1 Reply Latest reply on Sep 22, 2011 10:54 AM by Andy49

    Policy Agent 3.0 on IIS7.5 with Access Manager 7.1

    Andy49
      We are trying to make the Policy Agent 3.0 work on IIS7.5 (Windows 2008) with Access Manager 7.1.

      Perhaps someone else has had the same problems?

The problem we have is that the agent, according to the logs, does not seem to initialize correctly.

      The logs on server side say everything is ok and that the agent is authenticated.

These are the debug logs from the agent:

      2011-09-21 12:12:03.035 -1 2352:1e94870 all: Validating naming URL [http://acm.example.com:80/amserver/namingservice]...
      2011-09-21 12:12:03.035 -1 2352:1e94870 all: URL values:
      protocol: http
      host: acm.example.com
      port 80
      path: /amserver/namingservice
      query:
      URL: http://acm.example.com:80/amserver/namingservice
      2011-09-21 12:12:03.113 Error 2352:1e94870 all: URL [http://acm.example.com:80/amserver/namingservice] validation failed with error [-1]
      2011-09-21 12:31:30.750 Error 2352:1e94870 all: ProcessRequest -- Starting

      Here is the Event Viewer log for this event:

      Sun OpenSSO Policy Agent 3.0 for Microsoft IIS 7.0: Initialization of the agent failed: status = failure (1)

      I have checked and rechecked the agent name and the password. They are correct. However, at one point we needed to change the password using cryptit.exe and we believe we did that correctly.

The sniffing logs give two interesting things:

      1) When the ACM server sends this to the policy agent:
      [Full request URI: http://agent.example.com/UpdateAgentCacheServlet?shortcircuit=false]
      <?xml
      version="1.0"
      encoding="UTF-8"
      standalone="yes"
      ?>
      <NotificationSet
      vers="1.0"
      svcid="session"
      notid="3114">
      <Notification>
      <![CDATA[<SessionNotification vers="1.0" notid="4241">
                  <Session
                      sid="AQIC5wM2LY9SfcyM98V/ARNvX4LhKLFfqe4elqqaIKTEvik=@AAJTSwAKMjAzNjY4HTIwOAACU0kDAjEwAAJTMQACMDE=#"
                      stype="user"
                      cid="iisAgent"
                      cdomain="o=com"
                      maxtime="153722867280912930"
                      maxidle="153722867280912930"
                      maxcaching="153722867280912930"
                      timeidle="0"
                      timeleft="153722867280912930"
                      state="destroyed">
                      <Property
                          name="CharSet"
                          value="UTF-8">
                          </Property>
                      <Property
                          name="UserId"
                          value="iisAgent">
                          </Property>
                      <Property
                          name="successURL"
                          value="/amserver/console">
                          </Property>
                      <Property
                          name="cookieSupport"
                          value="true">
                          </Property>
                      <Property
                          name="AuthLevel"
                          value="0">
                          </Property>
                      <Property
                          name="SessionHandle"
                          value="shandle:AQIC5wM2LY4Sfcw4nkwDA41/mFctj/z2y62v8eIdhTWJUpU=@AAJTSwAKMjAzNjY4OTIwOAACU0kAAjEwAAJTMQACMDE=#">
                          </Property>
                      <Property
                          name="UserToken"
                          value="iisAgent">
                          </Property>
                      <Property
                          name="IndexType"
                          value="module_instance">
                          </Property>
                      <Property
                          name="Principals"
                          value="uid=iisAgent,ou=agents,o=com">
                          </Property>
                      <Property
                          name="sun.am.UniversalIdentifier"
                          value="id=iisagent,ou=agent,o=com">
                          </Property>
                      <Property
                          name="Organization"
                          value="o=com">
                          </Property>
                      <Property
                          name="Locale"
                          value="en_US">
                          </Property>
                      <Property
                          name="HostName"
                          value="xxx.yyy.14.197">
                          </Property>
                      <Property
                          name="AuthType"
                          value="Application">
                          </Property>
                      <Property
                          name="Host"
                          value="xxx.yyy.14.197">
                          </Property>
                      <Property
                          name="UserProfile"
                          value="Required">
                          </Property>
                      <Property
                          name="AMCtxId"
                          value="344a5a431e07eec501">
                          </Property>
                      <Property
                          name="clientType"
                          value="genericHTML">
                          </Property>
                      <Property
                          name="authInstant"
                          value="2011-09-21T05:50:53Z">
                          </Property>
                      <Property
                          name="Principal"
                          value="uid=iisAgent,ou=agents,o=com">
                          </Property>
                      </Session>
                  <Type>
                      5
                      </Type>
                  <Time>
                      1316585473197
                      </Time>
                  </SessionNotification>
              ]]>
      </Notification>
      </NotificationSet>
      [ ERROR: Closing an unopened tag ]

      The response from the Policy Agent server is this:

      <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">\r\n
      <HTML><HEAD><TITLE>Service Unavailable</TITLE>\r\n
      <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>\r\n
      <BODY><h2>Service Unavailable</h2>\r\n
      <hr><p>HTTP Error 503. The service is unavailable.</p>\r\n
      </BODY></HTML>

2) When the policy agent sends this:

      [Full request URI: http://acm.example.com/amserver/policyservice]

      <?xml
      version="1.0"
      encoding="UTF-8"
      standalone="yes"
      ?>
      <RequestSet
      vers="1.0"
      svcid="Policy"
      reqid="14">
      <Request>
      <![CDATA[\n<PolicyService version="1.0">
                  <PolicyRequest
                      requestId="4"
                      appSSOToken="AQIC5wM2LY4SfcyM98V/ARNvX4LhNuFfqe4elqqaIKTEvik=@AAJTSwAKMjAzNjY4OTIwOAACU0kAAjEwAAJTMQACMDE=#">
                      <RemovePolicyListener
                          notificationURL="http://agent.example.com:80/UpdateAgentCacheServlet?shortcircuit=false"
                          serviceName="iPlanetAMWebAgentService"/>
                      </PolicyRequest>
                  </PolicyService>
              ]]>\n
      </Request>
      </RequestSet>

      The reply from the Access Manager is:

      HTTP/1.1 200 OK\r\n
      [Expert Info (Chat/Sequence): HTTP/1.1 200 OK\r\n]
      [Message: HTTP/1.1 200 OK\r\n]
      [Severity level: Chat]
      [Group: Sequence]
      Request Version: HTTP/1.1
      Status Code: 200
      Response Phrase: OK
      X-Powered-By: Servlet/2.5\r\n
      Server: Sun GlassFish Enterprise Server v2.x,x\r\n
      Content-Type: text/html; charset=iso-8859-1\r\n
      Date: Wed, 21 Sep 2011 06:11:13 GMT\r\n
      Connection: close\r\n
      \r\n
      Line-based text data: text/html
      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n
      <ResponseSet vers="1.0" svcid="policy" reqid="14">\n
      <Response><![CDATA[<PolicyService version="1.0" revisionNumber="40">\r\n
          <PolicyResponse requestId="4" issueInstant="1316585473429">\r\n
          <Exception>\r\n
          *Application sso token is invalid*\r\n
          </Exception>\r\n
          </PolicyResponse>\r\n
          </PolicyService>\r\n
          ]]></Response>\n
      </ResponseSet>

Users who try to log in are getting a 403 when they are redirected back to the server after the login at the Access Manager.
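The two captured exchanges above carry the diagnostic facts a troubleshooter needs (the session notification's `state` and `Type` for the agent's own session, and the `Exception` text in the policy response), but both sit inside CDATA-wrapped inner XML and are easy to misread by eye. The following is an added example, written for this page and not code from the original post, the OpenSSO agent or the server: it unwraps both message kinds, pulls out those fields, and scans the agent debug log for `Error` lines. The sample messages are constructed and abbreviated from the post's captures; the session and SSO token values are placeholders, and the message layouts are assumed from what the captures show rather than from any specification.

```python
"""Triage helper for OpenSSO / Access Manager <-> policy-agent XML exchanges.

Added example (not part of the forum post, the agent or the server code).
Parses a NotificationSet pushed to UpdateAgentCacheServlet and a ResponseSet
returned by /amserver/policyservice, unwraps the CDATA-embedded inner XML,
and extracts the fields a troubleshooter looks at first.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample, abbreviated from the post's capture; sid is a placeholder.
SAMPLE_NOTIFICATION = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<NotificationSet vers="1.0" svcid="session" notid="3114">
<Notification><![CDATA[<SessionNotification vers="1.0" notid="4241">
<Session sid="PLACEHOLDER-SID" stype="user" cid="iisAgent" cdomain="o=com" state="destroyed">
<Property name="UserId" value="iisAgent"></Property>
<Property name="AuthType" value="Application"></Property>
<Property name="Principal" value="uid=iisAgent,ou=agents,o=com"></Property>
</Session>
<Type>5</Type>
<Time>1316585473197</Time>
</SessionNotification>]]></Notification>
</NotificationSet>"""

# Constructed sample, abbreviated from the post's policyservice reply.
SAMPLE_POLICY_RESPONSE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ResponseSet vers="1.0" svcid="policy" reqid="14">
<Response><![CDATA[<PolicyService version="1.0" revisionNumber="40">
<PolicyResponse requestId="4" issueInstant="1316585473429">
<Exception>
Application sso token is invalid
</Exception>
</PolicyResponse>
</PolicyService>]]></Response>
</ResponseSet>"""

# Constructed sample: three agent debug lines in the format quoted in the post.
SAMPLE_AGENT_DEBUG = """2011-09-21 12:12:03.035 -1 2352:1e94870 all: Validating naming URL [http://acm.example.com:80/amserver/namingservice]...
2011-09-21 12:12:03.113 Error 2352:1e94870 all: URL [http://acm.example.com:80/amserver/namingservice] validation failed with error [-1]
2011-09-21 12:31:30.750 Error 2352:1e94870 all: ProcessRequest -- Starting"""

_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def _parse(xml_text):
    """Parse XML text, dropping the declaration so str input is accepted cleanly."""
    return ET.fromstring(_XML_DECL.sub("", xml_text, count=1))


def parse_session_notification(xml_text):
    """Summarise every <SessionNotification> inside a NotificationSet."""
    out = []
    for notif in _parse(xml_text).iter("Notification"):
        inner = _parse(notif.text.strip())  # the CDATA body is itself an XML document
        sess = inner.find("Session")
        props = {p.get("name"): p.get("value") for p in sess.findall("Property")}
        out.append({
            "notid": inner.get("notid"),
            "type": int(inner.findtext("Type").strip()),
            "time": int(inner.findtext("Time").strip()),
            "cid": sess.get("cid"),
            "state": sess.get("state"),
            "auth_type": props.get("AuthType"),
            "principal": props.get("Principal"),
        })
    return out


def parse_policy_response(xml_text):
    """Return requestId and any <Exception> text for each <PolicyResponse>."""
    results = []
    for resp in _parse(xml_text).iter("Response"):
        inner = _parse(resp.text.strip())
        for pr in inner.iter("PolicyResponse"):
            exc = pr.findtext("Exception")
            results.append({"request_id": pr.get("requestId"),
                            "exception": exc.strip() if exc else None})
    return results


# Agent debug line: "<date> <time> Error <pid:tid> all: <message>"
_DEBUG_ERROR = re.compile(r"^(?P<ts>\S+ \S+) Error \S+ all: (?P<msg>.*)$")


def agent_log_errors(log_text):
    """Return (timestamp, message) for every Error-level agent debug line."""
    found = []
    for line in log_text.splitlines():
        m = _DEBUG_ERROR.match(line.strip())
        if m:
            found.append((m.group("ts"), m.group("msg")))
    return found


def triage(notification_xml, response_xml, agent_log):
    """Collect the facts from all three sources into one list of findings."""
    findings = []
    for n in parse_session_notification(notification_xml):
        if n["state"] == "destroyed" and n["auth_type"] == "Application":
            findings.append(f"application session for {n['cid']} reported "
                            f"state={n['state']} (notification type {n['type']})")
    for r in parse_policy_response(response_xml):
        if r["exception"]:
            findings.append(f"policy request {r['request_id']} rejected: {r['exception']}")
    for ts, msg in agent_log_errors(agent_log):
        findings.append(f"agent error at {ts}: {msg}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_NOTIFICATION, SAMPLE_POLICY_RESPONSE, SAMPLE_AGENT_DEBUG):
        print(line)
```

Run on the samples it lists the destroyed `Application` session for `iisAgent`, the `Application sso token is invalid` exception for request 4, and the two `Error` lines from the agent debug log, which puts the server-side and agent-side evidence side by side with the timestamps intact.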