When running a Web Agent with EnforceRealmTimeouts enabled, the user still gets logged out after 3600 seconds, even though sm_timetoexpire is changed to 14400 by the EnforceRealmTimeouts implementation.
Policy Server 12.8SP3 on Windows;
Web Agent 12.52SP1CR11 on IIS10 on Windows;
Policy Store on Active Directory;
Session Store on ODBC;
The realm on which the user logs in sets the max timeout to 2 hrs and the idle timeout to 1 hr.
The second realm, where the timeout enforcement is set, has a max timeout of 4 hrs and an idle timeout of 15 mins.
As both realms are persistent, the session data gets written into the Session Store on access to the first application, where the login occurs and where the idle timeout is set to 1 hr:
/myApp/mydir/
That idle timeout is written in the session data, and the session data is written into the Session Store.
From then on, every 15 mins the Web Agent of the second application validates the session with the Policy Server, because both realms have "validate session" set to 15 mins: the Web Agent asks the Policy Server to validate the session against the Session Store every 15 mins.
Once the Policy Server sees, at one of these validations, that the idle time recorded in the session data has reached 1 hr and the browser has not visited the first application in the meantime, it declares the idle timeout reached and the browser is redirected to the login page.
If both realms are set to non-persistent, this behavior does not occur, because the Session Store data is not used.
To illustrate:
The browser first logs in to the /myApp/mydir realm:
fiddler.saz:
Line 43:
GET https://_login.example.com/myApp/mydir/headers.jsp
HTTP/1.1 302 Found
Date: Wed, 23 Feb 2022 10:29:32 GMT
Server: Apache
Location: https://_host_login2.example.com/myAuthenticate/myloginpage?TYPE=33554433&REALMOID=06-a441122ss52-6s22-4d08-94da-8e35ebc86b47&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-ksllwls55d552asviGpin4MRCUOrl%2bi%2baulFcEvY6%2b8KjscnC1JtFtfJRWZnl3uHD3&TARGET=-SM-https%3A%2F%2F_login.example.com%2FmyApp%2Fmydir%2Fheaders.jsp
Line 83:
GET https://_host_login2.example.com/myAuthenticate/mysecondloginpage?TYPE=33554433&REALMOID=06-a441122ss52-6s22-4d08-94da-8e35ebc86b47&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-ksllwls55d552asviGpin4MRCUOrl%2bi%2baulFcEvY6%2b8KjscnC1JtFtfJRWZnl3uHD3&TARGET=-SM-https%3A%2F%2F_login.example.com%2FmyApp%2Fmydir%2Fheaders.jsp HTTP/1.1
HTTP/1.1 302 Found
Date: Wed, 23 Feb 2022 10:29:46 GMT
Server: myServer
Location: https://_login.example.com/myApp/mydir/headers.jsp
Line 84:
GET https://_login.example.com/myApp/mydir/headers.jsp
HTTP/1.1 200
Date: Wed, 23 Feb 2022 10:29:46 GMT
Server: apache
The browser accesses the second application each minute for an hour:
Line 88:
GET https://_host_app.example.com/myheaders.aspx
HTTP/1.1 200 OK
Server: Microsoft-IIS/10.0
set-cookie: SMSESSION=cc4IOHdJYxXsF/ [...] Tbioh3kS2AAHjhUMkOtyPWzuJJk86ZrlD1hly6VYbLnCPIiAkD; path=/; domain=example.com; secure; HTTPOnly
Date: Wed, 23 Feb 2022 10:29:55 GMT
[...]
Line 104:
GET https://_host_app.example.com/myheaders.aspx
HTTP/1.1 200 OK
Server: Microsoft-IIS/10.0
set-cookie: SMSESSION=xUYwbHYbfT/Rsy9A2Y4J0xEiP2bvBbCT8Yj [...] FidsSLx3JWwXFZ4B4IwvmGpnxIlqZLf/JtFT59kn9oSIiBW; path=/; domain=example.com; secure; HTTPOnly
Date: Wed, 23 Feb 2022 10:30:55 GMT
[...]
One hour after the login, the browser gets redirected to the login page because the idle timeout has been reached:
Line 1609:
GET https://_host_app.example.com/myheaders.aspx
SMSESSION=yEG6JkURuu2UVcyGnFHB9Zi0Jnc
HTTP/1.1 302 HTTP/1.1 302 Object Moved
Location: https://_login.example.com/siteminderagent/forms/login.fcc?TYPE=167772161&REALMOID=06-55122s522-3bee-4755-a529-483860a41777&GUID=0&SMAUTHREASON=4&METHOD=GET&SMAGENTNAME=-SM-iHNtaVZwkY%2fHMrR1gfNjo%2ffx2lG%2fRIBn7%2fXtHqt3GBpvnXRwfpbv2TmXni8JQLJ%2bo3sHUa1Vwm%2bfbXkhF8R2LLy7t3TJcfoP&TARGET=-SM-https%3A%2F%2F_host_app.example.com%2Fmyheaders.aspx
Server: Microsoft-IIS/10.0
Date: Wed, 23 Feb 2022 11:29:56 GMT
Line 1611:
GET https://_login.example.com/siteminderagent/forms/login.fcc?TYPE=167772161&REALMOID=06-55122s522-3bee-4755-a529-483860a41777&GUID=0&SMAUTHREASON=4&METHOD=GET&SMAGENTNAME=-SM-iHNtaVZwkY%2fHMrR1gfNjo%2ffx2lG%2fRIBn7%2fXtHqt3GBpvnXRwfpbv2TmXni8JQLJ%2bo3sHUa1Vwm%2bfbXkhF8R2LLy7t3TJcfoP&TARGET=-SM-https%3A%2F%2F_host_app.example.com%2Fmyheaders.aspx
Cookie: SMSESSION=yEG6JkURuu2UVcyGnFHB9Zi0Jnc
HTTP/1.1 200
Date: Wed, 23 Feb 2022 11:29:56 GMT
Server: apache
Set-Cookie: SMSESSION=CmQlUlkTZE4mjkpJvZNhXpmur6BQ14z2
Login
Username :
Password :
webagent.log:
[5520/6968][Wed Feb 23 2022 10:50:13] agentname='_myAgent1.example.com,_myAgent1.example.com'.
[5520/6968][Wed Feb 23 2022 10:50:13] agentname='_myagent2.example.com,_myagent2.example.com'.
[5520/6968][Wed Feb 23 2022 10:50:13] enforcerealmtimeouts='yes'.
The Policy Server finds the idle timeout in the session data read from the Session Store:
smtracedefault.log:
[02/23/2022][12:29:56][8420][13260][CSmHttpPlugin.cpp:489][CSmHttpPlugin::ProcessResource][00000000000000000000000044cd1dac-20e4-62161ab4-33cc-01a30029][][][][][][Resolved hostname: '_host_app.example.com'.]
[02/23/2022][12:29:56][8420][13260][CSmHttpPlugin.cpp:850][CSmHttpPlugin::ProcessResource][00000000000000000000000044cd1dac-20e4-62161ab4-33cc-01a30029][*10.0.0.1][][_myAgent1.example.com][/myheaders.aspx][][Resolved METHOD: 'GET'.]
[02/23/2022][12:29:56][8420][13260][CSmLowLevelAgent.cpp:1044][AuthenticateUser][00000000000000000000000044cd1dac-20e4-62161ab4-33cc-01a30029][*10.0.0.1][][_myAgent1.example.com][/myheaders.aspx][][Validating session '7b08626b-92a0-42b2-8647-a3c755c5be64' for user 'cn=myuser,dc=example,dc=com' in zone 'SM'.]
[02/23/2022][12:29:56][8420][13260][CSmLowLevelAgent.cpp:1123][AuthenticateUser][00000000000000000000000044cd1dac-20e4-62161ab4-33cc-01a30029][*10.0.0.1][][_myAgent1.example.com][/myheaders.aspx][][Failed to validate session '' for user 'cn=myuser,dc=example,dc=com' in zone 'SM'.]
[02/23/2022][12:29:56][8420][13260][CSmLowLevelAgent.cpp:1380][AuthenticateUser][00000000000000000000000044cd1dac-20e4-62161ab4-33cc-01a30029][*10.0.0.1][][_myAgent1.example.com][/myheaders.aspx][][User 'cn=myuser,dc=example,dc=com' is not authenticated by Policy Server.]
[02/23/2022][12:29:56][8420][13260][CSmHttpCredCore.cpp:2013][CSmHttpCredCore::DoFormsChallenge][00000000000000000000000044cd1dac-20e4-62161ab4-33cc-01a30029][*10.0.0.1][][_myAgent1.example.com][/myheaders.aspx][][Redirecting to credential collector 'https://_login.example.com/siteminderagent/forms/login.fcc?TYPE=167772161&REALMOID=06-55122s522-3bee-4755-a529-483860a41777&GUID=0&SMAUTHREASON=4&METHOD=GET&SMAGENTNAME=-SM-iHNtaVZwkY%2fHMrR1gfNjo%2ffx2lG%2fRIBn7%2fXtHqt3GBpvnXRwfpbv2TmXni8JQLJ%2bo3sHUa1Vwm%2bfbXkhF8R2LLy7t3TJcfoP&TARGET=-SM-https%3A%2F%2F_host_app.example.com%2Fmyheaders.aspx'.]
smtracedefault.log:
[02/23/2022][12:29:56.433][12:29:56][3616][4840][SmMessage.cpp:557][CSmMessage::ParseAgentMessage][s5196/r18][][][][][][][][][][][][][][][][][][][00000000000000000000000044cd1dac-20e4-62161ab4-33cc-01a30029][Receive request attribute 221, data size is 60][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[02/23/2022][12:29:56.433][12:29:56][3616][4840][SmSessionServer.cpp:571][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Server-06007] failed. Error code : 2][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[02/23/2022][12:29:56.433][12:29:56][3616][4840][SmAuthSession.cpp:379][SmAuthSession][][][][][][][][][][][][][][][][][][][][][Idle timeout exceeded][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[02/23/2022][12:29:56.433][12:29:56][3616][4840][Sm_Auth_Message.cpp:4902][CSm_Auth_Message::SendReply][s5196/r18][_myAgent1.example.com][][][][/][_myAgent1.example.com][][][][][][][][][][][][][][** Status: Not Validated. Session has expired][][][][][][Session has expired][][myRealm][][][][][][][][][06-55122s522-3bee-4755-a529-483860a41777][][][][][][][][][][][][][][][][][][][][][]
pstore.xml (from command "XPSExport pstore.xml -xb -npass")
First application /myApp/mydir/:
<Object Class="CA.SM::Realm"
Xid="CA.SM::Realm@06-a441122ss52-6s22-4d08-94da-8e35ebc86b47">
<Property Name="CA.SM::Realm.Name">
<StringValue>/myApp/mydir/</StringValue>
</Property>
<Property Name="CA.SM::Realm.ResourceFilter">
<StringValue>/myApp/mydir/</StringValue>
</Property>
<Property Name="CA.SM::Realm.MaxTimeout">
<NumberValue>7200</NumberValue> (2 hrs)
</Property>
<Property Name="CA.SM::Realm.IdleTimeout">
<NumberValue>3600</NumberValue> (1 hr)
</Property>
<Property Name="CA.SM::Realm.SyncAudit">
<BooleanValue>false</BooleanValue>
</Property>
<Property Name="CA.SM::Realm.SessionType">
<NumberValue>1</NumberValue>
</Property>
<Property Name="CA.SM::Realm.SessionDrift">
<NumberValue>900</NumberValue>
</Property>
Second application /:
<Object Class="CA.SM::Realm"
Xid="CA.SM::Realm@06-55122s522-3bee-4755-a529-483860a41777">
<Property Name="CA.SM::Realm.Name">
<StringValue>/</StringValue>
</Property>
<Property Name="CA.SM::Realm.ResourceFilter">
<StringValue>/</StringValue>
</Property>
<Property Name="CA.SM::Realm.MaxTimeout">
<NumberValue>14400</NumberValue> (4 hrs)
</Property>
<Property Name="CA.SM::Realm.IdleTimeout">
<NumberValue>900</NumberValue> (15 mins)
</Property>
<Property Name="CA.SM::Realm.SessionType">
<NumberValue>1</NumberValue>
</Property>
<Property Name="CA.SM::Realm.SessionDrift">
<NumberValue>900</NumberValue>
</Property>
SessionType values:
1 = Persistent (the value set on both realms above)
0 = Non-persistent
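The following script is an added example and not part of this article or of the Broadcom product. It reads the CA.SM::Realm objects in the XPSExport format shown above and flags pairs of persistent realms (SessionType = 1) whose IdleTimeout values differ, which is the condition behind the behaviour described earlier: the idle timeout stored in the Session Store at login is the one the Policy Server enforces on every validation, whatever realm the browser is active in. SAMPLE_XML is constructed from the two fragments above; the enclosing <XPSExport> element is an assumption (the parser does not depend on it), and the function names are this example's own.

```python
"""Audit CA.SM::Realm timeouts in an XPSExport file (pstore.xml).

Added example, not Broadcom code. Flags persistent realms with differing
IdleTimeout values, since with a Session Store the idle timeout written
at login is the one enforced on every 'validate session' check.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

PREFIX = "CA.SM::Realm."

# Constructed from the two realm fragments in the article; the <XPSExport>
# wrapper element is an assumption and only serves to make the sample one document.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<XPSExport>
  <Object Class="CA.SM::Realm" Xid="CA.SM::Realm@06-a441122ss52-6s22-4d08-94da-8e35ebc86b47">
    <Property Name="CA.SM::Realm.Name"><StringValue>/myApp/mydir/</StringValue></Property>
    <Property Name="CA.SM::Realm.ResourceFilter"><StringValue>/myApp/mydir/</StringValue></Property>
    <Property Name="CA.SM::Realm.MaxTimeout"><NumberValue>7200</NumberValue></Property>
    <Property Name="CA.SM::Realm.IdleTimeout"><NumberValue>3600</NumberValue></Property>
    <Property Name="CA.SM::Realm.SessionType"><NumberValue>1</NumberValue></Property>
    <Property Name="CA.SM::Realm.SessionDrift"><NumberValue>900</NumberValue></Property>
  </Object>
  <Object Class="CA.SM::Realm" Xid="CA.SM::Realm@06-55122s522-3bee-4755-a529-483860a41777">
    <Property Name="CA.SM::Realm.Name"><StringValue>/</StringValue></Property>
    <Property Name="CA.SM::Realm.ResourceFilter"><StringValue>/</StringValue></Property>
    <Property Name="CA.SM::Realm.MaxTimeout"><NumberValue>14400</NumberValue></Property>
    <Property Name="CA.SM::Realm.IdleTimeout"><NumberValue>900</NumberValue></Property>
    <Property Name="CA.SM::Realm.SessionType"><NumberValue>1</NumberValue></Property>
    <Property Name="CA.SM::Realm.SessionDrift"><NumberValue>900</NumberValue></Property>
  </Object>
</XPSExport>
"""


def parse_realms(xml_text: str) -> List[Dict[str, object]]:
    """Return one dict per CA.SM::Realm object: its Xid plus every
    CA.SM::Realm.* property (NumberValue as int, StringValue as str)."""
    root = ET.fromstring(xml_text)
    realms: List[Dict[str, object]] = []
    for obj in root.iter("Object"):
        if obj.get("Class") != "CA.SM::Realm":
            continue
        realm: Dict[str, object] = {"xid": obj.get("Xid", "")}
        for prop in obj.findall("Property"):
            key = prop.get("Name", "")
            if not key.startswith(PREFIX):
                continue
            key = key[len(PREFIX):]          # e.g. "IdleTimeout"
            num = prop.find("NumberValue")
            text = prop.find("StringValue")
            if num is not None and num.text is not None:
                realm[key] = int(num.text.strip())
            elif text is not None:
                realm[key] = text.text or ""
        realms.append(realm)
    return realms


def persistent_realms(realms: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """SessionType 1 = persistent, 0 = non-persistent (see the legend above)."""
    return [r for r in realms if r.get("SessionType") == 1]


def audit_idle_timeouts(realms: List[Dict[str, object]]) -> List[Tuple[str, int, str, int]]:
    """For each ordered pair of persistent realms with different IdleTimeout
    values return (login_realm, stored_idle, other_realm, other_idle): a session
    created in login_realm carries stored_idle into the Session Store, so the
    Policy Server expires it after stored_idle seconds without a visit to
    login_realm, even while the user keeps using other_realm."""
    findings: List[Tuple[str, int, str, int]] = []
    pers = persistent_realms(realms)
    for login in pers:
        for other in pers:
            if login is other:
                continue
            li, oi = login.get("IdleTimeout"), other.get("IdleTimeout")
            if not isinstance(li, int) or not isinstance(oi, int) or li == oi:
                continue
            findings.append((str(login.get("Name", login["xid"])), li,
                             str(other.get("Name", other["xid"])), oi))
    return findings


if __name__ == "__main__":
    for login_name, li, other_name, oi in audit_idle_timeouts(parse_realms(SAMPLE_XML)):
        print(f"login in {login_name!r} stores idle timeout {li}s; "
              f"activity only in {other_name!r} (idle {oi}s) is expired after {li}s")
```

Run against a real export (`XPSExport pstore.xml -xb -npass`, then `parse_realms(open("pstore.xml").read())`) the script lists every persistent-realm pair whose idle timeouts disagree; after applying the resolution below (both realms non-persistent) it reports nothing, because only persistent realms write session data to the Session Store.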
Set both realms to non-persistent to solve this issue.