search cancel

Intermittently redirect to login page on non-persistent Realm

book

Article ID: 53953

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On SITEMINDER

Issue/Introduction

 

When running a Policy Server, a bunch of the following errors can be seen in the smps.log:

   CSmSessionServer::GetSession() - Provider::GetSession() failed. Error code : 2

Intermittent behavior can be also seen where users who already have a SiteMinder session (but not a persistent session) hit a realm that is protected by persistent sessions and are redirected to the login page.

Multiple Policy Servers handle the traffic, and they all show this error in the logs.

 

Environment

 

Policy Server and ODBC Session Stores

 

 

Resolution

 

When a user hits a persistent realm a session is created in the Session Store.

To create a persistent session in the Policy Server 2 operations must be done in the Database:

  • Insert the session in the Session Store Database.
  • Validate the session in the Session Store Database using a select statement.

This is an atomic operation, in other words first insert the session and then validate it, but it can take place in 2 different Policy Servers since a load balancing is in use therefore the first operation can take place in one Database, and the second operation in the other Database.

The issue is that a rapid insert takes place in one Database and the immediate query is done from the other Database. As result, the session is not found in the Session Store and the user is not validated resulting in a redirect for credentials.

This issue is particular to High Availability Solutions like Oracle RAC or MS SQL Server Replication, but in any case, your Database Administrator must ensure that all the databases in the Session Store will have the same information.