded. In the webagent trace log or smtracedefault log I don't see anything related to authorization. In the smaccess log I see many AuthAccept events for that user but no AzReject event. It seems SiteMinder is not firing Az events at all. This was not the case with the 6.x policy server.
I have two policies:
1) allow policy - with one realm and one rule - webagent events Get, Post
2) denied access policy - with one rule - OnAccessReject
Here is the webagent trace log format.
components: AgentFunc/IsProtected, AgentFunc/Login, AgentFunc/Validate, AgentFunc/Authorize, AgentFunc/GetConfig, Server/Connection_Management, Server/Policy_Server_General, IsProtected/Resource_Protection, Login_Logout/Authentication, Login_Logout/Policy_Evaluation, Login_Logout/Session_Management, Login_Logout/Send_Response, Login_Logout/Receive_Request, IsAuthorized/Policy_Evaluation, IsAuthorized/Send_Response, IsAuthorized/Receive_Request, IsAuthorized/AzMapping, ODBC/Connection_Management, LDAP/Ldap_Call_Begin_End, LDAP/Connection_Management, LDAP/Ldap_Error_Messages
data: Date, Time, Pid, Domain, AgentName, AuthScheme, Realm, Rule, Resource, Message, Policy, Function, AuthReason, Directory, UserDN, ReturnValue, Query, User, AuthStatus, Data, Group, Result, Returns, SearchKey, ErrorString, ErrorValue, Property, IPAddr, Action, TransactionName, RequestIPAddr, CallDetail
According to this setting all messages related to Az should be logged, but specifically for this domain and policies, I don't see any messages.
One more thing I tried was to use the smtest tool. For the time being I reverted the Kerberos auth scheme to the basic auth scheme and used the smtest tool to authenticate and authorize. I see all messages in the policy server logs. But the moment I configure the realm with the Kerberos auth scheme, I don't see any messages and users are not authorized.
I have never seen such an issue before where SiteMinder is not doing any Az. Has any of you seen this before and have an idea what could be wrong? #siteminder #kerberosauthscheme
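A small triage script for the symptom described in this post (accepted authentications with no authorization activity behind them). This is an added example, not code from the poster or from CA/Broadcom: it uses the field order from the "data:" line and the component names from the "components:" line above, but it assumes a bracket-delimited record layout with the component first, which depends on the trace config's format line, and all log lines in it are constructed sample data.

```python
"""Triage helper for the 'AuthAccept but no Az events' symptom described above."""
import re
from collections import Counter

# Field order taken from the "data:" line of the trace configuration in the question.
DATA_FIELDS = [
    "Date", "Time", "Pid", "Domain", "AgentName", "AuthScheme", "Realm", "Rule",
    "Resource", "Message", "Policy", "Function", "AuthReason", "Directory", "UserDN",
    "ReturnValue", "Query", "User", "AuthStatus", "Data", "Group", "Result", "Returns",
    "SearchKey", "ErrorString", "ErrorValue", "Property", "IPAddr", "Action",
    "TransactionName", "RequestIPAddr", "CallDetail",
]

# Components from the "components:" line that correspond to authorization work.
AZ_COMPONENTS = {
    "AgentFunc/Authorize", "IsAuthorized/Policy_Evaluation", "IsAuthorized/Send_Response",
    "IsAuthorized/Receive_Request", "IsAuthorized/AzMapping",
}

# Assumed record layout: component first, then every data field, each in square
# brackets. Real output depends on the trace config's format line.
_BRACKET = re.compile(r"\[(.*?)\]")


def parse_line(line):
    """Map one bracket-delimited trace record to a dict keyed by field name."""
    values = _BRACKET.findall(line)
    if len(values) != len(DATA_FIELDS) + 1:
        raise ValueError(f"expected {len(DATA_FIELDS) + 1} fields, got {len(values)}")
    record = {"Component": values[0]}
    record.update(zip(DATA_FIELDS, values[1:]))
    return record


def count_components(lines):
    """Count records per component; a zero for every IsAuthorized/* entry confirms the symptom."""
    return Counter(parse_line(line)["Component"] for line in lines)


def find_auth_without_az(lines):
    """Return (realm, user) pairs that got AuthAccept but never reached an Az component."""
    accepted = set()
    authorized = set()
    for line in lines:
        rec = parse_line(line)
        key = (rec["Realm"], rec["User"])
        if rec["AuthStatus"] == "AuthAccept":
            accepted.add(key)
        if rec["Component"] in AZ_COMPONENTS:
            authorized.add(key)
    return sorted(accepted - authorized)


def _rec(component, **fields):
    """Render one constructed record in the assumed layout (sample data, not real log output)."""
    return f"[{component}]" + "".join(f"[{fields.get(f, '')}]" for f in DATA_FIELDS)


# Constructed sample: the Kerberos realm shows AuthAccept with no Az activity, while a
# basic-auth realm shows the expected IsAuthorized record after login.
SAMPLE_LINES = [
    _rec("Login_Logout/Authentication", Date="03/01/2024", Time="10:00:01", Pid="4121",
         Domain="DomA", AgentName="agent1", AuthScheme="Kerberos", Realm="kerbRealm",
         Resource="/app/index.html", User="jdoe", AuthStatus="AuthAccept"),
    _rec("AgentFunc/Validate", Date="03/01/2024", Time="10:00:01", Pid="4121",
         Domain="DomA", AgentName="agent1", Realm="kerbRealm", User="jdoe"),
    _rec("Login_Logout/Authentication", Date="03/01/2024", Time="10:00:05", Pid="4121",
         Domain="DomA", AgentName="agent1", AuthScheme="Basic", Realm="basicRealm",
         Resource="/app2/index.html", User="asmith", AuthStatus="AuthAccept"),
    _rec("IsAuthorized/Policy_Evaluation", Date="03/01/2024", Time="10:00:05", Pid="4121",
         Domain="DomA", AgentName="agent1", Realm="basicRealm", User="asmith",
         Policy="allow policy", Action="GET"),
]

if __name__ == "__main__":
    for component, n in sorted(count_components(SAMPLE_LINES).items()):
        print(f"{component:35} {n}")
    print("accepted but never authorized:", find_auth_without_az(SAMPLE_LINES))
```

Run it against a real trace file by replacing `SAMPLE_LINES` with the file's lines after adjusting `parse_line` to the format line actually configured; a realm that appears only in the "accepted but never authorized" output, with every IsAuthorized/* count at zero, is the condition the post describes.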