Troubleshooting SiteMinder on Windows 2008 and IIS 7

In IIS 4 and 5, the webagent was an ISAPI filter that sat at the root level of the entire IIS server, and you weren’t supposed to move / manipulate it in any way. This meant the webagent poked its nose into requests to all of your virtual web sites. If you wanted distinct protection on some of your virtual sites, better learn how to use the “AgentName” setting.

Then came IIS 6, where the webagent not only runs as an ISAPI filter, but also runs as a wildcard application map. The ISAPI filter sits at the “Sites” root level of the entire server, but the wildcard application map sits on the individual websites. By default, the wildcard application map is only placed in the default web site, so the webagent only gets involved in requests to the default web site. This means that if you have multiple virtual sites, and you want the webagent to interact on more than just the default web site, you just have to create the wildcard application map on the other virtual sites.

Now, there’s IIS 7, and the webagent is implemented in a similar manner, but the IIS 7 prerequisites and the new IIS 7 console have changed things enough that even the most savvy IIS 6 webagent expert can find it challenging to install, configure, and troubleshoot the IIS 7 webagent.

IIS roles necessary for webagent operation

First, when you install IIS 7 onto your Windows 2008 machine, there are a few options that are required.

You must have:

  • ASP.NET
  • CGI
  • ISAPI Extensions
  • ISAPI Filters

If you do not, the webagent Configuration Wizard will throw an error message.

Default webagent configuration

When you run the webagent configuration wizard and select to configure the agent into your IIS 7 server, the wizard does the following 3 things (all under Default Web Site):

  • Puts webagent filter under ISAPI filters. Executable points to: <agent install location>\webagent\bin\ISAPI6WebAgent.dll. If you click “View Ordered List”, the webagent should be listed first.

  • Creates a Wildcard Script Map under Handler Mappings. Executable points to: <agent install location>\webagent\bin\ISAPI6WebAgent.dll

  • Creates a virtual directory named siteminderagent

Troubleshooting

1) I have enablewebagent=YES, but my webagent still isn’t starting.

Under the default website, check for the presence of the webagent filter under ISAPI filters and the webagent Wildcard Script Map under Handler Mappings. If they are both there, then the agent should start. Remember that the website (and the webagent) may not start until someone accesses it via browser. Also remember that the best way to make sure the agent is running is to look for a process called LLAWP in Task Manager. Don’t rely on the lack of agent log creation as a method of determining that the agent is not running.

2) I want the webagent to interact on more virtual sites, not just my default web site.

The webagent configuration wizard will not do this for you. You must do it manually in the IIS console. Under the other site(s) that you want to use the agent on, go into ISAPI Filters, right click in the open space, and select Add. Name it “SiteMinder Agent” and the Executable points to webagent\bin\ISAPI6WebAgent.dll. Then go into Handler Mappings, right click in the open space, and select “Add Wildcard Script Map”. Name it “handler-wa” and the Executable points to: webagent\bin\ISAPI6WebAgent.dll. Restart IIS. If you intend to use this agent to serve up any authentication schemes, or password services forms, you will also need to create the siteminderagent virtual directory.

3) The Default Web Site has been removed, so I cannot use the Agent Config Wizard, how can I manually integrate the webagent into IIS?

Follow the same steps in #2 above to configure the agent into whatever virtual site(s) necessary.
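
The checks from items 1 to 3, as an added PowerShell example that is not part of the original post: for each site it reports whether the effective configuration contains the agent's ISAPI filter, the wildcard script map and the siteminderagent virtual directory, then looks for the LLAWP process. It assumes the WebAdministration module is installed and an elevated session; Test-WebAgentSite and the variable names are hypothetical.

```powershell
# Added example, not from the original post. Function and variable names are hypothetical.
# Assumes the WebAdministration module is installed and the session is elevated.
Import-Module WebAdministration

$AgentDll = 'ISAPI6WebAgent.dll'   # DLL name as given in the article

function Test-WebAgentSite {
    param([Parameter(Mandatory = $true)][string]$SiteName)

    $psPath = "IIS:\Sites\$SiteName"

    # Effective ISAPI filter list for the site (includes entries inherited from server level).
    $filter = Get-WebConfiguration -PSPath $psPath -Filter 'system.webServer/isapiFilters/filter' |
        Where-Object { $_.path -like "*$AgentDll*" }

    # A wildcard script map is a handler with path '*' whose scriptProcessor is the agent DLL.
    $handler = Get-WebConfiguration -PSPath $psPath -Filter 'system.webServer/handlers/add' |
        Where-Object { $_.path -eq '*' -and $_.scriptProcessor -like "*$AgentDll*" }

    # Only needed when the site serves authentication scheme or password services forms.
    $vdir = Get-WebVirtualDirectory -Site $SiteName -Name 'siteminderagent'

    New-Object PSObject -Property @{
        Site                = $SiteName
        IsapiFilter         = [bool]$filter
        WildcardScriptMap   = [bool]$handler
        SiteminderagentVDir = [bool]$vdir
    }
}

# Report every site, then check for the agent process the article says to look for.
Get-Website | ForEach-Object { Test-WebAgentSite -SiteName $_.Name } |
    Format-Table Site, IsapiFilter, WildcardScriptMap, SiteminderagentVDir -AutoSize

$llawp = Get-Process -Name 'LLAWP' -ErrorAction SilentlyContinue
if ($llawp) {
    "LLAWP is running (PID $(($llawp | ForEach-Object { $_.Id }) -join ', '))"
} else {
    'LLAWP is not running; request a page on the site, then check again.'
}
```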

4) The agent is starting, but I am not getting a webagent log.

Check permissions. The webagent installation guide explains that you need to give “Network Service” write permissions to whatever folder you want to write logs to. However, not all application pools run as Network Service. To verify who your application pool is running as, first, click on the virtual website where you are trying to run the webagent. Then, in the right pane, click on “Basic settings”. Check what the Application Pool is set to. Now click on “Application pools” in the left pane, select the application pool that this web site is using, then click “Advanced settings” in the right pane. Check what Identity is set to. This is the account that needs write permissions to the folder where the logs will be written. After that, if you are still not getting a log, check your Agent Configuration Object. Verify that you have set LogFile=YES and LogFileName=webagent.log. Still no log? Check the WebAgentTrace.conf file in the webagent\config directory. At the bottom of this file, it should look like this:

# For Apache 2.0, Apache 2.2, IIS 6.0 and SunOne Web Agents

components: AgentFramework, HTTPAgent

data: Date, Time, Pid, Tid, TransactionID, Function, Message

# For all other web agents

#components: WebAgent

#data: Date, Time, Pid, Tid, TransactionID, Function, Message
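
The permission check from item 4, as an added PowerShell example that is not part of the original post: it resolves a site's application pool, maps the pool's Identity setting to a Windows account, and reports whether that account has an Allow entry with write rights on the log folder. It assumes the WebAdministration module is installed and an elevated session; Get-AgentLogAccess, the site name and the log path in the comments are hypothetical placeholders.

```powershell
# Added example, not from the original post. Function name and sample arguments are hypothetical.
# Assumes the WebAdministration module is installed and the session is elevated.
Import-Module WebAdministration

function Get-AgentLogAccess {
    param(
        [Parameter(Mandatory = $true)][string]$SiteName,
        [Parameter(Mandatory = $true)][string]$LogDir
    )

    # Site -> application pool -> process identity (the "Identity" row in Advanced Settings).
    $pool = (Get-Item "IIS:\Sites\$SiteName").applicationPool
    $pm   = Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel

    $account = switch ("$($pm.identityType)") {
        'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
        'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
        'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
        'ApplicationPoolIdentity' { "IIS APPPOOL\$pool" }
        'SpecificUser'            { $pm.userName }
    }

    # Look for an Allow ACE naming that account with write rights (Write, Modify, FullControl).
    # Only ACEs that name the account directly are checked; access through a group is not
    # evaluated, and a SpecificUser name must match the DOMAIN\user form stored in the ACL.
    $write = [int][System.Security.AccessControl.FileSystemRights]::Write
    $aces = @((Get-Acl -Path $LogDir).Access | Where-Object {
        $_.IdentityReference.Value -eq $account -and
        "$($_.AccessControlType)" -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $write) -eq $write
    })

    New-Object PSObject -Property @{
        Site = $SiteName; AppPool = $pool; Account = $account
        LogDir = $LogDir; CanWrite = ($aces.Count -gt 0)
    }
}

# Sample call with placeholder values; substitute your own site and log folder.
# Get-AgentLogAccess -SiteName 'Default Web Site' -LogDir 'D:\logs\webagent'
# If CanWrite is False, grant Modify to the reported account only, for example:
# icacls 'D:\logs\webagent' /grant 'NT AUTHORITY\NETWORK SERVICE:(OI)(CI)M'
```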

14 thoughts on “Troubleshooting SiteMinder on Windows 2008 and IIS 7”

  1. Thanks, I’ve been circling the drain with CA support on this… no documentation and little knowledge on both our parts as I usually deal with apache and SunOne. These instructions work like a charm!

  2. Hi,

    I have configured Siteminder with IIS 7.0 but for some reason I am getting “HTTP Error 500.0 – Internal Server Error

    The page cannot be displayed because an internal server error has occurred.”. The detail error information list below parameters:

    Module IsapiModule

    Notification ExecuteRequestHandler

    Handler handler-wa

    Error Code 0x80004005

    Can you please help me …

    Thanks

    RK

  3. By far the most concise and up to date information I found on this topic. Sure glad that I navigated to your page by accident. I’ll be subscribing to your feed so that I can get the latest updates. Appreciate all the information here

  4. Hi Todd,

    We recently released CA SiteMinder Agent for IIS r12.0 SP3 which supports a range of IIS 7x features including the integrated pipeline, enable 32-bit applications, application request routing, and a new inline credentials feature. We also detect and offer to configure ourselves on available IIS sites and we no longer require the CGI role to be enabled.

    Please take a look at a 5 minute overview of the new agent on http://www.youtube.com/watch?v=dX-fd-MA8Tc or by searching YouTube for “siteminder iis”. This new agent is available at no charge to SiteMinder customers on maintenance.

    Regards,
    Jim Thorstad
    Principal Product Manager, CA SiteMinder

  5. Hi,
    I am trying to install and configure Webagent 6QMR6 CR6 64Bit on Windows 2008 64Bit IIS 7.5. Followed all steps as per documentation.

    I am Getting the error

    HTTP Error 401.2 – Unauthorized
    You are not authorized to view this page due to invalid authentication headers. Detailed Error Information
    Module IIS Web Core
    Notification AuthenticateRequest
    Handler handler-wa
    Error Code 0x80070005
    Requested URL:80/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-8920b193-ea94-4f70-a96b-5c7b8b0432e6&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-UjEDcBwnEzkIbANqGeB0KnqSu8J9AyEs%2b997OQRdmYcLMHw9YQeAjaEfoVY%2f0%2bJk&TARGET=-SM-http%3a%2f%2fhgh1aptestw01%2fsmtest%2fsmtest%2etxt
    Physical Path C:\Program Files\netegrity\webagent\samples\forms\login.fcc
    Logon Method Not yet determined
    Logon User Not yet determined

    at this moment the page is simple text file.

    Thank you,

  6. Hi,
    We are currently looking at a situation where the SiteMinder ISAPI filter (ISAPI6WebAgent) seems to be modifying content of the ASP.Net viewstate when we are sending form data with EncType set to multipart/form.
    Any thoughts on why this might be happening and how we can get more help on the issue?

  7. I am trying to install r12sp3cr0005 webagent on iis7 32 bit on windows 2008 operating system , but am getting the error as
    unable to create new file c://windows/system32/inetsrv/config/application.config,
    can anyone please help with this issue

  8. Using Siteminder 12.5, we needed to escape the directory separator for the LogFileName entry:

    C:\\Program Files\\CA\\webagent\\win64\\log\\agent.log

    We believe this is a bug.

    • I haven’t seen that behavior. All my installs use single slashes for the agent log paths. Are you using a localized OS? You may want to open a case with CA if you’re thinking it’s a bug.

  9. Thank you for this post. However, my issue is not listed. Once I have done all that you advised, all requests to root resources like “/TestForm.aspx” are protected properly, I see redirection to SSO login and SM headers are injected when it comes to the server.
    My asp.net app uses handler routing. I.e. request for /app/user is routed to /appuser.ashx. All requests to such resources return 404.
    Appreciate any help.
