Exception occured during SESSION cookie creation. Exception: An invalid domain [.xxx.xxxxxl] was specified for this cookie

Article ID: 193412
Products

  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On Agents (SiteMinder)
  CA Single Sign On Federation (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  SITEMINDER

Issue/Introduction

We're running a Web Agent Option Pack, and when a user tries to reach
the SP side after IDP authentication, the browser gets error 500 and
the Federation Service reports:

  [05/01/2020][11:53:51][18675][3560912640][6f3d5b0e-9f7101d1-bead3e79-f5cdfd77-44451s2-2ba][FWSBase.java][createSessionCookie][Placing smsession in browser [CHECKPOINT = SSO_PLACESMSSESSIONTOBROWSER_REQ]]

  [05/01/2020][11:53:51][18675][3560912640][6f3d5b0e-9f7101d1-bead3e79-f5cdfd77-44451s2-2ba][FWSBase.java][createSessionCookie][Transaction with ID: 6f3d5b0e-9f7101d1-bead3e79-f5cdfd77-44451s2-2ba failed. Reason: FWSB_SESSION_COOKIE_CREATION_ERROR]

  [05/01/2020][11:53:51][18675][3560912640][6f3d5b0e-9f7101d1-bead3e79-f5cdfd77-44451s2-2ba][FWSBase.java][createSessionCookie][Exception occured during SESSION cookie creation. Exception: An invalid domain [.mydomain.local] was specified for this cookie]

  [05/01/2020][11:53:51][18675][3560912640][6f3d5b0e-9f7101d1-bead3e79-f5cdfd77-44451s2-2ba][FWSBase.java][createSessionCookie][Ending the request processing with the HTTP response code: 500]

How can we fix that?

Moreover, we see 2 SMSESSION cookies created with 2 different domains.
The Web Agent Option Pack creates one with domain

  "Domain=.mymachine.mysubsubdomain.mysubdomain.mydomain.com"

which doesn't make sense because it is a machine name, not a domain,
but still the cookie will only be used with that machine, and the Web
Agent creates another one with

  "domain=.mysubdomain.mydomain.com"

How can we fix both behaviors? Are they related?
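Before changing anything, it helps to confirm from captured response headers which cookie trips the strict check and that two SMSESSION cookies with different Domain attributes really are being set. The script below is an added example and is not part of this article, the Web Agent Option Pack or the Web Agent; the Set-Cookie lines, cookie values and host name are constructed from the domains quoted above. It flags a Domain attribute that a strict RFC 6265 generator rejects (Tomcat's default Rfc6265CookieProcessor refuses a leading dot, which is the case the exception above reports), a Domain that is just the backend machine's host name, and the same cookie name being set with more than one Domain.

```python
"""Flag the two Set-Cookie symptoms described in the issue above.

Added example; not part of the KB article, the Web Agent Option Pack or
the Web Agent. The Set-Cookie lines, cookie values and host name are
constructed from the domains quoted on the page.
"""
from collections import defaultdict

# Constructed sample: Set-Cookie headers as the browser might receive them
# through the ARR proxy, plus the backend machine's host name.
SAMPLE_HEADERS = [
    "SMSESSION=PLACEHOLDER1; Domain=.mymachine.mysubsubdomain.mysubdomain.mydomain.com; Path=/; HttpOnly",
    "SMSESSION=PLACEHOLDER2; domain=.mysubdomain.mydomain.com; path=/",
    "JSESSIONID=PLACEHOLDER3; Path=/affwebservices; HttpOnly",
]
BACKEND_HOST = "mymachine.mysubsubdomain.mysubdomain.mydomain.com"  # constructed


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased because both 'Domain=' and 'domain='
    occur on the page; flag attributes without a value map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def strict_domain_problem(domain):
    """Check a Domain attribute the way a strict RFC 6265 generator does.

    Tomcat's default Rfc6265CookieProcessor applies rules of this kind and
    rejects a leading dot, which is what the exception on this page reports.
    Returns a short description of the first problem found, or None.
    """
    if domain == "":
        return None
    if domain.startswith("."):
        return "leading dot"
    for label in domain.split("."):
        if label == "":
            return "empty label"
        if label[0] == "-" or label[-1] == "-":
            return "label starts or ends with a hyphen"
        if not all(c.isascii() and (c.isalnum() or c == "-") for c in label):
            return "illegal character"
    return None


def diagnose(headers, backend_host):
    """Return human-readable findings for the Set-Cookie headers of one response."""
    findings = []
    domains_by_name = defaultdict(set)
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        domain = attrs.get("domain")
        if not isinstance(domain, str):
            continue  # host-only cookie: nothing to check here
        domains_by_name[name].add(domain.lower())
        problem = strict_domain_problem(domain)
        if problem:
            findings.append(f"{name}: Domain={domain} would be rejected by a strict cookie processor ({problem})")
        if domain.lstrip(".").lower() == backend_host.lower():
            findings.append(f"{name}: Domain={domain} is the backend machine name, not a shared domain")
    for name, domains in domains_by_name.items():
        if len(domains) > 1:
            findings.append(f"{name}: set with {len(domains)} different Domain values: {sorted(domains)}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_HEADERS, BACKEND_HOST):
        print(finding)
```

Run against the constructed sample it reports four findings: both SMSESSION cookies carry a leading dot, the first one is scoped to the backend machine name, and the two SMSESSION cookies disagree on Domain. Feed it the real Set-Cookie headers from a browser capture to see which of the two components sets each cookie.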

Environment

  Web Agent Option Pack on Tomcat 9.0.36 on RedHat 7;
  Web Agent 12.52SP1CR09 on IIS 10 on Windows 2016;
  Policy Server 12.8SP3 on Windows 2016;

Resolution

The two issues aren't related. Bear in mind that the Web Agent Option
Pack and the Web Agent don't share the same ACO parameters, and the
embedded Agent in the Web Agent Option Pack has a very limited list of
ACO parameters available:

  Web Agent Option Pack :: ACO : Full List
  https://knowledge.broadcom.com/external/article?articleId=49319

As such, the Web Agent Option Pack is not designed to run as a backend
Web Agent proxied by another Web Agent. In your setup the Web Agent
running on IIS 10 is an ARR proxy to the backend Web Agent Option
Pack.

That said, to fix the "Exception: An invalid domain" error, configure
the LegacyCookieProcessor feature on the Tomcat server according to
the recommendations here:

  Legacy Federation Troubleshooting
  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-52-01/troubleshooting/legacy-federation-troubleshooting.html
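The Tomcat side of that fix, as an added example rather than text from this article or the linked documentation: Tomcat 9 selects the cookie processor per Context, so the element below in conf/context.xml applies the LegacyCookieProcessor to every deployed web application. Placing the same element in the federation web application's own META-INF/context.xml limits it to that application, which is the better choice because the legacy processor accepts looser cookie syntax than the default Rfc6265CookieProcessor and the other applications on the server do not need that relaxation.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/context.xml (Tomcat 9): the default file with one element added.
     Added example, not taken from the article; the WatchedResource entries
     are Tomcat's shipped defaults. -->
<Context>
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <WatchedResource>WEB-INF/tomcat-web.xml</WatchedResource>
    <WatchedResource>${catalina.base}/conf/web.xml</WatchedResource>

    <!-- Generate and parse cookies with the pre-RFC 6265 rules so a Domain
         attribute such as ".mydomain.local" is no longer rejected. -->
    <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />
</Context>
```

Restart Tomcat after the change and confirm in the browser that the SMSESSION cookie from the Web Agent Option Pack is set and that the 500 no longer appears.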

You can also fix the mismatched cookie domains by configuring ARR on
IIS with the following rule:

  <proxy enabled="true" reverseRewriteHostInResponseHeaders="false" />