Target's cookieDomain and agent configured cookieDomain doesn't match error

Article ID: 140880

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER

Issue/Introduction

 

What is the impact of setting FccCompatMode to Yes in the Web Agent ACO?

Resolution


Switching the FCCCOMPATMODE value from no to yes allows compatibility
with any 4.x Agent you still have, but it will potentially create problems:

  - It will break some password services;
  - It will break some functionality in the OpenID Authentication Scheme;
  - It will remove the SMTRYNO cookie;
  - It will break the protection level feature;
  - It will break the tracking session domain feature.

But it will allow the following:

  - It will produce the FORMCRED cookie;
  - It will allow you to run Policy Server with the CA Adapter;
  - It will allow compatibility between 4.x agents and the later versions;
  - It will allow compatibility with a Web Agent running on Domino Web Server.



Additional Information


Having the FCCCOMPATMODE set to yes :

- It will break some password services:

  Password change behavior when FCCCOMPATMODE is set to Yes

    On a POST to an FCC, the FCC will generate a number of cookies. This
    includes the FORMCRED cookie, which is created when FCCCompatMode is
    set to the value YES.

    This cookie represents the old way of doing forms login and should be
    considered deprecated. The functionality only exists today to provide
    backwards compatibility with older SiteMinder installations.

  https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=8386


- It will break some functionality in the OpenID Authentication Scheme:

  OpenID Authentication Scheme

   Disable the FCCCompatMode Parameter

    Agents use an FCCCompatMode configuration parameter for backward
    compatibility with older versions of the product. For newer versions
    of the product (such as r12.5), this parameter must be disabled for
    better security when using certain features.

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/policy-server-configuration/authentication-schemes/openid-authentication-scheme.html


- It will remove the SMTRYNO cookie:

  SMTRYNO cookie not set if FCCCompatMode=YES and login page is posting to an FCC

    When you have a login page (ASP or JSP) that is posting to the
    login.fcc and a Web Agent with FCCCompatMode = Yes, the SMTRYNO
    cookie is not generated.

    With FCCCompatMode = No, the SMTRYNO cookie is correctly generated.

    The SMTRYNO cookie could be useful to track authentication attempts.

  https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=49556

  SMTRYNO Cookie Not Generating

    SMTRYNO cookie is not being generated. The login.fcc file contains
    @smretries=6.

    Make sure FCCCompatMode is not enabled. This Agent Configuration
    Object parameter defaults to no when not explicitly set.

  https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=109851


- It will break the protection level feature:

  Authentication Scheme Protection Level Ignored When Changing The TARGET Parameter of Login FCC

    Using a lower authentication scheme protection level set of
    credentials, we are able to obtain a higher session level only by
    tampering with the target.

  https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=117253


- It will break the tracking session domain feature:

  TrackSessionDomain parameter in ACO and use FQDN as the cookie domain

    Run the agent in Normal Mode (FccCompatMode=No) if you want to use a
    cookie domain that is the same as the hostname.

  https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=40655


- It will produce the FORMCRED cookie:

  What is the FORMCRED cookie?

    On a POST to an FCC, the FCC will generate a number of cookies. This
    includes the FORMCRED cookie, which is created when FCCCompatMode is
    set to the value YES. This cookie represents the old way of doing
    forms login and should be considered deprecated. The functionality
    only exists today to provide backwards compatibility with older
    SiteMinder installations. The FORMCRED cookie is generated from the
    USERNAME and PASSWORD variables. In the default mode
    (FCCCompatMode="NO"), the FCC will log the user in directly and, on
    successful authentication, redirect the user back to the TARGET URL
    with an SMSESSION cookie, using SSO instead of FORMCRED credentials to
    access the TARGET.

  https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=46283


- It will allow you to run Policy Server with the CA Adapter:

  Arcot Auth Scheme not returning to Target after Authentication

    For CA Single Sign-On Policy Server to work with Adapter, there are
    certain Agent Configuration Object parameters that need to be
    configured; otherwise we will see the above behavior.

    FCCCompatMode Yes

  https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=109017

  Configuring CA Single Sign-On Policy Server

    To configure CA Single Sign-On Policy Server to integrate with CA
    Adapter, perform the following steps (on the system hosting CA
    Single Sign-On Policy Server).

     | Parameter     | Value |
     |---------------+-------|
     | FCCCompatMode | Yes   |

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/advanced-authentication/9-1/installing/ca-adapter-installation/configuring-ca-single-sign-on-policy-server.html

 

- It will allow compatibility between 4.x agents and the later versions:

  Use FCCs and NTCs in a Mixed Environment

    FCC Compatibility Mode: use FCC Compatibility Mode to help FCCs and
    NTCs operate with 4.x Web Agents. Enable the FCCCompatMode agent
    configuration parameter (FCCCompatMode="Yes") so that an r5.x, r6.x,
    or current-version FCC/NTC can serve up forms for resources that are
    protected by 4.x agents or third-party applications.

    For traditional Web Agents, the FCCCompatMode parameter is enabled
    by default. Framework Agents have the FCCCompatMode parameter
    disabled by default.

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/web-agent-configuration/forms-authentication/using-credential-collectors-between-4-x-type-and-newer-type-agents.html


- It will allow compatibility with a Web Agent running on Domino Web Server:

  Framework and Traditional Agent Architectures

   Traditional agents are installed on the following web servers:

     Domino (all supported versions)

   Framework Agents are installed on the following web servers:

     Microsoft Internet Information Services (IIS) 7.0, 7.5

     Apache 2.0.54, 2.2.x, and other Apache 2.0-based servers, such as
     the IBM HTTP Server and the HP Apache server

     Oracle iPlanet Web Server versions 6.1 and above

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/web-agent-configuration/web-agents-overview/framework-and-traditional-agent-architectures.html
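As an added example (not code from this article or from Broadcom), the following audit resolves the effective FCCCompatMode of each agent from its ACO parameters using the per-agent-type defaults and the TrackSessionDomain conflict described above, and reports where compatibility mode is on without a recorded reason (4.x agents, Domino traditional agents, CA Adapter). The Name="Value" line format, the agent names and the sample exports are assumptions.

```python
"""Audit SiteMinder Web Agent ACO exports for FCCCompatMode (added example,
not code from the Broadcom article). Assumes Name="Value" lines as the article
quotes them; agent names, sample exports and justification text are constructed."""
import re
PARAM_RE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"?([^"#]*)"?\s*$')
# Article: traditional agents enable FCCCompatMode by default, framework agents
# disable it, so an absent parameter resolves to the agent type's default.
DEFAULT_BY_AGENT_TYPE = {"traditional": "yes", "framework": "no"}

def parse_aco(text: str) -> dict:
    """Parameters keyed by lower-cased name (names are case-insensitive); '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        m = PARAM_RE.match(raw.split("#", 1)[0])
        if m:
            params[m.group(1).lower()] = m.group(2).strip()
    return params

def compat_mode_enabled(params: dict, agent_type: str = "framework") -> bool:
    """Effective value, accepting YES/Yes/yes as the article writes it."""
    value = params.get("fcccompatmode", DEFAULT_BY_AGENT_TYPE[agent_type])
    return value.strip().lower() == "yes"

def audit(name: str, params: dict, agent_type: str = "framework", justification: str = "") -> list:
    """Findings for one agent; justification records why compat mode is needed
    (the article names 4.x agents, Domino traditional agents and CA Adapter)."""
    if not compat_mode_enabled(params, agent_type):
        return []
    how = "explicit" if "fcccompatmode" in params else f"{agent_type}-agent default"
    findings = [f"{name}: FCCCompatMode=Yes ({how}): FCC TARGET protection level not "
                "enforced, SMTRYNO not issued, deprecated FORMCRED cookie issued"]
    if "tracksessiondomain" in params:
        findings.append(f"{name}: TrackSessionDomain set but only honoured with FCCCompatMode=No")
    if not justification:
        findings.append(f'{name}: no justification recorded; set FCCCompatMode="No"')
    return findings

def run_samples() -> list:
    # Three constructed exports: hardened, stale migration setting, Domino traditional agent.
    samples = [
        ("portal-iis", "framework", "", 'FCCCompatMode="No"\nTrackSessionDomain="Yes"\n'),
        ("intranet-apache", "framework", "",
         'FCCCompatMode="YES"  # left over from migration\nTrackSessionDomain="Yes"\n'),
        ("mail-domino", "traditional", "Domino traditional agent serving 4.x forms",
         'DefaultAgentName="mail"\n'),
    ]
    out = []
    for name, agent_type, why, text in samples:
        out.extend(audit(name, parse_aco(text), agent_type, why))
    return out
```

Running `run_samples()` flags the stale intranet setting three times and the Domino agent once (compat mode on by default, but justified), while the hardened portal agent produces no finding.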