SM_UNIVERSALID header unable to pass when loggedin via IWA on dev environment
Article ID: 134423
Updated On:
Products
Issue/Introduction
We're running a Web Agent and when a user get authenticated by Windows Authentication Scheme, then the header SM_UNIVERSALID doesn't get filled and passed to the application. We noticed this happens on unprotected resource after authentication.
How can we fix this ?
Environment
Policy Server 12.52SP1CR05 2113 on SunOS;
Web Agent 12.52SP1CR09 2614 on IIS 8.5 64bit on Windows 2012 R2 64bit;
Web Agent Cookie Provider 12.52SP1CR02 766 64 bit on Apache 2.2.11 on SunOS;
Resolution
In order to get the SM_UNIVERSALID header on unprotected application, you have to set the ACO parameter :
PreserveUniversalID = yes
1. This parameter has been added in Web Agent 12.52SP1CR08 and it is documented here :
New ACO Parameter preserveuniversalID
From 12.52 SP1 CR08, you can configure the preserveuniversalid ACO
parameter to set Universal ID to non-protected resources too when a valid SMSESSION cookie is available.
So said, if you don't set it or if you run version before 12.52SP1CR08, you won't be able to get the SM_UNIVERSALID on unprotected resource.
Historically, some Customers reported a security issue when the SM_UNIVERSALID is produced on unprotected page. That's the reason
why this header has been removed from the processing of the unprotected resource.
Since 12.52SP1CR08, you have the possibility to choose if you want the header on unprotected resource or not. By default (if not set), it is disable and the header will not show up on unprotected resource.
2. For a list of recently modified ACO parameter, rely on the release notes and documentation :
Cumulative Releases
List of Agent Configuration Parameters
Feedback
