.Unauth page problem

Article ID: 191380


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction


We're running a Web Agent, and when a user tries to log in and provides
wrong credentials, the browser is redirected to the Authentication
Scheme and not to the .unauth page. How can we make the browser get
the content of the .unauth page instead of going back to the
Authentication Scheme?

Environment


Web Agent 12.52SP1CR09 on Apache 2.4 on RedHat 6

Cause


You've configured the HTML Forms Authentication Scheme this way:


login.fcc:

  <!-- SiteMinder Encoding=UTF-8; --> 
  @username=%USER% 
  @smretries=0
  
  [...]

According to the documentation, if you set smretries to 0, the Web
Agent will indefinitely send the user back to the login page if you
have no Password Policy to manage the login attempts.

Incorrect Password Group Box

  If you use an HTML forms authentication scheme with the default
  login.fcc template that ships with the web agent, set the smretries
  directive in the login.fcc file to 0, so that the password policy
  determines the number of retries allowed based on the value you enter
  in this field.

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/using/administrative-ui/password-services-dialog-reference/expiration-tab.html

Configure HTML Forms Authentication

  smretries

    Indicates the number of times a browser can try to log in. This
    directive acts as a counter; it is not a security mechanism.  If you
    set this directive to 0, the number of log-in attempts is unlimited.

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/policy-server-configuration/authentication-schemes/configure-html-forms-authentication.html

And we see in the Fiddler traces that the browser indeed goes back
to the Authentication Scheme at login failure:

Fiddler.saz

Line 27

GET
https://myserver.mydomain.com/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-0001ds3w-546d-5ws9-b544-36d952a225555&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-4g4sd5s55ew52s55d55w55s5444ds45e55s555cx55s55&TARGET=-SM-https%3A%2F%2Fmyserver.mydomain.com%2F

  HTTP/1.1 200 OK 
  Date: Tue, 19 May 2020 08:02:25 GMT
  
  Please enter your username and password :
  
  Enter

Line 48

POST
https://myserver.mydomain.com/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-0001ds3w-546d-5ws9-b544-36d952a225555&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-4g4sd5s55ew52s55d55w55s5444ds45e55s555cx55s55&TARGET=-SM-https%3A%2F%2Fmyserver.mydomain.com%2F
SMENC=UTF-8&SMLOCALE=US-EN&USER=myuser&PASSWORD=adsadws&target=https%3A%2F%2Fmyserver.mydomain.com%2F&smquerydata=&smauthreason=0&smagentname=4g4sd5s55ew52s55d55w55s5444ds45e55s555cx55s55&postpreservationdata=
  
  HTTP/1.1 200 OK 
  Date: Tue, 19 May 2020 08:02:48 GMT

  Please enter your username and password :
  
  Enter

tracewa.log:

  [05/19/2020][10:02:25][*81.47.233.7][0000000000000000000000000100007f-9b35-5ec39291-74ff1700-156748334fcc][][][][GET][/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-0001ds3w-546d-5ws9-b544-36d952a225555&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-4g4sd5s55ew52s55d55w55s5444ds45e55s555cx55s55&TARGET=-SM-https%3A%2F%2Fmyserver.mydomain.com%2F][CSmHttpPlugin::ProcessResource][Resolved cookie domain: '.mydomain.com'.][]

  [05/19/2020][10:02:25][*81.47.233.7][0000000000000000000000000100007f-9b35-5ec39291-74ff1700-156748334fcc][][][][][][SmFcc::getLocalePath][Localized Path = /opt/CA/webagent/samples/forms/login.fcc, working locale = default][]

  [05/19/2020][10:02:25][][][][][][][][CSmFormTemplateCache::GetForm][Serving form template '/opt/CA/webagent/samples/forms/login.fcc' from cache.][]

  [05/19/2020][10:02:48][*81.47.233.7][0000000000000000000000000100007f-9b35-5ec392a8-777f6700-255b291173e0][][][][][/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-0001ds3w-546d-5ws9-b544-36d952a225555&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-7kpL5SoUVfp77vdAqsTTX2DirLl3CTfvE42RFkCTEucninb%2bylmnA74e%2fwOC%2byb3&TARGET=-SM-https%3A%2F%2Fmyserver.mydomain.com%2F][CSmHttpPlugin::ProcessResource][Autoauthorizing URL : 'https://indi.telefonica.es/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-0001ds3w-546d-5ws9-b544-36d952a225555&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-4g4sd5s55ew52s55d55w55s5444ds45e55s555cx55s55&TARGET=-SM-https%3A%2F%2Fmyserver.mydomain.com%2F' , Method: 'POST' ][]

  [05/19/2020][10:02:48][*81.47.233.7][0000000000000000000000000100007f-9b35-5ec392a8-777f6700-255b291173e0][][][REALM_INDI][GET][/][AuthenticateUser][User 'myuser' is not authenticated by Policy Server.][]

  [05/19/2020][10:02:48][*81.47.233.7][0000000000000000000000000100007f-9b35-5ec392a8-777f6700-255b291173e0][][][REALM_INDI][GET][/][SmFcc::getLocalePath][Localized Path = /opt/CA/webagent/samples/forms/login.fcc, working locale = default][]
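
As an added example (not part of the original article or of the product), the following Python check reads Web Agent trace records in the layout shown above and reports client/user pairs whose login was rejected and the login form served again, the pattern that smretries=0 leaves unbounded when no Password Policy limits attempts. The field positions are inferred from the trace on this page; the sample records, addresses and transaction IDs are constructed.

```python
import re
from collections import Counter

FIELD = re.compile(r"\[([^\]]*)\]")
FAILED = re.compile(r"User '([^']*)' is not authenticated by Policy Server")

def parse(line):
    """Split a trace record into fields; positions are inferred from the page's trace."""
    f = FIELD.findall(line)
    if len(f) != 12:          # every record in the page's trace has 12 bracketed fields
        return None
    return {"client": f[2].lstrip("*"), "txid": f[3], "function": f[9], "message": f[10]}

def failed_login_loops(lines, threshold=3):
    """Map (client, user) -> (rejections, times the login form was served again)."""
    failures, reserved, pending = Counter(), Counter(), {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        m = FAILED.search(rec["message"])
        if rec["function"] == "AuthenticateUser" and m:
            key = (rec["client"], m.group(1))
            failures[key] += 1
            pending[rec["txid"]] = key      # the same transaction may re-serve the form
        elif rec["function"] == "SmFcc::getLocalePath" and rec["txid"] in pending:
            reserved[pending.pop(rec["txid"])] += 1
    return {k: (n, reserved[k]) for k, n in failures.items() if n >= threshold}

def _rec(time, client, txid, func, msg):
    # Builds a constructed record in the 12-field layout of the trace above.
    return f"[05/19/2020][{time}][*{client}][{txid}][][][REALM_INDI][GET][/][{func}][{msg}][]"

# Constructed sample: three rejected logins from one client, one from another.
SAMPLE = []
for i, t in enumerate(["10:02:48", "10:02:55", "10:03:01"]):
    SAMPLE.append(_rec(t, "203.0.113.9", f"tx-{i}", "AuthenticateUser",
                       "User 'myuser' is not authenticated by Policy Server."))
    SAMPLE.append(_rec(t, "203.0.113.9", f"tx-{i}", "SmFcc::getLocalePath",
                       "Localized Path = /opt/CA/webagent/samples/forms/login.fcc, working locale = default"))
SAMPLE.append(_rec("10:04:00", "198.51.100.4", "tx-9", "AuthenticateUser",
                   "User 'other' is not authenticated by Policy Server."))
SAMPLE.append("[05/19/2020][10:02:25][][][][][][][][CSmFormTemplateCache::GetForm]"
              "[Serving form template '/opt/CA/webagent/samples/forms/login.fcc' from cache.][]")

if __name__ == "__main__":
    for (client, user), (n, again) in failed_login_loops(SAMPLE).items():
        print(f"{client} user={user}: {n} rejected logins, form served again {again}x")
```
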

Resolution


Set smretries=1 to allow only 1 login attempt, so that on an unsuccessful login attempt the browser gets the content of the .unauth page.