"/authazws/AuthRestService" fails to authenticate any users

Article ID: 101626


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

"/authazws/AuthRestService" fails to authenticate any users
Description
We have Access Gateway (SPS) deployed in our environments with "authazws" enabled. Basically, we use its "/authazws/AuthRestService/login" and "/authazws/AuthRestService/authz" RESTful services through our in-house-built Security API.

Calling "/authazws/AuthRestService/login" on the new SPS always returned a "LOGIN_FAILED" result, even though the same request sent to the existing SPS was authenticated OK.

The same user was tested in the Policy Server Test Tool and authenticated OK.

smps.log:
[ERROR][sm-Ldap-00650] CSmDsLdapProvider::Search(): Wrong syntax of LDAP search filter: (uid=)

Wireshark shows the following response from the web services:
<loginResponse><authenticationResponses/><message>Authentication Failed</message><resultCode>LOGIN_FAILED</resultCode></loginResponse>

sps-trace.log: 
User 'unknown' is not authenticated by Policy Server.

smtracedefault.log: 
LogMessage:ERROR:[sm-Ldap-00650] CSmDsLdapProvider::Search(): Wrong syntax of LDAP search filter: (uid=)

server.log: SM_USERDN and SM_USER are empty:
Header SM_USERDN :
Header SM_USER :

Environment

SSO 12.8 - Policy Server and Access Gateway.
Windows Server 2016

Resolution

The customer was using the following XML to log in:

<loginRequest>
<binaryCreds></binaryCreds>
<userName>USERNAME</userName>
<password>PASSWORD</password>
<action>GET</action>
</loginRequest>

This was solved by changing:

<userName>USERNAME</userName>

To:

<username>USERNAME</username>

It looks as if "userName" was changed to "username" (or became case sensitive) between 12.7 and 12.8. This is reflected in a difference in the documentation:

12.7 uses userName: 

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-7/configuring/ca-access-gateway-configuration/configuring-the-authentication-and-authorization-web-services.html (see "Authentication REST Interface")

12.8 uses username: 

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/access-gateway-configuration/configuring-the-authentication-and-authorization-web-services.html (see "Authentication REST Interface")
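
A client-side pre-flight check for the element-name mismatch described in the Resolution, as an added example that is not Broadcom's code or part of the original article. The expected element names are taken from the working 12.8 request shown above; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Child element names as they appear in the working 12.8 request in this article.
EXPECTED_12_8 = ("binaryCreds", "username", "password", "action")


def check_login_request(xml_text, expected=EXPECTED_12_8):
    """Return (element, problem, suggestion) tuples for a loginRequest body."""
    root = ET.fromstring(xml_text)
    by_lower = {name.lower(): name for name in expected}
    findings = []
    if root.tag != "loginRequest":
        findings.append((root.tag, "unexpected root element", "loginRequest"))
    for child in root:
        if child.tag in expected:
            continue
        fixed = by_lower.get(child.tag.lower())
        problem = "case mismatch" if fixed else "unknown element"
        findings.append((child.tag, problem, fixed))
    # No usable <username> is consistent with the empty "(uid=)" filter in smps.log.
    user = root.find("username")
    if user is None or not (user.text or "").strip():
        findings.append(("username", "missing or empty", None))
    return findings


def normalize_login_request(xml_text, expected=EXPECTED_12_8):
    """Rename children that differ from an expected name only by letter case."""
    root = ET.fromstring(xml_text)
    by_lower = {name.lower(): name for name in expected}
    for child in root:
        child.tag = by_lower.get(child.tag.lower(), child.tag)
    return ET.tostring(root, encoding="unicode")


# Constructed sample: the 12.7-style body from this article, placeholder credentials.
OLD_BODY = (
    "<loginRequest><binaryCreds></binaryCreds><userName>USERNAME</userName>"
    "<password>PASSWORD</password><action>GET</action></loginRequest>"
)

if __name__ == "__main__":
    for finding in check_login_request(OLD_BODY):
        print(finding)
    print(normalize_login_request(OLD_BODY))
```

Running the check in the client's test suite against each SPS version's expected names surfaces this kind of rename before an upgrade turns every login into LOGIN_FAILED.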