| CA |
3.0 System Requirements
3.1 Minimum JDK/JRE Version for SiteMinder 6.0 SP 5/6.x QMR 5
4.0 Installation Considerations
5.0 Defects Fixed in 6.x QMR 1
5.1 Agent on an IIS 6.0 Server Does Not Interoperate with Third-Party Filters (29623)
5.2 Web Agent Not Redirecting to Alternate Forms Credential Collector (28200, 30903)
5.3 Apache 2.0 Agent Adds URL Strings to IgnoreURL Parameter (30584)
5.4 CGI Password Services Sending Clear Text to PWS.fcc (26943)
5.5 IIS 6.0 Web Agent Logs DefaultPassword Value (28462)
5.6 IIS 6.0 Web Agent Restarts Unnecessarily (28527)
5.7 IIS 6.0 Web Agent Incorrectly Returns Error Message for Certain URLs (28539)
5.8 IIS 6.0 Web Agent Does Not Redirect Properly for Passport Authentication (28590)
5.9 Agent Requesting Identity Cookie without User Tracking Enabled (28760)
5.10 Anonymous User Context Being Used for Authenticated Users (28762)
5.11 IIS 5.0 Web Agent Uses SmCredCache.sys for a Proxy Account (28763)
5.12 Users Not Re-prompted for Credentials with Cert and Basic Authentication (28765)
5.13 Sun ONE and Apache Agents on UNIX Are Failing Under Heavy Load (29023)
5.14 Web Agent Not Using Basic Credentials When Certificate Credentials Fail (29277)
5.15 Web Agent Fails When it Cannot Read the trace.conf File (29220)
5.16 Single Sign-on Problems When Domino Web Agent Exists in an Environment with Multiple Agents (29495)
5.17 Domino Web Agent Not passing the Domino UNID (29522)
5.18 Conflict for the Web Agent with WebSphere and ServletExec 5.0 on the Same Web Server (29623)
5.19 IIS 5.0 Server Challenge User When NTLM-protected Realm Accessed (29789)
5.20 Agent Not Encoding ReturnURL for Passport-protected Resource (29809)
5.21 IIS 6.0 Agent Not Preserving Header values (29928)
5.22 Apache/Linux Agent Generating Segment Faults Under Load (30014)
5.23 Web Agent at Producer Site Returns Only 2K of Response Data (30142)
5.24 Web Agent Fails to Notify Cookie Provider with an OnAuthRedirect Reponse Set (29918)
5.25 Agent Reporting Log-in Failure with FCCCompatMode Disabled (30002)
5.26 Agent Error for Virtual Servers in the Same Agent Name (30292)
5.27 Web Agent on IIS 6.0 Has Size Limit for Uploading Files (30391)
5.28 Single Sign-on Fails When Users Change Realms with Different Session Idle Time Values (30472)
5.29 Safeword Authentication Scheme Not Supporting Multiple Authenticators (30299)
5.30 Forms Credential Collector Not Including Domain for Relative URI (30543)
5.31 IIS 6.0 Web Agent Cannot Resolve Agent Name (30943)
5.32 Domino Server Logs Improper Calls to DSAPI setHeader Function (31127)
6.0 Defects Fixed in 6.x QMR 2
6.1 SecurID Mutli-Protection Level Environment Preventing Access to Resources (34327)
6.2 Error Occurs Instead of New Pin Selection Form Being Presented (34328)
6.3 Cookie Provider Redirection Disparity Between 4.x and 6.x Agents (35329)
6.4 Apache Agent on Linux 2.1 Advanced Server Does Not Deliver Perl Resource (31484)
6.5 LogAppend and TraceAppend Not Functioning (33868)
6.6 Resources with .fcc Extension Not Being Delivered (33977)
6.7 Three Dot Cookie Domain Causing Problem (33986)
6.8 Web Agent and Cookie Provider Being Caught in an Infinite Redirection Loop (33784)
6.9 Agent Error Occurring when an Anonymous Authentication Scheme is Configured (33972)
6.10 Web Agent Not Operating in Internationalized Windows Environment (33974)
6.11 Agent Allowing Unchallenged Access in a Virtual Server Environment (34233)
6.12 Web Agent Fails if AgentName Value Contains a Space (34365)
6.13 LLAWP Not Exiting During Web Server Shutdown (34378)
6.14 IIS 6.0 Web Agent Not Passing Configured Proxy Headers (34481)
6.15 Session Cookie is Not Updated When Agent is in Proxy Mode (343648)
6.16 Orphaned Credential Cookies Cause Users to be Reprompted (34802)
6.17 Agent Allowing Unauthenticated Users Access When IP Addresses are used to Resolve Agent Name (34900)
6.18 Single Sign-on Failing with Different Policy Stores Sharing Common Key Store (35281)
6.19 Web Agent Fails Due to Corrupted Memory in Session Cache (35319, 36329)
6.20 Host Config Object Missing from Debug Log (34649)
6.21 TARGET Parameter Divided into Multiple HTTP Headers (35994)
6.22 Web Server Failing During POST if SMENC Has Bad Data (34734)
6.23 Invalid URL Generated if TARGET Includes a Query String (36206)
6.24 Apache 2.0 Agent on Linux Platform Crashing When Session Cache Full (36329)
6.25 SMUSERMSG Cookie is Not Set When the SMUSERMSG Attribute is Sent to a Re-architected Web Agent (36407)
6.26 One View Monitor Displaying Incorrect Version with Apache 2.0 Agent on Linux (36692)
6.27 LogOffURI Functionality Different on IIS 6.0 and Apache 2.0 Agent (36768)
6.28 SMSession Cookie Not Being Cleared During Log Off (36964)
6.29 Responses Are Not Being Logged with Percentages (37008, 37586)
6.30 Web Agents Do Not Log BadUrl Characters Properly (37216)
6.31 Agent Mismatching URL Extensions to Credential Collectors (37335)
6.32 IIS 5.0 Web Agent Becomes Unavailable for Other Filters After Consuming Request POST Data (37464)
6.33 IIS 6.0 Web Agent Interferes with HTTP_HTTPSSECRETKEYSIZE Processing (37506)
6.34 Error Returned When Accessing Logout.fcc after Session Times Out or is Inactive (37576)
6.35 Web Agent Not Performing Exact URL Extension Match Against the Auto-authorize List (37685)
6.36 Web Agent Not Performing Exact URL Extension Match Against the Auto-authorize List (37685)
6.37 Web Agent Installation Does Not Recognize IBM HTTP Server on AIX (37754)
6.38 Web Agent Sets Incorrect Value for SM_AUTHTYPE Header for SAML POST Profile Authentication (38117)
6.39 Traditional Web Agents Do Not Display Page if smnoredirect Value is in Authorization Request (38416)
6.40 Log and Trace Files Do Not Rollover When Append Settings Are Disabled (38516)
6.41 Resources Protected by Forms Authentication May Cause Sun ONE Agent to Crash under Certain Load Conditions (38344)
6.42 Logs Contain Unreadable Timestamps if the OS Language is Japanese (37675)
6.43 Apache 1.x/AIX Child Process Crashes During POST Preservation (37988)
6.44 FCCCompatMode Enabled Causes Double Authentication if Web Server Root is Protected (38174)
7.0 Defects Fixed in 6.x QMR 3
7.1 Reconnection Issue between Agent and Policy Server Behind a Firewall (41742, 40448)
7.2 Web Agent Returns Wrong Error Code (40947, 40897)
7.3 ConformToRFC2047 Parameter Does Not Function Properly (41855, 41601)
7.4 Web Agent Communication Problems with Single Server/Cluster (41881)
7.5 gflags Setting Prevents Web Agent Startup on IIS 5 (41933)
7.6 Existing iPlanet/SunOne Agent(s) Accidentally Uninstalled (41101)
7.7 Web Agent Installer Does Not Prompt for Apache Configuration Path (41257)
7.8 Web Agent Authentication Failure (41399)
7.9 LIBPATH Environment Variable Not Set Properly on AIX (41618)
7.10 Web Agent Not Ignoring Redirect Responses When Session Cookie is Present (41670, 41628)
7.11 Web Agent Ignoring Custom Session Cookie When Authenticating Requests from SAML Affiliate Agent (41728, 41489)
7.12 Web Agent Installer Not Configuring Apache Web Server Instance (41817)
7.13 SiteMinder Not Updating lasttouch column of Session Server Database (41905, 41192)
7.14 "failed forms authentication retry limit" Response from Web Agent (40510)
7.15 Web Agent Handling of NULL Active Response Values from Policy Server (41105, 41050)
7.16 Web Agent Returns a 500 Error (40308, 40874)
7.17 Initialization Failure of iPlanet/SunOne Web Agents (40813, 40439)
7.18 NTLM Authentication or Authorization Failure Returns Incorrect Error Code (41331, 41261)
7.19 NTLM-based Authentication Schemes and IIS 6.0 Web Agents (41361)
7.20 Web Agent Support Affiliate Agent Allows Redirects to URLs in Other Domains (40548, 40851)
7.21 Agent Directing Requests to Target URLs Outside a Valid Cookie Domain
7.22 Web Agent Cookie Provider and Invalid Query Parameter Values (40847, 41103)
7.23 IIS 5.0 Web Agent NTLM Authentication Scheme Failures (40959)
7.24 Web Agent Not Redirecting Users Based on the onReject-Redirect Response (41014)
7.25 POST Data Not Preserved by IIS 5.0 Web Agents (39360, 39074)
7.26 Web Agent Not Displaying Resources When Policy Server Stopped (40028, 39375)
7.27 Web Agent Not Following AllowLocalConfig Settings to Obtain the Agent Identity (40203, 40112)
7.28 Web Agent May Not Process @smheaders During Forms Based Authentication (40287, 40105)
7.29 "failed forms authentication retry limit" Response from Web Agent (40435, 40659)
7.30 Web Agent Fails While Searching Resource and/or Session Caches (40624, 40439)
7.31 Web Agent Exceeds Configured Policy Server Connection Limit (40668, 40297)
7.32 Web Agent Does Not Apply RFC-2047 Wrapping (40346, 40150)
7.33 Web Agent Hosting TARGET URL Substitutes Characters (40561, 40292)
7.34 Web Agent Configured to Logout Will Not Logout (40233)
7.35 Web Agents Using a Custom Forms Authentication Page Incorrectly Redirect Failed Logins (40639, 40442)
7.36 FCC Uses Incorrect Value for IsProtected Call when TARGET Contains an Embedded URL (40110, 39990)
7.37 Web Agent with FCCCompatMode Enabled Allows Redirects to URLs in Other Domains (40504)
7.38 Web Agent Trace File Not Generated When AgentFunc Used (39216)
7.39 NULL Header Value in the Header Response (39389, 39346)
7.40 Domino Web Server Expects User Names as LMBCS Data Types (39721, 39362)
7.41 "Require Cookies" Error Presented Instead of User Challenge After Log Off (39742, 37749)
7.42 logout.fcc Not Logging Out or Redirecting to Target (39743, 39263)
7.43 Domino Agent Not Returning Translated URL Friendly Name (39878, 39790)
7.44 Administrator with Timed-out Session is Not Re-authenticated When Agent is Configured for Impersonation (43095)
7.45 IIS Web Agents Failed on Multi-CPU Systems Running Under Heavy Load (41176)
8.0 Defects Fixed in 6.x QMR 4
8.1 Values Preceding Percent Signs Not Retained in URL String Conversion (39267)
8.2 Cookies with Potentially Harmful Characters (43201)
8.3 LLAWP Process Did Not Restart (44020)
8.4 Agent Logged Local Time Incorrectly (44204)
8.5 Non-standard Port Dropped During Redirect Processing (45490, 45079)
8.6 Exception Thrown During Certificate Authentication (45765, 45688)
8.7 Session Cache Cleared (46048, 45990)
8.8 Password Services Potentially Vulnerable (46107)
8.9 Failure at Startup if LogFileName Parameter Was Not Set (40850)
8.10 User Not Challenged When the OverrideIgnoreExtFilter Parameter Set to a Substring (43106)
8.11 Messages Not Audited (43682)
8.12 Errors When EncryptAgentName Parameter Not Set (44016)
8.13 Idle Session Timeout Limits Not Honored with Unprotected Resources (44046)
8.14 SSO with Reverse Proxy Not Performed (44050)
8.15 Configuration Incorrect in Reverse Proxy Mode (44280)
8.16 Column Not Updated in the Session Server Database (42500)
8.17 Arbitrary HTTP Headers Allowed During Redirect (44923, 44800)
8.18 Failure on Startup When the Session Cache Was Disabled (45009)
8.19 Port Numbers Parsed Correctly (45193)
8.20 Web Agents Did Not Remove Agent Query Data Items (45263)
8.21 Password Services CGI Processing Did Not Handle Requests with Large Password POST Data (45276)
8.22 The Web Agent Appended a Slash Character to the @smerrorpage Directive (45364)
8.23 The Windows-based Installation Kit Supplied Ambiguous Error Messages (45483)
8.24 Domino Web Agent Terminated When a Third-Party Filter Was Loaded (45730)
8.25 POST Preservation Did Not Function with the NTLM Authentication Scheme (46022)
8.26 Two Fields Were Not Shown in the Web Agent Trace Logs (46391)
8.27 Web Agent IPC Communications Are Now More Stable (46608)
8.28 Web Agent Terminated When Processing SMSESSION Cookies (46743)
8.29 POST Preservation Failed (46878, 45495)
8.30 Failures that Resulted from Interaction between Agents (46981, 46834)
8.31 Web Agent Logoff Did Not Function Properly with TransactionMinder (46984, 46213)
8.32 Web Agent Added an Extra Character During Federation Processing (47019)
8.33 Web Agent Did Not Remove SiteMinder Aplication Data from the URL (46904, 47411)
8.34 The String in a Target URL Was Truncated (46915)
8.35 Domino Web Agent Failed to Access View Resources Redirected by FCC (46961)
8.36 Web Agent Failed to Start Up (47418)
8.37 Web Agent Failed to Handle Custom Anonymous Authentication Schemes (47460)
9.0 Defects Fixed in 6.x QMR 5
9.1 Apache Agent Goes Into Endless Loop When NTML Authentication Fails (41685)
9.2 Web Agent Extracts the First 15 characters from the CustomIpHeader, Opening a Security Risk (42848)
9.3 Cookie Provider Allows Unauthorized Access (44103)
9.4 Problems with User Initiated Password Change When SecureUrls Are Enabled (46054)
9.5 Web Agent Gives Cookie Error After Session Timeout Occurs (46239)
9.6 Provide SSO Support for Non-browser Clients (46779)
9.7 Customer Requests That the Agent Not Update the SMSESSION Cookie for Certain URLs (47064)
9.8 Errors Occur Due to Attempts to Backup Non-existent Directories (47175)
9.9 Cookie Provider and Credential Collector Cannot Be in the Same Domain (47225)
9.10 User Not Authenticated When Providing Valid Credentials on the SMRETRIES + 1 Attempt (47301)
9.11 Memory Leak Related to Post Data (47363)
9.12 Compatibility Issues Between Web Agent and Secure Proxy Server Component of TransactionMinder (47492)
9.13 OnAuthAttempt Rules Do Not Fire When Directly Accessing a Protected Resource (47513)
9.14 Web Agent Does Not Log username with Invalid Login Attempt and fcccompatmode=NO (47572)
9.15 User Re-Challenged with login.fcc Rather Than Custom Forms login.html (47935)
9.16 Users Not Authenticated Properly When Web Agent Installed on Same Machine as Windows Domain Controller (48057)
9.17 Web Agent Configuration Wizard Shows the Incorrect Domino Version (48085)
9.18 Domino Web Agent Not Properly Stripping SiteMinder Query Parameters (48113)
9.19 Cannot Resolve Agent Name When Default Ports Are Added to the Hostname (48258)
9.20 Web Agent Not Displaying Password Change Confirmation Page (48313)
9.21 Domino Web Agent Not Handling Accented Characters in Usernames Properly (48364)
9.22 Domino Web Agent Returning a URL Resolution Error (48560)
9.23 Agent Framework Response Manager Does Not Always Allow All Configured Plug-ins to Process Policy Server Responses (48706)
9.24 Memory Growth/Leak HTTPD Child Process, Which Will Result in Crash When VM Size Gets Over 3.1 GB (48844)
9.25 SAML 2.0/1.1 Not Working with Win2K3/IIS 6.0 Web Agent (48858)
9.26 Erroneous Apache Error Log Message "CSmSem::getSem - Path is empty or not defined" (48897)
9.27 "500 Internal Server" Error Encountered When User Accesses Protected Resource (51508)
9.28 Web Agent Seg Faults When Request Is Made for File with .ccc Extension (51518)
9.29 nete_wa_env.sh Contains Two Invalid Paths: ${NETE_WA_ROOT}/lib and ${NETA_WA_ROOT}/bin/thirdparty (51532)
9.30 Agent Trace Logs Display Incorrect URL in Cookie Provider Logs (51621)
9.31 x509 Certificate Step Up Authentication Does Not Redirect Properly (51664)
9.32 Request to Redirect to the Cookie Provider When Accessing an Unprotected Resource (51826)
9.33 Web Agent Configuration Tool Flaw When Attempting to Configure Web Instances (51872)
9.34 On Refreshing a Session, Authorization of User Comes from Policy Server Instead of Cache (51939)
9.35 Failure To Get High Performance Counter (52001)
9.36 Framework Web Agent on Windows Crashes Due to Stack Overflow (52028)
9.37 Framework Web Agent Should Not Allow A Re-direct to Cookie Provider on POST (52208)
9.38 IIS 6.0 Agent Not Always Setting the P3P Header When P3PCompactPolicy is set to YES in the ACO (52222, 51736)
9.39 Issue with Retrieval of SSL Certificates (52341)
9.40 Framework Agents Do Not "URL encode" SMSESSION Query Parameter (52342)
9.41 User Is Not Presented with Change Password Screen (52351)
9.42 SiteMinder Agent API Function Failure Results in Error Message (52812)
9.43 Issue with Apache Handling of % Character (52884)
9.44 Validation Failure Causes 'UseSessionForAnonymous' Flag to Become Enabled (52890)
9.45 Value of SaveCredsTimeout Parameter Does Not Display Properly in the Log File (52906)
9.46 Forms Authentication Post to an HTML Does Not Work When LegacyEncoding=no (53131)
9.47 FCCCompatMode=YES Causes SMTRYNO Cookie To Not Be Set Correctly (53260)
9.48 When an IIS 6.0 Web Agent on Windows 2003 Does a Reverse DNS Lookup of IP Address, It Gets a NetBIOS Server Name Back (52944)
9.49 Password Services Does Not Recognize PasswordServicesZH-CN.properties and PasswordServicesZH-TW.properties Files (53007)
9.50 Ensure isProtected Uses ServerErrorFile in the Event the Agent is Not Able to Communicate with Policy Server (53017)
9.51 Customer Requests That IIS 6.0 Web Agent Enter Information into IIS Web Server Log (53205, 46164)
9.52 Agent Installation Fails When X11 Is Not Installed on SUSE 8 (53281)
9.53 Web Agent Trace Log Message Are Not Being Written to the Log FIle (53393)
9.54 Re-architected IIS 6.0 Web Agents Are Missing @loginonget (53529)
9.55 IPlanet Web Server Crashes When EnableWebAgent=NO (53541)
9.56 IIS 6.0 Web Agent Starts Processing Transactions Before It Has Received Its Keys (53618, 52972)
9.57 "Unknown SiteMinder Web Agent" is Displayed When SPS Agent is Being Run (53729)
9.58 IBM HTTP Server 1.3.28.1 on AIX 5.2 Is Not Able to Startup When EnableWebAgent=NO (53883)
9.59 Web Server Throwing "500" Error On APS "OnAccessAccept" Rule (53964)
9.60 Trace Delimiter Parameter in the Web Agent Configuration Is Spelled Incorrectly in the Default ACO (53974)
9.61 Federation Logging Incomplete after Upgrade (54040)
9.62 Web Agents Crash on Shutdown in Some Situations (54064)
9.63 SPS Creates SMSESSION Cookie for 36 Years When PersistentCookies=YES in the AgentConfigObject (54071)
9.64 Missing ServerPath in WebAgent.conf Causes 500 Error for IIS 6.0 Agent on the First Request (54126)
9.65 OverlookSessionForUrls is Misspelled as OverlookSessionForUrl in Agent Log File (54128)
9.66 Requested Resource Is Not Displayed When TargetAsRelativeURI and FccCompatMode are Both Set to YES (54157)
9.67 Redirecting to Cookie Provider Causes Authentication Failure (54158, 52785)
9.68 When Using DynamicRetries.fcc, the Password Policy Templates Do Not Display (54232)
9.69 RECURRING Cookie Not Set Properly When Using the @SMSAVE Directive in the login.fcc (54250)
9.70 Web Agent Fails to Process StepUp CertOrForm Correctly (54313)
9.71 RedHat 3.0 Advanced Server Web Agent Fails to Install (54535)
9.72 SunOne 6.1 SP4 Fails to Start with Web Agent 6 QMR 4 on AIX 5.3 Platform (54650)
9.73 Choosing "Abort the UPGRADE" While Doing Console Mode Installation on UNIX Continues to Install Instead of Aborting (54651)
9.74 Logon_User Failed for Specified User on IIS 6.0 Framework Agent (54675)
9.75 SMDOMINODATA Cookie Is Not Set Securely When UseSecureCookies = "YES" (54703)
9.76 When Resources Protected by Domino Web Server Are Accessed, Server Rechallenges for User Credentials (54917)
9.77 Expiry Time for SMIDENTITY Cookie Created Shows Wrong Value (54968)
9.78 Popsession.fcc Does Not Pop the Session When Accessed Directly from URL (55013)
9.79 IIS 6.0 Agent Strips First "?" from URI on 'IsProtected' Call by .FCC or .NTC (55306, 54794)
9.80 Form-based Authentication Scheme Is Not Working on Domino Web Server (55599)
9.81 Web Agent Deletes the SMSESSION Cookie Once the Idle Timeout Has Been Deleted (56299)
9.82 Web Agents Are Leaking Memory (56338)
9.83 Dynamic Web Agent Configuration Changes Do Not Occur (56559)
10.0 Known Issues for Web Agent 6.x QMR 5
10.1 Agent Installation Does Not Terminate When there is Insufficient Disk Space (26152)
10.2 When Accessing Protected Resources, the Domino Server Crashes and Generates an NSD (43913)
10.3 Oracle HTTP 10.1.3.0.0 (Apache 2.x) on AIX 5.3 - WebServer Fails to Stop Using opmnctl stopall (54628)
10.4 Oracle 10.1.3.0.0 (Apache 2.x) on AIX 5.3 - On Accessing Protected Resource, an Error Encountered (54654)
10.5 Red Hat Apache 2.0.52 Installed on Linux 4.0 Fails to Load Agent Module (55914)
10.6 Multiple obj.conf Files and nete-wa-config (18615, 56424)
Welcome to CA eTrust SiteMinder Web Agent. This file contains product installation considerations, operating system support, known issues, and information about contacting CA Technical Support.
For a list of supported platforms:
Note: Some platforms supported in previous releases may no longer be supported.
For a list of system requirements, see the CA eTrust SiteMinder Web Agent Installation Guide.
SiteMinder requires the use of JDK/JRE 1.5.0_01 or later, but note the following caveats:
This issue is a result of a Sun Microsystems bug. Refer to Sun bug number 6399321.
JDK 1.5.0_05 causes ServletExec to crash on dual processor machines.
When you run the Web Agent Configuration Wizard on an Apache Web Server running HPUX 11i, the Wizard checks for the linker and loader cumulative patch PHSS_26560. For loader versions higher than B.11.32, the Wizard displays an error message that the patch is missing; however, the patch is not required. This patch is only required when the ld and libdld versions are less than B.11.32.
More information about patch PHSS_26560 can be found at the HP web site.
Problem: The IIS 6.0 Agent does not protect requests handled by third-party ISAPI filters installed on the same Web server.
If third-party filters are listed before the SiteMinder Web Agent ISAPI filter in the ISAPI filters list, the third-party may alter the URL before it is passed to the Web Agent, causing the Web Agent to consider the URL unprotected. The Agent will then not perform processing on the resource.
Resolution: Place the siteminderagent ISAPI filter before any third-party filter so that the Web Agent can perform any processing on the request before a third-party does any processing.
To change the filter order:
Problem: If a certificate or forms authentication scheme is configured with an alternate FCC URL, the Web Agent does not redirect to the alternate FCC for log-in if a certificate is not presented.
Resolution: The Web Agent now checks for an alternate FCC.
Problem: When the Apache 2.0 Web Agent is configured to have full URLs (not URIs) for the CSSErrorPage and ServerErrorPage parameters, it takes the URIs from these URLs and adds them to the IgnoreUrl parameter.
Resolution: The Web Agent is working as designed. The CSSErrorFile, ServerErrorFile, and ReqCookieErrorFile parameter values get added to the IgnoreUrl list purposely because if one of these errors occurs, the requested URL can be accessed without the Web Agent making authentication and authorization calls for these error URLs.
Problem: If the configured authentication scheme invokes CGI password Services, the password is sent in clear text to the pws.fcc file.
Resolution: The PWLogin.template file has been updated.
Problem: The value of the DefaultPassword parameter is being written to the log file for Web Agents installed on IIS 6.0 Web Server platforms.
Resolution: The password is no longer being logged.
Problem: The IIS 6.0 Web Agent may cause the IIS 6.0 worker process to crash during a LogonUser attempt. This typically occurs when the SiteMinder WinNT directory used to authenticate the user has the Run in Authenticated User's Security Context option checked.
Resolution: This is no longer a problem.
Problem: The Web Agent installed on an IIS 6.0 Web Server platform was displaying the message, "The page cannot be displayed" if the URL had a space or was encoded with the character %20:
Resolution: This is no longer a problem. The page displays.
Problem: When Passport Authentication is configured for a Web Agent on an IIS 6.0 Web server, the Agent does not redirect users to the Passport challenge URL.
Resolution: Users are now redirected correctly to the Passport challenge URL.
Problem: The Web Agent requests an SMIDENTITY cookie from the SiteMinder cookie provider even though user tracking is disabled in the global settings of the Policy Server User Interface.
Resolution: When user tracking is disabled, the Web Agent no longer requests the SMIDENTITY cookie.
Problem: If the UseSessionForAnonymous parameter is set to yes and the Web Agent fails to validate a session for an authenticated user, the anonymous user context is used for that user's request to access anonymous realms and for subsequent requests.
Resolution: The proper user context is now being used for authenticated users when accessing anonymous realms.
Problem: IIS 5.0 Web Agent requires the SmCredCache.sys driver when the Web Agent is configured to use proxy user account.
Resolution: SmCredCache.sys is no longer needed.
Problem: If a user enters an incorrect ID or password when accessing a resource protected by the Cert and Basic authentication scheme, the Web Agent returns a 403 error instead of re-prompting user to enter basic credentials.
Resolution: The Web Agent now reprompts the user if incorrect credentials are entered.
Problem: For Sun ONE or Apache Web Servers on UNIX platforms, Web Agent child processes are intermittently crashing under heavy concurrent traffic loads.
Resolution: This is no longer a problem.
Problem: If a resource is protected with the Cert or Basic authentication scheme, the Web Agent does not authenticate the user with the basic credentials after the certificate credentials fail.
Resolution: The Web Agent is now accepting username and password to authenticate a user if certificate credentials fail.
Problem: The Web Agent fails when it cannot read the trace.conf file.
Resolution: This is no longer a problem.
Problem: The Domino Web Agent corrupts the userDN and causes single sign-on failures when multiple Web Agents are installed in one environment.
Resolution: The Domino Web Agent can process single sign-on requests in a configuration of multiple Web Agents.
Problem: If the Web Agent parameter ForceFQHost is set to yes, and a user requests a Notes document, the Domino Web Agent passes a standard URL to the Notes server instead of passing the URL containing the document's Domino UNID unique identifier (UNID).
Resolution: The Domino Web Agent now passes the Domino UNID for a Notes resource request when the ForceFQHost parameter is enabled.
Problem: The IIS 6.0 Web Agent does not protect requests handled by WebSphere 5.0 or ServletExec 5.0 plug-ins installed on the same Web server.
Resolution: This is no longer a problem, but there are some restrictions regarding this issue.
The IIS 6.0 Web Agent consists of an ISAPI filter and an ISAPI extension. The majority of Web Agent processing occurs in the extension, following Microsoft IIS development guidelines.
These guidelines specify that for the IIS 6.0 Web server, the ISAPI filters should be used for filtering requests and the ISAPI extensions should be used to process and/or redirect requests.
When the Web Agent is installed on an IIS 6.0 Web Server, the Agent has the following restrictions:
Problem: The IIS 5.0 Web server challenges users when the Agent parameter SetRemoteuser is enabled and users try accessing a realm protected by the NTLM authentication scheme.
Resolution: The IIS 5.0 no longer challenges users in this scenario.
Problem: If a user is accessing a resource protected by the Passport authentication scheme, the IIS Web Agent is not URL-encoding the ReturnURL parameter before redirecting the user to the Microsoft Passport site.
Resolution: The Web Agent is now properly encoding the ReturnURL parameter.
Problem: The IIS 6.0 Web Agent does not preserve header values when the PreserveHeaders parameter is set to yes.
Resolution: The Agent is now preserving headers when configured to do so.
Problem: The Apache Web Agent on a Linux system produces child process segment faults under load.
Resolution: The Apache Web Agent is no longer generating segment faults when there is a heavy traffic load.
Problem: A Web Agent installed at a producer site in a SiteMinder federated network does not return more than 2K of response data to the 4.x Affiliate Agent at a consumer site.
Resolution: This response data limitation is no longer an issue.
Problem: The Web Agent fails to notify the cookie provider if an OnAuthRedirect response is configured. This issue affects Web Agents on all Web server platforms except IIS 6.0.
Resolution: The Web Agent now notifies the cookie provider when the OnAuthRedirect response is set.
Problem: For Sun ONE and Apache Agents on UNIX systems, setting the FCCCompatMode parameter to no causes the Web Agent to return log-in failures with the message "failed to resolve realm."
Resolution: The Agent no longer returns log-in failure messages.
Problem: For Agents on all Web servers except IIS 6.0, the Agent returns an error with the following configuration:
Resolution: This configuration no longer generates errors.
Problem: The Web Agent installed on an IIS 6.0 Web server has a size limit of 2.5 MB for uploading files.
Resolution: To upload files that are larger than this limit, do the following:
The value of this key overrides the default limit. If the value of this key is less than or equal to 0, then the default of 2.5 MB will be used.
Note: The IIS 6.0 Web server has its own size limit. Changing the Web Agent's limit will not affect the IIS 6.0 limit. If you want to change the IIS 6.0 server's limit, refer to Microsoft IIS 6.0 documentation.
Problem: The Web Agent fails to provide single sign-on if a user goes from a realm with a session idle time greater than 0 to a realm with a session idle time equal to 0. This affects Agents for all Web servers except 6.0.
Resolution: Single sign-on is now maintained as the user travels across realms with different session idle times.
Problem: The Safeword authentication scheme does not work with multiple Safeword authenticators.
Resolution: This is no longer a problem.
Problem: The forms credential collector (FCC) does not include the domain if the TARGET value is a relative URI. This issue affects Web Agents on all Web servers except IIS 6.0
Resolution: The FCC now includes the domain for relative URIs.
Problem: The IIS 6.0 Web Agent is unable to resolve the Agent name.
Resolution: The IIS 6.0 Web Agent can now resolve the Agent name.
Problem: The Domino Web server logs improper calls to DSAPI setHeader function when the Web Agent is installed.
Resolution: The Domino Web server is no longer logging improper calls.
Problem: When resources are protected with multi-protection level SecurID authentication schemes, a higher level resource cannot be accessed in the same browser session in which a lower-level resource has been previously accessed.
Resolution: Resources at the higher protection level can now be accessed.
Problem: When a user tries to access a resource for the first time and the resource is protected by the SecurID authentication scheme, the Web Agent fails to return a new PIN selection form when the user is in Password Enabled, Change required mode or Passcode Enabled, new PIN mode.
Resolution: The Web Agent now presents the new PIN selection form.
Problem: 6.x Web Agents redirect to the cookie provider on GET and POST actions, whereas 4.x Web Agents redirect the cookie provider only on GET actions. This functional difference causes upgrade issues when applications that require cookie provider support for GET actions and Web services responding to POST actions are installed on IIS virtual servers.
Resolution: All 6.x Web Agents, except IIS 6.0 and Apache 2.0, have been modified to redirect to the cookie provider only for GET actions. New and rearchitected Agents, such as the IIS 6.0 and Apache 2.0 continue to redirect to the cookie provider for GET and POST actions so Web Agents can support POST preservation when a cookie provider is enabled.
Note: In order for POST preservation to work when a cookie provider is enabled on a Framework Agent, the cookie provider must also be a framework agent. When a Framework Agent redirects to a cookie provider configured on a traditional Agent (such as iPlanet), the redirected request will become a GET and fail.
Web service applications or any custom application that cannot interpret 302 redirects should be configured separately from applications requiring multi-cookie domain single sign-on. Clients using Web services should consider moving these applications to servers separate from their other applications that require multi-cookie domain single sign-on.
Problem: The Web Agent does not deliver Perl resources when configured on an Apache 2.0.49 (Prefork) Web server/Linux 2.1 Advanced Server platform.
Resolution: This is no longer a problem.
Problem: The LogAppend and TraceAppend parameters function incorrectly.
Resolution: The LogAppend and TraceAppend functionality has been restored. If the LogAppend or TraceAppend is set to no, the existing log file will be rolled over instead of being overwritten. Ordinal numbers are used instead of timestamps.
Problem: The Web Agent is not serving resources with an .fcc extension.
Resolution: Resources with an .fcc extension are now being presented.
Problem: Web Agent may get into a perpetual loop with the cookie provider if the target Web Agent is configured with a three dot cookie domain.
Resolution: This is no longer an issue.
Problem: The Web Agent and cookie provider enter an infinite redirection loop if the user accesses a resource after the Session Update period expires but before the Session Grace period expires.
The problem affects all Agents except the IIS 6.0 and Apache 2.0 Agents
Resolution: This is no longer an issue.
Problem: When the UseSessionForAnonymous parameter is set to yes, the Agent returns an 00-0010 error when the user visits a resource protected by an anonymous authentication scheme after accessing an unprotected resource.
This problem affects all Agents except the IIS 6.0 and Apache 2.0 Agents.
Resolution: This configuration no longer causes an error.
Problem: The IIS 6.0 Web Agent does not function correctly in an internationalized Windows 2003 environment.
Resolution: The Web Agent can now operate in this environment.
Problem: The Web Agent may allow unchallenged access to a protected resource in a virtual server environment.
Resolution: The Web Agent is now challenging the user due to the addition of the new parameter UseServerRequestIP.
Problem: The IIS 6.0 Web Agent fails if the string in the AgentName parameter contains a space.
Resolution: A space in the AgentName parameter value no longer causes the Web Agent to fail.
Problem: The LLAWP does not exit during Web server shutdown when the Policy Server is not available.
Resolution: This LLAWP now shuts down as it should.
Problem: When the ExpireForProxy parameter is set to yes, the IIS 6.0 Web Agent does not pass the following configured proxy headers to the client:
Resolution: The configured proxy headers are now being passed to the client.
Problem: When an Apache 2.x Web Agent is operating in proxy mode and the ProxyAgent parameter is set to yes, the session cookie is not updated after the first login attempt.
Resolution: The session cookie is now updated.
Problem: Orphaned credential cookies are causing the Web Agent to reprompt users.
Resolution: Users are no longer being reprompted.
Problem: The Web Agent may allow unauthenticated users access to protected resources on virtual Web servers when IP addresses in addition to host names are used to resolve the Agent name.
Resolution: Unauthenticated users are no longer gaining access to protected resources in this configuration due to the addition of the new parameter UseServerRequestIP.
Problem: Single sign-on fails when two disparate policy stores share a common key store.
Resolution: Single sign-on is no longer failing.
Problem: The Web Agent crashes due to corrupted memory in the session cache under certain cache-full conditions.
Resolution: This is no longer a problem.
Problem: The Host Config Object data is missing from debug logs for the IIS 6.0 and Apache 2.0 Web Agents.
Resolution: Host Config Object data is now in the logs.
Problem: Under certain conditions, the value for the TARGET parameter passed to a FCC form or to a Cookie Provider can be broken up into multiple HTTP headers that are returned to the browser.
Resolution: The TARGET parameter is no longer being divided.
Resolution: Host Config Object data is now in the logs.
Problem: The Web server crashes during a POST to the FCC if the SMENC directive in the form contains invalid data.
Resolution: The Web server is no longer failing if the SMENC data is invalid.
Problem: If a resource is protected with forms authentication and the login URL contains a query string, for example, http://machine.domain.com/login.fcc?A=1, there was a problem with the redirect URL if the initial login attempt failed. This affects all Web Agents except IIS 6.0 and Apache 2.0.
Resolution: This is no longer a problem.
Problem: The Apache 2.0 Web Agent on Linux platforms crash under certain session cache full conditions.
Resolution: The Web Agent is no longer crashing.
Problem: The SMUSERMSG cookie is not being set when the SMUSERMSG attribute is sent to a re-architected Web Agent from the Policy Server via the Sm_AgentApi_Login() API call during authentication.
Resolution: The SMUSERMSG cookie is now being set.
Problem: One View Monitor displays version information correctly as "bAg" when using an Apache 2.0 Web Agent on the Linux platform.
Resolution: Version information is now being displayed correctly.
Problem: LogoffURI functionality is not the same as prior Web Agent versions on the IIS 6.0 and the Apache 2.0 Web Agent.
Resolution: LogoffURI is now functioning properly.
Problem: The SMSESSION cookie for the Cookie Provider is not cleared when an IIS 6.0 or Apache 2.0 Web Agent processes the LogoffURI in a different domain than the cookie provider domain.
Resolution: The SMSESSION cookie is now being removed.
Problem: The WebAgentTrace.log file is not showing responses with a percentage (%) in the response value. This affects all Web Agents except the IIS 6.0 and Apache 2.0 Agents.
Resolution: Percentages are now being logged for responses.
Problem: Web Agents do not log the BadUrl characters properly. This affects IIS 6.0 and Apache 2.0 Web Agents.
Resolution: BadUrl characters are now being logged correctly.
Problem: The Web Agent is mismatching URL extensions to FCC, NTC, CCC, SFCC, and SCC lists when parsing a URL.
Resolution: Mismatches are no longer a problem.
Problem: The Web Agent on an IIS 5.0 server consumes Request POST data, making it unavailable for other filters. This affects the IIS 5.0 Web Agent only.
Resolution: There is a new registry setting, ReadPostData, that allows you to modify the default Agent behavior.
To add an ISAPI filter to an IIS 5.0 Web server that needs to access POST data, you need to prevent the Web Agent from consuming the POST data and making it unavailable for other applications.
Note: This filter would be in addition to the Web Agent filter.
To ensure that POST data will be available:
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder Web Agent\Microsoft IIS\
Problem: The IIS 6.0 Web Agent interferes with HTTP_HTTPSSECRETKEYSIZE header variable processing.
Resolution: The IIS 6.0 Agent no longer interferes with the header processing.
Problem: The Web Agent returns a 500 error when accessing the logout.fcc after a user session has timed out or if a user does not have an active session. This affects IIS 6.0 and Apache 2.0 Web Agents.
Resolution: An error is no longer being returned.
Problem: The Web Agent returns a 500 error when accessing the logout.fcc after a user session has timed out or if a user does not have an active session. This affects IIS 6.0 and Apache 2.0 Web Agents.
Resolution: An error is no longer being returned.
Problem: The IIS 6.0 and Apache 2.0 Web Agents fail to perform an exact URL extension match against values in the auto authorize list.
Resolution: These Web Agents now perform an exact URL match.
Problem: The Web Agent installation program was unable to recognize IBM HTTP Server on an AIX platform, causing the installation to fail.
Resolution: The installation can now recognize this platform.
Problem: Upon authenticating a user with the SAML POST profile authentication scheme, the HTTP_SM_AUTHTYPE default header was being set to SAML Artifact.
Resolution: The string for this header has been changed to SAML Assertion to fit either artifact or POST profile authentication.
Problem: The Web Agent will attempt to redirect the request instead of serving the requested page if the Authorization On-Accept-Redirect response contains the value smnoredirect.
Resolution: The Web Agent now ignores the redirect response and serves the requested page.
Note: IIS 6.0 and Apache 2.0 Web Agents do not support the fixed functionality; the requested page is still not displayed.
Problem: The Web Agent fails to rollover log and trace files when the LogApend and TraceAppend parameters are set to No. Instead, the Agent appends data to the existing files. This affects all Web Agents except IIS 6.0 and Apache 2.0.
Resolution: The Agent now rolls over the log and trace files.
Problem: On Sun ONE Web servers, Web Agents configured with the FCCCompatMode parameter set to yes may crash under certain load conditions when a user tries accessing resources protected by forms-based authentication. This affects all Web Agents except IIS 6.0 and Apache 2.0.
Resolution: The Web Agent no longer crashes under these conditions.
Problem: Web Agent logs contain timestamps with unreadable characters if the operating system language is set to Japanese.
Resolution: The timestamp now displays correctly.
Problem: On an Apache 1.x Web server on an AIX platform, the Web server child process crashes during POST preservation if the server is configured with a Web Agent.
Resolution: Do one of the following:
Problem: If the Web Agent is configured with the FCCCompatMode parameter is set to yes, the Agent sends two authentication requests to the Policy Server if the Web server root is protected. This affects all Agents except IIS 6.0 and Apache 2.0.
Resolution: The Agent no longer sends two authentication requests.
Problem: The Web Agent does not reconnect to a Policy Server that has recovered from a failure if that server is behind a proxy firewall. This affects all Web Agents.
Resolution: The Agent now reconnects.
Problem: Under certain conditions, the Web Agent returns the wrong error code due to communication failures and errors with the Policy Server. This affects only the IIS 6.0 and re-architected Apache 2.0 Web Agents.
Resolution: The correct error code is now being returned.
Problem: The "ConformToRFC2047" parameter does not function correctly in the Web Agent. This affects IIS 6.0 and re-architected Apache 2.0 Web Agents.
Resolution: This is no longer a problem.
Problem: The Web Agent does not handle communication failures/errors with a Policy server in single server/cluster configuration. This affects all Web Agents.
Resolution: This is no longer a problem.
Problem: Web Agent on IIS 5 fails to start up with gflags setting enabled with the "/full" flag. This affects the IIS 5.0 Web Agent only.
Resolution: This is no longer a problem.
Problem: On a system with multiple Web server instances configured with Web Agents, when installing a new Agent on a new Web server instance in GUI or console mode, the existing Agent(s) are uninstalled if instances are unchecked. This affects the IPlanet/SunOne Web Agents only.
Resolution: This is no longer a problem.
Problem: The Web Agent installer does not indicate properly that it is necessary to enter a specific configuration path when the version of the Apache Web Server being configured is undetectable. This affects the re-architected Apache 2.0 Web Agents only.
Resolution: This is no longer a problem.
Problem: A Web Agent fails authentication for Basic for SSL, Cert or Basic, Cert and Basic, Cert or Basic over SSL authentication schemes. This affects IIS 6.0 and re-architected Apache 2.0 Web Agents.
Resolution: This is no longer a problem.
Problem: The Web Agent installer does not set the LIBPATH environment variable correctly during installation on the AIX platform. This affects the iPlanet/SunOne Web Agents on the AIX platform only.
Resolution: This is no longer a problem.
Problem: The Web Agent does not ignore redirect responses in the presence of a session cookie. This affects IIS 6.0 and re-architected Apache 2.0 Web Agents.
Resolution: This is no longer a problem.
Problem: The Web Agent ignores custom session cookie when authenticating requests from the SAML Affiliate Agent. This affects all the Agents except IIS 6.0 and re-architected Apache 2.0 Agents.
Resolution: This is no longer a problem.
Problem: The Web Agent installer does not fully configure an Apache Web Server instance during installation. This affects the re-architected Apache 2.0 Web Agents only.
Resolution: This is no longer a problem.
Problem: SireMinder does not update the lasttouch column in the ss_sessionspec4 table of the Session Server database on second access of resources through a Web Agent. This affects all of the Agents except IIS 6.0 and re-architected Apache 2.0 Agents.
Resolution: This is no longer a problem.
Problem: The Web Agent "failed forms authentication retry limit" that is, @smretries was off by one if the Web Agent was configured to be compatible with 4.x Web Agents. This affects all the Agents except IIS 6.0 and re-architected Apache 2.0 Agents.
Resolution: This is no longer a problem.
Problem: The Web Agent does not handle NULL active response values from the Policy Server correctly. This affects IIS 6.0 and re-architected Apache 2.0 Web Agents only.
Resolution: This is no longer a problem.
Problem: Under certain conditions, a failed login attempt using forms authentication leads to the Web Agent returning a 500 error. This affects all Agents except the IIS 6.0 and re-architected Apache 2.0 Web Agents.
Resolution: This is no longer a problem.
Problem: Under certain conditions, the Web Agent fails to initialize correctly under load. This affects the iPlanet/SunOne Web Agents only.
Resolution: This is no longer a problem.
Problem: Failed NTLM authentications or authorizations causes the Web Agent to return error code 403 instead of 401. This affects all Agents except the IIS 6.0 and re-architected Apache 2.0 Web Agents.
Resolution: This is no longer a problem.
Problem: NTLM-based authentication schemes do not function correctly in IIS 6.0 Web Agents.
Resolution: This is no longer a problem.
Problem: Web Agent providing portal support for the Affiliate Agent allows redirects to target URLs in other domains. This affects all Web Agents on all platforms.
Resolution: This is no longer a problem.
Problem: Cookie credential collector (CCC) redirecting to target URLs in other domains.
Resolution: A Web Agent configuration parameter named ValidTargetDomain has been added to the Web Agent configuration. If you configure this parameter with one or more domains, the target domain is compared against each of the configured values to ensure valid redirection. If you do not configure this parameter, then the cookie credential collector redirects to target URLs in other domains.
Problem: The Web Agent cookie provider does not function correctly with invalid query parameter values. This affects all Agents except the IIS 6.0 and re-architected Apache 2.0 Web Agents.
Resolution: This is no longer a problem.
Problem: The Web Agent fails authentication for an NTLM Authentication Scheme with TransientIDCookies and TransientIPCheck set to "YES".
Resolution: This is no longer a problem.
Problem: The Web Agent does not redirect user-based on the onReject-Redirect response. This affects IIS 6.0 and re-architected Apache 2.0 Web Agents only.
Resolution: This is no longer a problem.
Problem: POST data is not preserved by IIS 5.0 Web Agents when the NTLM Authentication Scheme is used when the Web Agent is not configured to be compatible with 4.x Web Agents. This affects the IIS 5.0 Web Agents only.
Resolution: This is no longer a problem.
Problem: The Web Agent was unable to display the resource specified in the ServerErrorFile when the Policy Server was stopped if that resource is handled by policies on the stopped Policy Server. This affects the IIS 6.0 and re-architected Apache 2.0 Agents only.
Resolution: This is no longer a problem.
Problem: The Web Agent is obtaining the Agent Identity from both the Agent configuration object on the Policy Server as well as the WebAgent.conf file regardless of whether the attribute AllowLocalConfig is set to "YES" or "NO". This affects all the Agents except IIS 6.0 and re-architected Apache 2.0 Agents.
Resolution: This is no longer a problem.
Problem: The Web Agent may fail to process @smheaders during forms based authentication due to inconsistency of HTTP Header names used by different browsers and Web servers. This problem occurs when using a browser that uses HTTP Headers containing underscore or hyphens (i.e., USER_AGENT or USER-AGENT) and the Web Server uses the other. This affects all Web Agents on all platforms.
Problem: The Web Agent "failed forms authentication retry limit" (i.e., @smretries) was off by one if the Web Agent was not configured to be compatible with 4.x Web Agents. This affects all the Agents except IIS 6.0 and re-architected Apache 2.0 Agents.
Resolution: This is no longer a problem.
Problem: Under certain conditions the Web Agent fails during searches in the resource and/or session cache(s). This affects all the Agents except IIS 6.0 and re-architected Apache 2.0 Agents.
Resolution: This is no longer a problem.
Problem: Under certain conditions the Web Agent attempts to open a greater number of connections to the policy server than the quantity configured. This affects all the Agents except IIS 6.0 and re-architected Apache 2.0 Agents.
Resolution: This is no longer a problem.
Problem: The Web Agent would fail to apply RFC-2047 wrapping when the HTTP Header value being encoded was only a single character long. Values longer than a single character were encoded correctly in the HTTP Header. This affects the IIS 6.0 and re-architected Apache 2.0 Agents only.
Resolution: This is no longer a problem.
Problem: A Web Agent hosting TARGET URL incorrectly substitutes the first ampersand (&) with a question mark (?) on returning from the cookie provider. This affects all the Agents except IIS 6.0 and re-architected Apache 2.0 Agents.
Resolution: This is no longer a problem.
Problem: Under certain conditions, the Web Agent configured to use logout.fcc will not log out the user and may cause the Web server to crash. This affects all the Agents except IIS 6.0 and re-architected Apache 2.0 Agents.
Resolution: This is no longer a problem.
Problem: Web Agents configured to use a custom forms authentication page (for example, login.asp) redirect failed logins to the default form (such as login.fcc) instead of the custom form configured in the policy server authentication scheme). This affects all the Agents except IIS 6.0 and re-architected Apache 2.0 Agents.
Resolution: This is no longer a problem.
Problem: When accessing a protected resource where the URL contains a query string that also contains an embedded URL, forms-based authentication may fail. The Agent tries to determine if the embedded URL is protected instead of trying to determine if the actual target URL is protected. This affects all Web Agents on all platforms.
Resolution: This is no longer a problem.
Problem: A Web Agent configured with the FCCCompatMode parameter enabled (and configured to be compatible with 4.x Web Agents) allows redirects to target URLs in other domains. This affects all Web Agents on all platforms.
Resolution: This is no longer a problem.
Problem: Web Agent trace file does not get generated if "AgentFunc" is used as a trace file configuration component. This change affects all Web Agents.
Resolution: This is no longer a problem.
Problem: Web Agent cannot handle a null header value in the header response. This change affects all Web Agents except the IIS 6.0 and re-architected Apache 2.0 Agents.
Resolution: This is no longer a problem.
Problem: The Domino Web server expects the user name passed by the Web Agent for server authentication to be in LMBCS (Lotus Multi Byte Character Set) data type. With this fix, the Agent now converts the username to the LMBCS data type. This change affects the Domino Web Agents only.
Resolution: This is no longer a problem.
Note: Due to known issues with the Domino Web server on the AIX platform, it is not recommended to upgrade the Domino Web Agent on the AIX platform with this CR.
Problem: If a resource is re-accessed after the session has been logged off, the Web Agent presents "Require Cookies" error instead of re-challenging the user with a basic authentication challenge. This affects IIS 6.0 and re-architected Apache 2.0 Agents only.
Resolution: This is no longer a problem.
Problem: Web Agent logout.fcc is not logging session out or redirecting to the target. If a resource is accessed after logging out using logout.fcc the same resource will get served without a challenge. This affects IIS 6.0 and re-architected Apache 2.0 Agents only.
Resolution: This is no longer a problem.
Problem: A Web Agent would use the Domino server convention, using server aliases to identify objects in the Agent Target parameter instead of actual mapped object name. This change affects the Domino Web Agents only.
Resolution: This is no longer a problem.
Problem: Web Agent configured for Agent impersonation does not re-authenticate an administrator with a timed-out session. Users see an unauthorized page, which states that credentials are not valid.
Resolution: This is no longer a problem.
Problem: For Windows 2000 and 2003 Web Agents running on multi-CPU systems under high concurrent load, an intermittent stability issue caused the IIS Web Server to fail. This issue was caused by the Microsoft compiler libraries used to create the Web Agent software.
Resolution: Installing 6.x QMR 3 fixes this issue, as it upgrades the Microsoft compiler libraries from 6.0 to 7.1.
Important! We recommend that you do not run the Web Agent and Policy Server on the same machine.
Problem: The Web Agent cookie provider did not retain all values preceding a percent sign (%) in URL string conversions.
Note: This defect affected all Web Agents.
Resolution: The Web Agent is now converting correctly.
Problem: Web Agent generated cookies, such as SMSESSION, contained harmful characters, such as "=", that were blocked during IIS 6.0 URL validation.
Note: This defect affected Apache 2.0 Agents.
Resolution: This is no longer an issue.
Problem: When the Web Agent entered a state where the LLAWP process shut down, the LLAWP could not be restarted. If the Web server worker process existed, but no LLAWP process was running to service requests, Agent management events and log messages were blocked. The Web server worker process failed to roll keys and entered a deadlock.
Note: This issue occurred by a LLAWP failure in the IIS 6.0 and Apache 2.0 Agents.
Resolution: The LLAWP process is now restarting as expected.
Problem: The Web Agent incorrectly logged local time even if the LogLocalTime parameter was set to No in the AgentConfig Object.
Note: This issue affected the IIS 6.0 and Apache 2.0 Agents.
Resolution: The Web Agent now logs local time correctly.
Problem: When the Web server was running on a non-standard port, the Web Agent dropped the port when constructing the target on the redirect to the cookie provider. In addition, the Web Agent had the TargetAsRelativeUri parameter enabled.
Note: This issue affected all Agents except IIS 6.0 and Apache 2.0 Agents.
Resolution: This is no longer an issue.
Problem: A Web Agent performing certificate authentication with POST data threw a second-chance exception and failed.
Note: This issue affected the IIS 6.0 and Apache 2.0 Agents.
Resolution: This is no longer an issue.
Problem: A Web Agent was improperly flushing the user cache for all realms when the Agent received the flush specific realm command from the Policy Server.
Note: The issue affected Apache 1.x and Sun Java System (IPlanet/SunOne) Web Agents on UNIX platforms.
Resolution: This issue is fixed so that only the specified realm's user cache is flushed.
Problem: Web Agent password services CGI processing (smpwservicescgi) was potentially vulnerable to a CSS attack on POST.
Note: This issue affected all Web Agents.
Resolution: This is no longer an issue.
Problem: The Web Agent failed to start if you did not specify the LogFileName configuration parameter.
Note: This issue affected all Web Agents except IIS 6.0 and Apache 2.0 Agents.
Resolution: The Web Agent starts successfully if you leave the LogFileName parameter blank.
Problem: The Web Agent did not challenge a user for credentials when the OverrideIgnoreExtFilter configuration parameter was set to a substring of the URL used to access the resource.
Note: This issue affected IIS 6.0 and Apache 2.0 Agents only.
Resolution: This issue is fixed and the user is now challenged for credentials.
Problem: SiteMinder did not audit any Agent authentication or authorization messages if you set EnableAuditing to YES and enabled Web Agent caching.
Note: This issue affected IIS 6.0 and Apache 2.0 Agents only.
Resolution: This is no longer an issue.
Problem: A Web Agent configured with the EncryptAgentName parameter set to No produced Web server HTTP 500 errors.
Note: This issue affected all Web Agents except IIS 6.0 Agent and Apache 2.0 Agents.
Resolution: This is no longer an issue and the Web server starts successfully.
Problem: The Web Agent did not update the SMSESSION cookie or create a Proxy Session cookie when requesting a non-protected page. The Agent also did not honor idle session timeout limits with unprotected resources.
Note: This issue affected IIS 6.0 and Apache 2.0 Agents only.
Resolution: This is no longer an issue.
Problem: A Web Agent configured in conjunction with a secure proxy or a reverse proxy Web Agent did not perform SSO.
Note: This issue affected IIS 6.0 and Apache 2.0 Agents only.
Resolution: This is no longer an issue.
Problem: The Web Agent attached multiple Identity/Session cookies to an inbound request. Also, the Web Agent incorrectly handled the SMSESSION cookie when it was configured in reverse proxy mode with ProxyAgent=YES.
Note: This issue affected IIS 6.0 and Apache 2.0 Agents only.
Resolution: This is no longer an issue.
Problem: SiteMinder did not update the ss_sessionspec4 table's lasttouch column in the Session Server database on second access of a resource through a Web Agent.
Note: This issue affected Sun Java Systems and Apache 1.x Agents on all UNIX platforms.
Resolution: This is no longer an issue.
Problem: The Web Agent allowed users to insert arbitrary HTTP headers during redirect processing.
Note: This issue affected all Web Agents.
Resolution: Users can no longer insert HTTP headers.
Problem: The Web Agent failed to start when the session cache was disabled.
Note: This issue affected Sun Java System and Apache 1.x Web Agents on all UNIX platforms.
Resolution: This is no longer an issue.
Problem: The Agent would not parse the specified port number correctly if you set the Web Agent's HttpPorts parameter.
Note: This issue affected IIS 6.0 and Apache 2.0 Agents only.
Resolution: This is no longer an issue.
Problem: Web Agents did not remove Agent query data items from protected URLs when performing redirects.
Note: This issue affected IIS 6.0 and Apache Agents only.
Resolution: This issue is fixed and data items now removed.
Problem: The Web Agent password services CGI processing did not handle requests with large amounts of POST data (for example 150,000 bytes).
Note: This issue affected all Web Agents.
Resolution: This is no longer an issue and password services can handle such requests.
Problem: The Web Agent appended a slash character to the @smerrorpage directive during redirect processing, which caused an error.
Note: This issue affected IIS 6.0 and Apache 2.0 Agents only.
Resolution: This is no longer an issue.
Problem: The Windows Web Agent installation kit issued ambiguous metabase error messages during an installation failure.
Note: This issue affected the IIS 5.0 and the IIS 6.0 Web Agent installation kits.
Resolution: This issue is fixed. Ambiguous error messages are no longer displayed on installation failure.
Problem: The Web Agent terminated when a third-party filter (libuploaderfilter.dll) was loaded into a Domino Web Server.
Note: This issue affected Domino Web Agents only.
Resolution: This is no longer an issue.
Problem: When the NTLM Authentication Scheme was enabled, POST preservation did not work.
Note: This issue affected IIS 6.0 and Apache 2.0 Agents only.
Resolution: This is no longer an issue.
Problem: The User and UserDN fields were not available in the Web Agent Trace logs when trace logging was enabled.
Note: This issue affected IIS 6.0 and Apache 2.0 Agents only.
Resolution: The missing fields are now in the log.
Problem: Several fixes were required to increase the stability of the Web Agent IPC communications.
Note: This issue affected IIS 6.0 and Apache 2.0 Agents only.
Resolution: This is no longer an issue.
Problem: When processing SMSESSION cookies generated by a custom application, the Web Agent terminated unexpectedly.
Note: This issue affected Apache 2.0 Agents only.
Resolution: The Web Agent now accepts and decrypts the SMSESSION cookies successfully.
Problem: POST preservation failed when the user was re-challenged for credentials (for any reason) and the Web Agent was configured with the FCCCompatMode parameter disabled.
Note: This issue affected all agents except IIS 6.0 and Apache 2.0 Agents.
Resolution: This is no longer an issue.
Problem: When using Forms-based authentication, failures resulting from the interaction between Web Agents with differing clocks were not reported properly.
Note: This issue affected IIS 6.0 and Apache 2.0 Agents only.
Resolution: This is no longer an issue.
Problem: In configurations containing TransactionMinder 5.6, the Web Agent logoff functionality did not perform as expected. The user session was incorrectly validated after logout. This created a problem for configurations using a persistent session store.
Note: This issue affected IIS 6.0 and Apache 2.0 Agents only.
Resolution: This is no longer an issue.
Problem: The Web Agent added an extra "/" character to the beginning of the SMPORTALURL query parameter during federation processing.
Note: This issue affected IIS 6.0 and Apache 2.0 Agents only.
Resolution: This is no longer an issue.
Problem: CSmHttpPlugin::ProcessResource did not properly strip off SiteMinder data from the URL. This applied to the SMSESSION, SMIDENTIFY, and SMLOCALE query parameters.
Note: This issue affected IIS 6.0 and Apache 2.0 Agents only.
Resolution: This is no longer an issue.
Problem: Value-pair parameters following an ampersand (&) were truncated by SiteMinder Password Services (/pwcgi/smpwservices.cgi.exe).
Note: This issue affected all agents.
Resolution: This is no longer an issue.
Problem: The Domino Web Agent translates a view resource to a URL-friendly name. When the request got redirected by FCC, the view name was changed back to the Domino view ID instead of retaining the URL name.
Note: This issue affected Domino agents only.
Resolution: This is no longer an issue. See the CA eTrust SiteMinder Guide for additional information.
Problem: The event viewer application saw a "Failed to initialize the message bus" error when AgentWaitTime was set to a value greater than 20 seconds.
Note: This issue affected IIS 6.0 and Apache 2.0 Agents only.
Resolution: This is no longer an issue.
Problem: The SMSESSION cookie was not being properly created, and the user was not properly redirected.
Note: This issue affected IIS 6.0 and Apache 2.0 Agents only.
Resolution: This is no longer an issue.
Problem: The Apache Web Agent goes into an endless loop when NTML authentication fails and fcccompatmode is set to YES.
Note: This issue affected the re-architected Apache 2.0 agents only.
Resolution: This is no longer an issue.
Problem: A Web Agent extracts the first 15 characters from the CustomIpHeader, opening a security risk in the customer's proxy environment.
Note: This issue affected all Web Agents.
Resolution: This is no longer an issue.
Problem: When a Web Agent is using a cookie provider, if you take the URL of the redirect from the Web Agent log and paste it into a new browser, you will gain access. If you use SecureUrls and paste the URL from the Web server access log into the browser, you will gain access. Windows and Solaris are vulnerable.
Note: This issue affected all Web Agents.
Resolution: This is no longer an issue.
Problem: With the design of user-initiated password change, the functionality does not create an encrypted target / query string, and thus is incompatible with a SecureURLs setting.
Note: This issue affected all Web Agents.
Resolution: This is no longer an issue.
Problem: After session timeout occurs (idle or max timeout is over), on trying to access the resource in same browser session, the Web Agent gives a cookie error instead of challenging the user for credentials.
Note: This issue affected re-architected Apache agents only.
Resolution: This is no longer an issue.
Problem: A request was made to provide SSO support for non-browser clients.
Note: This affects all Web Agents.
Resolution: HTML Form schemes that collect Basic (username and password) credentials can now be configured to authenticate non-browser HTTP clients. These clients can be in the form of Perl scripts, C++, Java programs that have the ability to communicate using the HTTP protocol. This functionality is enabled through the Administration user interface. When enabled, Siteminder will attempt to authenticate using Basic credentials only if they are sent with the initial request as part of the Authorization header. If they are absent, Siteminder will redirect to Forms as normal. If the Basic credentials are present but invalid, Siteminder will return 401 Unauthorized.
Problem: A customer requests that the Agent not update the SMSESSION cookie for certain URLs but that these resources still be protected.
Resolution: Two new agent configuration parameters are introduced: overlooksessionformethods and overlooksessionforurls. By default these parameters will not exist, and there is no default for these parameters. For all requests, the agent will compare the request method (case insensitive compare) to the methods listed in the agent configuration parameter overlooksessionformethods and the request URL (case sensitive compare) to the URLs listed in the agent configuration parameter overlooksessionforurls. This URL should be relative (i.e. /MyDocuments/index.html) as opposed to absolute (i.e. http://fqdn.host/MyDocuments/index.html). If a match is found, the agent will not create a new SESSION cookie or update an existing SESSION cookie nor will it update the cookie provider for that request.
Note: This applies to all web agents.
Problem: During the Web Agent install of SiteMinder 6.0 QMR 3, errors are logged in the installer log file. The errors are the result of the agent installer trying to make a backup of directories which do not exist.
Note: This issue affected all Web Agents.
Resolution: This is no longer an issue.
Problem: Cookie Provider and Form/NTLM Credential Collector cannot be in the same domain.
Note: This issue affected Domino agents only.
Resolution: This is no longer an issue.
Problem: The user is not authenticated when providing valid credentials on the SMRETRIES +1 attempt.
Note: This issue affected all Web Agents.
Resolution: This is no longer an issue.
Problem: iPlanet on Solaris 2.8 and 2.9 are leaking quite heavily when doing DCC Auth with no response.
Note: This issue affected Domino, SunOne, IIS 5.0, and Apache agents only.
Resolution: This is no longer an issue.
Problem: There are compatibility issues between the Web Agent and Secure Proxy Server (SPS) component of TransactionMinder.
Note: This issue affected Framework Agents only.
Resolution: This is no longer an issue.
Problem: OnAuthAttempt Rules do not fire when directly accessing a resource protected with a SAML Auth Scheme on IIS 6.0 (framework agent).
Note: This issue affected all Web Agents.
Resolution: This is no longer an issue.
Problem: The 5x Web Agents do not log the same information for invalid login attempts with fcccompatmode set to NO vs. YES.
Note: This issue affected Framework Agents only.
Resolution: This is no longer an issue.
Problem: When an HTML page posts to an FCC with invalid credentials, the Web Agent re-challenges the user using login.fcc instead of custom forms login.html.
Note: This issue affected Framework Agents only.
Resolution: This is no longer an issue.
Problem: Users are not authenticated properly when a Web Agent is installed on the same machine as the Windows domain controller.
Note: This issue affected IIS 6.0 agents only.
Resolution: This is no longer an issue.
Problem: On trying to configure a Domino 7 Web server with Web Agent 6.x QMR 3, the Web Agent Config Wizard shows the version of Domino as "Lotus Domino 6.0" rather than "Lotus Domino 7.0".
Note: This issue affected Domino agents only.
Resolution: This is no longer an issue.
Problem: Domino Web Agent not properly stripping SiteMinder added query parameters for NTC (NTLM) and SFCC redirects.
Note: This issue affected Domino agents only.
Resolution: This is no longer an issue.
Problem: When a 6.x Web Agent is configured with any Web server that is running on default ports and the Agent Name is listed in the Agent Configuration Object with the default port appended to the hostname, the agent could not resolve the Agent Name.
Note: This issue affected Framework Agents only.
Resolution: This is no longer an issue.
Problem: With a cookie provider, and constructfullpwsvcurl set to YES, the Web Agent does not properly display the password change confirmation page when a password change is required.
Note: This issue affected IIS 6.0 agents only.
Resolution: This is no longer an issue.
Problem: Domino Web Agents are not handling accented characters in usernames properly.
Note: This issue affected Domino agents only.
Resolution: This is no longer an issue.
Problem: Domino Web Agents are returning a URL resolution error when the .nsf file has URLs that contain a '/0' in the URL.
Note: This issue affected Domino agents only.
Resolution: This is no longer an issue.
Problem: The Agent Framework Response manager does not always allow configured plug-ins to process policy server responses.
Note: This issue affected Framework Agents only.
Resolution: This is no longer an issue.
Problem: Memory growth/leak HTTPD child process, which will result in a crash when VM size gets over 3.1 GB.
Note: This issue affected re-architected Apache agents only.
Resolution: This is no longer an issue.
Problem: SAML 2.0/1.1 is not working with Win2K3/IIS 6.0 Web Agent.
Note: This issue affected IIS 6.0 agents only.
Resolution: This is no longer an issue.
Problem: During LLAWP startup, eroneous Apache error log message occurs: CSmSem::getSem - Path is empty or not defined. Attempting to use PWD =
Note: This issue affected re-architected Apache 2.0 agents only.
Resolution: This is no longer an issue.
Problem: Traditional Web Agent gives a "500 Internal Server" error when a user accesses a protected resource using forms authentication and gives the wrong credentials the first time followed either by correct or incorrect credentials the second time with SecureUrls="yes" and EncryptAgentName="yes".
Note: This issue affected IIS 5.0, Domino, Apache 1.3, and IPlanet Web Agents.
Resolution: This is no longer an issue.
Problem: Web Agent abnormally terminates when a request is made for a file with a .ccc extension and information necessary to process a .ccc request is not present and logging or tracing is enabled.
Note: This issue affected Framework Agents only.
Resolution: This is no longer an issue.
Problem: nete_wa_env.sh contains two invalid paths: ${NETE_WA_ROOT}/lib and ${NETA_WA_ROOT}/bin/thirdparty, which are appended to LD_LIBRARY_PATH.
Resolution: This is no longer an issue.
Problem: The agent trace logs now display the correct URL in the cookie provider logs for both SecureURLS=YES and SecureURLS=NO.
Note: This issue affected all Web Agents.
Resolution: This is no longer an issue.
Problem: x509 certificate Step Up Authentication redirects properly when using an onAccess OnReject-Redirect Response.
Note: This issue affected Framework Agents only.
Resolution: This is no longer an issue.
Problem: A request was made to be able to configure IIS 6.0 and re-architected Apache 2.0 agents to redirect the cookie provider when accessing an unprotected resource.
Note: This issue affected Framework Agents only.
Resolution: The configuration parameter "ignorecpfornotprotected" has been added. The default value for this parameter will be "YES". If this parameter is set to "YES", the agent will not redirect to the cookie provider for unprotected resources. If this parameter is set to "NO", the agent will redirect to the cookie provider for unprotected resources.
Problem: The Web Agent configuration tool does not allow you to de-select a Web instance.
Note: This issue affected SunOne and IPlanet Web agents only.
Resolution: This is no longer an issue.
Problem: On refreshing a valid user session, user authorization comes from the Policy Server instead of the cache.
Note: This issue affected the IIS 5.0, Domino, Apache 1.3, and IPlanet Web Agents.
Resolution: This is no longer an issue.
Problem: An error is encountered when trying to get the high performance counter: "[ERROR] Failed to get high performance counter, switching to a regular performance counter."
Note: This issue affected all UNIX Web Agents.
Resolution: This is no longer an issue.
Problem: Due to enhancements made in the common/smerrlog module in the Policy Server, the Web Agent crashes with stack overflow.
Resolution: This is no longer an issue.
Problem: It was suggested that the Framework Web Agent disallow re-directs to the cookie provider on POST.
Note: This issue affected Framework Agents only.
Resolution: A new agent configuration parameter called LegacyCookieProvider has been introduced to control re-direction. It is disabled by default. This parameter should be enabled if the cookie provider is a traditional agent.
If this configuration parameter is set to 'YES', the agent will not go to the cookie provider in case of a POST request even if the cookie needs to be revalidated.
If this configuration parameter does not exist, or is set to 'NO', the agent will redirect to the cookie provider if necessary to revalidate cookie.
Problem: When the ACO parameter P3PCompactPolicy is set to YES, the agent does not always properly return the P3P header. It is returned on requests that result in a 200 response from the Web Server, with exception to the rendering of an fcc file, and does not set the header when a 302 redirect is returned to the client.
Note: This issue affected IIS 6.0 agents only.
Resolution: This is no longer an issue.
Problem: There was an issue with the retrieval of SSL certificates. Third-party SSL accelerators were not working properly in the SiteMinder environment.
Note: This issue affected re-architected Apache agents only.
Resolution: This is no longer an issue.
Problem: When functioning as a cookie provider, the IIS 6.0 Web Agent does not "URL encode" the SMSESSION parameter in URL for the returning redirect.
Note: This issue affected Framework Agents only.
Resolution: This is no longer an issue.
Problem: When Using DynamicRetry with SiteMinder 6.0 QMR 4, the user was never presented with a change password screen.
Note: This issue affected Framework Agents only.
Resolution: This is no longer an issue.
Problem: SiteMinder Agent API function failure results in error message 'Sm_AgentApi_IsProtectedEx returned -1'.
Note: This issue affected Framework Agents only.
Resolution: This is no longer an issue.
Problem: There is an issue with Apache's handling of the % character when Apache is used as a reverse proxy for Outlook Web Access.
Note: This issue affected the re-architected Apache agents only.
Resolution: This is no longer an issue.
Problem: Validation failure causes 'UseSessionForAnonymous' flag to become enabled.
Note: This issue affected the IIS 5.0, Domino, Apache 1.3, and IPlanet agents only.
Resolution: This is no longer an issue.
Problem: The value of the SaveCredsTimeout parameter does not display properly in the log file.
Note: This issue affected the IIS 5.0, Domino, Apache 1.3, and IPlanet agents only.
Resolution: This is no longer an issue.
Problem: URLs are improperly encoded in some circumstances when redirecting to an FCC if LegacyEncoding is not set, resulting in a 500 error.
Note: This issue affected Framework Agents only.
Resolution: This is no longer an issue.
Problem: When FCCCompatMode is set to YES, the SMTRYNO cookie is not set correctly.
Note: This issue affected Framework Agents only.
Resolution: This is no longer an issue.
Problem: During a reverse DNS lookup of IP address of the Win2K3 machine the agent is running on, the gethostbyaddr() call returned the NetBIOS name instead of the host name from DNS when there is no corresponding entry in the hosts file.
Resolution: This is no longer an issue.
Problem: PasswordServicesZH-CN.properties and PasswordServicesZH-TW.properties files are not recognized by Password Services.
Note: This issue affected Domino, Apache 1.3 and IPlanet Web agents running on UNIX.
Resolution: This is no longer an issue.
Problem: Ensure isProtected uses ServerErrorFile in the event the agent is not able to communicate with the Policy Server.
Note: This issue affected Framework Agents only.
Resolution: This change was made.
Problem: A customer is requesting that the IIS 6.0 Web Agent enter the following information into the IIS Web Server log:
Resolution: A new agent configuration parameter "AppendIISServerLog" has been added. By default this parameter is not present. If this parameter is set to "Yes" the agent will log the SiteMinder Transaction ID and the authenticated user name to the IIS Web server log. These code changes also require that Users configure (set) the agent configuration parameter SetRemoteUSer to "Yes"
Note: This applies to the IIS 6.0 agent only.
Problem: When installing the 6qmr4-cr001 Web Agent on a SuSe 8.0 Linux box where X11 (Windows Emulator) was not installed, using the "-i console" option for text mode install, the Installation fails with the error in the agent-install-debug.txt file indicating that the libXp.so.6 shared library could not be found.
Note: This issue applied to all UNIX systems including ZLinux.
Resolution: This is no longer an issue.
Problem: Web agent trace log messages are not being written to the log file, even though the file was properly created.
Note: This issue affected the IIS 6.0 agents only.
Resolution: This is no longer an issue.
Problem: The re-architected IIS 6.0 Web Agents are missing the @loginonget feature.
Note: This issue affected Framework Agents only.
Resolution: This is no longer an issue.
Problem: IPlanet Web server crashes when the Web agent is installed but EnableWebAgent="No".
Note: This issue affected IPlanet agents only.
Resolution: This is no longer an issue.
Problem: The IIS 6.0 Web Agent starts processing transactions before it has received its keys.
Note: This issue affected IIS 6.0 agents only.
Resolution: This is no longer an issue.
Problem: "Unknown SiteMinder Web Agent" is displayed when Secure Proxy Server (SPS) is being run.
Note: This issue affected Secure Proxy Server agents only.
Resolution: This is no longer an issue.
Problem: IBM HTTP Server 1.3.28.1 on AIX 5.2 is not able to startup when EnableWebAgent=NO.
Note: This issue affected Apache 1.3 agents only.
Resolution: This is no longer an issue.
Problem: A problem exists where a Web Server throws a "500" error when an "OnAccessAccept" rule with an Advanced Password Services (APS) active response is set to cache attribute and the user is in "Force Change Password" state.
Note: This issue affected IIS 5.0, Domino, Apache 1.3, and IPlanet Web Agents.
Resolution: This is no longer an issue.
Problem: The smpolicy.smdif files contains a misspelled configuration parameter "TraceDelimeter".
Resolution: This has been changed to "TraceDelimiter."
Problem: The FWS trace log is not logging anything after a certain point on each line. The federation logs are showing only a portion of the SAML Assertion generated or consumed.
Note: This issue affected all Web Agents.
Resolution: This is no longer an issue.
Problem: Web Agents are crashing on shutdown in some situations.
Note: This issue potentially affected all Web agents but was only seen on Apache 2.0 running in prefork (MultiProcess) mode.
Resolution: This is no longer an issue.
Problem: SPS creates a SMSESSION cookie for 36 years when PersistentCookies=YES in the AgentConfigObject. The SMSESSION cookie should be set to expire after 7 days when PersistentCookies is set to YES.
Note: This issue affected Framework Agents only.
Resolution: This is no longer an issue.
Problem: Problems occur during startup and with logging on IIS 6.0 when ServerPath is not specified, such as after an upgrade to 6.0 QMR 4.
Note: This issue affected IIS 6.0 agents only.
Resolution: This is no longer an issue.
Problem: The spelling of OverlookSessionForURLs is incorrect. Should be OverlookSessionForURL.
Note: This issue affected IIS 5.0, Domino, Apache 1.3, and IPlanet agents only.
Resolution: This is no longer an issue.
Problem: The requested resource is not displayed when both TargetAsRelativeURI and FccCompatMode are set to Yes and the FCC-based password policy is enabled for a user.
Note: This issue affected Framework Agents only.
Resolution: This is no longer an issue.
Problem: Authentication fails when users are redirected to the cookie provider.
Note: This issue affected Domino agents only.
Resolution: This is no longer an issue.
Problem: When using DynamicRetries.fcc, the Web agent does not properly display password policy templates.
Note: This issue affected Framework Agents only.
Resolution: This is no longer an issue.
Problem: The @SAVE and @SMSAVE .fcc directives in the login.fcc do not create cookies with the cookie domain properly set.
Note: This issue affected Framework Agents only.
Resolution: This is no longer an issue.
Problem: Web Agent fails to process StepUp CertOrForm correctly.
Note: This issue affected Framework Agents only.
Resolution: This is no longer an issue
Problem: For a legacy binary (which does not have PT_GNU_STACK program header and assumes READ implies EXEC behaviour), the kernel is mapping the data segment as not executable. Because of this issue, Java does not run on a processor which supports 'execute disable' feature
Resolution: The 2.6 kernels have solved this issue by using READ_IMPLIES_EXEC.
Problem: SunOne 6.1 SP4 fails to start with Web Agent 6 QMR 4 CR006 312 build on the AIX 5.3 platform.
Note: This issue affected SunOne agents on AIX 5.3 only.
Resolution: This is no longer an issue.
Problem: While performing console mode installation on UNIX, if the user chooses "Abort the UPGRADE", the installation continues rather than aborting.
Note: This issue affected all UNIX systems including ZLinux.
Resolution: This is no longer an issue.
Problem: Logon_User failed for a specified user on an IIS 6.0 Framework Web Agent.
Note: This issue affected IIS 6.0 Web Agents only.
Resolution: This is no longer an issue.
Problem: The SMDOMINODATA cookie was not set securely when UseSecureCookies was set to "YES".
Note: This issue affected Domino Web Agents only.
Resolution: This is no longer an issue.
Problem: When a resource is protected by Domino Webserver is accessed, the server rechallenges for user credencials even after providing valid user credentials whereas the requested resource should be displayed.
Note: This issue affected Domino Web Agents only.
Resolution: This is no longer an issue.
Problem: The expiry time for SMIDENTITY cookie created shows the wrong value. The expiration time sets to 39 years.
Note: This issue affected Framework and re-architected SunOne Agents only
Resolution: The Max-Age time for the SMIDENTITY, SMSAVE, SMDATA cookies is now explicitly set to 2 years.
Problem: Popsession.fcc does not pop the session when it is accessed directly from URL.
Note: This issue affected Framework Agents only.
Resolution: This is no longer an issue.
Problem: IIS 6.0 Web Agents are stripping the first "?" from the URI on 'IsProtected' call by .FCC or .NTC.
Note: This issue affected Framework Agents only.
Resolution: This is no longer an issue.
Problem: On accessing any protected resource with form-based authentication scheme using Domino Web Server, the user is not challenged.
Note: This issue affected Domino Web Agents on all platforms.
Resolution: An enhancement has been made so that the Domino Web Agent will return kFilterNotHandled for unprotected resources (a return code which indicates to Domino that the filter did not handle the authentication and Domino should attempt its own authentication.
Problem: The Web Agent is deleting the SMSESSION cookie when a non-protected resource is accessed once the Session Idle Timeout has been exceeded.
Note: This issue affected IIS 5.0, Domino, Apache 1.3, and IPlanet Web Agents.
Resolution: This is no longer an issue.
Problem: Web Agents are leaking memory when redirecting to the cookie provider.
Note: This issue affected Framework Agents only.
Resolution: This is no longer an issue.
Problem: Changes made to Web Agent configuration objects in the Policy Server do not occur.
Note: This issue affected Framework Agents only.
Resolution: This is no longer an issue. Dynamic Web Agent configuration now works properly in all circumstances.
Problem: If the InstallAnywhere program encounters an insufficient disk space warning when you try to install a Web Agent on a UNIX or Windows platform, the InstallAnywhere proceeds with the installation instead of exiting.
Resolution: To resolve this issue, make sure the installer has enough room to extract the installation files. Customers running InstallAnywhere installers may export IATEMPDIR=/my/spacious/filesystem to avoid temp space issues. In other words, create an environment variable named IATEMPDIR and set the value to a folder/directory that has plenty of space into which the installer can extract files.
Note: This issue affects Web Agents installed on UNIX or Windows.
Problem: When accessing resource protected with any X.590-based Authentication Schemes on Domino 6.5.3/SuSe8 Linux, the Domino Server Crashes and
generates an NSD.
Resolution: To resolve this issue, set the following environment variable before starting the Domino Web Server:
export LD_PRELOAD=/usr/lib/libstdc++-libc6.2-2.so.3
Problem: Oracle HTTP 10.1.3.0.0 (Apache 2.x) on AIX 5.3 - WebServer fails to stop using opmnctl stopall when configured with the Web Agent.
Resolution: To run the Web Agent successfully on Oracle HTTP Server, set LIBPATH and PATH variables to <webagent bin folder> in the apachectl script. When the PATH environment variable is set to the WebAgent path in the apachectl file, then the server fails to stop with opmnctl. This issue is due to an issue with Oracle HTTP Server. On setting PATH to <webagent bin folder> and the path of the cat utility (for example, /usr/bin), Oracle HTTP Server stops properly.
Note: This issue is only specific to the AIX platform. On other platforms, PATH is passed properly.
Problem: Oracle 10.1.3.0.0 (Apache 2.x) on AIX 5.3 - On accessing the protected resource with client Cert-based SSL authentication schemes, the Cannot Find Server error is displayed on Cancelling the Cert challenge. The behavior is the same irrespective of the Cert-based SSL authentication scheme used to protect the resource.
Resolution: This issue can be resolved by modifying a setting in ssl.conf. The default entry in ssl.conf file is as follows:
SetEnvIf User-Agent "MSIE"\
Changing this entry to the following resolves the problem:
SetEnvIf User-Agent ".*MSIE.*"\
Note: This issue is only specific to the AIX platform. On other platforms, by default, the correct entry appears.
Problem: Red Hat Apache 2.0.52 installed on Linux 4.0 fails to load the agent module libmod_sm20.so when 6.x QMR5 Web Agent is configured with the server, and the environment variables are set.
Resolution: This is an issue with the SELinux policy settings. These settings need to be disabled for the HTTPD deamon process as follows:
Prior to Sun ONE/Sun Java System v6.0, all configuration information went into a single obj.conf file. For Sun ONE/Sun Java System v6.0, the mechanism to configure virtual servers changed. You can configure one or more new classes, and virtual classes in the instance.
By default, a new server instance has one virtual server class, named default class, whose configuration file is obj.conf.
Each additional class in the instance has an administrator-assigned name. The process of creating a new class and a virtual server within the class in the instance creates an associated configuration file, named <newclass>.obj.conf, by default. Normally, <newclass> is the name of the virtual server class, but you can configure the server to use a different name. The mappings between the configuration files and virtual server classes is done in the server.xml file.
Running the Web Agent configuration script, nete-wa-config, updates the obj.conf file; however, the AuthTrans, NameTrans, and PathCheck directives, and Service lines, are not written into <newclass>.obj.conf files. Therefore, you must update a <newclass>.obj.conf file manually, by copying the AuthTrans, NameTrans, and PathCheck directives, and Service lines, from obj.conf to the top section of <newclass>.obj.conf.
Note: To find these lines easily, you can run a "diff" program on the obj.conf and newclass.obj.conf files after running the Agent configuration script.
An internationalized product is an English product that runs correctly on local language versions of the required operating system and required third-party products, and supports local language data for input and output. Internationalized products also support the ability to specify local language conventions for date, time, currency and number formats.
A translated product (sometimes referred to as a localized product) is an internationalized product that includes local language support for the product's user interface, online help and other documentation, as well as local language default settings for date, time, currency, and number formats.
In addition to the English release of this product, CA eTrust SiteMinder supports only those languages listed in the following table.
| Language | Internationalized | Translated |
|---|---|---|
| Brazilian-Portuguese | Yes | No |
| Chinese (Simplified) | Yes | No |
| Chinese (Traditional) | Yes | No |
| Czech | Yes | No |
| Danish | Yes | No |
| Dutch | Yes | No |
| Finnish | Yes | No |
| French | Yes | No |
| German | Yes | No |
| Greek | Yes | No |
| Hungarian | Yes | No |
| Italian | Yes | No |
| Japanese | Yes | No |
| Korean | Yes | No |
| Norwegian | Yes | No |
| Polish | Yes | No |
| Russian | Yes | No |
| Spanish | Yes | No |
| Swedish | Yes | No |
| Turkish | Yes | No |
Note: If you run the product in a language environment not listed in the table, you may experience problems.
The file names for the SiteMinder 6.0 SP 5/6.x QMR 5 guides are as follows:
| Guide Name | File Name |
|---|---|
| SiteMinder Release Summary | siteminder_release_enu.pdf |
| Developer's Reference for Java | siteminder_java_dev_enu.zip |
| Developer's Guide for Java | siteminder_java_dev_enu.pdf |
| Developer's Guide for C | siteminder_c_dev_enu.pdf |
| Federation Security Services Guide | siteminder_fs_config_enu.pdf |
| Policy Server Installation Guide | siteminder_ps_install_enu.pdf |
| Policy Design Guide | siteminder_ps_config_enu.pdf |
| Policy Server Management | siteminder_ps_sysmgmt_enu.pdf |
| Policy Server Readme | readme-policy-server.html |
| Policy Server, Web Agent Option Pack Readme | readme-option-packs.html |
| Scripting Guide for Perl | siteminder_perl_scripting_enu.pdf |
| SDK Overview | siteminder_sdk_overview_enu.pdf |
| SDK Readme | readme-sdk.html |
| SAML Affiliate Agent Guide | siteminder_saa_config_enu.pdf |
| SAML Affiliate Agent Readme | readme-saml-affiliate-agent.html |
| SiteMinder Upgrade Guide | siteminder_upgrade_enu.pdf |
| SiteMinder Integrated Documents | siteminder_integdocs_ref.enu.zip |
| Tier II Directory Configuration Guide | siteminder_dir_config_enu.pdf |
| Web Agent Guide | siteminder_wa_config_enu.pdf |
| Web Agent Installation Guide | siteminder_wa_install_enu.pdf |
| Web Agent Readme | readme-web-agent.html |
To view PDF files, you must download and install the Adobe Reader from the Adobe website if it is not already installed on your computer.
Updated guides will be available at the CA Technical Support site.
For online technical assistance and a complete list of locations, primary service hours, and telephone numbers, contact Technical Support at http://ca.com/support.