Web Agent : browser back to login page even if authentication succeeded

book

Article ID: 140392

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction

 

When running some Web Agents in a given environment and when users try
to access applications, they login successfully, but right after, the
browser send them back to the login page.

To illustrate : 

User goes to the protected page :

   https://myapp.mydomain.com/

and then user is asked to provide credential on the login page on a
second Web Agent :

   http://mylogin.mydomain.com/

User gives correct credentials, but some seconds after coming back to
the application

   https://myapp.mydomain.com/

the browser is redirected again to 

   http://mylogin.mydomain.com/

 

Cause

 

First request occurs at 16:09:10 on the protected page :

  GET https://myapp.mydomain.com/ HTTP/1.1

    HTTP/1.1 302 Found
    Date: Thu, 07 Nov 2019 16:09:10 GMT
    Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips

The browser gets redirected for login page which request shows that
the login server is around 7 minutes in the past :

  GET https://mylogin.mydomain.com/login.fcc?TYPE=33619969
  &REALMOID=06-wss5c58d-5hh4-4985-8a88-328682456437&GUID=
  &SMAUTHREASON=0&METHOD=GET
  &SMAGENTNAME=$SM$F7h%2flZ9eqwaerdasdswkX4cKhulXfh%2bRzssadada0CLxmdsadsMVL7Vjvrtil7h
  &TARGET=$SM$https%3A%2F%2Fmyapp.mydomain.com%2F HTTP/1.1

    HTTP/1.1 200 HTTP/1.1 200 OK
    Server: Microsoft-IIS/8.0
    Date: Thu, 07 Nov 2019 16:02:34 GMT

After successfull login, the browser goes back to the protected
application and the server shows a time which is around 3 hours in the
past :

  GET https://myapp.mydomain.com/index.html HTTP/1.1

    HTTP/1.1 302 Found
    Date: Thu, 07 Nov 2019 13:02:25 GMT
    Server: Apache

And the next click on the same application, the server shows the
server time being 3 hours in the future.

  GET https://myapp.mydomain.com/myapp/index.html HTTP/1.1

    HTTP/1.1 302 Found
    Date: Thu, 07 Nov 2019 16:02:34 GMT
    Server: Apache

As the server time varies, then the idle and session timeout trigger
and the browser is sent back to the login page :

  GET https://mylogin.mydomain.com/login.fcc?TYPE=33619969
  &REALMOID=06-wss5c58d-5hh4-4985-8a88-328682456437
  &GUID=&SMAUTHREASON=0&METHOD=GET
  &SMAGENTNAME=$SM$F7h%2flZ9eqwaerdasdswkX4cKhulXfh%2bRzssadada0CLxmdsadsMVL7Vjvrtil7h
  &TARGET=$SM$https%3A%2F%2Fmyapp.mydomain.com%2F HTTP/1.1

    HTTP/1.1 200 HTTP/1.1 200 OK
    Server: Microsoft-IIS/8.0
    Date: Thu, 07 Nov 2019 16:02:34 GMT

 

Environment

 

  Web Agent 12.52SP01CR01 on Apache 2.4 on Linux; 

 

Resolution

 

- Make all the Web Server machine's clocks in sync to solve the issue.