Logout fails intermittently with CASiteMinderWebagentModule error 500

Article ID: 366819

Products

SITEMINDER
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

A federated application hosted in an Azure cloud environment is protected by SiteMinder Access Gateway version 12.8.6.
Application logout intermittently fails with error 500.

The data flow is as follows:

1. The IIS application calls logout, which calls the LogoffURI of the Access Gateway.

2. The logout page on the Access Gateway clears all cookies from the browser, then redirects back to the IIS application's default home URL:

https://example.com/default/home

There is a SiteMinder agent on the IIS host, and error 500 appears on the IIS web server.

The logout request is never made to the Access Gateway, and there is no error in the agent trace log on either side.

 <EventData>
  <Data Name="ContextId">{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx}}</Data>
  <Data Name="ModuleName">CASiteMinderWebagentModule</Data>
  <Data Name="Notification">536870912</Data>
  <Data Name="HttpStatus">500</Data>
  <Data Name="HttpReason">500 Server Error</Data>
  <Data Name="HttpSubStatus">0</Data>
  <Data Name="ErrorCode">0</Data>
  <Data Name="ConfigExceptionInfo"></Data>
 </EventData>

 <System>
  <Provider Name="WWW Server" Guid="{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx}"/>
  <EventID>0</EventID>
  <Version>1</Version>
  <Level>3</Level>
  <Opcode>18</Opcode>
  <Keywords>0x100</Keywords>
  <TimeCreated SystemTime="yyyy-mm-ddT16:50:26.865Z"/>
  <Correlation ActivityID="{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx}}"/>
  <Execution ProcessID="8328" ThreadID="10320"/>
  <Computer>..........</Computer>
 </System>
 <EventData>
  <Data Name="ContextId">{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx}}</Data>
  <Data Name="ErrorDescription">The server was unable to process your request</Data>
 </EventData>

Environment

OS: Windows Server 2016 Datacenter Version:
Access Gateway server version: 12.8.06

IIS Web agent: FileVersion: 12.52sp1cr11 build 2820
Web server: IIS

Resolution

Since the SiteMinder Access Gateway never received the logout redirect request, the root cause is not on the Access Gateway.

The goal is to ensure that the logout request from the IIS host passes through every time.

It appears that the SiteMinder IIS agent tries to intercept the request, decodes smsession, and then decides the URL is NOT protected; however, this sometimes results in error 500.

Again, the error does not appear in any SiteMinder log; it only shows up in the IIS failed request trace.

The proposed solution is on the IIS agent: add ACO ignoreurl=/example_logout_url so that the agent simply ignores the URL and lets it pass.

After the ACO change, the issue is resolved.
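
Because the error appears only in the IIS failed request trace, counting the agent-module 500 events in those trace files before and after the ACO change shows whether the fix holds. The script below is an added example, not part of the original article or of any SiteMinder tooling. It assumes each trace file has a root element carrying the request `url` attribute and `Event` elements shaped like the fragment above; the sample input is constructed, and `OtherModule` is a hypothetical module name.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

NS = "http://schemas.microsoft.com/win/2004/08/events/event"
# Constructed sample shaped like the trace fragment above; all values are placeholders.
SAMPLE_TRACE = f"""<failedRequest url="https://example.com/example_logout_url">
 <Event xmlns="{NS}">
  <System><TimeCreated SystemTime="2024-01-01T16:50:26.865Z"/></System>
  <EventData>
   <Data Name="ModuleName">CASiteMinderWebagentModule</Data>
   <Data Name="HttpStatus">500</Data>
   <Data Name="HttpReason">500 Server Error</Data>
  </EventData>
 </Event>
 <Event xmlns="{NS}">
  <System><TimeCreated SystemTime="2024-01-01T16:50:27.001Z"/></System>
  <EventData>
   <Data Name="ModuleName">OtherModule</Data>
   <Data Name="HttpStatus">500</Data>
  </EventData>
 </Event>
</failedRequest>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree adds to tag names."""
    return tag.rsplit("}", 1)[-1]

def agent_errors(xml_data, module="CASiteMinderWebagentModule", min_status=500):
    """Return one dict per trace event in which `module` set a status >= min_status."""
    root = ET.fromstring(xml_data)  # accepts str or bytes
    hits = []
    for event in (e for e in root.iter() if local(e.tag) == "Event"):
        data, when = {}, None
        for el in event.iter():
            if local(el.tag) == "Data" and el.get("Name"):
                data[el.get("Name")] = (el.text or "").strip()
            elif local(el.tag) == "TimeCreated":
                when = el.get("SystemTime")
        status = data.get("HttpStatus", "")
        if data.get("ModuleName") == module and status.isdigit() and int(status) >= min_status:
            hits.append({"url": root.get("url"), "time": when, "status": int(status),
                         "reason": data.get("HttpReason")})
    return hits

def scan_dir(folder):
    """Run agent_errors over every fr*.xml file in one failed-request log folder."""
    return [hit for p in sorted(Path(folder).glob("fr*.xml")) for hit in agent_errors(p.read_bytes())]

if __name__ == "__main__":
    print(agent_errors(SAMPLE_TRACE))
```

Point `scan_dir` at the site's failed request log folder; a hit count that drops to zero for the logout URL after the ACO change confirms the agent no longer intercepts it.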