Unexpected POST preservation data lost after SPS authentication
Article ID: 229142
Updated On:
Products
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)
SITEMINDER
Issue/Introduction
When running CA Access Gateway (SPS), when this one receives POST
request for authentication, the response redirect to a Web Agent with
a GET instead of a POST, and the POSTed data get lost.
The browser POST data to the protected
/postpreservation/allheaders.php resource.
fiddler.saz
Line 3 :
POST http://wa.training.com/postpreservation/allheaders.php
fname=joe&lname=blo
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2021 13:35:54 GMT
Server: Apache/2.4.46 (Unix) OpenSSL/1.0.2k-fips PHP/7.2.10
<HTML>
<BODY onLoad="document.AUTOSUBMIT.submit();">
This page is used to hold your data while you are being authorized for your request.
<BR>
<BR>
You will be forwarded to continue the authorization process. If
this does not happen automatically, please click the Continue
button below.
<FORM NAME="AUTOSUBMIT" METHOD="POST" ENCTYPE="application/x-www-form-urlencoded"
ACTION="http://WIN-FS0E050TVAM.training.com/siteminderagent/ntlm/smntlm.ntc?CHALLENGE=
&SMAGENTNAME=-SM-PP3%2bhkmJwUxZIJFANyV6yj8ZazyMxNYg
&TARGET=-SM-http%3a%2f%2fwa%2etraining%2ecom%2fpostpreservation%2fallheaders%2ephp">
<INPUT TYPE="HIDDEN" NAME="SMPostPreserve" VALUE="rF4BQbc58kRRUBhNrE+mGR5gKe6QVim3MKQvJ1uNUM0noboSiZR4BUY7/Qg78i0B">
<INPUT TYPE="SUBMIT" VALUE="Continue"></FORM></BODY></HTML>
CA Access Gateway (SPS) receives the POSTed data and authenticates
user with Windows Authentication.
Line 4 :
POST http://win-fs0e050tvam.training.com/siteminderagent/ntlm/smntlm.ntc?CHALLENGE=&SMAGENTNAME=-SM-PP3%2bhkmJwUxZIJFANyV6yj8ZazyMxNYg&TARGET=-SM-http%3a%2f%2fwa%2etraining%2ecom%2fpostpreservation%2fallheaders%2ephp HTTP/1.1
SMPostPreserve=rF4BQbc58kRRUBhNrE%2BmGR5gKe6QVim3MKQvJ1uNUM0noboSiZR4BUY7%2FQg78i0B
HTTP/1.1 302 302
Date: Fri, 29 Oct 2021 13:35:56 GMT
Server: Apache/2.4.46 (Win64) mod_jk/1.2.48
Line 6 :
GET http://win-fs0e050tvam.training.com/siteminderagent/ntlm/smntlm.ntc?CHALLENGE=&SMAGENTNAME=-SM-PP3%2bhkmJwUxZIJFANyV6yj8ZazyMxNYg&TARGET=-SM-http%3a%2f%2fwa%2etraining%2ecom%2fpostpreservation%2fallheaders%2ephp HTTP/1.1
HTTP/1.1 302 302
Date: Fri, 29 Oct 2021 13:35:56 GMT
Server: Apache/2.4.46 (Win64) mod_jk/1.2.48
Set-Cookie: SMNTLMCOOKIE=DONE; Domain=.training.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
Set-Cookie: SMCHALLENGE=NTC_CHALLENGE_DONE; Domain=.training.com; Path=/
Set-Cookie: SMSESSION=Uxgm4e8RI1nZxlzO5O9vJAUPkk6v8Z46zqUSTlLu20 [...] /Qy+NhF; Domain=.training.com; Path=/
Location: http://wa.training.com/postpreservation/allheaders.php
But the CA Access Gateway (SPS) direct back the browser to the
targeted resource with a GET instead of a POST, and the headers
"fname=joe&lname=blo" aren't sent :
Line 7 :
GET http://wa.training.com/postpreservation/allheaders.php
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2021 13:35:57 GMT
Server: Apache/2.4.46 (Unix) OpenSSL/1.0.2k-fips PHP/7.2.10
<br />Connection: keep-alive
<br />Cache-Control: max-age=0
<br />Upgrade-Insecure-Requests: 1
<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
<br />Referer: http://wa.training.com/
<br />Accept-Encoding: gzip, deflate
<br />Accept-Language: en-US,en;q=0.9
<br />SM_TRANSACTIONID: 0000000000000000000000006601a8c0-4ed0-617bf8bd-4dff3700-1e2672f1aabd
<br />SM_SDOMAIN: .training.com
<br />SM_REALM: postpreservation
<br />SM_REALMOID: 06-00049bbd-b4eb-117b-ae80-0165c0a80000
<br />SM_AUTHTYPE: NT Challenge/Response
<br />SM_AUTHREASON: 0
<br />SM_SESSIONDRIFT: -1
<br />SM_UNIVERSALID: jblo
<br />SM_AUTHDIROID: 0e-0000b5a9-2f33-1101-8b3f-0165c0a80000
<br />SM_AUTHDIRNAME: AD
<br />SM_AUTHDIRSERVER: 192.168.1.112:389
<br />SM_AUTHDIRNAMESPACE: LDAP:
<br />cookie: SMSESSION=nsY5i1LchuoxQQUsfbxfBqxZMRz8DaWMFL6uQB02JC/ZvOr0BWD5vXOI/Q/bLMQEJxObmnDuKl4JruOKfOf+dVBh2uJAAeRt5Y/9sPagiQWiiZ11saOcPPAzJiXE++U07vJ9GVQ06rXkAL6QpVrMswMDCqzBjP/cZm/vHnZTzyoWdhrGr4SH1qKIAuWurHomWY3KsLlIO+h6XNbrTlEE41rfDP20dLQb636vIGREsPe4TUm9/FCZdMUCo1/b/A+yj4XSgVKicOKiY/lY7NMlhxBKEJKayYXwDUA9erLbJkQjhfUbGb/qpHLpnaSYp3KDGVI5iMPBhw51lTDuqxYIzZdwW+LFn0xVyP6dXEJ6rwisYzct1ZCrs89Q/jJqpP7T/NZAsHbLUfWUa8GH3mkV7pJakp13NXFfQom+E/iZ2O/z+Wa5No6kpnvgIBhc+yrgAn4W2yVlzwWuD1Ti3YRmSnkf9DANHGt2GnglUW2/NSlqt64aIjgIc22LgZoK7AHVYGl60GWHgD3afkHEnXqbf45yPqN6GSV/RZUdsx4hnvEdAXTiaxaEBZED1KaSxVdNnXVtQAZ9QjazzmKPulrOv7TkXJ7wfwBiTwwGjS9SyLS0JrNjICQz+6wEjvuyIy6ZZgC4QQ4273Vv0c87pRUcLlAsRktfEpiCnywFa5rVwoqRr1AzaeMjPNqhfQd8PrYDKxBnpyAlr/btHrqkqYtXAwUYdn9lfWA8j5mLCaofAlPN4OdjowKdX0Ver8QQE64vfhuACHly8ypP+JJffxODx4xah+Qtg/L4SkBgyX+s7RvwsV9mHMSgwhY95nr58eJLnJdhpYHSlaktr+9mGhXsY8/qezZ9t7XpHFSREsTLEX2Xf8Q8YqrhM1q0UyKD8xlr+R6E3GPFIu1lQ2xIlhfW5I+z2f5cEvLv7mmZJoGkcKlHWe8ikRweXkiQpd9WnoUTJhfhjNsuqNqGVO7jVK72gDQanRoXYBVwLsEFnpP2s+17fyXw1umqADV5aDbEYkmLA3ppKGL1gUQhAgrEdBFI5ohXMFcIwHWhzxXBH0OXfD9c2yzxJf8rxWZxDwFu1TCPEpi6wiX5bVQM4EUu+hjDbkxNu3gLaoM4
<br />SM_USER: TRAINING\jblo
<br />SM_USERDN: cn=jblo,cn=Users,dc=training,dc=com
<br />SM_SERVERSESSIONID: zDDdzuXDH8vDzREoaxmthCI8MuY=
<br />SM_SERVERSESSIONSPEC: gVMelOsPB5bPKglEhk0y5EsrgzB9Zu4nBWIahf6wTko+eBPfEe4hui+ekVkEcC+bucqJmjipdj6NRJpFRm9l5dm+mzsJIYEsU9VANJVVimvGku0m7mxuSx43ndSJy1QussqYaI5y5oJ3SvlsOw7kYJj3Hw+LNpotTjDEJI6RmlxSK1Sn2faec/ZRmCtkl4j3yTOF/7IzeTouSHrkjAtgdSW2cKIi1B+a5Q++npTi3sc9joAwD1VP4wtusbjdyvECS2zZEAgpjdGRWoT/BqVf/Czlf+4DAAtY93md2NRI9zppgoSpOHvJsFctJIXW7Re/nJ2jnpXv0ObgAf6MKMSncTvZKgfei6I6g/5PzZVVpfweJi89NdYZ+1ZdZSoW4PSfC/yhUR9ECvuiMClvTWbxetZAlj6jN/jg5ey+M4Tdgsq9QlgQ/LEHsA==
<br />SM_TIMETOEXPIRE: 7199
<br />SM_SERVERIDENTITYSPEC:
<br />
We would expect the headers POSTed instead like this :
POST http://wa.training.com/postpreservation/allheaders.php
fname=joe&lname=blo
HTTP/1.1 200 OK
Date: Mon, 22 Nov 2021 10:56:18 GMT
Server: Apache/2.4.46 (Unix) OpenSSL/1.0.2k-fips PHP/7.2.10
[...]
<br />SM_SERVERIDENTITYSPEC:
<br />joe blo
<br />
The CA Access Gateway (SPS) shows receiving the POSTed data, but
nothing when sending back the response to the target URL.
sps-win.trace :
[10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d]
[SmNtc::getCredentials][Request for SSPI NTLM using NTLM Map]
[10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d]
[SmNtc::getCredentialsNTLMMap]
[ SMNTLMCOOKIE Cookie ID 15913008-66d998c1-e9486b36-40dfdcf8-8891cdce-28c1 ]
[10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d]
[SmNtc::getCredentialsNTLMMap][SMNTLMCOOKIE entry **not found** in NTLM Map, NTLM Type 1 request]
[10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::initializeSSPI]
[Initializing SSPI library.]
[10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::initializeSSPI]
[Initialization of SSPI library is success.]
[10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::initializeSSPI]
[Security packages details: capabilities = 8928179 version = 1
rpcid = 9 max token size = 48256 name = Negotiate
comment = Microsoft Package Negotiator ]
[10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::processNTLMRequest]
[Calling AcceptSecurityContext with handle: (lower) 0 (upper) 0]
[10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::processNTLMRequest]
[Handle is INVALID (This is OK if there is no handle yet)]
[10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::processNTLMRequest]
[AcceptSecurityContext returned : 0x00000000]
[10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::processNTLMRequest]
[Returned from AcceptSecurityContext with handle: (lower) 1630930422992]
[10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::processNTLMRequest]
[Returned from AcceptSecurityContext with handle: (upper) 2214921294672]
[10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d]
[SmNtc::getCredentialsNTLMMap]
[NTLM Authentication request is successfully completed for user TRAINING\jblo.]
[10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d]
[HandleCredCollectorReturn][POST preservation, handling return from credential collector.]
[10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d]
[HandleCredCollectorReturn][http response http://wa.training.com/postpreservation/allheaders.php]
[10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d]
[CSmCredentialManager::GatherAdvancedAuthCredentials]
[SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmSuccess.]
[10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d]
[CSmCredentialManager::GatherAdvancedAuthCredentials][Calling SM_WAF_AG_PLUGIN->ProcessAdvancedAuthCredentials.]
[10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d]
[CSmCredentialManager::GatherAdvancedAuthCredentials]
[SM_WAF_AG_PLUGIN->ProcessAdvancedAuthCredentials returned SmNoAction.]
[10/29/2021][15:35:57][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d]
[AuthenticateUser][User 'TRAINING\jblo' is authenticated by Policy Server.]
[10/29/2021][15:35:57][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d]
[Tomcat5SerializedAgentData::doResponse][HTTP Status Code = 302]
Environment
Policy Server 12.8SP5 on Redhat 7;
CA Access Gateway (SPS)12.8SP5 on Windows 2016;
Web Agent 6.0SP5CR35 on Apache 2.2.34 on RedHat 5;
Resolution
- Upgrade CA Access Gateway (SPS) to 12.8SP7 in order to fix this
issue.
Feedback
Yes
No
Powered by
