Permissions Required for Siteminder Agent Logs and Traces on Windows Server

Article ID: 196300

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
SITEMINDER

Issue/Introduction

This article details the granular file-system permissions the SiteMinder Web Agent needs in order to create, rotate, and delete its agent log and trace files on a Windows OS where the Web Agent is protecting resources on an IIS Web Server.

Cause

The Web Agent process (LLAWP) is a child process of the IIS Web Server worker process (W3WP). The LLAWP process therefore inherits the user assigned to the web site the Web Agent is protecting, and the web site in turn runs under the identity of its Application Pool.

During Agent configuration, the appropriate permissions on the SiteMinder Agent '/log' directory are normally granted automatically. However, the Application Pool Identity, or the Application Pool itself, is sometimes changed later, and sometimes the '/log' directory is moved at some point after agent configuration. When this happens, the Web Agent may no longer have sufficient permissions to create, rotate (rename), or delete the agent log and trace files under the new directory or under the new Application Pool Identity.

Environment

Release : 12.52; 12.52 SP01

Component : SITEMINDER -WEB AGENT for IIS

Resolution

1) Add the IIS_IUSRS group to the security (ACL) settings of the SiteMinder Agent "/log" directory

2) Grant the following permissions to the IIS_IUSRS Group:

Modify

Read & Execute

List Folder Contents

Read

Write

3) Save the changes to the '/log' directory

4) Stop and Start IIS

The IIS_IUSRS group is a built-in security group on the Windows Server OS that automatically contains all Application Pool Identities. Granting it these rights ensures that any user configured as an Application Pool Identity automatically has access to create, rotate (rename) and delete the Agent log and trace files.
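The same four steps can be applied and verified from an elevated PowerShell prompt instead of the folder's Security tab. The script below is an added example, not code from the KB article or from the SiteMinder product; the log directory path is an assumption and must be replaced with the actual '/log' directory of your agent installation. Granting the Modify basic permission covers Read & Execute, List Folder Contents, Read and Write (the set listed in step 2) and also includes Delete, which the agent needs for rotation and cleanup.

```powershell
# Added example (not part of the original KB article): grant IIS_IUSRS the Modify
# permission on the SiteMinder Web Agent log directory, verify it, then restart IIS.
param(
    # Assumed path; replace with the real agent /log directory from your installation.
    [string]$LogDir = 'C:\Program Files\CA\webagent\log'
)

$Group = 'BUILTIN\IIS_IUSRS'

if (-not (Test-Path -LiteralPath $LogDir -PathType Container)) {
    throw "Log directory '$LogDir' does not exist; check where the agent logs are configured to be written."
}

# Steps 1 and 2: add an Allow ACE for IIS_IUSRS with Modify.
# ContainerInherit + ObjectInherit make the ACE flow down to subfolders and to
# the log/trace files the agent creates later, which is what makes rotation
# (rename) and deletion of those files work.
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group,
    $modify,
    ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
     [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)

# Step 3: write the updated ACL back to the directory.
$acl = Get-Acl -LiteralPath $LogDir
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $LogDir -AclObject $acl

# Verification: confirm an Allow ACE for IIS_IUSRS that includes all Modify bits
# is now present on the directory. This is the check to run when logs stop
# appearing after an Application Pool Identity or log-directory change.
$granted = (Get-Acl -LiteralPath $LogDir).Access | Where-Object {
    $_.IdentityReference.Value -eq $Group -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $modify) -eq $modify)
}
if (-not $granted) {
    throw "IIS_IUSRS still lacks Modify on '$LogDir'"
}
$granted | Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize

# Step 4: stop and start IIS so the worker processes (and the LLAWP child
# process) pick up the new token and ACL.
iisreset
```

Scope the grant to the log directory only: the agent needs Modify there, not on the rest of the agent installation tree, and keeping the ACE on the '/log' folder alone preserves least privilege for the worker process identity.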