Exception occured during SESSION cookie creation. Exception: An invalid domain [.xxx.xxxxxl] was specified for this cookie


Article ID: 193412


Updated On:


  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On Agents (SiteMinder)
  CA Single Sign On Federation (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  SITEMINDER



We're running a Web Agent Option Pack and when a user tries to reach
the SP side after IDP authentication, the browser gets an error 500 and
the Federation Service reports:

  7-44451s2-2ba][FWSBase.java][createSessionCookie][Placing smsession in brow

  7-44451s2-2ba][FWSBase.java][createSessionCookie][Transaction with ID: 6f3d
  5b0e-9f7101d1-bead3e79-f5cdfd77-44451s2-2ba failed. Reason: FWSB_SESSION_CO

  7-44451s2-2ba][FWSBase.java][createSessionCookie][Exception occured
  during SESSION cookie creation. Exception: An invalid domain
  [.mydomain.local] was specified for this cookie]

  7-44451s2-2ba][FWSBase.java][createSessionCookie][Ending the
  request processing with the HTTP response code: 500]

How can we fix that?

Moreover, we see 2 SMSESSION cookies created with 2 different domains. The
Web Agent Option Pack creates one with domain


which doesn't make sense because it is a machine name, not a domain,
but still the cookie will only be used with that machine, and the Web
Agent creates another one with


How can we fix both behaviors? Are they related?




  Web Agent Option Pack on Tomcat 9.0.36 on RedHat 7;
  Web Agent 12.52SP1CR09 on IIS 10 on Windows 2016;
  Policy Server 12.8SP3 on Windows 2016;




The two issues aren't related. Keep in mind that the Web Agent Option
Pack and the Web Agent don't share the same ACO parameters, and the
Agent embedded in the Web Agent Option Pack supports only a limited set
of ACO parameters:

  Web Agent Option Pack :: ACO : Full List

As such, the Web Agent Option Pack is not designed to run as a backend
Web Agent proxied by another Web Agent. In your setup, the Web Agent
running on IIS 10 is an ARR proxy to the backend Web Agent Option

That said, the "Exception: An invalid domain [...] was specified for
this cookie" text is the message Tomcat's default Rfc6265CookieProcessor
raises when the Domain attribute of a Set-Cookie header fails its
validation; a value with a leading dot such as [.mydomain.local] is one
of the cases it rejects, whereas the LegacyCookieProcessor accepts it.
To fix the issue, configure the LegacyCookieProcessor feature on the
Tomcat server according to the recommendations here:

  Legacy Federation Troubleshooting
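The following context.xml is an added example of that Tomcat setting; it is not taken from the article or from the CA documentation it links, and the file location (the federation web application's META-INF/context.xml) is an assumption about a typical deployment.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Added example (not from the article): switch the cookie processor for the
  web application that hosts the Web Agent Option Pack.

  Tomcat 8.5 and later default to Rfc6265CookieProcessor. It validates the
  Domain attribute of every Set-Cookie header the container generates and
  throws "An invalid domain [...] was specified for this cookie" when the
  value starts with a dot, e.g. ".mydomain.local". LegacyCookieProcessor
  keeps the pre-8.5 behaviour and accepts such a value.

  Assumed location: META-INF/context.xml of the federation web application.
  Placing the same element in $CATALINA_BASE/conf/context.xml applies it to
  every web application on the server instead.
-->
<Context>
    <!-- Accept Set-Cookie domains with a leading dot, as emitted by the WAOP -->
    <CookieProcessor className="org.apache.tomcat.util.http.LegacyCookieProcessor" />
</Context>
```

Restart Tomcat after the change. LegacyCookieProcessor relaxes cookie parsing and validation for every cookie handled by the context it is declared in, so prefer the per-application context.xml over the server-wide one and keep the rest of the server on the RFC 6265 processor.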

You can also fix the mismatched cookie domains by configuring ARR on
IIS with the following setting (system.webServer/proxy section of
applicationHost.config), which stops ARR from rewriting the host name in
the response headers returned by the backend:

  <proxy enabled="true" reverseRewriteHostInResponseHeaders="false" />