
Unexpected POST preservation data lost after SPS authentication


Article ID: 229142


Products

CA Single Sign On Agents (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)
SITEMINDER

Issue/Introduction

 

When CA Access Gateway (SPS) receives a POST request that requires
authentication, the response redirects the browser to a Web Agent with
a GET instead of a POST, and the POSTed data is lost.

The browser POSTs data to the protected
/postpreservation/allheaders.php resource.

fiddler.saz

Line 3 :

POST http://wa.training.com/postpreservation/allheaders.php 
fname=joe&lname=blo

  HTTP/1.1 200 OK
  Date: Fri, 29 Oct 2021 13:35:54 GMT
  Server: Apache/2.4.46 (Unix) OpenSSL/1.0.2k-fips PHP/7.2.10
  
  <HTML>
    <BODY onLoad="document.AUTOSUBMIT.submit();">
     This page is used to hold your data while you are being authorized for your request.
     <BR>
     <BR>

       You will be forwarded to continue the authorization process. If
       this does not happen automatically, please click the Continue
       button below.
     
     <FORM NAME="AUTOSUBMIT" METHOD="POST" ENCTYPE="application/x-www-form-urlencoded"
      ACTION="http://WIN-FS0E050TVAM.training.com/siteminderagent/ntlm/smntlm.ntc?CHALLENGE=
      &SMAGENTNAME=-SM-PP3%2bhkmJwUxZIJFANyV6yj8ZazyMxNYg
      &TARGET=-SM-http%3a%2f%2fwa%2etraining%2ecom%2fpostpreservation%2fallheaders%2ephp">

      <INPUT TYPE="HIDDEN" NAME="SMPostPreserve" VALUE="rF4BQbc58kRRUBhNrE+mGR5gKe6QVim3MKQvJ1uNUM0noboSiZR4BUY7/Qg78i0B">
      <INPUT TYPE="SUBMIT" VALUE="Continue"></FORM></BODY></HTML>

CA Access Gateway (SPS) receives the POSTed data and authenticates the
user with Windows Authentication.
      
Line 4 :

POST http://win-fs0e050tvam.training.com/siteminderagent/ntlm/smntlm.ntc?CHALLENGE=&SMAGENTNAME=-SM-PP3%2bhkmJwUxZIJFANyV6yj8ZazyMxNYg&TARGET=-SM-http%3a%2f%2fwa%2etraining%2ecom%2fpostpreservation%2fallheaders%2ephp HTTP/1.1
SMPostPreserve=rF4BQbc58kRRUBhNrE%2BmGR5gKe6QVim3MKQvJ1uNUM0noboSiZR4BUY7%2FQg78i0B

  HTTP/1.1 302 302
  Date: Fri, 29 Oct 2021 13:35:56 GMT
  Server: Apache/2.4.46 (Win64) mod_jk/1.2.48
  
Line 6 :

GET http://win-fs0e050tvam.training.com/siteminderagent/ntlm/smntlm.ntc?CHALLENGE=&SMAGENTNAME=-SM-PP3%2bhkmJwUxZIJFANyV6yj8ZazyMxNYg&TARGET=-SM-http%3a%2f%2fwa%2etraining%2ecom%2fpostpreservation%2fallheaders%2ephp HTTP/1.1

  HTTP/1.1 302 302
  Date: Fri, 29 Oct 2021 13:35:56 GMT
  Server: Apache/2.4.46 (Win64) mod_jk/1.2.48
  Set-Cookie: SMNTLMCOOKIE=DONE; Domain=.training.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
  Set-Cookie: SMCHALLENGE=NTC_CHALLENGE_DONE; Domain=.training.com; Path=/
  Set-Cookie: SMSESSION=Uxgm4e8RI1nZxlzO5O9vJAUPkk6v8Z46zqUSTlLu20 [...] /Qy+NhF; Domain=.training.com; Path=/
  Location: http://wa.training.com/postpreservation/allheaders.php

But CA Access Gateway (SPS) redirects the browser back to the
targeted resource with a GET instead of a POST, and the POSTed data
"fname=joe&lname=blo" isn't sent:
  
Line 7 :

GET http://wa.training.com/postpreservation/allheaders.php

  HTTP/1.1 200 OK
  Date: Fri, 29 Oct 2021 13:35:57 GMT
  Server: Apache/2.4.46 (Unix) OpenSSL/1.0.2k-fips PHP/7.2.10

  <br />Connection: keep-alive
  <br />Cache-Control: max-age=0
  <br />Upgrade-Insecure-Requests: 1
  <br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
  <br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  <br />Referer: http://wa.training.com/
  <br />Accept-Encoding: gzip, deflate
  <br />Accept-Language: en-US,en;q=0.9
  <br />SM_TRANSACTIONID: 0000000000000000000000006601a8c0-4ed0-617bf8bd-4dff3700-1e2672f1aabd
  <br />SM_SDOMAIN: .training.com
  <br />SM_REALM: postpreservation
  <br />SM_REALMOID: 06-00049bbd-b4eb-117b-ae80-0165c0a80000
  <br />SM_AUTHTYPE: NT Challenge/Response
  <br />SM_AUTHREASON: 0
  <br />SM_SESSIONDRIFT: -1
  <br />SM_UNIVERSALID: jblo
  <br />SM_AUTHDIROID: 0e-0000b5a9-2f33-1101-8b3f-0165c0a80000
  <br />SM_AUTHDIRNAME: AD
  <br />SM_AUTHDIRSERVER: 192.168.1.112:389
  <br />SM_AUTHDIRNAMESPACE: LDAP:
  <br />cookie:  SMSESSION=nsY5i1LchuoxQQUsfbxfBqxZMRz8DaWMFL6uQB02JC/ZvOr0BWD5vXOI/Q/bLMQEJxObmnDuKl4JruOKfOf+dVBh2uJAAeRt5Y/9sPagiQWiiZ11saOcPPAzJiXE++U07vJ9GVQ06rXkAL6QpVrMswMDCqzBjP/cZm/vHnZTzyoWdhrGr4SH1qKIAuWurHomWY3KsLlIO+h6XNbrTlEE41rfDP20dLQb636vIGREsPe4TUm9/FCZdMUCo1/b/A+yj4XSgVKicOKiY/lY7NMlhxBKEJKayYXwDUA9erLbJkQjhfUbGb/qpHLpnaSYp3KDGVI5iMPBhw51lTDuqxYIzZdwW+LFn0xVyP6dXEJ6rwisYzct1ZCrs89Q/jJqpP7T/NZAsHbLUfWUa8GH3mkV7pJakp13NXFfQom+E/iZ2O/z+Wa5No6kpnvgIBhc+yrgAn4W2yVlzwWuD1Ti3YRmSnkf9DANHGt2GnglUW2/NSlqt64aIjgIc22LgZoK7AHVYGl60GWHgD3afkHEnXqbf45yPqN6GSV/RZUdsx4hnvEdAXTiaxaEBZED1KaSxVdNnXVtQAZ9QjazzmKPulrOv7TkXJ7wfwBiTwwGjS9SyLS0JrNjICQz+6wEjvuyIy6ZZgC4QQ4273Vv0c87pRUcLlAsRktfEpiCnywFa5rVwoqRr1AzaeMjPNqhfQd8PrYDKxBnpyAlr/btHrqkqYtXAwUYdn9lfWA8j5mLCaofAlPN4OdjowKdX0Ver8QQE64vfhuACHly8ypP+JJffxODx4xah+Qtg/L4SkBgyX+s7RvwsV9mHMSgwhY95nr58eJLnJdhpYHSlaktr+9mGhXsY8/qezZ9t7XpHFSREsTLEX2Xf8Q8YqrhM1q0UyKD8xlr+R6E3GPFIu1lQ2xIlhfW5I+z2f5cEvLv7mmZJoGkcKlHWe8ikRweXkiQpd9WnoUTJhfhjNsuqNqGVO7jVK72gDQanRoXYBVwLsEFnpP2s+17fyXw1umqADV5aDbEYkmLA3ppKGL1gUQhAgrEdBFI5ohXMFcIwHWhzxXBH0OXfD9c2yzxJf8rxWZxDwFu1TCPEpi6wiX5bVQM4EUu+hjDbkxNu3gLaoM4
  <br />SM_USER: TRAINING\jblo
  <br />SM_USERDN: cn=jblo,cn=Users,dc=training,dc=com
  <br />SM_SERVERSESSIONID: zDDdzuXDH8vDzREoaxmthCI8MuY=
  <br />SM_SERVERSESSIONSPEC: gVMelOsPB5bPKglEhk0y5EsrgzB9Zu4nBWIahf6wTko+eBPfEe4hui+ekVkEcC+bucqJmjipdj6NRJpFRm9l5dm+mzsJIYEsU9VANJVVimvGku0m7mxuSx43ndSJy1QussqYaI5y5oJ3SvlsOw7kYJj3Hw+LNpotTjDEJI6RmlxSK1Sn2faec/ZRmCtkl4j3yTOF/7IzeTouSHrkjAtgdSW2cKIi1B+a5Q++npTi3sc9joAwD1VP4wtusbjdyvECS2zZEAgpjdGRWoT/BqVf/Czlf+4DAAtY93md2NRI9zppgoSpOHvJsFctJIXW7Re/nJ2jnpXv0ObgAf6MKMSncTvZKgfei6I6g/5PzZVVpfweJi89NdYZ+1ZdZSoW4PSfC/yhUR9ECvuiMClvTWbxetZAlj6jN/jg5ey+M4Tdgsq9QlgQ/LEHsA==
  <br />SM_TIMETOEXPIRE: 7199
  <br />SM_SERVERIDENTITYSPEC: 
  <br /> 

We would expect the data to be POSTed instead, like this:

POST http://wa.training.com/postpreservation/allheaders.php
fname=joe&lname=blo

  HTTP/1.1 200 OK
  Date: Mon, 22 Nov 2021 10:56:18 GMT
  Server: Apache/2.4.46 (Unix) OpenSSL/1.0.2k-fips PHP/7.2.10

  [...]
  
  <br />SM_SERVERIDENTITYSPEC: 
  <br />joe blo
  <br /> 

CA Access Gateway (SPS) shows that it receives the POSTed data, but
shows nothing when sending the response back to the target URL.
  
sps-win.trace :

  [10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d]
  [SmNtc::getCredentials][Request for  SSPI NTLM using NTLM Map]

  [10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d]
  [SmNtc::getCredentialsNTLMMap]
  [  SMNTLMCOOKIE  Cookie ID 15913008-66d998c1-e9486b36-40dfdcf8-8891cdce-28c1   ]

  [10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d]
  [SmNtc::getCredentialsNTLMMap][SMNTLMCOOKIE entry **not found** in NTLM Map, NTLM Type 1 request]

  [10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::initializeSSPI]
  [Initializing SSPI library.]

  [10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::initializeSSPI]
  [Initialization of SSPI library is success.]

  [10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::initializeSSPI]
  [Security packages details: capabilities = 8928179  version = 1   
  rpcid = 9   max token size = 48256   name = Negotiate  
  comment = Microsoft Package Negotiator ]

  [10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::processNTLMRequest]
  [Calling AcceptSecurityContext with handle: (lower) 0 (upper) 0]

  [10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::processNTLMRequest]
  [Handle is INVALID (This is OK if there is no handle yet)]

  [10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::processNTLMRequest]
  [AcceptSecurityContext returned : 0x00000000]

  [10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::processNTLMRequest]
  [Returned from AcceptSecurityContext with handle: (lower) 1630930422992]

  [10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::processNTLMRequest]
  [Returned from AcceptSecurityContext with handle: (upper) 2214921294672]

  [10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d]
  [SmNtc::getCredentialsNTLMMap]
  [NTLM Authentication request is successfully completed for user TRAINING\jblo.]

  [10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d]
  [HandleCredCollectorReturn][POST preservation, handling return from credential collector.]

  [10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d]
  [HandleCredCollectorReturn][http response http://wa.training.com/postpreservation/allheaders.php]

  [10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d]
  [CSmCredentialManager::GatherAdvancedAuthCredentials]
  [SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmSuccess.]

  [10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d]
  [CSmCredentialManager::GatherAdvancedAuthCredentials][Calling SM_WAF_AG_PLUGIN->ProcessAdvancedAuthCredentials.]

  [10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d]
  [CSmCredentialManager::GatherAdvancedAuthCredentials]
  [SM_WAF_AG_PLUGIN->ProcessAdvancedAuthCredentials returned SmNoAction.]

  [10/29/2021][15:35:57][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d]
  [AuthenticateUser][User 'TRAINING\jblo' is authenticated by Policy Server.]

  [10/29/2021][15:35:57][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d]
  [Tomcat5SerializedAgentData::doResponse][HTTP Status Code = 302]

 

Environment

 

  Policy Server 12.8SP5 on Redhat 7
  CA Access Gateway (SPS) 12.8SP5 on Windows 2016
  Web Agent 6.0SP5CR35 on Apache 2.2.34 on RedHat 5

 

Resolution

 

- Upgrade CA Access Gateway (SPS) to 12.8SP7 in order to fix this
  issue.
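
A check for the flow shown under Issue, usable on a capture taken before and after the upgrade. This is an added example, not part of the original article or the product: given the requests of a browser capture in order, it finds the SMPostPreserve hand-off to the credential collector, reads its TARGET parameter, and reports whether the first request back to that target is still a POST with a body. The tuple format, the function names and the placeholder tokens are assumptions; the URLs are those of the Fiddler lines above.

```python
from urllib.parse import urlsplit, parse_qs

def _norm(url):
    """Scheme, lower-cased host and path: enough to compare capture URLs."""
    u = urlsplit(url)
    return (u.scheme.lower(), u.netloc.lower(), u.path)

def collector_target(url):
    """Return the decoded TARGET of a credential-collector URL, or None."""
    target = parse_qs(urlsplit(url).query).get("TARGET", [None])[0]
    if target is None:
        return None
    # Assumption: only the literal "-SM-" prefix seen in the capture is stripped.
    return target[4:] if target.startswith("-SM-") else target

def check_post_preservation(sessions):
    """Classify a capture as 'preserved', 'lost' or 'not-seen'.

    sessions: list of (method, url, body) tuples in capture order.
    """
    target = None
    for method, url, body in sessions:
        if target is None:
            # The auto-submitted form carries the SMPostPreserve field and TARGET.
            if method == "POST" and "SMPostPreserve" in parse_qs(body):
                target = collector_target(url)
            continue
        if _norm(url) == _norm(target):
            # First request to the protected resource after authentication.
            return "preserved" if method == "POST" and body else "lost"
    return "not-seen"

COLLECTOR = ("http://win-fs0e050tvam.training.com/siteminderagent/ntlm/smntlm.ntc"
             "?CHALLENGE=&SMAGENTNAME=-SM-PLACEHOLDER"
             "&TARGET=-SM-http%3a%2f%2fwa%2etraining%2ecom%2fpostpreservation%2fallheaders%2ephp")
RESOURCE = "http://wa.training.com/postpreservation/allheaders.php"

# Constructed from the Fiddler lines in this article; tokens replaced by placeholders.
OBSERVED = [
    ("POST", RESOURCE, "fname=joe&lname=blo"),
    ("POST", COLLECTOR, "SMPostPreserve=PLACEHOLDER"),
    ("GET", COLLECTOR, ""),
    ("GET", RESOURCE, ""),
]
EXPECTED = OBSERVED[:3] + [("POST", RESOURCE, "fname=joe&lname=blo")]

if __name__ == "__main__":
    print("observed:", check_post_preservation(OBSERVED))
    print("expected:", check_post_preservation(EXPECTED))
```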