Niclas Christian Chur1709153140 Posted October 18, 2015 Posted October 18, 2015 Trying to do Form based SSO towards a Web app that is running form based authentication. I am having a LB vServer that does SSL offload of the web server (Port 80 to backend and SSL frontend on NS) accessed via a Content Switch. I have AAA vServer in Form based mode, that is attached to the LB vServer together with the traffic policy. When logging in to the AAA login page, i am being presented with the form based auth and not SSOed to the site. running "nsconmsg -g sso_ -d current" shows: svpn_tot_sso_cache_miss svpn_tot_sso_formextraction_failed svpn_tot_sso_form_fields_notfound The Ns.log shows: SSLVPN Message 3801 0 : "FORMSSO: Could not find form in the response buffer of size 10 " What I don´t understand why the ns.log states the above buffer size of 10 - because the response buffer size in the Form SSO Profile are set to 14202. I have done Wireshark traces, fiddler traces etc. to find the correct Action URL and other fields required. Finding the form fields was a bit tricky, as the form data was hidden. After decoding this, i think i found the correct fields for the form sso profile. Any ideas? Running NS 11.0 build 63.16nc
Andrzej Starmach1709152599 Posted October 28, 2015 Posted October 28, 2015 Niclas- that backend logon page,does it contain standard <form action=....> tag ? Or form post (login credentials) is an AJAX post to server?
Niclas Christian Chur1709153140 Posted October 28, 2015 Author Posted October 28, 2015 Hi Andrzej, I can see it contains a <form method="post"> Br.
Andrzej Starmach1709152599 Posted October 29, 2015 Posted October 29, 2015 Niclas - regarding : "FORMSSO: Could not find form in the response buffer of size 10 " I suspect the trafficPolicy expression configured might be 'too general' and NS is trying to parse other responses from backend which are matching your policy expression - and which do not necessary carry the login form.
Niclas Christian Chur1709153140 Posted October 30, 2015 Author Posted October 30, 2015 So how to proceed in order to accomplish form based sso? :) After making the action url more specfific in the form based sso profile, i see the following: In ns.log: 0 : "FORMSSO: Username 0x0 and/or Password 0x0 not found after matching url" Oct 30 07:36:26 <local0.warn> 127.0.0.2 10/30/2015:06:36:26 GMT ns 0-PPE-0 : default SSLVPN Message 49224 0 : "FORMSSO: Could not find form in the response buffer of size 14202 " In nsconmsg: Index rtime totalcount-val delta rate/sec symbol-name&device-no 0 14005 8832 1 0 svpn_tot_sso_cache_miss 1 0 8815 2 0 svpn_tot_sso_no_triggers 2 0 2 1 0 svpn_tot_sso_formextraction_failed 3 0 2 1 0 svpn_tot_sso_form_fields_notfound For me it here looks like the user name and password field cant be fetched from the form sso profile, as the values might be incorrect, but how could I troubleshoot this further? The user name and password field I extracted from the ViewState encoded string in the form when browsing to the web site in developer mode.These fields are part of the AspNetHidden ViewState in the form post.
Niclas Christian Chur1709153140 Posted October 31, 2015 Author Posted October 31, 2015 Now I only get this: FORMSSO: Could not find form in the response buffer of size 5395 " Trying to find the correct response size / content-lengt of the form data, but no luck so far..... Looking in the Wireshark traces, Web debugger etc. no matter what I change the response size till the above error appears in the ns.log. and sso form extraction failed in the nsconmsg log. And my traffic policy are getting hit. :huh:
Siva Mulpuru1709156805 Posted March 28, 2019 Posted March 28, 2019 Hi, I understand this post is old, I ran into the same issue. fortunately, I was able to get it working. The WebApp I worked on is using heavy JS with AJAX calls. the Dynamic Extraction of the Netscaler form SSO profile was unable to grab discover all the form fields, hence failed the POST submission. I looked closely to the form fields that were submitted in chrome developer view and mimicked the POST with Extraction set to static and added the form fields that contained values under "Name Value Pair" and was successful. I think this is a better way of doing the SSO as it saves some cycles on Netsclaer to discover the form fields and has no dependency on response size value any more :) the screenshot below has response size set to 15, can be anything. Chrome developer view POST. my WebApp only cared about the highlighted static field which was submitted as Name Value Pair in the Form SSO profile. Note: This might not work in all cases eg: when form fields contain dynamic values. Happy profiling...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.