When authenticating non-defined users with IWA the browser is not responding

Document ID:  TEC1445774
Last Modified Date:  07/17/2017

Products

  • CA Single Sign-On

Releases

  • CA Single Sign-On:Release:12.52 SP1
  • CA Single Sign-On:Release:12.52
  • CA Single Sign-On:Release:12.51

Components

  • SITEMINDER -WEB AGENT FOR IIS:SMIIS

Issue:

When users who are not defined in our User Directory access protected resources, the browser becomes non-responsive and keeps showing a white screen. We use IWA authentication, and we see many AuthAttempt entries in smaccess.log when this happens.

Environment:

Web Agent on IIS

Cause:

With IWA, authentication is performed by the IIS server; the Web Agent and the Policy Server "trust" the IIS authentication. After authentication, the Web Agent and the Policy Server still need to authorize the user for the requested resource, so the Policy Server needs to find the user in the User Store. If the Policy Server does not find the user in the User Store, it cannot authorize the user, and "Authentication Attempt" failed errors appear in smaccess.log. The Policy Server then asks the Web Agent to authenticate the user again. Because authentication is done by the IIS server, the transaction enters a loop: the Web Agent trusts the successful authentication from the IIS server and again asks the Policy Server to authorize the user.

Depending on the browser, this loop repeats a number of times, after which the browser stops processing.
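
To confirm from the Policy Server side that a client is caught in this loop, the following added example (not CA's code) flags bursts of AuthAttempt entries for the same client, user and resource. The log line layout, the sample lines, the threshold and the window are assumptions constructed for illustration; adjust the regular expression to your actual smaccess.log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed, simplified smaccess.log layout (adapt the regex to your real logs):
#   <event> <policy-server> [<timestamp>] "<client-ip> <user>" "<agent> <method> <resource>"
LINE_RE = re.compile(
    r'^(?P<event>\w+) \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<client>\S+) (?P<user>[^"]*)" "(?P<agent>\S+) \S+ (?P<resource>[^"]*)"'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one normal login, one isolated failure, and one client
# that repeats AuthAttempt every second (the loop described above).
SAMPLE_LOG = [
    'AuthAccept ps01 [17/Jul/2017:10:00:00 +0000] "10.0.0.5 CORP\\alice" "iis-agent GET /app/index.html"',
    'AuthAttempt ps01 [17/Jul/2017:10:00:01 +0000] "10.0.0.7 CORP\\bob" "iis-agent GET /app/index.html"',
] + [
    f'AuthAttempt ps01 [17/Jul/2017:10:00:{s:02d} +0000] "10.0.0.9 CORP\\ghost" "iis-agent GET /app/index.html"'
    for s in range(10, 18)
]

def find_auth_loops(lines, threshold=5, window=timedelta(seconds=10)):
    """Return {(client, user, resource): peak_count} for every key whose
    AuthAttempt count inside a sliding time window reaches the threshold.
    Lines are expected in chronological order, as written to the log."""
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["event"] != "AuthAttempt":
            continue              # skip unparsable lines and other event types
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        key = (m["client"], m["user"], m["resource"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

if __name__ == "__main__":
    for (client, user, resource), count in find_auth_loops(SAMPLE_LOG).items():
        print(f"possible IWA loop: {client} {user} {resource} ({count} attempts in window)")
```

A key that still appears here after the redirect response is in place indicates the OnAuthReject rule is not firing for that resource.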

Resolution:

To avoid this loop, redirect the user to a "not authenticated" page by using redirect responses.

For example, create a redirect response so that, when the user is not authenticated, the Web Agent redirects to http://server.com/notauthenticated.html. This page shows that the particular user is not authenticated to access the page.

Create new rules with OnAuthReject and create a WebAgent-OnReject-Redirect response. A user who is not authenticated is then redirected to the desired page, avoiding the loop.
