Error: 500 error with AD User Store

book

Article ID: 49043

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

Description:

When user hits the URL having Active Directory as user store user gets 500 error in the browser, this happens when customer is using HTML based Auth Scheme or using Basic Authentication Scheme. Customer gets the below error in Event Viewer as

Log Name: Application
Source: SiteMinder Agent
Date: 4/4/2012 10:18:29 AM
Event ID: 26
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: hostname.domain.com
Description: LogonUser failed for specified user shown below.
user1

In this error smps.log will not show any error and Webagent Trace logs/Policy server Trace logs shows that the user is successfully Authenticated/Authorized

Solution:

When check the User Directory Configuration found "Use authenticated user's security context" was checked. Unchecking the Use authenticated user's security context the user was able to login to application with any issues.

Reason why user gets 500 error:

Workgroups do not support security context.

An User Directory is configured for AD and feature "Run in Authenticated User's Security Context" is selected. When the user accesses the protected resource on domain control server with valid credentials, a SSO session is generated. Now, in the same session the user tries to access resources on the workstation that is not part of the domain, the resource is denied

access because the user is not found on the workstation machine.

For Issue Resolution:

Set ACO "ForceIISproxyuser" to yes along with DefaultUsername and DefaultPassword, for the IIS web server that is in workgroup.

ForceIISproxyuser specifies whether the Web Agent uses an IIS proxy account to grant access to requested resources on IIS web servers to users who normally lack sufficient privileges to access the IIS web server.

Alternatively, either uncheck "Run in Authenticated User's Security Context" or configure the workstation machine so that it is part of the domain of the domain control server

Environment

Release:
Component: SMPLC