
Re-challenged when accessing Microsoft Office document like Excel (.xls), Word, etc.


Article ID: 53990


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Description:


We have a web-based application that allows the user to open Word documents. When the user clicks on the open button, another login box pops up even though the user has already authenticated. We added the "OPTIONS" action to the rule protecting these resources and still have the same issue. We are running Apache 2 with SiteMinder Web Agent 6QMR5 CR9. The log shows:

[01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63][ProcessRequest][Start new request.]
[01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63][CSmHttpPlugin::ProcessResource][Resolved HTTP_HOST: 'application.customer.com'.]
[01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63][CSmHttpPlugin::ProcessResource][Resolved hostname: 'application.customer.com'.]
[01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63][CSmHttpPlugin::ProcessResource][Resolved agent name: 'cmdevi625_was61'.]
[01/07/2009][11:18:36][716996][12851][][CSmHttpPlugin::ResolveClientIp][Resolved Client IP address '10.103.23.85'.]
[01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63][CSmHttpPlugin::ProcessResource][Resolved URL: '/Application/'.]
[01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63][CSmHttpPlugin::ProcessResource][Resolved METHOD: 'OPTIONS'.]
[01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63][CSmHttpPlugin::ProcessResource][Resolved cookie domain: '.lmig.com'.]
[01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63][CSmHttpPlugin::ProcessidentityCookie][Decoded SMIDENTITY Cookie - User = '[redacted]']
[01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63][CSmHttpPlugin::EstablishSession][Processed SMIDENTITY cookie.]
[01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63][IsResourceProtected][Resource is protected from Policy Server.]
[01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63][CSmHttpPlugin::ProcessResponses][Processing Is Protected responses.]
[01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63][ProcessCredentials][Plugin interface SmNoAction.]
[01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63][ProcessRequest][CredentialManager returned SmNo or SmNoAction, calling ChallengeManager.]
[01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63][ProcessRequest][Challenge Manager returned SmExit, end new request.]

Solution:

The solution to this problem requires setting PersistentCookies="YES" as well as authorizing the user for the OPTIONS method.

Here are the details of the problem and why PersistentCookies solves it:

When you activate editing an Office document in-place, the following sequence occurs:

  1. The document is downloaded by the browser.
  2. The browser dispatches the document to the appropriate Office application.
  3. The Office application loads the document, and then creates an HTTP connection to the server which sent the document, sending an OPTIONS request (as well as a couple of other requests afterward, but it is the first one which causes the failure).
  4. The OPTIONS request contains no SiteMinder cookie, and because the resource is protected, SiteMinder challenges.
  5. Office presents the challenge. If the resource is protected by Basic, the challenge is a pop-up. If it's protected by forms, the form is displayed, but Office can't really process the form correctly.

PersistentCookies solves this, because Office uses the same underlying code as IE for creating HTTP connections. If the document is requested from IE, and a persistent cookie is used, then the cookie is stored on disk, and is accessible both by IE and the embedded IE used by Office. In step 4, instead of no cookie being sent, the session cookie is sent, and the resource is authorized.
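To check a Web Agent trace log for this pattern, the following added example (not part of the original article and not CA tooling) groups trace entries by transaction ID and reports requests whose resolved method is OPTIONS and that were handed to the ChallengeManager, as in step 4. It assumes the entry layout shown in the excerpt above; the function name `challenged_requests` is hypothetical and the sample lines are constructed.

```python
import re
from collections import defaultdict

# One trace entry: [date][time][pid][tid][transaction id][function][message].
# \s* between fields tolerates entries wrapped across lines, as in the excerpt.
ENTRY = re.compile(
    r"\[(\d\d/\d\d/\d{4})\]\[([\d:]+)\]\[(\d+)\]\[(\d+)\]\[([^\]]*)\]\s*"
    r"\[([^\]]+)\]\s*\[(.*?)\]\s*(?=\[\d\d/\d\d/\d{4}\]|\Z)", re.S)
FIELD = re.compile(r"Resolved (HTTP_HOST|URL|METHOD|Client IP address):? '([^']*)'")

def challenged_requests(trace_text, method="OPTIONS"):
    """Return transactions using `method` that were handed to the ChallengeManager."""
    txs, last_tx = defaultdict(dict), {}
    for date, time, pid, tid, txid, _func, msg in ENTRY.findall(trace_text):
        # Some entries (ResolveClientIp in the excerpt) carry an empty
        # transaction id; attribute them to the thread's current transaction.
        txid = txid or last_tx.get((pid, tid), "")
        last_tx[(pid, tid)] = txid
        tx = txs[txid]
        tx.setdefault("id", txid)
        tx.setdefault("start", f"{date} {time}")
        field = FIELD.search(msg)
        if field:
            tx[field.group(1)] = field.group(2)
        if "calling ChallengeManager" in msg:
            tx["challenged"] = True
    return [t for t in txs.values()
            if t.get("METHOD") == method and t.get("challenged")]

# Constructed sample (not from a real system): a GET that is not challenged,
# then a line-wrapped OPTIONS request that is.
SAMPLE = """\
[01/07/2009][11:18:30][1001][2001][tx-get-1][ProcessRequest][Start new request.]
[01/07/2009][11:18:30][1001][2001][tx-get-1][CSmHttpPlugin::ProcessResource][Resolved URL: '/docs/report.doc'.]
[01/07/2009][11:18:30][1001][2001][tx-get-1][CSmHttpPlugin::ProcessResource][Resolved METHOD: 'GET'.]
[01/07/2009][11:18:36][1001][2002][tx-opt-2]
[ProcessRequest][Start new request.]
[01/07/2009][11:18:36][1001][2002][][CSmHttpPlugin::ResolveClientIp]
[Resolved Client IP address '192.0.2.10'.]
[01/07/2009][11:18:36][1001][2002][tx-opt-2]
[CSmHttpPlugin::ProcessResource][Resolved URL: '/docs/'.]
[01/07/2009][11:18:36][1001][2002][tx-opt-2]
[CSmHttpPlugin::ProcessResource][Resolved METHOD: 'OPTIONS'.]
[01/07/2009][11:18:36][1001][2002][tx-opt-2]
[ProcessRequest][CredentialManager returned SmNo or SmNoAction, calling ChallengeManager.]
"""

if __name__ == "__main__":
    for tx in challenged_requests(SAMPLE):
        print(tx["start"], tx["METHOD"], tx["URL"], tx.get("Client IP address", "?"))
```

Challenged OPTIONS requests that follow a successful document download from the same client IP match the Office sequence described above.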

Environment

Release:
Component: SMAPC