EnforceRealmTimeouts ACO not working on Web Agent

Article ID: 237021

Products

SITEMINDER CA Single Sign On Agents (SiteMinder)

Issue/Introduction

 

When running a Web Agent, even though sm_timetoexpire gets changed to
14400 as expected from the EnforceRealmTimeouts implementation, the user
still gets logged out after 3600 seconds.

 

Cause

 

The realm on which the user logs in sets the max timeout to 2 hrs and
the idle timeout to 1 hr.

The second realm, where the timeout enforcement is set, has a
max timeout of 4 hrs and an idle timeout of 15 min.

As both realms are persistent, the session data gets written to the
Session Store on access to the first application, where the login
occurs and where the idle timeout is set to 1 hr :

  /myApp/mydir/

That idle timeout is written in the Session data, and this Session
data is written to the Session Store.
  
Then every 15 min, the Web Agent of the second application validates the
session with the Policy Server, as both realms have "validate session"
set to 15 min, which means that the Web Agent asks the Policy Server to
validate the session against the Session Store every 15 min.

Once the Policy Server sees that the validation time in the session data
reaches 1 hr, and the browser hasn't visited the first application in
the meantime, it reports that the idle timeout is reached and redirects
the browser to the login page.

If both realms are set to non-persistent, this behavior won't happen,
as the Session Store data won't be used.

To illustrate :

Browser first logs in to the /myApp/mydir/ realm :

fiddler.saz :

Line 43 :

GET https://mylogin.mydomain.com/myApp/mydir/headers.jsp

  HTTP/1.1 302 Found
  Date: Wed, 23 Feb 2022 10:29:32 GMT
  Server: Apache
  Location: https://mysecondlogin.mydomain.com/myAuthenticate/myloginpage?TYPE=33554433&REALMOID=06-a441122ss52-6s22-4d08-94da-8e35ebc86b47&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-ksllwls55d552asviGpin4MRCUOrl%2bi%2baulFcEvY6%2b8KjscnC1JtFtfJRWZnl3uHD3&TARGET=-SM-https%3A%2F%2Fmylogin.mydomain.com%2FmyApp%2Fmydir%2Fheaders.jsp

Line 83 :

GET https://mysecondlogin.mydomain.com/myAuthenticate/mysecondloginpage?TYPE=33554433&REALMOID=06-a441122ss52-6s22-4d08-94da-8e35ebc86b47&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-ksllwls55d552asviGpin4MRCUOrl%2bi%2baulFcEvY6%2b8KjscnC1JtFtfJRWZnl3uHD3&TARGET=-SM-https%3A%2F%2Fmylogin.mydomain.com%2FmyApp%2Fmydir%2Fheaders.jsp HTTP/1.1

  HTTP/1.1 302 Found
  Date: Wed, 23 Feb 2022 10:29:46 GMT
  Server: myServer
  Location: https://mylogin.mydomain.com/myApp/mydir/headers.jsp

Line 84 :

GET https://mylogin.mydomain.com/myApp/mydir/headers.jsp

  HTTP/1.1 200
  Date: Wed, 23 Feb 2022 10:29:46 GMT
  Server: apache

Then the browser accesses the second application every minute for an hour :

Line 88 :

GET https://myapp.mydomain.com/myheaders.aspx

  HTTP/1.1 200 OK
  Server: Microsoft-IIS/10.0
  set-cookie: SMSESSION=cc4IOHdJYxXsF/ [...] Tbioh3kS2AAHjhUMkOtyPWzuJJk86ZrlD1hly6VYbLnCPIiAkD; path=/; domain=mydomain.com; secure; HTTPOnly
  Date: Wed, 23 Feb 2022 10:29:55 GMT

[...]

Line 104 :

GET https://myapp.mydomain.com/myheaders.aspx

  HTTP/1.1 200 OK
  Server: Microsoft-IIS/10.0
  set-cookie: SMSESSION=xUYwbHYbfT/Rsy9A2Y4J0xEiP2bvBbCT8Yj [...] FidsSLx3JWwXFZ4B4IwvmGpnxIlqZLf/JtFT59kn9oSIiBW; path=/; domain=mydomain.com; secure; HTTPOnly
  Date: Wed, 23 Feb 2022 10:30:55 GMT

[...]

One hour after the login, the browser gets redirected to the
login page as the idle timeout has been reached :

Line 1609 :

GET https://myapp.mydomain.com/myheaders.aspx
SMSESSION=yEG6JkURuu2UVcyGnFHB9Zi0Jnc

  HTTP/1.1 302 HTTP/1.1 302 Object Moved
  Location: https://mylogin.mydomain.com/siteminderagent/forms/login.fcc?TYPE=167772161&REALMOID=06-55122s522-3bee-4755-a529-483860a41777&GUID=0&SMAUTHREASON=4&METHOD=GET&SMAGENTNAME=-SM-iHNtaVZwkY%2fHMrR1gfNjo%2ffx2lG%2fRIBn7%2fXtHqt3GBpvnXRwfpbv2TmXni8JQLJ%2bo3sHUa1Vwm%2bfbXkhF8R2LLy7t3TJcfoP&TARGET=-SM-https%3A%2F%2Fmyapp.mydomain.com%2Fmyheaders.aspx
  Server: Microsoft-IIS/10.0
  Date: Wed, 23 Feb 2022 11:29:56 GMT

Line 1611 :

GET https://mylogin.mydomain.com/siteminderagent/forms/login.fcc?TYPE=167772161&REALMOID=06-55122s522-3bee-4755-a529-483860a41777&GUID=0&SMAUTHREASON=4&METHOD=GET&SMAGENTNAME=-SM-iHNtaVZwkY%2fHMrR1gfNjo%2ffx2lG%2fRIBn7%2fXtHqt3GBpvnXRwfpbv2TmXni8JQLJ%2bo3sHUa1Vwm%2bfbXkhF8R2LLy7t3TJcfoP&TARGET=-SM-https%3A%2F%2Fmyapp.mydomain.com%2Fmyheaders.aspx
Cookie: SMSESSION=yEG6JkURuu2UVcyGnFHB9Zi0Jnc

  HTTP/1.1 200
  Date: Wed, 23 Feb 2022 11:29:56 GMT
  Server: apache
  Set-Cookie: SMSESSION=CmQlUlkTZE4mjkpJvZNhXpmur6BQ14z2
  
  Login

  Username :
  Password :
  
webagent.log :
  [5520/6968][Wed Feb 23 2022 10:50:13] agentname='myAgent1.mydomain.com,myAgent1.mydomain.com'.

  [5520/6968][Wed Feb 23 2022 10:50:13] agentname='myagent2.mydomain.com,myagent2.mydomain.com'.

  [5520/6968][Wed Feb 23 2022 10:50:13] enforcerealmtimeouts='yes'.
The Policy Server finds the idle timeout in the Session Data from
the Session Store :
  
smtracedefault.log :

  [02/23/2022][12:29:56][8420][13260][CSmHttpPlugin.cpp:489][CSmHttpPlugin::ProcessResource]
  [00000000000000000000000044cd1dac-20e4-62161ab4-33cc-01a30029][][][][][]
  [Resolved hostname: 'myapp.mydomain.com'.]

  [02/23/2022][12:29:56][8420][13260][CSmHttpPlugin.cpp:850][CSmHttpPlugin::ProcessResource]
  [00000000000000000000000044cd1dac-20e4-62161ab4-33cc-01a30029][*10.0.0.1][]
  [myAgent1.mydomain.com][/myheaders.aspx][][Resolved METHOD: 'GET'.]

  [02/23/2022][12:29:56][8420][13260][CSmLowLevelAgent.cpp:1044][AuthenticateUser]
  [00000000000000000000000044cd1dac-20e4-62161ab4-33cc-01a30029][*10.0.0.1][]
  [myAgent1.mydomain.com][/myheaders.aspx][]
  [Validating session '7b08626b-92a0-42b2-8647-a3c755c5be64'
  for user 'cn=myuser,dc=training,dc=com' in zone 'SM'.]

  [02/23/2022][12:29:56][8420][13260][CSmLowLevelAgent.cpp:1123][AuthenticateUser]
  [00000000000000000000000044cd1dac-20e4-62161ab4-33cc-01a30029][*10.0.0.1][]
  [myAgent1.mydomain.com][/myheaders.aspx]
  [][Failed to validate session '' for user 'cn=myuser,dc=training,dc=com' in zone 'SM'.]

  [02/23/2022][12:29:56][8420][13260][CSmLowLevelAgent.cpp:1380][AuthenticateUser]
  [00000000000000000000000044cd1dac-20e4-62161ab4-33cc-01a30029][*10.0.0.1][]
  [myAgent1.mydomain.com][/myheaders.aspx][]
  [User 'cn=myuser,dc=training,dc=com' is not authenticated by Policy Server.]

  [02/23/2022][12:29:56][8420][13260][CSmHttpCredCore.cpp:2013]
  [CSmHttpCredCore::DoFormsChallenge][00000000000000000000000044cd1dac-20e4-62161ab4-33cc-01a30029]
  [*10.0.0.1][][myAgent1.mydomain.com][/myheaders.aspx][]
  [Redirecting to credential collector
  'https://mylogin.mydomain.com/siteminderagent/forms/login.fcc?TYPE=167772161
  &REALMOID=06-55122s522-3bee-4755-a529-483860a41777&GUID=0&SMAUTHREASON=4&METHOD=GET
  &SMAGENTNAME=-SM-iHNtaVZwkY%2fHMrR1gfNjo%2ffx2lG%2fRIBn7%2fXtHqt3GBpvnXRwfpbv2TmXni
  8JQLJ%2bo3sHUa1Vwm%2bfbXkhF8R2LLy7t3TJcfoP&TARGET=-SM-https%3A%2F%2Fmyapp.mydomain.com%2Fmyheaders.aspx'.]

smtracedefault.log :

  [02/23/2022][12:29:56.433][12:29:56][3616][4840][SmMessage.cpp:557]
  [CSmMessage::ParseAgentMessage][s5196/r18][][][][][][][][][][][][][][][][][][]
  [00000000000000000000000044cd1dac-20e4-62161ab4-33cc-01a30029]
  [Receive request attribute 221, data size is 60][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][]

  [02/23/2022][12:29:56.433][12:29:56][3616][4840][SmSessionServer.cpp:571][][][][][]
  [][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Server-06007] failed. Error code : 2]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [02/23/2022][12:29:56.433][12:29:56][3616][4840][SmAuthSession.cpp:379][SmAuthSession]
  [][][][][][][][][][][][][][][][][][][][][Idle timeout exceeded][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [02/23/2022][12:29:56.433][12:29:56][3616][4840][Sm_Auth_Message.cpp:4902]
  [CSm_Auth_Message::SendReply][s5196/r18][myAgent1.mydomain.com]
  [][][][/][myAgent1.mydomain.com][][][][][][][][][][][][][]
  [** Status: Not Validated. Session has expired][][][][][][Session has expired][]
  [myRealm][][][][][][][][][06-55122s522-3bee-4755-a529-483860a41777][]
  [][][][][][][][][][][][][][][][][][][][]

pstore.xml :

First application /myApp/mydir/ :

            <Object Class="CA.SM::Realm"
                    Xid="CA.SM::[email protected]">
                <Property Name="CA.SM::Realm.Name">
                    <StringValue>/myApp/mydir/</StringValue>
                </Property>
                <Property Name="CA.SM::Realm.ResourceFilter">
                    <StringValue>/myApp/mydir/</StringValue>
                </Property>
                <Property Name="CA.SM::Realm.MaxTimeout">
                    <NumberValue>7200</NumberValue>   <!-- 2 hrs -->
                </Property>
                <Property Name="CA.SM::Realm.IdleTimeout">
                    <NumberValue>3600</NumberValue>   <!-- 1 hr -->
                </Property>
                <Property Name="CA.SM::Realm.SyncAudit">
                    <BooleanValue>false</BooleanValue>
                </Property>
                <Property Name="CA.SM::Realm.SessionType">
                    <NumberValue>1</NumberValue>      <!-- persistent -->
                </Property>
                <Property Name="CA.SM::Realm.SessionDrift">
                    <NumberValue>900</NumberValue>
                </Property>
            </Object>

Second application / :

            <Object Class="CA.SM::Realm"
                    Xid="CA.SM::[email protected]">
                <Property Name="CA.SM::Realm.Name">
                    <StringValue>/</StringValue>
                </Property>
                <Property Name="CA.SM::Realm.ResourceFilter">
                    <StringValue>/</StringValue>
                </Property>
                <Property Name="CA.SM::Realm.MaxTimeout">
                    <NumberValue>14400</NumberValue>  <!-- 4 hrs -->
                </Property>
                <Property Name="CA.SM::Realm.IdleTimeout">
                    <NumberValue>900</NumberValue>    <!-- 15 min -->
                </Property>
                <Property Name="CA.SM::Realm.SessionType">
                    <NumberValue>1</NumberValue>      <!-- persistent -->
                </Property>
                <Property Name="CA.SM::Realm.SessionDrift">
                    <NumberValue>900</NumberValue>
                </Property>
            </Object>
SessionType values :

  1 = Persistent
  0 = Non-persistent
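To spot this configuration before users hit it, the following added script (not part of this article or of the SiteMinder product) reads a pstore.xml export and lists persistent realms whose idle timeouts disagree. It assumes the CA.SM::Realm object and property names shown above; the sample export and its Xid values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the two realms in this article (Xids are placeholders).
SAMPLE_PSTORE = """<PolicyStore>
  <Object Class="CA.SM::Realm" Xid="CA.SM::Realm@placeholder-1">
    <Property Name="CA.SM::Realm.Name"><StringValue>/myApp/mydir/</StringValue></Property>
    <Property Name="CA.SM::Realm.MaxTimeout"><NumberValue>7200</NumberValue></Property>
    <Property Name="CA.SM::Realm.IdleTimeout"><NumberValue>3600</NumberValue></Property>
    <Property Name="CA.SM::Realm.SessionType"><NumberValue>1</NumberValue></Property>
  </Object>
  <Object Class="CA.SM::Realm" Xid="CA.SM::Realm@placeholder-2">
    <Property Name="CA.SM::Realm.Name"><StringValue>/</StringValue></Property>
    <Property Name="CA.SM::Realm.MaxTimeout"><NumberValue>14400</NumberValue></Property>
    <Property Name="CA.SM::Realm.IdleTimeout"><NumberValue>900</NumberValue></Property>
    <Property Name="CA.SM::Realm.SessionType"><NumberValue>1</NumberValue></Property>
  </Object>
</PolicyStore>"""

# Property suffixes we audit, with the Python type of each value.
PROPS = {"Name": str, "MaxTimeout": int, "IdleTimeout": int, "SessionType": int}

def load_realms(xml_text):
    """Return one dict per CA.SM::Realm object holding the audited properties."""
    realms = []
    for obj in ET.fromstring(xml_text).iter("Object"):
        if obj.get("Class") != "CA.SM::Realm":
            continue
        realm = {"Xid": obj.get("Xid")}
        for prop in obj.findall("Property"):
            key = prop.get("Name").rsplit(".", 1)[-1]  # "CA.SM::Realm.IdleTimeout" -> "IdleTimeout"
            if key in PROPS:
                tag = "StringValue" if PROPS[key] is str else "NumberValue"
                realm[key] = PROPS[key](prop.find(tag).text.strip())
        realms.append(realm)
    return realms

def persistent_realms(realms):
    """SessionType 1 = persistent: session data is written to the Session Store."""
    return [r for r in realms if r.get("SessionType") == 1]

def timeout_conflicts(realms):
    """Pairs of persistent realms whose idle timeouts differ: the login realm's idle
    timeout is what the Session Store holds and what the Policy Server enforces."""
    pers = persistent_realms(realms)
    return [(a["Name"], a["IdleTimeout"], b["Name"], b["IdleTimeout"])
            for i, a in enumerate(pers) for b in pers[i + 1:]
            if a["IdleTimeout"] != b["IdleTimeout"]]

for name_a, idle_a, name_b, idle_b in timeout_conflicts(load_realms(SAMPLE_PSTORE)):
    print(f"persistent realms {name_a!r} (idle {idle_a}s) and {name_b!r} (idle {idle_b}s) share the Session Store")
```

Run it against a real export by replacing SAMPLE_PSTORE with the file contents; every reported pair is a candidate for the non-persistent resolution below.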

 

Environment

 

  Policy Server 12.8SP3 on Windows;
  Web Agent 12.52SP1CR11 on IIS10 on Windows;
  Policy Store on Active Directory;
  Session Store on ODBC;

 

Resolution

 

- Set both realms as non-persistent to solve this issue;