search cancel

Logged-in user failed to access higher-authentication-level resources


Article ID: 33311


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On



Resources are protected with Integrated Windows Authentication (IWA) scheme.

User login via level 5 IWA. When users access resources that require higher authentication level (level 10) than the existing user session, Policy Server rejects the step-up user access with following error:

[9592][8908][Sm_Az_Message.cpp:595][CSm_Az_Message::ProcessMessage][s2393/r8][winagent][][][][highwinrealm][highwindomain][][][][][][][][][][][][][][** Status: Not Authorized. Session is not authorized for this security level][][][][][][][][][kMwBI49TESlO…4dFFGSC][][][cn=administrator,CN=Users,dc=NAWAL,dc=com]



With IWA, Webagent redirects user to creds.ntc for authentication with CHALLENGE header value append to the query string, e.g:

The CHALLENGE header consists of the encrypted user name from the existing user session. Webagent compares the user authenticated by IIS with the user name passed from the CHALLENGE query string. If they matched, NTLM will challenge user again and if user login with same user credentials, Webagent validates the user against the existing authentication level. Policy Server then rejects user access again. Hence, the request is going in loop.



Additional logic is added in Webagent to identify step-up authentication. It removes the CHALLENGE header from the query string when the logged-in user is accessing higher level protection realm..

Tentatively, fix will be incorporated with following releases:

·      R12.51 CR8

·      R12.52 SP1 CR4

·      R12.52 SP2



 Use same protection level across the authentication schemes to avoid getting into the deadlock.


Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus