Symantec Access Management


siteminder authorization issue with kerberos

  • 1.  siteminder authorization issue with kerberos

    Posted 02-04-2020 08:19 AM

    Hi all,

    We are having a very strange issue with SiteMinder. We have SiteMinder 6.x with a Kerberos auth scheme, and it is working perfectly fine. Now we are migrating to SiteMinder 12.8. I configured SiteMinder 12.8 with Kerberos and checked all principal names and tokens, and the policy server is able to connect to the KDC without any issue.

    Next I created an out-of-the-box Kerberos auth scheme (a little different from 6.x, because in 6.x it was a custom auth scheme with the Kerberos library).

    Policies, rules, realms and domains are migrated from 6.x as they are.

    Now the issue I am facing is that every time a user tries to access 12.8, I see the user is authenticated but there is no authorization event recorded. In the web agent trace log or the smtracedefault log I don't see anything related to authorization. In the smaccess log I see many AuthAccept events for that user but no AzReject event. It seems SiteMinder is not firing Az events at all. This was not the case with the 6.x policy server.

    I have two policies:

    1) allow policy - with one realm and one rule - web agent events GET, POST

    2) denied access policy - with one rule = OnAccessReject

    Here is the web agent trace log format.

    components: AgentFunc/IsProtected, AgentFunc/Login, AgentFunc/Validate, AgentFunc/Authorize, AgentFunc/GetConfig, Server/Connection_Management, Server/Policy_Server_General, IsProtected/Resource_Protection, Login_Logout/Authentication, Login_Logout/Policy_Evaluation, Login_Logout/Session_Management, Login_Logout/Send_Response, Login_Logout/Receive_Request, IsAuthorized/Policy_Evaluation, IsAuthorized/Send_Response, IsAuthorized/Receive_Request, IsAuthorized/AzMapping, ODBC/Connection_Management, LDAP/Ldap_Call_Begin_End, LDAP/Connection_Management, LDAP/Ldap_Error_Messages

    data: Date, Time, Pid, Domain, AgentName, AuthScheme, Realm, Rule, Resource, Message, Policy, Function, AuthReason, Directory, UserDN, ReturnValue, Query, User, AuthStatus, Data, Group, Result, Returns, SearchKey, ErrorString, ErrorValue, Property, IPAddr, Action, TransactionName, RequestIPAddr, CallDetail

    version: 1.1

    According to this setting, all messages related to Az should be logged, but specifically for this domain and these policies I don't see any messages.

    One more thing I tried was to use the smtest tool. For the time being I reverted the Kerberos auth scheme to a basic auth scheme and used the smtest tool to authenticate and authorize. I see all messages in the policy server logs. But the moment I configure the realm with the Kerberos auth scheme, I don't see any message and users are not authorized.

    I have never seen such an issue before where SiteMinder is not doing any Az. Have any of you seen this before, and do you have an idea what could be wrong?

    #siteminder #kerberosauthscheme


  • 2.  RE: siteminder authorization issue with kerberos
    Best Answer

    Posted 02-05-2020 02:30 AM
    The issue is resolved by adding the SSOZoneName parameter in the ACO for the agent. It was a requirement based on the setting we have in our environment. Since authentication was going in a loop due to a cookie issue related to SSOZoneName, it was not reaching the authorization step.
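As an added example (not from the thread or from the product), a small Python script that looks for the symptom described above: a user who produces repeated AuthAccept events with no AzAccept or AzReject ever following, which is what an authentication loop that never reaches authorization looks like in the access log. The log lines are constructed and simplified; the real smaccess.log carries more bracketed fields, and the agent and user names here are made up.

```python
import re
from collections import defaultdict

# Constructed, simplified smaccess-style lines (not a real capture). The real
# smaccess.log has additional bracketed fields; the event names AuthAccept,
# AzAccept and AzReject are the ones the thread refers to.
SAMPLE_LOG = """\
[04/Feb/2020:08:10:01 -0500] [AuthAccept] [kerbagent] [jdoe] [/app/index.html]
[04/Feb/2020:08:10:02 -0500] [AuthAccept] [kerbagent] [jdoe] [/app/index.html]
[04/Feb/2020:08:10:03 -0500] [AuthAccept] [kerbagent] [jdoe] [/app/index.html]
[04/Feb/2020:08:10:04 -0500] [AuthAccept] [kerbagent] [jdoe] [/app/index.html]
[04/Feb/2020:08:10:05 -0500] [AuthAccept] [basicagent] [asmith] [/app/index.html]
[04/Feb/2020:08:10:05 -0500] [AzAccept] [basicagent] [asmith] [/app/index.html]
[04/Feb/2020:08:10:09 -0500] [AuthAccept] [basicagent] [bwong] [/admin/]
[04/Feb/2020:08:10:09 -0500] [AzReject] [basicagent] [bwong] [/admin/]
"""

# [timestamp] [Event] [agent] [user] [resource]
LINE_RE = re.compile(r"^\[([^\]]+)\] \[(\w+)\] \[([^\]]+)\] \[([^\]]+)\] \[([^\]]+)\]$")
AZ_EVENTS = {"AzAccept", "AzReject"}


def parse(text):
    """Yield (event, agent, user, resource) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _ts, event, agent, user, resource = m.groups()
            yield event, agent, user, resource


def find_auth_loops(text, min_auth=3):
    """Return {(agent, user): auth_count} for users who authenticated at least
    min_auth times but never produced an Az event, i.e. authentication is
    succeeding repeatedly while authorization is never reached."""
    auth_counts = defaultdict(int)
    saw_az = set()
    for event, agent, user, _resource in parse(text):
        key = (agent, user)
        if event == "AuthAccept":
            auth_counts[key] += 1
        elif event in AZ_EVENTS:
            saw_az.add(key)
    return {k: n for k, n in auth_counts.items() if n >= min_auth and k not in saw_az}


if __name__ == "__main__":
    for (agent, user), n in find_auth_loops(SAMPLE_LOG).items():
        print(f"possible auth loop: agent={agent} user={user} AuthAccept x{n}, no Az event")
```

A healthy flow shows an AzAccept or AzReject shortly after each AuthAccept, as with asmith and bwong here; only jdoe, whose agent keeps re-authenticating, is flagged.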