Error: 500 Kerberos Fallback to Forms Using Authentication Chain

Article ID: 223391

Updated On:

Products

SITEMINDER CA Single Sign On Federation (SiteMinder)

Issue/Introduction

 

When running CA Access Gateway (SPS), if Kerberos authentication
fails, the browser does not fall back to the HTML Form Authentication
Scheme; it reports HTTP code 500 instead.

 

Cause

 

The logs show that the Authentication Schemes are executed on
the Web Agent 12.52SP1CR11 on Apache 2.4. According to the
documentation, Kerberos Fallback to HTML Forms should be executed on
CA Access Gateway (SPS) only, and CA Access Gateway (SPS) should be
version 12.8SP2 (you are running 12.8SP1) (1).

For this implementation to work, CA Access Gateway (SPS) should
execute both Authentication Schemes, so the chaining should happen on
CA Access Gateway (SPS). CA Access Gateway (SPS) should be at a
version higher than 12.8SP2, and we strongly suggest upgrading it to
the same version as the Policy Server, 12.8SP4.

 

Environment

 

  Policy Server 12.8SP4 on RedHat 7;
  CA Access Gateway (SPS) 12.8SP1 on RedHat 7;
  Cookie Provider Web Agent 12.52SP1CR11 on Apache 2.4.29 RedHat 7;

 

Resolution

 

Upgrade CA Access Gateway (SPS) to 12.8SP4.

Implement "Kerberos Fallback to Forms Using Authentication Chain" on
CA Access Gateway (SPS) to fix this issue.

Additional Information

 

(1)

    Configure Kerberos Fallback to Forms Using Authentication Chain

      From Release 12.8.02, you can configure Kerberos Fallback to
      form-based authentication schemes as an Authentication Chain.

      [...]

      The Authentication Chain implementation in SiteMinder is limited
      to be used with Access Gateway. Ensure that Access Gateway is
      configured to support Kerberos.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/authentication-schemes/authentication-chaining/configure-kerberos-fallback-to-forms-using-authentication-chain.html