Symantec Access Management

ISSUE:

Custom HTTP Module unable to read the HTTP Headers set by SiteMinder in the integrated pipeline mode.

DESCRIPTION:

Customer has developed a custom HTTP Module which is expected to read the HTTP Headers set by SiteMinder e.g. SM_USER, SM_USERDN etc. The application pipeline mode is set to integrated.

However, the custom HTTP Module is unable to read any of the HTTP Headers set by SiteMinder module.

Other observations :

• If the application pool is switched to CLASSIC pipeline mode the custom module is able to read the SiteMinder headers.
• Simple dump header aspx/asp page prints all the SiteMinder headers including SM_USER without any issue.
• SiteMinder HTTP module is set on the top of the list in the view ordered pane in IIS Manager

ENVIRONMENT:

1. Web Server OS: Windows 2008 R2/Windows 2012/ Windows 2012 R2
2. Web Server : IIS 7.0/ IIS 7.5/ IIS 8.0/ IIS 8.5
3. Application Pool : Integrated Pipeline Mode

CAUSE:

After having a closer look at the IIS Failed request tracing it was found that the custom HTTP Module was registered for an event at a stage earlier than "AUTHENTICATE_REQUEST" which is where SiteMinder modules sets most of the HTTP headers.

The following tasks are performed by the HttpApplication class (in the order) while the request is being processed in the integrated pipeline mode.

1. Validate the request, which examines the information sent by the browser and determines whether it contains potentially malicious markup. For more information, see ValidateRequest and Script Exploits Overview.
2. Perform URL mapping, if any URLs have been configured in the UrlMappingsSection section of the Web.config file.
3. Raise the BeginRequest event.
4. Raise the AuthenticateRequest event.
5. Raise the PostAuthenticateRequest event.
6. Raise the AuthorizeRequest event.
7. Raise the PostAuthorizeRequest event.
8. Raise the ResolveRequestCache event.
9. Raise the PostResolveRequestCache event.
10. Raise the MapRequestHandler event. An appropriate handler is selected based on the file-name extension of the requested resource. The handler can be a native-code module such as the IIS 7.0 StaticFileModule or a managed-code module such as the PageHandlerFactory class (which handles .aspx files).
11. Raise the PostMapRequestHandler event.
12. Raise the AcquireRequestState event.
13. Raise the PostAcquireRequestState event.
14. Raise the PreRequestHandlerExecute event.
15. Call the ProcessRequest method (or the asynchronous version IHttpAsyncHandler.BeginProcessRequest) of the appropriate IHttpHandler class for the request. For example, if the request is for a page, the current page instance handles the request.
16. Raise the PostRequestHandlerExecute event.
17. Raise the ReleaseRequestState event.
18. Raise the PostReleaseRequestState event.
19. Perform response filtering if the Filter property is defined.
20. Raise the UpdateRequestCache event.
21. Raise the PostUpdateRequestCache event.
22. Raise the LogRequest event.
23. Raise the PostLogRequest event.
24. Raise the EndRequest event.
25. Raise the PreSendRequestHeaders event.
26. Raise the PreSendRequestContent event.

So obviously, for any custom module to be able to read the HTTP headers set by SiteMinder module in the AUTHENTICATE_REQUEST phase, it has to be registered either at the AUTHENTICATE_REQUEST or any events after it e.g POST_AUTHENTICATE_REQUEST

RESOLUTION:

Modify custom HTTP Module  to register and read HTTP request headers set by SiteMinder at the event equal or after AUTHENTICATE_REQUEST.

Note : If there are two Modules subscribed to the same event in the request life-cycle (e.g AUTHENTICATE_REQUEST)..it is still possible to configure the order of the execution of the SiteMinder module by altering the RequestPriority. This has been covered in our bookshelf itself:

IIS Web Server Settings

ADDITIONAL INFORMATION:

https://msdn.microsoft.com/en-us/library/bb470252.aspx