Symptom:
SharePoint stores a persistent FedAuth cookie on the hard drives of authenticated users. I do not want the SharePoint server to use these persistent cookies.
Solution:
You can configure SharePoint so a persistent FedAuth cookie is not stored. However, disabling the persistent FedAuth cookie also disables the single sign-on function of Office Client Integration. Users who try to open files on the SharePoint server are challenged for their credentials.
Note: For more information about how to disable FedAuth cookies in SharePoint 2010, go to the TechNet Blogs website, and then search for the following phrase:
"Setting the Login Token Expiration Correctly for SharePoint 2010 SAML Claims Users"
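To confirm the change took effect, inspect the Set-Cookie headers that SharePoint returns at sign-in. The following check is an added example, not part of the CA documentation: it flags any FedAuth cookie that carries Expires or Max-Age, which is what makes a browser write it to disk. The header values are constructed samples and are assumed to come from a sign-in response.

```python
def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes); attribute keys are lower-cased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_fedauth(set_cookie_headers):
    """Report whether each FedAuth cookie is persistent (kept on disk) or session-only."""
    report = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        # Large tokens are split across FedAuth, FedAuth1, ...; check every chunk.
        if not name.startswith("FedAuth"):
            continue
        report.append({
            "name": name,
            # Expires or Max-Age makes the browser keep the cookie after it closes.
            "persistent": "expires" in attrs or "max-age" in attrs,
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
        })
    return report


# Constructed headers: before and after persistent cookies are disabled.
BEFORE = [
    "FedAuth=CONSTRUCTED; expires=Thu, 01-Jan-2015 10:00:00 GMT; path=/; secure; HttpOnly",
    "FedAuth1=CONSTRUCTED; expires=Thu, 01-Jan-2015 10:00:00 GMT; path=/; secure; HttpOnly",
]
AFTER = ["FedAuth=CONSTRUCTED; path=/; secure; HttpOnly", "ASP.NET_SessionId=x; path=/"]

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        for row in audit_fedauth(headers):
            print(label, row)
```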
Symptom:
I received an error message regarding a duplicate port after running the Configuration Wizard for the Agent for SharePoint.
Solution:
Do the following:
Agent-for-SharePoint_home\httpd\conf\httpd.conf
Listen port
ServerName url:port
Agent-for-SharePoint_home\httpd\conf\extra\httpd-ssl.conf
Listen port
ServerName url:port
<VirtualHost url:port>
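A pre-flight check for this error, as an added example that is not CA's code: it scans the text of the two files for the directives listed above and reports any port that more than one Listen directive claims, plus ServerName or VirtualHost entries whose port no Listen line opens. The host name, ports and file contents are constructed, and treating a repeated Listen port as the cause of the wizard's error is an assumption.

```python
import re
from collections import defaultdict

# Matches the three directives the page lists; a leading '#' (comment) never matches.
DIRECTIVE = re.compile(r"^\s*<?(Listen|ServerName|VirtualHost)\s+([^\s>]+)", re.I)


def port_of(arg):
    """Port from 'port', 'host:port' or '[v6]:port'; None when no port is given."""
    tail = arg.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None


def collect(files):
    """files maps a file name to its text. Yields (file, line, directive, port)."""
    for fname, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = DIRECTIVE.match(line)
            if m and port_of(m.group(2)) is not None:
                yield fname, lineno, m.group(1).lower(), port_of(m.group(2))


def audit(files):
    entries = list(collect(files))
    listens = defaultdict(list)
    for fname, lineno, directive, port in entries:
        if directive == "listen":
            listens[port].append((fname, lineno))
    # Simplification: compares port numbers only, ignoring the bind address.
    duplicates = {p: locs for p, locs in listens.items() if len(locs) > 1}
    # ServerName/VirtualHost ports with no Listen: left behind after a port change.
    stale = [e for e in entries if e[2] != "listen" and e[3] not in listens]
    return duplicates, stale


# Constructed sample contents for the two files named above.
SAMPLE = {
    "httpd.conf": "# constructed sample\nListen 8080\nServerName sps.example.com:8080\n",
    "httpd-ssl.conf": "Listen 8080\nServerName sps.example.com:8443\n"
                      "<VirtualHost _default_:8443>\n",
}

if __name__ == "__main__":
    duplicates, stale = audit(SAMPLE)
    for port, locs in duplicates.items():
        print(f"port {port} has more than one Listen: {locs}")
    for fname, lineno, directive, port in stale:
        print(f"{fname}:{lineno} {directive} uses port {port}, which has no Listen")
```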
Symptom:
I can access a protected SharePoint resource with the SiteMinder X.509 authentication scheme after logging out by clicking the back button in the browser. If I click the Sign In as different user button on a SharePoint site protected with the CA SiteMinder® X.509 Authentication scheme, the home page appears.
Solution:
This behavior is a known issue. The problem occurs when the client certificate remains in the browser cache. Close the browser after logging out.
An inconsistency occurs between an access policy and the people picker when CA SiteMinder® Forms protection is configured for a SharePoint web application or zone.
User access to a SharePoint site is governed first by the CA SiteMinder® user policy and then by the SharePoint permissions.
The behavior changes when SharePoint permissions are configured through the People and Groups dialog (people picker) and the CA SiteMinder® protection is configured using ASP.NET Forms authentication. The CA SiteMinder® user directory connection object governs the list of users and groups returned. The CA SiteMinder® user access policy does not affect the results.
This behavior means that while a SharePoint site administrator can select users using the People and Groups dialog (people picker) and grant them access to a SharePoint resource, CA SiteMinder® denies them access to the resource at runtime.
As a workaround, do the following steps:
Symptom:
I cannot access a protected SharePoint web application using the CA SiteMinder® Impersonation Authentication scheme, and a "page cannot be displayed" error appears.
Solution:
The CA SiteMinder® Agent for SharePoint does not currently support the Impersonation Authentication scheme.
Symptom:
I cannot access a protected SharePoint web application using the CA SiteMinder® Anonymous Authentication scheme, and a "page cannot be displayed" error appears.
Solution:
This error message appears because the SMIDENTITY cookie is created with the anonymous login instead of the SMSESSION cookie. The CA SiteMinder® Agent for SharePoint does not currently support the Anonymous Authentication scheme.
Symptom:
If I set up a traditional web agent as a cookie provider, the traditional web agent does not operate well with the CA SiteMinder® Agent for SharePoint.
Solution:
This scenario is not supported. Use a framework-based web agent as a cookie provider in this situation.
Symptom:
I see a SAML 2.0 Auto-post on the browser tab while logging on to the CA SiteMinder® Agent for SharePoint.
Solution:
This behavior is a known issue. The CA SiteMinder® Agent for SharePoint does not consume SAML 2.0 but uses the WS-Federation 1.1 Token protocol. The message that appears in the tab is defined in the FWS constants class as SAML2_AUTO_POST_FORM_TITLE. This class is the base class for all federation protocols.
Symptom:
The SharePoint redirect fails and a 500 error appears in my browser when the following occurs:
I perform a POST action on a page in SharePoint, and the SharePoint Fed-Auth cookie expires.
Solution:
This behavior is a known issue with the SharePoint Claims-based authentication model. SharePoint Claims Authentication fires a 302 redirect to the account partner to reissue a WS-FED Token instead of allowing SharePoint to acknowledge the POST. Using the WS-FED Token, SharePoint re-creates a new Fed-Auth cookie. SharePoint then tries to redo the same POST action and the HTTP 500 error is displayed.
Symptom:
When multiple claims are configured for a Trusted Identity Provider, I can search for claims at certain key areas in SharePoint only with the claim that is designated as the IdentifierClaim.
Solution:
This behavior is a known limitation with SharePoint. In certain areas, search works only with the IdentifierClaim and not the other claims. Some of the areas where configured claims cannot be searched include the following:
Symptom:
In the previous SiteMinder Agent for SharePoint version, I had to set the ProxyTrust parameter when the agent operated behind a proxy server. How do I set it for this release?
Solution:
This version of the Agent for SharePoint is implemented as part of a proxy-based authentication solution. Setting the ProxyTrust parameter in your agent configuration is no longer necessary.
Symptom:
I tried to configure CA SiteMinder® forms-based authentication (FCC), but when I use the following default value shown in the Administrative UI, it does not work:
/siteminderagent/forms/login.fcc
Solution:
The Agent for SharePoint uses a different directory for forms-based authentication. Do the following:
Agent-for-SharePoint_home/proxy-engine/examples/siteminderagent
Agent-for-SharePoint_home/proxy-engine/examples
To the following directory:
Agent-for-SharePoint_home/proxy-engine/examples/siteminderagent
The forms are copied to Agent-for-SharePoint_home/proxy-engine/examples/siteminderagent/forms.
Symptom:
The Policy Server Profiler contains a SharePoint component which is included in the trace file.
Solution:
The SharePoint component in the Profiler is for the CA SiteMinder® Agent for SharePoint 2007 solution. Because the CA SiteMinder® Agent for SharePoint 2010 solution is based on SAML federation, this component does not function as designed.
To trace internal Policy Server diagnostics and the communication with the CA SiteMinder® Agent for SharePoint, use the profiler settings based on the SAML IDP profiler trace template (samlidp_trace.template).
Symptom:
The LoggerConfig.properties file shows the Trace.conf configuration file location as TraceConfig=/CA/Agent-for-SharePoint/conf/defaultagent/FederationTrace.conf
Solution:
The location of the Trace.conf file is incorrect in the LoggerConfig.properties file. The proxy-engine subdirectory is missing. Set the correct path to /CA/Agent-for-SharePoint/proxy-engine/conf/defaultagent/FederationTrace.conf.
Symptom:
The SharePoint people picker stops responding during searches.
Solution:
This behavior is normal. This condition occurs when the FedAuth cookie expires.
As a workaround, close the SharePoint people picker. Wait a moment and open the SharePoint people picker again.
Symptom:
I want to run the configuration wizard for the CA SiteMinder® Agent for SharePoint again. What happens to my configuration settings?
Solution:
Back up your existing proxy rules file in the following location before running the configuration wizard again:
Agent-for-SharePoint_home\proxy-engine\conf\proxyrules.xml
After you run the wizard, delete the new proxyrules.xml file and rename your backup copy accordingly.
Symptom:
The following message appears in my federationtrace.log file:
No Assertion Consumer URL found for RP
What does it mean?
Solution:
This message is informational only. No problem exists.
Copyright © 2014 CA.
All rights reserved.