Credential Manager Explained

Document ID : KB000050757
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

This Document Describes in detail about the Credential Manager component of Web agent , Various Errors that can be thrown by Credential Manager and Explanation of Those Error Messages.

For E.g.- Following Error messages are written by Credential Manager in Web agent Logs.

Agent Log Messages
====================

[CSmCredentialManager.cpp:235][ERROR] HLA: Analyzer from module 'SM_WAF_HTTP_PLUGIN' returned unknown response code '-1' for component 'Credential Manager'.
[CSmHighLevelAgent.cpp:873][ERROR] HLA: Component reported fatal error: 'Credential Manager'.

Trace Log Messages
=====================

[ProcessAdvancedAuthCredentials][Plugin interface returned SmFailure.]
[ProcessAdvancedAuthentication][CredentialManager returned SmFailure, end new request.]

Solution:

Here is the description of Credential Manager

  1. Credential Manage

    The Credential Manager is a High Level Agent component responsible for gathering valid user credentials present in a request, including single sign-on tokens, and user identity tokens. If a resource is not protected, the Credential Manager is never called. Otherwise, the Credential Manager is called on prior to calling the Authentication Manager. If valid credentials are not found, the High Level Agent then calls the Challenge Manager to request valid credentials from the requestor. The Credential Manager executes a GatherAdvancedAuthCredentials( ) method that, iterates through the list of registered credential analyzers such as HTTPPlugin('SM_WAF_HTTP_PLUGIN). As soon as an analyzer returns a stop processing response, the Challenge Manager stops calling analyzers and exits with an appropriate response. Otherwise, the Credential Manager will iterate through all analyzers before returning.

    If no analyzers respond to the gather credentials request, then the Credential Manager will return an error to the High Level Agent, who will then most likely call the Challenge Manager to produce an appropriate user challenge.

  2. Various Errors thrown by Credential manager and their causes

    Error Message:
    Trace Msg: "ProcessAdvancedAuthentication","CredentialManager returned SmFailure, end new request

    Causes:
    If credential manager fails to initialize.
    OR
    If HTTP Plug-in context fails to initialize in Credential Manager.
    OR
    If Credential Manager (CM from here on) fails to get the HTTP Configuration.

    Error Message:
    Trace Msg: "SmFcc::getCredentials","Error. Failed to allocate memory for alternate credential."

    Causes:
    If CM fails to allocate memory for certificate credentials. (valid forauthentication schemes that includes certificates)

    Error Message:
    Trace Msg: "SmFcc::getCredentials","Error. Failed to allocate memory for certificate credential.

    Cause:
    If CM fails to allocate memory for alternate certificate credentials. (valid for authentication schemes that includes certificates)

    Error Message:
    Trace Msg: SmFcc::validAuthScheme","Unable to resolve URL."

    Cause:
    If CM fails to resolve the given URL, i.e., Web Agent fails to extract the URL and Query values from Siteminder custom header SMLOCATION.

    Error Message:
    Trace Msg: SmFcc::validAuthScheme","Credentials not valid for use with this authentication scheme."

    Cause:
    If CM finds a bad URL, i.e., if the URL is not starting with '/' or "http://" or https://

    Error Message:
    Trace Msg: "SmFcc::getCredentials","Error. No redirect target found in namespace."

    Cause:
    If CM finds that target page for getting the credentials is missing.

    Error Message:
    Trace Msg: "SmFcc::getCredentials","Error. Target domain invalid."

    Cause:
    If CM finds that target is NOT in any configured valid target domains.

    Error Message:
    "SmFcc::getCredentials","Failed to get either Certificate or Forms credentials.",
    "SmFcc::getCredentials","Failed to get Form credentials.",
    "SmFcc::getCredentials","Failed to get the certificate credentials."

    Cause:
    If CM fails to get credentials for an auth scheme such as Cert, form, basic, or combinations.

    Error Message:
    Trace Msg: "SmFcc::generateForm","Too many retries."

    Cause:
    If CM finds that the number of tries to login (try count) has exceeded the maximum number of tries allowed.

    Error Message:
    Trace Msg: "SmFcc::setup","Login data exceeds maximum limit."

    Cause:
    If CM finds that the Post data is exceeding its maximum size limit.

Explanation for the error being experienced by customer in agent logs

Following is the snippet from customer s trace logs depicting the errors being experienced at their end:

[SmFcc::getCredentials][Success in collecting credentials.][11/09/2010][11:28:22][9398][42][0000000000000000000000000a3c060a-24b6-4cd976a6-002a-233d42ba]
[SmFcc::doUnauthorized][Displaying error page: '/siteminderagent/forms/login.unauth'.]
[11/09/2010][11:28:22][9398][42][][CSmFormTemplateCache::GetForm][Serving form template '/siteminderagent/forms/login.unauth' from cache.]
[11/09/2010][11:28:22][9398][42][0000000000000000000000000a3c060a-24b6-4cd976a6-002a-233d42ba][ProcessAdvancedAuthCredentials][Plugin interface returned SmFailure.]
[11/09/2010][11:28:22][9398][42][0000000000000000000000000a3c060a-24b6-4cd976a6-002a-233d42ba][ProcessAdvancedAuthentication][CredentialManager returned SmFailure, end new request.]

The code analysis reveals that the above errors can be logged due to one of the following reasons:

  1. If impersonation auth scheme is being used and CM finds that the impersonator is trying to create an additional impersonator session. If there exists a saved Impersonation session, i.e., a privileged user is already logged in as impersonator, and this privileged user tries to again impersonate the same impersonatee user. The agent will not override the existing session as it does not allow multiple push sessions for impersonation auth scheme.

  2. If impersonation auth scheme is being used and when the impersonator ends the impersonation session, it is redirected to its original session which was saved in a SMSESSION cookie. If CM finds a valid SMSESSION no longer exists due to session or idle timeout.

    Note: For details on Impersonation Authentication scheme refer Policy Server Configuration guide.

  3. If CM fails to change the password due to buffer overflow. This error occurs when the length of one of the fields, OldPassword, NewPasssword, TokenValue exceeds the maximum allowed length parameter, i.e. 1024.