Application Your Not a Authorised User

Document ID : KB000117269
Last Modified Date : 10/10/2018
Issue:
We're running a CA Access Gateway (SPS). When a user successfully logs in to 
the SPS, the backend server application returns the error message: 

Your Not a Authorised User, Please Contact System Admin 

Users log in with the Windows Authentication Scheme. The SM_USER header
value includes the domain:

  DOMAIN\myuser

We have configured a response that produces the header HTTP_SM_USER, in
which the user name has no DOMAIN prefix.

But we cannot modify the application code to read the HTTP_SM_USER 
variable, which holds the user ID without the preceding domain name. The 
application can only read the default header SM_USER. 

How can we get the SM_USER value without the DOMAIN\ prefix?
Environment:
Policy Server 12.7SP0CR00 on Windows 2012; 
Access Gateway Server 12.7SP0CR00 on Windows 2012; 
 
Resolution:
You can:

1 - Use a CA Access Gateway (SPS) post filter. 

You can work around this out-of-the-box behavior by setting a filter 
on the CA Access Gateway (SPS) to modify the header name and its value: 

ProxyResponse Interface 

setHeader(java.lang.String name, java.lang.String value) 

Sets a header with the specified name and value. If a header with 
the same name exists it will be overwritten. 

Parameters: 
name - a String specifying the header name 
value - a String specifying the header value 

https://docops.ca.com/ca-single-sign-on/12-7/en/programming/ca-access-gateway-apis#CAAccessGatewayAPIs-ImplementaFilter 
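
The value rewrite such a filter has to perform, as an added example (not CA's code and not from the original article). `HeaderSink` is a hypothetical stand-in that mirrors only the `setHeader(String, String)` signature quoted above, and the `TRUSTED_DOMAINS` allow-list is an assumption added so that same-named users from different domains are not merged into one identity.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class SmUserDomainStripper {

    /** Hypothetical stand-in for the ProxyResponse method quoted above; not the real SPS type. */
    interface HeaderSink {
        void setHeader(String name, String value);
    }

    // Assumption: only these domains may be stripped. Dropping the prefix for any
    // domain would let DOMAIN\myuser and OTHER\myuser collapse into one identity.
    private static final Set<String> TRUSTED_DOMAINS = Set.of("DOMAIN");

    /** Returns the bare login ID, or null when the value must not be rewritten. */
    static String stripDomain(String smUser) {
        if (smUser == null || smUser.isEmpty()) return null;
        // Reject control characters so the value cannot split or inject headers.
        if (smUser.chars().anyMatch(Character::isISOControl)) return null;
        int sep = smUser.indexOf('\\');
        if (sep < 0) return smUser;                                   // already bare
        String domain = smUser.substring(0, sep);
        String login = smUser.substring(sep + 1);
        if (login.isEmpty() || login.indexOf('\\') >= 0) return null; // malformed
        if (!TRUSTED_DOMAINS.contains(domain.toUpperCase(Locale.ROOT))) return null;
        return login;
    }

    /** Overwrites SM_USER only when a safe bare value can be derived. */
    static boolean rewrite(String smUser, HeaderSink sink) {
        String bare = stripDomain(smUser);
        if (bare == null) return false;   // leave the original header untouched
        sink.setHeader("SM_USER", bare);
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real deployment.
        String[] samples = {"DOMAIN\\myuser", "myuser", "OTHER\\myuser", "DOMAIN\\", "DOMAIN\\a\r\nX: y"};
        for (String s : samples) {
            Map<String, String> headers = new LinkedHashMap<>();
            boolean changed = rewrite(s, headers::put);
            System.out.println(changed + " -> " + headers);
        }
    }
}
```
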

2 - Use the GD SmOverrideAuth module to modify the SM_USER value. 

The out-of-the-box SM_USER value may also be overridden by using the GD 
module "SmOverrideAuth" as described here: 

Remove <domain>\ from user name when using IWA 

There is another option. If you really need the value stored in the 
SiteMinder SMSESSION cookie modified to be just the loginID, without 
the domain prefix, there is a CA Services, Global Deployment 
Pre-built PWP (aka module) called SmOverrideAuth that will meet this 
requirement. It actually allows you to set SM_USER to the value of 
any attribute in the user's record, although normally the loginID is 
used. Note however that this is a separately priced item, it is not 
part of core SiteMinder. You can contact Sid Mautte 
(Sid.MautteIII@ca.com) if you would like to find out more about this 
module, or you can contact your CA Sales Representative and ask them 
to open a Service Request for SmOverrideAuth. 

https://communities.ca.com/thread/241754143 

CA Global Delivery Packaged Work Product Download Index 

Override Authentication Login for CA Single Sign-On 

https://support.ca.com/us/product-content/recommended-reading/technical-document-index/ca-global-delivery-packaged-work-product-module-index.html?id=%7B3B2E2905-11AF-4479-B309-63F113CA5D57%7D?id=%7B3B2E2905-11AF-4479-B309-63F113CA5D57%7D