
Cert+Basic authentication scheme failing under SPS 6.0


Article ID: 51607


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Description:

Problem Definition

The customer upgraded their Secure Proxy Server from SPS 5.5 to SPS 6.0, and applications protected by the SPS 6.0 Certificate + Basic authentication scheme were receiving login errors.

Environment

OS: Win 2003
SMPS: 6 SP5 CR12
SPS: 6 SP3 CR01

User Directory: Active Directory

Log Analysis

Here's a request flow:

[15:14:03][** Received request from agent][demo.smlab.com][][][][][][][][][4888][11/17/2008][][][][][][][][][][][Login][][][][][][CSm_Auth_Message::ProcessAgentMessage][]
[15:14:03][Authenticating user.][demo][/protected][testuser][][Advance Transactions][][][][][4888][11/17/2008][][][][testuser][5][0][Basic and Certificate][][][][][][][][4f3fb9d0-eb6f955a-47fbe96b-a223ab38-ee06a586-a4][][CSm_Auth_Message::AuthenticateUser][]
[15:14:03][Auth Scheme used: Cert+Basic][][][][][][][][][][4888][11/17/2008][][][][][][][Cert+Basic][][][][][][][][][][getSpecificScheme][]
[15:14:03][LDAP search of (uid=testuser) took 0 seconds and 0 microseconds][][][][][][][][][][4888][11/17/2008][][][][][][][][][][][][][][][][][CSmDsLdapConn::SearchExts][]
[15:14:03][Authenticating user by the auth scheme][][][testuser][][][][][Customers][][4888][11/17/2008][][][][uid=testuser,ou=users,o=smlab.com][][][Basic and Certificate][LDAP://10.8.204.222:389/uid=testuser,ou=users,o=smlab.com][][][][][][][][][CSmAuthUser::Authenticate][]
[15:14:03][Verifying user's basic credentials][][][uid=testuser,ou=users,o=smlab.com][][][][][][][4888][11/17/2008][][][][][][][][][][][][][][][][][SmAuthenticate]]
[15:14:03][Parsed certificate for SubjectDN][][][][][][][][][][4888][11/17/2008][21 21 DD 2B F5 97 B2 A6 2D 30 2E 6C E0 76 E8 73][O=smlab.com,OU=users,CN=testuser][C=US,O=smlab,OU=users][][][][][][][][][][][][][][parseCert][]
[15:14:03][Print currentCert.certBinLen:872][][][][][][][][][][4888][11/17/2008][][][][][][][][][][][][][][][][][SmAuthenticate][]
[15:14:03][Print currentCert's subjectDN, issuerDN, CertSerial and CertDistPt][][][][][][][][][][4888][11/17/2008][21 21 DD 2B F5 97 B2 A6 2D 30 2E 6C E0 76 E8 73][O=smlab.com,OU=users,CN=testuser][C=US,O=smlab,OU=users][][][][][][][][][][][][][][SmAuthenticate][]
[15:14:03][Comparing to IssuerDN.][][][][][][][][][][4888][11/17/2008][][][C=US,O=smlab,OU=users][][][][][][][][][][][][][][GetCertMapObject][]
[15:14:03][Comparing to Reversed IssuerDN.][][][][][][][][][][4888][11/17/2008][][][OU=users,O=smlab,C=US][][][][][][][][][][][][][][GetCertMapObject][]
[15:14:03][Unable to find issuer DN in certificate mapping rules][][][][][][][][][][4888][11/17/2008][][][][][][][][][][][][][][NO_CERTMAP_OBJECT][][][SmAuthenticate][]
[15:14:03][Authentication failed][][][uid=testuser,ou=users,o=smlab.com][][][][][][][4888][11/17/2008][][uid=testuser,ou=users,o=smlab.com][][][][][][][][][][][][][][][SmAuthenticate][]
[15:14:03][Auth Scheme used:Cert+Basic][][][][][][][][][][4888][11/17/2008][][][][][][][Cert+Basic][][][][][][][][][][getSpecificScheme][]
[15:14:03][Leave function getSpecificScheme][][][][][][][][][][4888][11/17/2008][][][][][][][][][][][][][][][][2][getSpecificScheme][]
[15:14:03][Authenticating user...][][][testuser][][][][][][][4888][11/17/2008][][][][][][][][][][][][][][][][][SmAuthenticate][]
[15:14:03][Will be authenticating user.][][][testuser][][][][][][][4888][11/17/2008][][][][][][][][][][][][][][][][Sm_AuthApi_Success][SmAuthenticate][]
[15:14:03][Accumulating OnAuthReject policy responses...][demo][/protected][testuser][][Advance Transactions][][][Active Directory Domain][][4888][11/17/2008][][][][testuser][3][0][Basic and Certificate][][][][][][][][4f3fb9d0-eb6f955a-47fbe96b-a223ab38-ee06a586-a4][][CSm_Auth_Message::AuthenticateUser][]
[15:14:03][** Status: Not Authenticated. ][demo][][testuser][][Advance Transactions][][][Active Directory Domain][][4888][11/17/2008][][][][testuser][][][Basic and Certificate][][][][][][][][][][CSm_Auth_Message::SendReply][]
[15:14:03][Leave function CSm_Auth_Message::SendReply][][][][][][][][][][4888][11/17/2008][][][][][][][][][][][][][][][][][CSm_Auth_Message::SendReply][]

Solution:

The user testuser was getting authentication rejections because the Policy Server reported "Unable to find issuer DN in certificate mapping rules". The certificate mapping for this user directory was verified through the SiteMinder admin console -> Advanced -> Certificate Mapping tab.

Under SPS 5.5 the Issuer DN had spaces, e.g.

C=US, O=smlab, OU=users  

However, to make the Cert+Basic authentication scheme work under SPS 6.0 the certificate mapping needed to be changed to

C=US,O=smlab,OU=users  

i.e. the spaces after the commas in the certificate mapping DN were removed.
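
The check below is an added example, not part of the original article or of any CA tooling: it reads trace lines in the bracketed format shown under Log Analysis, collects the issuer DNs the Policy Server compared before logging NO_CERTMAP_OBJECT, and reports whether a configured mapping differs from them only by whitespace around the commas. The function names and the shortened sample trace are constructed for illustration; the script works offline on text you paste in and does not query the Policy Server.

```python
import re

# Constructed sample: shortened versions of the trace lines shown in the article.
SAMPLE_TRACE = """\
[15:14:03][Comparing to IssuerDN.][][][4888][11/17/2008][][C=US,O=smlab,OU=users][][GetCertMapObject][]
[15:14:03][Comparing to Reversed IssuerDN.][][][4888][11/17/2008][][OU=users,O=smlab,C=US][][GetCertMapObject][]
[15:14:03][Unable to find issuer DN in certificate mapping rules][][][4888][11/17/2008][][NO_CERTMAP_OBJECT][][SmAuthenticate][]
"""

FIELD = re.compile(r"\[([^\[\]]*)\]")  # one bracketed trace field


def issuer_dns_compared(trace):
    """Issuer DNs the Policy Server tried, if the trace ends in NO_CERTMAP_OBJECT."""
    tried, failed = [], False
    for line in trace.splitlines():
        fields = FIELD.findall(line)
        if len(fields) < 2:
            continue
        message = fields[1]
        if message.startswith("Comparing to") and "IssuerDN" in message:
            # The DN is the only field on these lines that looks like attr=value,...
            tried += [f for f in fields[2:] if "=" in f and "," in f]
        elif "NO_CERTMAP_OBJECT" in fields:
            failed = True
    return tried if failed else []


def normalize_dn(dn):
    """Drop whitespace around RDN separators; split on unescaped commas only."""
    return ",".join(rdn.strip() for rdn in re.split(r"(?<!\\),", dn))


def diagnose(trace, configured_mappings):
    """Classify each configured mapping DN against the DNs seen in the trace."""
    tried = issuer_dns_compared(trace)
    tried_normalized = {normalize_dn(t) for t in tried}
    findings = []
    for mapping in configured_mappings:
        if mapping in tried:
            verdict = "exact match"
        elif normalize_dn(mapping) in tried_normalized:
            verdict = "whitespace-only mismatch"
        else:
            verdict = "no match"
        findings.append((mapping, verdict))
    return findings


if __name__ == "__main__":
    for mapping, verdict in diagnose(SAMPLE_TRACE, ["C=US, O=smlab, OU=users"]):
        print(f"{mapping!r}: {verdict}")
```

A "whitespace-only mismatch" verdict corresponds to the situation in this article, where the mapping had to be re-entered without spaces after the commas.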

Environment

Component: SMSPS