This week we have a post about troubleshooting a web agent that is unable to resolve its agent name. As always, we present the reported issue, what we found during troubleshooting, and how the problem was remedied.
Issue | Web Agent: Unable to resolve agent name |
Symptoms | After attempting to authenticate, users receive the following error in the browser: Internal Server Error |
Troubleshooting | We asked the client to check the web agent log for any errors. They provided the following: [10518/2244798208][Fri Jan 08 2021 18:14:32][CSmHttpPlugin.cpp:495][ERROR][sm-HTTPAgent-00050] Unable to resolve agent name for host 'www.acmecorp.com'. Exiting with HTTP 500 server error '00-0001'. We then asked the client for the values associated with the following web agent parameters: AgentName: acme-apa-inst-01, 10.0.1.10:443 and acme-apa-inst-02, 10.0.1.11:443; DisableDNSLookup: no; DefaultAgentName: undefined. The client had recently updated their Apache web servers to the latest version. During the upgrade, they added additional web server instances to the server machine. The new instances would not serve the same content as the existing web site and, as a result, required unique web agent identities. |
Condition | The AgentName parameter was configured to use the IP address of the web server (instead of the Fully Qualified Domain Name (FQDN)) and the DefaultAgentName parameter was undefined. |
Cause | The web agent could not determine the appropriate web agent identity for the protected resource. The request made to the web server used www.acmecorp.com, but the agent identity was mapped to the IP address (10.0.1.10:443). Additionally, there was no value set for the DefaultAgentName parameter. |
Remedy | We had the client change the web agent values to the following: AgentName: acme-apa-inst-01,www.acmecorp.com:443 and acme-apa-inst-02,clientaccess.acmecorp.com:443; DisableDNSLookup: Yes; DefaultAgentName: acme-apa-inst-01. The requested changes added the FQDN of the web server instances to the AgentName. Additionally, we had them set the DefaultAgentName to a valid web agent name; this would prevent an HTTP 500 error if the AgentName parameter was not properly configured in the future. We also had the client change DisableDNSLookup to 'yes'. This modification protects the web agents against DNS Denial of Service attacks. This was not required to address the original issue, but it is a best practice. After restarting the web server and attempting to log in, the issue was resolved. |
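The lookup described in the Cause and Remedy rows can be modelled in a few lines. This is an added example, not the web agent's own code: the function names, the dict layout and the exact `host:port` matching rule are assumptions made for illustration, while the parameter names and values come from the post.

```python
import ipaddress

def parse_agent_names(entries):
    """Turn 'identity,host:port' entries into a {host:port -> identity} map."""
    mapping = {}
    for entry in entries:
        identity, _, host = entry.partition(",")
        mapping[host.strip().lower()] = identity.strip()
    return mapping

def resolve_agent(config, host, port=443):
    """Return the agent identity for a request, or None (the HTTP 500 case)."""
    mapping = parse_agent_names(config.get("AgentName", []))
    # Assumption: exact host:port match, then fall back to DefaultAgentName.
    return mapping.get(f"{host.lower()}:{port}") or config.get("DefaultAgentName")

def lint(config):
    """Flag the three conditions the post's remedy corrects."""
    findings = []
    for target in parse_agent_names(config.get("AgentName", [])):
        try:
            ipaddress.ip_address(target.rsplit(":", 1)[0])
            findings.append(f"AgentName maps to IP {target}; requests by FQDN will not match")
        except ValueError:
            pass  # hostname, as in the remedy
    if not config.get("DefaultAgentName"):
        findings.append("DefaultAgentName is undefined; unmatched hosts get HTTP 500")
    if str(config.get("DisableDNSLookup", "no")).lower() != "yes":
        findings.append("DisableDNSLookup is not 'yes'")
    return findings

# Values taken from the post; the dict layout is constructed for this example.
BEFORE = {"AgentName": ["acme-apa-inst-01, 10.0.1.10:443", "acme-apa-inst-02, 10.0.1.11:443"],
          "DisableDNSLookup": "no", "DefaultAgentName": None}
AFTER = {"AgentName": ["acme-apa-inst-01,www.acmecorp.com:443",
                       "acme-apa-inst-02,clientaccess.acmecorp.com:443"],
         "DisableDNSLookup": "Yes", "DefaultAgentName": "acme-apa-inst-01"}

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, resolve_agent(cfg, "www.acmecorp.com"), lint(cfg))
```

Running `lint` over each instance's settings after an upgrade or when adding web server instances catches the IP-mapped AgentName and missing DefaultAgentName before users see the HTTP 500.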
As always, we hope that you have found this information useful. If you need IAM assistance, reach out to SIS today and we would be happy to assist you. And subscribe to our newsletter to be notified about the posting of future articles and other SIS news.