

How to Allow the NTC to Encode URLs During Redirects to Protected Resources

CA SiteMinder® can protect resources using Windows credential collectors (NTCs). Users submit their credentials to the NTC, then the NTC logs the user in to the IIS web server. The IIS web server authenticates the user. The NTC redirects the user to the protected (TARGET) resource after authentication.

The NTC normally encodes the characters in the TARGET portion of the URL during the request, but not during the redirect after authentication. You can change your agent configuration so that the TARGET portion of the URL is encoded during the redirect. The following illustration describes this behavior:

This flowchart describes how the NTC encodes the URL for the TARGET (protected) resource during requests before authentication but not in redirects after authentication

The following illustration shows the process of allowing the NTC to encode URLs during requests for protected resources:

Graphic showing how to Allow NTCs to Encode TARGET URLs During Redirects

To allow the NTC to encode URLs during redirects to protected resources, follow these steps:

  1. Choose the procedure that matches your agent configuration method from the following list:
  2. For agents using local configuration, repeat Step 1c for each web server.

    The NTC uses encoded URLs during redirects to protected resources.

Open the Administrative UI to Change Policy Server Objects

Change the objects on your Policy Server by opening the Administrative UI.

Follow these steps:

  1. Open the following URL in a browser.
    https://host_name:8443/iam/siteminder/adminui
    
    host_name

    Specifies the fully qualified Administrative UI host system name.

  2. Enter your CA SiteMinder® superuser name in the User Name field.
  3. Enter the CA SiteMinder® superuser account password in the Password field.

    Note: If your superuser account password contains dollar-sign ($) characters, replace each instance of the dollar-sign character with $DOLLAR$. For example, if the CA SiteMinder® superuser account password is $password, enter $DOLLAR$password in the Password field.

  4. Verify that the proper server name or IP address appears in the Server drop-down list.
  5. Select Log In.

Change the Value of the DisableI18N parameter in your Agent Configuration Object

You can configure Windows credential collectors to process HTTP encoded characters in target URLs for centrally configured web agents. Centrally configured web agents use parameter settings stored in an Agent Configuration object on the Policy Server.

Follow these steps:

  1. Click Infrastructure, Agent Configuration Objects.

    A list of Agent Configuration objects appears.

    Click the edit icon in the line of the Agent Configuration Object you want.

    The Modify Agent Configuration dialog appears.

  2. Click the edit icon to the left of the following parameter:
    DisableI18N

    Specifies how the Windows credential collector (NTC) processes the TARGET URL during authentication when the characters of the TARGET URL use HTTP encoding. When the value of this parameter is no, any characters in the URL are decoded during authentication. The decoded characters are used in the redirect to the TARGET resource. When the value of this parameter is yes, characters in the TARGET URL are not decoded during authentication. Any characters using HTTP encoding remain encoded before and after authentication.

    Default: No.

    The Edit Parameter dialog appears.

  3. Change the text in the Value field to yes.
  4. Click OK.

    The Edit Parameter dialog closes, and the Modify Agent Configuration dialog appears.

  5. Click the edit icon to the left of the following parameter:
    BadUrlChars

    Specifies the character sequences that cannot be used in URL requests. The Web Agent checks the characters in the URL that occur before the "?" character against the list in this parameter. If any of the specified characters are found, the Web Agent rejects the request.

    You can specify the following characters:

    • a backward slash (\)
    • Two forward slashes (//)
    • Period and a forward slash (./)
    • Forward slash and a period (/.)
    • Forward slash and an asterisk (/*)
    • An asterisk and a period (*.)
    • A tilde (~)
    • %2d
    • %20
    • %00-%1f
    • %7f-%ff
    • %25

    Separate multiple characters with commas. Do not use spaces.

    You can use the bad URL characters in CGI parameters if the question mark (?) precedes the bad URL characters.

    Default: Disabled (all characters are allowed).

    Limits:

    • The default hexadecimal numbers apply to English characters. For other languages, remove any hexadecimal values that correspond to the characters of the language that you want to allow. Examples of such languages include (but are not limited to) Brazilian Portuguese, French, Japanese, and Chinese.
    • You can specify characters literally. You can also enter the URL-encoded form of that character. For example, you can enter the letter a, or you can enter the encoded equivalent of %61.
    • You can specify a maximum number of 4096 characters (including commas that are used for separating characters).
    • You can specify ranges of characters that are separated with hyphens. The syntax is: starting_character-ending_character. For example, you can enter a-z as a range of characters.
    • Specify any quotation marks (") with the URL-encoded equivalent of %22. Do not use the literal ASCII character.

    The Edit Parameter dialog appears.

  6. Remove the following text from the Value field:
    ,%25
    
  7. Click OK.

    The Edit Parameter dialog closes, and the Modify Agent Configuration dialog appears.

  8. Click Submit.

    The Modify Agent Configuration dialog closes, and a confirmation message appears.

  9. (Optional) Enter any remarks about the change in the Comment field for future reference.
  10. Click Yes.

    Your changes will be applied the next time the Web Agent polls the Policy Server.

Change the Value of the DisableI18N parameter in your LocalConfig.conf File

You can configure Windows credential collectors to process HTTP encoded characters in target URLs. Locally configured web agents use parameter settings stored in a configuration file on each web server.

Follow these steps:

Locate the LocalConfig.conf file on your web server. Use the examples in the following list to locate the file on your type of web server:

    IIS web server

    web_agent_home\bin\IIS

    Oracle iPlanet web server

    Oracle_iPlanet_home/https-hostname/config

    Apache web server

    Apache_home/conf

  1. Open your LocalConfig.conf file with a text editor, and then locate the following parameter:
    DisableI18N

    Specifies how the Windows credential collector (NTC) processes the TARGET URL during authentication when the characters of the TARGET URL use HTTP encoding. When the value of this parameter is no, any characters in the URL are decoded during authentication. The decoded characters are used in the redirect to the TARGET resource. When the value of this parameter is yes, characters in the TARGET URL are not decoded during authentication. Any characters using HTTP encoding remain encoded before and after authentication.

    Default: No.

  2. Change the value of the DisableI18N parameter to yes.
  3. Locate the following parameter:
    BadUrlChars

    Specifies the character sequences that cannot be used in URL requests. The Web Agent checks the characters in the URL that occur before the "?" character against the list in this parameter. If any of the specified characters are found, the Web Agent rejects the request.

    You can specify the following characters:

    • a backward slash (\)
    • Two forward slashes (//)
    • Period and a forward slash (./)
    • Forward slash and a period (/.)
    • Forward slash and an asterisk (/*)
    • An asterisk and a period (*.)
    • A tilde (~)
    • %2d
    • %20
    • %00-%1f
    • %7f-%ff
    • %25

    Separate multiple characters with commas. Do not use spaces.

    You can use the bad URL characters in CGI parameters if the question mark (?) precedes the bad URL characters.

    Default: Disabled (all characters are allowed).

    Limits:

    • The default hexadecimal numbers apply to English characters. For other languages, remove any hexadecimal values that correspond to the characters of the language that you want to allow. Examples of such languages include (but are not limited to) Brazilian Portuguese, French, Japanese, and Chinese.
    • You can specify characters literally. You can also enter the URL-encoded form of that character. For example, you can enter the letter a, or you can enter the encoded equivalent of %61.
    • You can specify a maximum number of 4096 characters (including commas that are used for separating characters).
    • You can specify ranges of characters that are separated with hyphens. The syntax is: starting_character-ending_character. For example, you can enter a-z as a range of characters.
    • Specify any quotation marks (") with the URL-encoded equivalent of %22. Do not use the literal ASCII character.

  4. Remove the following values from the BadUrlChars list:
    ,%25
    
  5. Save the changes to your LocalConfig.conf file, and then close the text editor.
  6. Repeat Steps 1 through 5 on all web servers which you want to change.

    Windows credential collectors are allowed to process HTTP encoded characters in TARGET URLs.
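To make the BadUrlChars and DisableI18N descriptions in both procedures above concrete, here is an added example (not CA's code and not the agent's implementation) that models the documented BadUrlChars semantics: comma-separated entries in literal or URL-encoded spelling, hyphen ranges, and the exemption of everything after "?". It also models the DisableI18N choice between decoding the TARGET and keeping it encoded, and the ",%25" removal performed in Step 6 of the Agent Configuration Object procedure and Step 4 of the LocalConfig.conf procedure. The sample list and URLs are constructed, and the order in which the real agent decodes and checks is an assumption of this model.

```python
from urllib.parse import unquote

# Sample BadUrlChars value built from the sequences this page lists (constructed;
# not necessarily the value shipped in any agent template).
SAMPLE_BAD_URL_CHARS = r"\,//,./,/.,/*,*.,~,%00-%1f,%7f-%ff,%25"


def _decode(entry: str) -> str:
    # An entry may be literal ("~") or URL-encoded ("%7e"); latin-1 keeps %7f-%ff byte-exact.
    return unquote(entry, encoding="latin-1")


def parse_bad_url_chars(value: str) -> list[str]:
    """Expand a comma-separated BadUrlChars value into the sequences it forbids."""
    forbidden: list[str] = []
    for entry in value.split(","):
        if not entry:
            continue
        lo, sep, hi = entry.partition("-")
        if sep and len(_decode(lo)) == 1 and len(_decode(hi)) == 1:
            # Range syntax starting_character-ending_character, e.g. %00-%1f or a-z
            forbidden.extend(chr(c) for c in range(ord(_decode(lo)), ord(_decode(hi)) + 1))
        else:
            forbidden.append(_decode(entry))
    return forbidden


def check_url(url: str, bad_url_chars: str, disable_i18n: bool) -> bool:
    """True if the request passes the BadUrlChars check, False if the agent rejects it.

    Only the part before "?" is examined, so CGI parameters are exempt. Model assumption:
    DisableI18N=no decodes the path before the comparison; yes compares it as received.
    """
    path = url.split("?", 1)[0]
    if not disable_i18n:
        path = unquote(path, encoding="latin-1")
    return not any(seq in path for seq in parse_bad_url_chars(bad_url_chars))


def redirect_target(target: str, disable_i18n: bool) -> str:
    """The TARGET the NTC places in its redirect after authentication."""
    return target if disable_i18n else unquote(target, encoding="latin-1")


def allow_encoded_redirects(bad_url_chars: str) -> str:
    """The ",%25" removal step of both procedures: a literal "%" is no longer rejected."""
    return ",".join(e for e in bad_url_chars.split(",") if e.lower() != "%25")


if __name__ == "__main__":
    target = "/reports/q1%20summary.pdf"  # constructed TARGET with an encoded space
    relaxed = allow_encoded_redirects(SAMPLE_BAD_URL_CHARS)
    print("DisableI18N=no,  sample list :", check_url(target, SAMPLE_BAD_URL_CHARS, False))
    print("DisableI18N=yes, sample list :", check_url(target, SAMPLE_BAD_URL_CHARS, True))
    print("DisableI18N=yes, %25 removed :", check_url(target, relaxed, True))
    print("redirect TARGET with yes     :", redirect_target(target, True))
```

In this model the relaxed configuration compares the still-encoded path, so list entries written in decoded form (for example ./) match only that literal spelling; confirm your agent version's actual behaviour against its own documentation before relying on the list for path checks.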

Tune the Performance of the FCC

You can configure any of the following settings to help improve the performance of your credential collectors:

Disable FCC Realm Context Confirmation to Improve Performance

During forms authentication, the Web Agent makes an IsProtected call to the Policy Server to determine if the requested resource is protected. After this first call, the Web Agent typically makes an additional IsProtected call to the Policy Server. This second call establishes a realm context so that the Web Agent can log a user in with an FCC to access a protected resource. You can control whether the Web Agent makes this additional call using the following parameter:

FCCForceIsProtected

Specifies whether the Web Agent makes an additional IsProtected call to the Policy Server to establish a realm context so that the Web Agent can log a user in to access a protected resource.

When this parameter is set to no, the Web Agent uses the realm information obtained from its initial IsProtected call to the Policy Server instead.

Default: Yes

To improve performance by disabling the FCC realm context confirmation, set the value of the FCCForceIsProtected parameter to no.