IIS 403 error after session Timeout


This topic has 7 replies, 4 voices, and was last updated 6 years, 3 months ago by Daniel Redfern.

  • #11331
     tubezleb
    Participant

    Hello All,

    I work with OpenAM 13 to protect a website on IIS.

    Everything works fine, except that when the session times out and I try to access the protected URL, I get a 403 forbidden access.

    If I close the browser and go to the protected URL, everything is working fine again.

    Do you have any idea about this issue? It looks like the session timed out but the iplanetcookie is still here, in an invalid state.

    After destroying this cookie I’m redirected to the OpenAM login page.

    Thanks !

    #11334
     Scott Heger
    Participant

    Are you using a policy agent?

    #11344
     tubezleb
    Participant

    Hello Scott,

    What do you mean by Policy agent?

    I created a policy (Policy Sets) to protect the resource URL from the OpenAM console. Are you referring to that?

    #11366
     Peter Major
    Moderator

    Well what exactly is protecting your IIS site?
    Sounds like you are using a Web Policy Agent for IIS.

    #11475
     tubezleb
    Participant

    Hello,

    In fact, I followed the documentation Getting Started With OpenAM to protect my application, but instead of using an Apache Agent I use an IIS Agent.

    Is it not the correct way to do it with IIS?

    #11477
     tubezleb
    Participant

    And yes, to answer your question, I use a Web Policy Agent for IIS (Version 4).

    #11518
     tubezleb
    Participant

    And I see this log in the agent debug log:

    ERROR [11304:5008] validate_policy(): remote session/policy call to validate ‘https://domain.qc.ca:443/aide’ failed (max 3 retries exhausted)

    And this in the agent audit logs:

    When I connect to the protected url:
    AUDIT [4988:5008] user username (x.x.x.x) was allowed access to https://domain.qc.ca:443/aide

    5 minutes later (IDLE timeout is set to 5 minutes)

    AUDIT [4988:5008] user (empty) (x.x.x.x) was denied access to https://domain.qc.ca:443/aide

    • This reply was modified 6 years, 3 months ago by tubezleb.
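
The following Python is an added example, not part of the thread or of ForgeRock's tooling: it parses agent audit lines of the shape quoted in the post above and separates denials with an empty user that follow an allow for the same client and URL from other denials. The function name, the labels and the sample lines are assumptions of this example.

```python
import re

# Line shape copied from the two AUDIT entries quoted in the post above.
AUDIT_RE = re.compile(
    r"AUDIT \[\d+:\d+\] user (?P<user>.*?) \((?P<ip>[^)]+)\) "
    r"was (?P<verdict>allowed|denied) access to (?P<url>\S+)"
)

def triage_denials(lines):
    """Return (ip, url, label, user) for every denied request.

    Labels are this example's own reading of the log, not agent terminology:
      identity-lost  - denied with an empty user after the same client was
                       allowed on the same URL (the pattern in the thread)
      no-identity    - denied with an empty user, no earlier allow seen
      named-user     - denied while the agent still reported a user name
    """
    last_allowed = {}   # (ip, url) -> user name from the latest allow
    findings = []
    for line in lines:
        m = AUDIT_RE.search(line)
        if m is None:
            continue    # debug/ERROR lines and anything else are skipped
        key = (m["ip"], m["url"])
        user = m["user"].strip()
        if m["verdict"] == "allowed":
            last_allowed[key] = user
        elif user in ("", "(empty)"):
            prev = last_allowed.get(key)
            label = "identity-lost" if prev else "no-identity"
            findings.append((m["ip"], m["url"], label, prev))
        else:
            findings.append((m["ip"], m["url"], "named-user", user))
    return findings

# Constructed sample input (documentation IPs and example.com URLs).
SAMPLE = [
    "AUDIT [4988:5008] user alice (192.0.2.10) was allowed access to https://app.example.com:443/aide",
    "ERROR [11304:5008] validate_policy(): remote session/policy call failed",
    "AUDIT [4988:5008] user (empty) (192.0.2.10) was denied access to https://app.example.com:443/aide",
    "AUDIT [4988:5008] user (empty) (192.0.2.44) was denied access to https://app.example.com:443/aide",
    "AUDIT [4988:5008] user bob (192.0.2.77) was denied access to https://app.example.com:443/admin",
]

if __name__ == "__main__":
    for finding in triage_denials(SAMPLE):
        print(finding)
```
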
    #11530
     Daniel Redfern
    Participant

    Hi Tubezleb,

    Do you have the Idle Session Timeout Page URL configured? Go to the realm -> select your agent -> advanced — Microsoft IIS sector.

    The ‘access denied’ could be misleading, as the request is probably being dropped rather than explicitly denied.

    It’s hard to tell ‘why’ this is occurring, though. Would it be possible to increase the logging and provide the full stack trace of the error? Within the agent property file, I believe there’s a value called ‘com.iplanet.services.debug.level’. Set it to info.

    Regards,
    Daniel
