This week we have a post about policy troubleshooting. As always, we present the reported issue, what we found during troubleshooting, and how the problem was remedied.
|Issue||Valid user logins denied access|
|Symptoms||While attempting to login, users were being redirected back to the login page despite using a valid userid and valid password.|
|Troubleshooting||The customer provided a HAR (HTTP Archive) file from the Chrome Developer Tools console that recorded the transaction. The file showed the SMSESSION cookie being returned to the browser, thus confirming that authentication was working.|
We also had the customer provide a copy of the smaccess.log; it revealed that users were being authenticated (AuthAccept) for the resources, but not authorized (AzReject). Additionally, the customer mentioned that the policies had not been changed when they recently migrated from ASP.NET to ASP.NET Model View Controller (MVC).
|Condition||ASP.NET MVC is being used and the SiteMinder rules had ‘/*’ as the resource.|
|Cause||Prior to the migration, the application URIs had file extensions such as .asp and .htm, but the new URIs did not have file extensions. The rules that were created for the applications assumed that the URIs would have extensions; as a result, the new extension-less URIs did not behave in the same manner.|
Note: Rules are fired based on the resource that is being requested.
Before MVC, the URIs looked like this:
After MVC, the URI became like this:
The resource filter for the realm was set to ‘/scheduling/undergrads’. The effective resource and rule aggregate is:
The rule would allow valid requests that extended beyond ‘…/undergrads/’, but would deny requests that did not extend beyond it because there was not a match.
|Remedy||We had the customer remove ‘/’ from the rule and retest. Users were then able to access the site without any issues.|
As always, we hope that you have found this information useful. If you need IAM assistance, reach out to SIS today and we would be happy to assist you. And subscribe to our newsletter to be notified about the posting of future articles and other SIS news.