IIS 403 error after session Timeout


This topic has 7 replies, 4 voices, and was last updated 6 years, 3 months ago by Daniel Redfern.


    Hello All,

    I work with OpenAM 13 to protect a website on IIS.

    Everything works fine, except that when the session times out and I try to access the protected URL, I get a 403 Forbidden.

    If I close the browser and go to the protected URL, everything is working fine again.

    Do you have any idea about this issue? It looks like the session timed out but the iplanetcookie is still here, in an invalid state.

    After destroying this cookie I’m redirected to the OpenAM login page.

    Thanks !

     Scott Heger

    Are you using a policy agent?


    Hello Scott,

    What do you mean by Policy agent?

    I created a policy (Policy Sets) to protect the resource URL from the OpenAM console. Are you referring to that?

     Peter Major

    Well what exactly is protecting your IIS site?
    Sounds like you are using a Web Policy Agent for IIS.



    In fact I followed the documentation Getting Started With OpenAM to protect my application, but instead of using an Apache Agent I use an IIS Agent.

    It’s not the correct way to do it with IIS?


    And yes, to answer your question, I use a Web Policy Agent for IIS (Version 4)


    And I see this log on the agent debug log:

    ERROR [11304:5008] validate_policy(): remote session/policy call to validate ‘https://domain.qc.ca:443/aide’ failed (max 3 retries exhausted)

    And that on the agent audit logs:

    When I connect to the protected url:
    AUDIT [4988:5008] user username (x.x.x.x) was allowed access to https://domain.qc.ca:443/aide

    5 minutes later (IDLE timeout is set to 5 minutes)

    AUDIT [4988:5008] user (empty) (x.x.x.x) was denied access to https://domain.qc.ca:443/aide

    • This reply was modified 6 years, 3 months ago by tubezleb.
     Daniel Redfern

    Hi Tubezleb,

    Do you have the Idle Session Timeout Page URL configured? Go to the realm –> select your agent –> advanced — Microsoft IIS sector

    The ‘access denied’ could be misleading, as the request is probably being dropped rather than explicitly denied.

    It’s hard to tell ‘why’ this is occurring, though. Would it be possible to increase the logging and provide the full stack trace of the error? Within the agent property file, I believe there’s a value called ‘com.iplanet.services.debug.level’. Set it to info.
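
Added example, not part of the original thread and not ForgeRock code: a small Python check that reads agent audit lines in the shape quoted above and separates denials that follow an earlier allowed request from the same client (the expired-session pattern described here) from ordinary policy denials. The sample log, the addresses in it and the use of the client IP as correlation key are assumptions made for illustration.

```python
import re
from collections import namedtuple

# Constructed sample in the shape of the audit lines quoted in the thread
# (user names, IP addresses and host are placeholders).
SAMPLE_AUDIT_LOG = """\
AUDIT [4988:5008] user username (192.0.2.10) was allowed access to https://domain.example:443/aide
AUDIT [4988:5008] user username (192.0.2.10) was allowed access to https://domain.example:443/aide/page
AUDIT [4988:5008] user (empty) (192.0.2.10) was denied access to https://domain.example:443/aide
AUDIT [4988:5008] user (empty) (192.0.2.44) was denied access to https://domain.example:443/aide
AUDIT [4988:5008] user other (192.0.2.50) was denied access to https://domain.example:443/admin
"""

# search() is used below so a timestamp prefix in front of "AUDIT" is tolerated.
AUDIT_RE = re.compile(
    r"AUDIT \[\d+:\d+\] user (?P<user>.+?) "
    r"\((?P<ip>[^()\s]+)\) was (?P<verdict>allowed|denied) access to (?P<url>\S+)"
)

Finding = namedtuple("Finding", "ip url last_user")


def find_stale_session_denials(log_text):
    """Return denials with an empty user that follow an allowed request
    from the same client IP, i.e. a session that existed and then lapsed."""
    last_user_by_ip = {}  # assumption: one user per client IP (no shared NAT)
    findings = []
    for line in log_text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        ip, user = m.group("ip"), m.group("user")
        if m.group("verdict") == "allowed":
            last_user_by_ip[ip] = user
        elif user == "(empty)" and ip in last_user_by_ip:
            # The agent no longer resolves a user for a client it served before.
            findings.append(Finding(ip, m.group("url"), last_user_by_ip.pop(ip)))
        # Denials with a named user, or with no earlier allow, are left alone:
        # those are policy decisions or anonymous requests, not lapsed sessions.
    return findings


if __name__ == "__main__":
    for f in find_stale_session_denials(SAMPLE_AUDIT_LOG):
        print(f"{f.ip}: denied on {f.url} after session of '{f.last_user}' lapsed")
```
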

