Description:
We have a web based application the allows the user to open word documents when the user clicks on the open button another login box pops up even though the user has already authenticated. We added the "OPTIONS" action to the rule protecting these resources and still have the same issue. We are running Apache 2 with SiteMinder Web Agent 6QMR5 CR9. The log shows:
[01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63] [ProcessRequest][Start new request.] [01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63] [CSmHttpPlugin::ProcessResource][Resolved HTTP_HOST: 'application.customer.com'.] [01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63] [CSmHttpPlugin::ProcessResource][Resolved hostname: 'application.customer.com'.] [01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63] [CSmHttpPlugin::ProcessResource][Resolved agent name: 'cmdevi625_was61'.] [01/07/2009][11:18:36][716996][12851][][CSmHttpPlugin::ResolveClientIp] [Resolved Client IP address '10.103.23.85'.] [01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63] [CSmHttpPlugin::ProcessResource][Resolved URL: '/Application/'.] [01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63] [CSmHttpPlugin::ProcessResource][Resolved METHOD: 'OPTIONS'.] [01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63] [CSmHttpPlugin::ProcessResource][Resolved cookie domain: '.lmig.com'.] [01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63] [CSmHttpPlugin::ProcessidentityCookie][Decoded SMIDENTITY Cookie - User = '[redacted]'] [01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63] [CSmHttpPlugin::EstablishSession][Processed SMIDENTITY cookie.] [01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63] [IsResourceProtected][Resource is protected from Policy Server.] [01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63] [CSmHttpPlugin::ProcessResponses][Processing Is Protected responses.] [01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63] [ProcessCredentials][Plugin interface SmNoAction.] [01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63] [ProcessRequest][CredentialManager returned SmNo or SmNoAction, calling ChallengeManager.] [01/07/2009][11:18:36][716996][12851][0a31404a-af0c4-4964d5dc-3233-c8350a63] [ProcessRequest][Challenge Manager returned SmExit, end new request.]
Solution:
The solution to this problem requires setting PersistentCookies="YES" as well as authorizing the user for the OPTIONS method.
Here's the details of the problem and why PersistentCookies solves it:
When you activate editing an Office document in-place, the following sequence occurs:
PersistentCookies solves this, because Office uses the same underlying code as IE for creating HTTP connections. If the document is requested from IE, and a persistent cookie is used, then the cookie is stored on disk, and is accessible both by IE and the embedded IE used by Office. In step 4, instead of no cookie being sent, the session cookie is sent, and the resource is authorized.