search cancel

Policy server triggering OnAuthReject policy for genuine users

book

Article ID: 202692

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction

 

We're running a Policy Server and this one cannot authenticate a user
reporting OnAuthReject, when the same user is part of user directory
and policy.

  Policy Server reports :

  [08/27/2020][03:07:07.224][2664866][140056616478464][Ldap Search callout succeeds.]
  [][][][SmDsLdapProvider.cpp:2361][CSmDsLdapProvider::Search][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][
  (Search) Base: 'dc=training,dc=com', Filter: '(&(myAlias=jsmith)(objectclass=users))'.
   Status: 0 entries.][][][][][][]

How can we fix that ?

 

Environment

 

  Policy Server 12.8SP2 build 1992 on RedHat 6;
  Policy Store on CA Directory 14.1;

 

Cause

 

The issue is due to the fact that a Custom Authentication Scheme fails
to authenticate the user, and as such, the Policy Server has no chance
to authenticate the user. We see the Policy Server visiting the second
User Directory as it completes its processing.

Policy Server initiates the Custom Authentication Scheme and looks
into the first User Directory (myUserDirectory):

  [1742376/139800023652096][Thu Sep 10 2020
  00:25:45][SmAuthServer.cpp:364][INFO][sm-Server-02760] Initialized
  authentication scheme myCustomAuthenticationScheme

smtracedefault.log :

  [09/10/2020][00:25:45.527][1742376][139800023652096][Authenticating user.]
  [myAgent]
  [/myapp/mypage.html][jsmith]
  [Sm_Auth_Message.cpp:780][CSm_Auth_Message::AuthenticateUser][][]
  [myDomain]
  [myRealm][][][][][][][][][][][][]
  [][][5][0][myCustomAuthenticationScheme][][][][][][]
  [jsmith][][06-00000105-2f81-4f2e-abc9-fb378eda5444][][][][][][]
  [][][][][][][][][][][][][][][][]

  [09/10/2020][00:25:45.527][1742376][139800023652096][Start of call InitDir.]
  [][][][SmDsDir.cpp:66][CSmDsDir::CSmDsDir][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  [About to initialize directory, Oid='0e-0000003c-2f81-4f2d-afc9-fb378eda1142', 
  Name='myUserDirectory'][][][][][][]

  [09/10/2020][00:25:45.528][1742376][139800023652096][LogMessage:INFO:
  [sm-Server-02760] Initialized authentication scheme myCustomAuthenticationScheme]
  [][][][SmAuthServer.cpp:364][][][][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [09/10/2020][00:25:45.533][1742376][139800023652096]
  [Ldap Search callout succeeds.][][][][SmDsLdapProvider.cpp:2361]
  [CSmDsLdapProvider::Search][][][][][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][(Search) Base: 'dc=training,dc=com', 
  Filter: '(&(myAlias=jsmith)(!(myGroup=Group))
  (!(myGroup=Group-2))(!(myGroup=Group-3)))'. Status: 1 entries.]
  [][][][][][]

Policy Server executes the Custom Authentication Scheme after that
line :

  [09/10/2020][00:25:45.533][1742376][139800023652096]
  [Authenticating user by the auth scheme][][][jsmith]
  [SmAuthUser.cpp:5448][CSmAuthUser::Authenticate][][][][][][]
  [mySecondUserDirectory][][][][][][][][][][][][][]
  [myCustomAuthenticationScheme][][][][]
  [SYgcF6QoYYrAvrxFNKl9s3eeQ4I=][]
  [cn=jsmith,dc=training,dc=com][][][][][]
  [][][][][][][][][LDAP://myldapserver.mydomain.com:389/cn=jsmith,dc=training,dc=com]
  [][][][][][][][][][]

[...]

As the Custom Code doesn't execute successfully, the Policy Server
cannot trusts its authentication, and thus it visits the second User
Directory configured in the Domain to terminate its processing
reporting that the Custom Authentication Scheme hasn't authenticated
successfully the user and starts processing Authentication Reject :

  [09/10/2020][00:25:45.540][1742376][139800023652096][Start of call InitDir.]
  [][][][SmDsDir.cpp:66][CSmDsDir::CSmDsDir][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  [About to initialize directory, Oid='0e-00000165-2f81-4f2d-afc9-fb378eda4444', 
  Name='mySecondUserStore'][][][][][][]

  [09/10/2020][00:25:46.588][1742376][139800023652096][Ldap Search callout succeeds.]
  [][][][SmDsLdapProvider.cpp:2361][CSmDsLdapProvider::Search][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  [][(Search) Base: 'dc=training,dc=com', Filter: '(&(myAlias=jsmith)
  (objectclass=users))'. Status: 0 entries.][][][][][][]

  [09/10/2020][00:25:46.588][1742376][139800023652096]
  [Accumulating OnAuthReject policy responses...]
  [myAgent]
  [/myapp/mypage.html][jsmith]
  [Sm_Auth_Message.cpp:1847][CSm_Auth_Message::AuthenticateUser][][]
  [myDomain][myRealm]
  [][][mySecondUserStore][][][][][][][][][][][][1][0]
  [myCustomAuthenticationScheme][][][][][][][jsmith]
  [][06-00000105-2f81-4f2e-abc9-fb378eda5444][][][][][][][][][][][][][][][]
  [][][][][][][]

When looking at debug traces from the Custom Authentication Scheme, we
see that the Custom Code stops at that message :

  myAuthenticate() - No user context found, returning now

Comparing the Custom Authentication Scheme traces with the source
code, we see that this one stops at a specific line and never reaches
the message that authentication ends :

CustomAuthScheme.log :

  [2020-09-10 00:25:46,586] myAuthenticate() - start
  [2020-09-10 00:25:46,586] myAuthenticate() - No user context found, returning now

The Custom Authentication Scheme in Java code is :

CustomAuthenticationScheme.java

  public myResult authenticate(myContext context) {
    this.logger.debug("myAuthenticate() - start");
    myContext myApiContext = context.getContext();
    myUserContext theUserContext = context.getUserContext();
    if (null == theUserContext || !theUserContext.isUserContext()) {
       this.logger.error("myAuthenticate() - No user context found, returning now");
       return new myResult(NO_USER_CONTEXT, 0);
     } 

[...]

    this.logger.debug("myAuthenticate() - end");

 

Resolution

 

Fixing the Custom Authentication Scheme solved the issue.