When CA Access Gateway (SPS) receives a POST request that triggers authentication, the browser is sent to a Web Agent credential collector and comes back to the target resource with a GET instead of a POST, so the POSTed data is lost.
Policy Server 12.8SP5 on Red Hat 7;
CA Access Gateway (SPS) 12.8SP5 on Windows 2016;
Web Agent 6.0SP5CR35 on Apache 2.2.34 on Red Hat 5;
The browser POSTs data to the protected /postpreservation/allheaders.php resource.
fiddler.saz
Line 3:
POST http://sps.example.com/postpreservation/allheaders.php
fname=<name>&lname=<lastname>
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2021 13:35:54 GMT
Server: Apache/2.4.46 (Unix) OpenSSL/1.0.2k-fips PHP/7.2.10
<HTML>
<BODY onLoad="document.AUTOSUBMIT.submit();">
This page is used to hold your data while you are being authorized for your request.
<BR>
<BR>
You will be forwarded to continue the authorization process. If this does not happen automatically, please click the Continue button below.
<FORM NAME="AUTOSUBMIT" METHOD="POST" ENCTYPE="application/x-www-form-urlencoded" ACTION="http://wa.example.com/siteminderagent/ntlm/smntlm.ntc?CHALLENGE=&SMAGENTNAME=-SM-<value>&TARGET=-SM-http%3a%2f%2fsps%2eexample%2ecom%2fpostpreservation%2fallheaders%2ephp">
<INPUT TYPE="HIDDEN" NAME="SMPostPreserve" VALUE="<value>">
<INPUT TYPE="SUBMIT" VALUE="Continue"></FORM></BODY></HTML>
CA Access Gateway (SPS) receives the POSTed data and authenticates the user with Windows Authentication.
Line 4:
POST http://wa.example.com/siteminderagent/ntlm/smntlm.ntc?CHALLENGE=&SMAGENTNAME=-SM-<value>&TARGET=-SM-http%3a%2f%2fsps%2eexample%2ecom%2fpostpreservation%2fallheaders%2ephp HTTP/1.1
SMPostPreserve=<value>
HTTP/1.1 302 302
Date: Fri, 29 Oct 2021 13:35:56 GMT
Server: Apache/2.4.46 (Win64) mod_jk/1.2.48
Line 6:
GET http://wa.example.com/siteminderagent/ntlm/smntlm.ntc?CHALLENGE=&SMAGENTNAME=-SM-<value>&TARGET=-SM-http%3a%2f%2fsps%2eexample%2ecom%2fpostpreservation%2fallheaders%2ephp HTTP/1.1
HTTP/1.1 302 302
Date: Fri, 29 Oct 2021 13:35:56 GMT
Server: Apache/2.4.46 (Win64) mod_jk/1.2.48
Set-Cookie: SMNTLMCOOKIE=DONE; Domain=.example.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
Set-Cookie: SMCHALLENGE=NTC_CHALLENGE_DONE; Domain=.example.com; Path=/
Set-Cookie: SMSESSION=<value>; Domain=.example.com; Path=/
Location: http://sps.example.com/postpreservation/allheaders.php
But CA Access Gateway (SPS) sends the browser back to the target resource with a GET instead of a POST, and the POSTed data "fname=<name>&lname=<lastname>" is not sent:
Line 7:
GET http://sps.example.com/postpreservation/allheaders.php
HTTP/1.1 200 OK
Date: Fri, 29 Oct 2021 13:35:57 GMT
Server: Apache/2.4.46 (Unix) OpenSSL/1.0.2k-fips PHP/7.2.10
<br />Referer: http://sps.example.com/
<br />SM_SDOMAIN: .example.com
<br />SM_REALM: postpreservation
<br />SM_AUTHTYPE: NT Challenge/Response
<br />SM_AUTHREASON: 0
<br />SM_SESSIONDRIFT: -1
<br />cookie: SMSESSION=<value>
<br />SM_USER: EXAMPLE\<lastname>
<br />SM_USERDN: cn=<lastname>,cn=Users,dc=example,dc=com
<br />
The expected behaviour is for the request to be replayed to the target resource as a POST carrying the original data, like this:
POST http://sps.example.com/postpreservation/allheaders.php
fname=<name>&lname=<lastname>
HTTP/1.1 200 OK
Date: Mon, 22 Nov 2021 10:56:18 GMT
Server: Apache/2.4.46 (Unix) OpenSSL/1.0.2k-fips PHP/7.2.10
[...]
<br />SM_SERVERIDENTITYSPEC:
<br /><name> <lastname>
<br />
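To make this failure visible in a capture like the one above, here is an added example (not part of the original article and not product code) that walks a list of request/response hops, recovers the TARGET from the credential-collector URL (stripping the -SM- prefix seen in the capture) and reports whether the final request to the target is the original POST with its body. The Exchange class, the function names and the sample values are constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

@dataclass
class Exchange:
    """One request/response hop from the capture, reduced to what the check needs."""
    method: str
    url: str
    body: str = ""

def sm_target(collector_url: str) -> str:
    """Recover TARGET from a credential-collector URL. As in the capture above, the value
    carries a '-SM-' prefix followed by a percent-encoded URL (parse_qs decodes the latter)."""
    target = parse_qs(urlsplit(collector_url).query).get("TARGET", [""])[0]
    return target[4:] if target.startswith("-SM-") else target

def check_post_preservation(trace):
    """Return a list of findings; an empty list means the original POST came back intact."""
    findings = []
    original = trace[0]
    if original.method != "POST":
        return ["first request is not a POST; nothing to preserve"]
    collector = next((e for e in trace[1:] if "SMPostPreserve=" in e.body), None)
    if collector is None:
        return ["no SMPostPreserve hop found: POST preservation was not engaged"]
    target = sm_target(collector.url)
    if target != original.url:
        findings.append(f"TARGET {target} does not match the original URL {original.url}")
    replay = next((e for e in reversed(trace) if e.url == target and e is not original), None)
    if replay is None:
        return findings + ["browser never returned to the target URL"]
    if replay.method != "POST":
        findings.append(f"target requested with {replay.method} instead of POST")
    if replay.body != original.body:
        findings.append("original POST body was not replayed to the target")
    return findings

# Constructed trace mirroring the Fiddler capture above (values shortened, not real data).
TARGET = "http://sps.example.com/postpreservation/allheaders.php"
COLLECTOR = ("http://wa.example.com/siteminderagent/ntlm/smntlm.ntc?CHALLENGE=&SMAGENTNAME=-SM-agent"
             "&TARGET=-SM-http%3a%2f%2fsps%2eexample%2ecom%2fpostpreservation%2fallheaders%2ephp")
BROKEN_TRACE = [
    Exchange("POST", TARGET, body="fname=jane&lname=doe"),    # line 3: user POST, autosubmit form returned
    Exchange("POST", COLLECTOR, body="SMPostPreserve=blob"),  # line 4: form posted to the collector
    Exchange("GET", COLLECTOR),                               # line 6: NTLM done, 302 back to TARGET
    Exchange("GET", TARGET),                                  # line 7: replay arrives as GET, body lost
]
FIXED_TRACE = BROKEN_TRACE[:3] + [Exchange("POST", TARGET, body="fname=jane&lname=doe")]
```

Running check_post_preservation(BROKEN_TRACE) reports the GET and the missing body, while FIXED_TRACE (the behaviour shown as expected above) yields no findings.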
The CA Access Gateway (SPS) trace shows the POSTed data being received, but nothing about it being replayed when the response to the target URL is sent back:
sps.trace:
[10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d][SmNtc::getCredentials][Request for SSPI NTLM using NTLM Map]
[10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d][SmNtc::getCredentialsNTLMMap][ SMNTLMCOOKIE Cookie ID <value> ]
[10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d][SmNtc::getCredentialsNTLMMap][SMNTLMCOOKIE entry **not found** in NTLM Map, NTLM Type 1 request]
[10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::initializeSSPI][Initializing SSPI library.]
[10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::initializeSSPI][Initialization of SSPI library is success.]
[10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::initializeSSPI][Security packages details: capabilities = 8928179 version = 1 rpcid = 9 max token size = 48256 name = Negotiate comment = Microsoft Package Negotiator ]
[10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::processNTLMRequest][Calling AcceptSecurityContext with handle: (lower) 0 (upper) 0]
[10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::processNTLMRequest][Handle is INVALID (This is OK if there is no handle yet)]
[10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::processNTLMRequest][AcceptSecurityContext returned : 0x00000000]
[10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::processNTLMRequest][Returned from AcceptSecurityContext with handle: (lower) <value>]
[10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::processNTLMRequest][Returned from AcceptSecurityContext with handle: (upper) <value>]
[10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d][SmNtc::getCredentialsNTLMMap][NTLM Authentication request is successfully completed for user EXAMPLE\<lastname>.]
[10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d][HandleCredCollectorReturn][POST preservation, handling return from credential collector.]
[10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d][HandleCredCollectorReturn][http response http://sps.example.com/postpreservation/allheaders.php]
[10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d][CSmCredentialManager::GatherAdvancedAuthCredentials][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmSuccess.]
[10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d][CSmCredentialManager::GatherAdvancedAuthCredentials][Calling SM_WAF_AG_PLUGIN->ProcessAdvancedAuthCredentials.]
[10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d][CSmCredentialManager::GatherAdvancedAuthCredentials][SM_WAF_AG_PLUGIN->ProcessAdvancedAuthCredentials returned SmNoAction.]
[10/29/2021][15:35:57][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d][AuthenticateUser][User 'EXAMPLE\<lastname>' is authenticated by Policy Server.]
[10/29/2021][15:35:57][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d][Tomcat5SerializedAgentData::doResponse][HTTP Status Code = 302]
Upgrade CA Access Gateway (SPS) to 12.8SP7, which includes the fix DE519263 (1) that resolves this issue.