Unexpected POST preservation data lost after SPS authentication

Article ID: 229142


Products

  CA Single Sign On Agents (SiteMinder);
  CA Single Sign On Secure Proxy Server (SiteMinder);
  SITEMINDER

Issue/Introduction


When CA Access Gateway (SPS) receives a POST request that requires authentication, the response redirects to a Web Agent, and the browser is then sent back to the resource with a GET instead of a POST, so the POSTed data gets lost.

 

Environment

 

  Policy Server 12.8SP5 on Red Hat 7;
  CA Access Gateway (SPS) 12.8SP5 on Windows 2016;
  Web Agent 6.0SP5CR35 on Apache 2.2.34 on Red Hat 5;

 

Cause


The browser POSTs data to the protected /postpreservation/allheaders.php resource.

fiddler.saz

Line 3 :

    POST http://sps.example.com/postpreservation/allheaders.php 
    fname=<name>&lname=<lastname>
    
      HTTP/1.1 200 OK
      Date: Fri, 29 Oct 2021 13:35:54 GMT
      Server: Apache/2.4.46 (Unix) OpenSSL/1.0.2k-fips PHP/7.2.10
      
      <HTML>
        <BODY onLoad="document.AUTOSUBMIT.submit();">
         This page is used to hold your data while you are being authorized for your request.
         <BR>
         <BR>

           You will be forwarded to continue the authorization process. If this does not happen automatically, please click the Continue button below.
         
         <FORM NAME="AUTOSUBMIT" METHOD="POST" ENCTYPE="application/x-www-form-urlencoded" ACTION="http://wa.example.com/siteminderagent/ntlm/smntlm.ntc?CHALLENGE=&SMAGENTNAME=-SM-<value>&TARGET=-SM-http%3a%2f%2fsps%2eexample%2ecom%2fpostpreservation%2fallheaders%2ephp">

          <INPUT TYPE="HIDDEN" NAME="SMPostPreserve" VALUE="<value>">
          <INPUT TYPE="SUBMIT" VALUE="Continue"></FORM></BODY></HTML>

CA Access Gateway (SPS) receives the POSTed data and authenticates the user with Windows Authentication.
      
Line 4 :

    POST http://wa.example.com/siteminderagent/ntlm/smntlm.ntc?CHALLENGE=&SMAGENTNAME=-SM-<value>&TARGET=-SM-http%3a%2f%2fsps%2eexample%2ecom%2fpostpreservation%2fallheaders%2ephp HTTP/1.1
    SMPostPreserve=<value>

      HTTP/1.1 302 302
      Date: Fri, 29 Oct 2021 13:35:56 GMT
      Server: Apache/2.4.46 (Win64) mod_jk/1.2.48

Line 6:

    GET http://wa.example.com/siteminderagent/ntlm/smntlm.ntc?CHALLENGE=&SMAGENTNAME=-SM-<value>&TARGET=-SM-http%3a%2f%2fsps%2eexample%2ecom%2fpostpreservation%2fallheaders%2ephp HTTP/1.1

      HTTP/1.1 302 302
      Date: Fri, 29 Oct 2021 13:35:56 GMT
      Server: Apache/2.4.46 (Win64) mod_jk/1.2.48
      Set-Cookie: SMNTLMCOOKIE=DONE; Domain=.example.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
      Set-Cookie: SMCHALLENGE=NTC_CHALLENGE_DONE; Domain=.example.com; Path=/
      Set-Cookie: SMSESSION=<value>; Domain=.example.com; Path=/
      Location: http://sps.example.com/postpreservation/allheaders.php

However, CA Access Gateway (SPS) directs the browser back to the targeted resource with a GET instead of a POST, and the POSTed data "fname=<name>&lname=<lastname>" is not sent:
  
Line 7 :

    GET http://sps.example.com/postpreservation/allheaders.php

      HTTP/1.1 200 OK
      Date: Fri, 29 Oct 2021 13:35:57 GMT
      Server: Apache/2.4.46 (Unix) OpenSSL/1.0.2k-fips PHP/7.2.10

      <br />Referer: http://sps.example.com/
      <br />SM_SDOMAIN: .example.com
      <br />SM_REALM: postpreservation
      <br />SM_AUTHTYPE: NT Challenge/Response
      <br />SM_AUTHREASON: 0
      <br />SM_SESSIONDRIFT: -1
      <br />cookie:  SMSESSION=<value>
      <br />SM_USER: EXAMPLE\<lastname>
      <br />SM_USERDN: cn=<lastname>,cn=Users,dc=example,dc=com
      <br /> 

The data would be expected to be POSTed like this:

    POST http://sps.example.com/postpreservation/allheaders.php
    fname=<name>&lname=<lastname>

      HTTP/1.1 200 OK
      Date: Mon, 22 Nov 2021 10:56:18 GMT
      Server: Apache/2.4.46 (Unix) OpenSSL/1.0.2k-fips PHP/7.2.10

      [...]
      
      <br />SM_SERVERIDENTITYSPEC: 
      <br /><name> <lastname>
      <br /> 

The CA Access Gateway (SPS) trace shows the POSTed data being received, but shows nothing about it when the response is sent back to the target URL.
  
sps.trace :

    [10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d][SmNtc::getCredentials][Request for  SSPI NTLM using NTLM Map]
    [10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d][SmNtc::getCredentialsNTLMMap][  SMNTLMCOOKIE  Cookie ID <value>   ]
    [10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d][SmNtc::getCredentialsNTLMMap][SMNTLMCOOKIE entry **not found** in NTLM Map, NTLM Type 1 request]
    [10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::initializeSSPI][Initializing SSPI library.]
    [10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::initializeSSPI][Initialization of SSPI library is success.]
    [10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::initializeSSPI][Security packages details: capabilities = 8928179  version = 1 rpcid = 9   max token size = 48256   name = Negotiate  comment = Microsoft Package Negotiator ]
    [10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::processNTLMRequest][Calling AcceptSecurityContext with handle: (lower) 0 (upper) 0]
    [10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::processNTLMRequest][Handle is INVALID (This is OK if there is no handle yet)]
    [10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::processNTLMRequest][AcceptSecurityContext returned : 0x00000000]
    [10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::processNTLMRequest][Returned from AcceptSecurityContext with handle: (lower) <value>]
    [10/29/2021][15:35:56][4276][5508][][CSmSSPIServer::processNTLMRequest][Returned from AcceptSecurityContext with handle: (upper) <value>]
    [10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d][SmNtc::getCredentialsNTLMMap][NTLM Authentication request is successfully completed for user EXAMPLE\<lastname>.]
    [10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d][HandleCredCollectorReturn][POST preservation, handling return from credential collector.]
    [10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d][HandleCredCollectorReturn][http response http://sps.example.com/postpreservation/allheaders.php]
    [10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d][CSmCredentialManager::GatherAdvancedAuthCredentials][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmSuccess.]
    [10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d][CSmCredentialManager::GatherAdvancedAuthCredentials][Calling SM_WAF_AG_PLUGIN->ProcessAdvancedAuthCredentials.]
    [10/29/2021][15:35:56][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d][CSmCredentialManager::GatherAdvancedAuthCredentials][SM_WAF_AG_PLUGIN->ProcessAdvancedAuthCredentials returned SmNoAction.]
    [10/29/2021][15:35:57][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d][AuthenticateUser][User 'EXAMPLE\<lastname>' is authenticated by Policy Server.]
    [10/29/2021][15:35:57][4276][5508][5b8eb277-f16a4564-f04d983a-83f08e54-edbf1969-8d][Tomcat5SerializedAgentData::doResponse][HTTP Status Code = 302]
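
To check a captured session list for this symptom, the following added example (not Broadcom code) decodes the `TARGET` parameter of the credential-collector URL and reports whether the browser came back to that target with a POST or a GET. The session tuples are constructed to mirror the Fiddler lines above; `AGENT`, `TOKEN` and the form values stand in for redacted data, and treating `-SM-` as a literal prefix is an assumption based on the trace.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample mirroring the Fiddler sessions above: (method, url, body).
# "AGENT" and "TOKEN" stand in for the values the article redacts as <value>.
COLLECTOR = ("http://wa.example.com/siteminderagent/ntlm/smntlm.ntc"
             "?CHALLENGE=&SMAGENTNAME=-SM-AGENT&TARGET=-SM-http%3a%2f%2fsps"
             "%2eexample%2ecom%2fpostpreservation%2fallheaders%2ephp")
TARGET = "http://sps.example.com/postpreservation/allheaders.php"
BROKEN = [
    ("POST", TARGET, "fname=a&lname=b"),
    ("POST", COLLECTOR, "SMPostPreserve=TOKEN"),
    ("GET", COLLECTOR, ""),
    ("GET", TARGET, ""),
]
EXPECTED = BROKEN[:3] + [("POST", TARGET, "fname=a&lname=b")]


def decode_target(url):
    """Return the TARGET URL carried in a credential-collector query, or None."""
    values = parse_qs(urlsplit(url).query).get("TARGET")
    if not values:
        return None
    target = values[0]  # parse_qs has already percent-decoded the value
    # Assumption: "-SM-" is a literal prefix in front of the URL, as in the trace.
    return target[4:] if target.startswith("-SM-") else target


def check_post_preservation(sessions):
    """Report how the browser returned to each target after an SMPostPreserve POST."""
    findings = []
    pending = None  # target URL the browser should be sent back to
    for method, url, body in sessions:
        if method == "POST" and "SMPostPreserve=" in body:
            pending = decode_target(url)
        elif pending and url == pending:
            ok = method == "POST" and bool(body)
            findings.append((pending, method, "preserved" if ok else "lost"))
            pending = None
    return findings


if __name__ == "__main__":
    print(check_post_preservation(BROKEN))
    print(check_post_preservation(EXPECTED))
```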

 

Resolution


Upgrade CA Access Gateway (SPS) to 12.8SP7, which includes the fix DE519263 (1) that solves the issue.

 

Additional Information