Policy agent 2.2 amfilter local authentication with session binding failed

Similar Messages

• Merging local records with device records failed

  Hi,
  I have a macbook with OS X 10.4.11 (Intel procesor)  I did install the latest Pockect mac for blackberry version (the current one in the Blackberry's page), i use to use the old one, since I did the updated I can't get that both, device and Mac SYNC any item, no contacts, no calendar... 
  The message I got last time was: 
  06:06:57:140 merging local records with device records failed. 
  Could some one with me a light on this bug?
  Thanks 

  Hi rguardia,
  Can you try synching one PIM database at a time, e.g. just Contacts by itself, so we can determine which database is experiencing the problem?  The error you are receiving is likely being caused by one specific database.
  Once you have identified the database that is causing problems, can you perform the steps listed below:
  1 - Run Data Purge on the affected database.  Data purge can be found in the following location: 
  Mac HD/users/<Home User>/Library/Application Support/PocketMacSyncManager/Additional Tools. 
  ***Please note this utility will delete all information stored in the selected database on your BlackBerry however once the information has been deleted from your device you can reimport the data to your BlackBerry from the application on your Mac.
  2 - Run Sync Clean, which can be found in the same folder as Data Purge. 
  3 - Disconnect the BB from the Mac, remove the battery from the back of the device, wait 10 seconds then reinsert it
  4 - Reboot the Mac
  5 - Reconnect your BlackBerry to your Mac
  6 - Open PocketMac and select Reset All Devices to First Sync State from the Devices menu
  7 - Configure synchronization settings for the affected PIM database, choosing the option to Overwrite Device.  If the data is successfully transferred to the device, reconfigure PocketMac back to doing a two-way sync.
  If you are still running into the same problem after performing the steps above, try synching one category of the affected database at a time. To do this, click on the tab of the database you are trying to sync, click on Advanced Preferences next to the selected application, and choose the option to sync only selected categories. Try synching with only one category selected at a time, just to see if the issue is related to data within a specific category.
  Let us know how you make out!

• Policy agent error code 21 after authenticating

  Hi,
  I get the following error in my amAgent logs after successfully authenticating to Sun Policy Manager 7.1:
  PolicyEngine: am_policy_evaluate: InternalException in AuthService::submitRequirements() with error message:Error sending client submitted requirements to server. and code:21
  A 500 Internal Server Error page is returned with the message: This server has encountered an internal error which prevents it from fulfilling your request. The most likely cause is a misconfiguration. Please ask the administrator to look for messages in the server's error log.
  The Policy Manager auth access log shows: "Login Success" for the login attempt.
  My configuration:
  Solaris 10
  Apache 2.0.54
  Sun Java System Access Manager Policy Agent 2.2
  Has anyone seen or experienced this error before?
  Thanks
  Edited by: tutro on Aug 7, 2008 7:31 AM

  A control character was being read from the password (even though both the encrypted and unencrypted password did not contain any control characters). A password reset resolved the issue.

• Policy Agent doesn't reset Sun  Access Manager session time idle value

  Hi,
  We have the following setup in our environment:
  - apache web server/web and policy agent 2.2 for apache 2.0.54
  - webmethods portal server (jetty)
  -Sun Access Manager (with Sun Directory Server)
  We use policy agent for authentication purpose only (via Sun Access Manager/LDAP) when the users access the portal. We have custom code that creates session in Sun Access Manager for custom LDAP services. For testing purpose, we configure SAM session to have Max Session Timeout at 120mins and Time Idle at 15mins. I would assume that, after the initial login request, for all subsequent accesses to the portal the policy agent should intercept the request and reset the Time Idle value of SAM session. However, when I monitor time idle value using SAM console, session tab, the time idle value didn't change when the portal user access pages, submit actions, etc. I can see in the debug log of policy agent that requests are being intercepted/processed, but the time idle didn't get reset.
  Does anyone know if this is a bug in configuration or in policy agent itself or am I making the wrong assumption?
  Thanks a lot for the help.

  Thanks for the reply, Shivaram. The issue appears to occur at random time, not accurately at the 3 min interval as you mention. I tested changing this value to 1, theoretically, after one 1 minute of idle time, accessing a link would make the agent reset the time idle value for the user session in SAM, but it didn't even after 3 minutes. This seems to be either a policy agent or system access manager bug.
  We performed a 'vanilla' test using the apache server manual pages (only plain HTML, no POST requests), the pages are protected by the policy agent. At the first login, rwe were prompted to enter credential to be validated by SAM/LDAP, and then a user session is created in SAM session table. We browse around the manual pages, once in a while, certain pages cause the policy agent to reset the time idle. However, revisiting these links after a few minutes doesn't reset the idle value. Caching setting has been disable as well. Could there be or lack of some settings in AMConfig.properties or AMAgent.properties that might have caused this behavior?
  Thanks for all your help,

• Azure AAD Mobile Service Authentication with corporate accounts fails.

  I have been having on-going issue with Authenticating against a Windows Azure mobile service with corporate accounts.
  Here is the complete environment.
  Initially we set up with Office 365 / CRM Online / and Azure for our corporate infrastructure. We have set up single sign on. Everything works well. There is ADFS set up and running to allow us to Authenticate with {username}@{companyDomainName} and everything
  works, including single signon. 
  Along comes Azure Active directory. We have an Automatically created Azure active directory in the corporate azure account. The domain is the default created {accountname}.onmicrosoft.com domain structure. This is set as the Default directory.
  We had a consultant come in, who was organized through Microsoft, to do some work. After everything was set and done we ended up with another active directory created in Azure that is named with the corporate domain name. This second domain has had all of
  the corporate accounts synched to it. 
  I have now created an Azure Mobile Service. The service is a basic service, I haven't updated any of the code yet, except to publish the service. I have followed all of the configuration instructions for setting up the authentication. 
  If configure the Authentication to point at the first active directory, I am able to Authenticate against the service using the credentials for a user that has been created in that domain. The Authentication works correctly, and goes through.
  However if I switch the configuration to use the second Active Directory, the one with the corporate accounts synched to it, the authentication fails. I am able to enter my corporate email address into the web page that is presented. Then the web control
  started to call into the ADFS in order to authenticate the corporate user name and password. At this point the authentication fails with a message about the service not being available.
  The login code is the standard:
  user = await App.MobileService.LoginAsync(MobileServiceAuthenticationProvider.WindowsAzureActiveDirectory);
  The project is a Universal Application as the service needs to be available from both a phone and a desktop. The project was started from the starter project downloaded form the Mobile Service site.
  # Update
  I've just switched the mobile service configuration back to use the AAD with the corporate accounts synchronized. The login through the application fails. However if I log in through IE by browsing to : https://{ServiceName}.azure-mobile.net/login/aad
  The authentication goes through correctly. 

  A few questions on the details:
  What client platform are you using for login. In particular, is this a Windows Store application?
  What do you mean exactly by "authentication fails?" Does an error get thrown, or does the UI just hang?
  Is this being done from a domain-joined machine and/or on a machine connected to a corporate network?
  We have seen an issue where some configurations of ADFS will not play nicely with Windows Store apps since the Web Authentication Broker (WAB) is based on the IE browser, and ADFS will attempt to do SSO in the special IE way instead of presenting a form,
  etc. Unless the WAB is configured to handle this scenario, you will get a non-responsive UI.
  Any details you can provide would be helpful.

• Envorcing authentication with session ejb web service?

  I implemented a web service as a session ejb. Some of the methods exposed by this web service require certain privileges. I modified my ejb-jar.xml file and declaratively specified this by using the <method-permission> element.
  I have a Java client. If I pass credentials (e.g., name, password) into the constructor of the stub for the web service interface, the container properly recognizes this information, authenticates the user and either responds to or rejects the request based on if the user is permitted to call the method.
  I have a non-Java client. If I try to do the same thing, it does not work. Peeking underneath the covers, I've discovered that the credentials are never being used.
  Now I did get something to work. If I manually modify the web.xml for the web-services.war that is generated by servicegen to put a security constraint on the URL for the web service using the <security-constraint> element, when I run the non-Java client again, the credentials are used, properly recognized, etc.
  (1) Does anyone know why the security constraint is necessary for the non-Java client but not the Java client?
  (2) Am I doing something wrong? missing something? Is there a different way to do this?
  (3) Since I implemented the web service as a session EJB but it appears the generated web-services.war content needs to be manually modified, is there a way to generate this security constraint? I've tried various things and cannot seem to do this.
  Thanks for feedback!

  Debu,
  Yes, it successfully deployed.
  Here are the messages from the failed run.
  BUILD SUCCESSFUL
  Total time: 33 seconds
  D:\Oracle_ejb3.0\demo\howtoejb30ws>ant run
  Buildfile: build.xml
  common:
  [echo] BuildName: ejb30ws
  [echo] BuildHome: D:\Oracle_ejb3.0\demo\howtoejb30ws
  [echo] BuildFile: D:\Oracle_ejb3.0\demo\howtoejb30ws\build.xml
  [echo] BuildJVM: 1.5
  oracle-env-check:
  java-env-check:
  init:
  [echo] -----> Initializing project properties
  setup:
  [echo] -----> Creating the required sub-directories
  cli-setup:
  [echo] -----> Setting up the application client module
  [oracle:genProxy] null, WSDLException: faultCode=INVALID_WSDL: The document: http://localhost:8888/ejb
  /ejb30ws?wsdl is not a wsdl file or does not have a root element of "definitions" in the "http://schem
  mlsoap.org/wsdl/" namespace or the "http://www.w3.org/2004/08/wsdl" namespace.
  [oracle:genProxy] WSDLException: faultCode=INVALID_WSDL: The document: http://localhost:8888/ejb30ws/e
  ws?wsdl is not a wsdl file or does not have a root element of "definitions" in the "http://schemas.xml
  .org/wsdl/" namespace or the "http://www.w3.org/2004/08/wsdl" namespace.
  BUILD FAILED
  D:\Oracle_ejb3.0\demo\howtoejb30ws\build.xml:316: oracle.j2ee.ws.common.tools.api.WsdlValidationExcept
  null, WSDLException: faultCode=INVALID_WSDL: The document: http://localhost:8888/ejb30ws/ejb30ws?wsdl
  not a wsdl file or does not have a root element of "definitions" in the "http://schemas.xmlsoap.org/ws
  namespace or the "http://www.w3.org/2004/08/wsdl" namespace.
  Total time: 3 seconds
  D:\Oracle_ejb3.0\demo\howtoejb30ws>

• Disable J2EE Local Auth Task Handler in policy agent 2.2

  Hi,
  Is there a way of disabling the j2ee local authentication handler for a policy agent 2.2 running in filter mode ALL ?
  If not, is there a way to configure local authentication without session-binding? I am specially interested in the agent for WebLogic Server 8.1.
  Thanks,
  Andrei Dumitru

  Hi,
  Is there a way of disabling the j2ee local authentication handler for a policy agent 2.2 running in filter mode ALL ?
  If not, is there a way to configure local authentication without session-binding? I am specially interested in the agent for WebLogic Server 8.1.
  Thanks,
  Andrei Dumitru

• CDSSO, SAML & Policy Agents

  Hi all,
  My client would like to use Policy Agents to provide access control to internal systems. They would also like to use SAML 2.0 to interact with 3rd parties.
  The use case I have in mind is as follows;
  1. User authenticates to a Portal (not secured via Policy Agent)
  2. User accesses protected resource on Portal (Policy Agent intercepts and validates login status)
  3. User clicks a link to access 3rd party site. 3rd party site sends a SAML request back to us. We respond with SAML response. User obtains access to 3rd Party.
  There are a number of issues I see with this Use Case;
  1. The Portal will authenticate the user credentials against Access Manager via a back-end WebService. It will receive an SSOToken. This does not log the user on to the Policy Agent on the site.
  2. The Policy Agent does not have an authenticated session. The SSOToken the portal just obtained cannot be used to authenticate to the Policy Agent. The Policy Agent requires a Liberty Post profile. Is there an alternative to the Liberty profile to automatically obtain a session on the Policy Agent? How can I generate a valid Liberty profile that the Policy Agent will accept?
  3. The incoming SAML request must re-use the identity established when the user authenticated to the portal - I can't challenge the user again for credentials - this must be seamless. I think I need to use the SDK to turn the SSOToken in to a SAML reply. Are there any alternatives?
  Thanks for helping
  Jez

  I don't believe that the agent know anything about SAML.

• JAAS and Policy Agents

  Hello everybody, I'm trying to create a simple JSP that it is protected using the Access Manager Policy Agent. I have configured the URL policy and it is working fine.
  Now in my JSP I want to know what user is logged in but I don't want to use the AM API, instead I want to use the JAAS module. Any ideas on how to do it?
  I thought thar AM will set the session attribute javax.security.auth.subject but I don't think it is doing it.
  I get the Subject object but when calling the getPrincipals, the set is empty.
  Any ideas?
  Thanks a lot.

  Easy way: Configure your agent to set the user ID in HTTP head so you can read it without touching AM API.
  Tough way: Enable form based authentication, install AM J2EE Agent (not web policy agent), you can get user ID with "getPrincipals" or "getRemoteUser" method.
  Keep in mind, Using JAAS module does not mean you can avoid AM API, but do you have other reason to use JAAS? I usually keep myself away from it.

• Policy Agent Install - Tomcat problems

  Hello,
  After trying to install policy agent on many different OS with no success, I had to finally ask here:
  I followed the instructions and did the following on Debian, Fedora, and Win server 2003:
  1.downloaded the policy agent for tomcat
  2.stopped tomcat
  3.decompressed the j2ee agents folder to the root of the system,
  4 run the agentadmin -install
  5. put the agentapp folder in the webapps directory
  6. started tomcat...
  get the same error on three OS about it not finding AMRealm,
  I found someone pointing out that setagentclasspath could fix this,
  but I see all the classpaths there, so I went I start moving some classes to the tomcat/lib dir
  then the AMRealm error went away but many others came in.
  What I'm doing wrong !!

  I'm having the same problem with windows 2003 server Enterprise Edition. (installer complains about web server instance directory, is not 6.0 or 6.1...)
  You said that "Policy Agent 2.1 does *NOT* work with MS Windows 2003 Server Enterprise edition". But does Policy Agent 2.2 work with Windows 2003 Server Enterprise edition?
  Thanks for your help!!!

• WLC 5508 Local Authentication- need guidance

  Hi formers'
  i have the combo of WLC 5508 (ver 7.0) and AP1041n, just want to ask how i can do local authentication.
  The environment don't have ACS, no directory services ( AD or LDAP).
  Requirement:
  say, i have one WLAN name "admin". Where-ever if user want to connect to this SSID, they need to prompt username/password,
  user's entry is store at WLC.
  i create the user at local net user, and map it to appropirate WLAN.
  at the WLAN, i enable local EAP and select the profile that i create.
  PROBLEM STATEMENT:
  The moment i test, it always prompt to input  EAP-TTLS domain\usename. password (token)
  Question
  a. any goes wrong with my setting? how really local authentication work with no ACS and directory services running at the back?
  b. can please post any useful document URL or any supportive info, it will be very helpful
  Thanks
  Noel

  Surendra's document may refer to local authentication with ldap database but you could follow it without doing the LDAP part and the users will be stored in the local net users of the WLC.
  You could also follow the WLC config guide in the "Local eap" chapter.
  The concerning part in your description is that your laptop prompts for EAP-TTLS. That means that you configured your laptop for that method. The WLC is only with peap/eap-fast

• AP1240AG Local authenticator

  Hi, I am facing some problems configuring an AP1240AG as local authenticator with microsoft win200\xp clients. Is it possible to use this that type of authentication also with non-cisco clients? Thanks a lot for ant response.

  I think you need to filter these clients by mac-address.

• Custom Authentication Issue with Policy Agent

  Hi,
  I have a custom authentication module which is hosted on the BEA application server and I am trying to access through the policy agent on apache.
  I have set the following property in AMAgent.properties file
  com.sun.am.policy.am.loginURL= http://host:port/amserver/UI/Login
  So When the user requests a protected resource, the policy agent forwards the user to Identity Server with the module as CustomLoginModule. However, after this, authentication is succeed, user sesion is being created and I get the following error message in the agent log file.
  2004-10-19 16:20:26.908 Error 27620:e1140 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:3
  2004-10-19 16:20:26.908 128 27620:e1140 RemoteLog: User unknown was denied access to http://hostname:port/weblogic/protapp/protected/a.html.
  2004-10-19 16:20:26.908 Error 27620:e1140 LogService: LogService::logMessage() loggedBy SSOTokenID is invalid.
  2004-10-19 16:20:26.909 Error 27620:e1140 all: am_log_vlog() failed with status AM_REMOTE_LOG_FAILURE.
  2004-10-19 16:20:26.909 -1 27620:e1140 PolicyAgent: URL Access Agent: access denied to unknown user
  The necessary policy object is already created in Identity Server. Please send your suggestions to fix this problem.
  Thanks
  Neeraj

  Hi Neeraj,
  I still have not been able to resolve that issue. Let me know If you find a solution for the same.
  Thanks,
  Srinivas

• Authorization issue with J2EE Policy Agent for AS7

  Following the documentaion I have created a simple J2EE application with a servlet and 2 jsp's. The 2 JSP's customer.jsp and admin.jsp are mapped to /customer and /admin. The entire web application is subject to a filter like:
  <filter>
  <filter-name>Agent</filter-name>
  <display-name>Agent</display-name>
  <description>SunTM ONE Idenitity Server Policy Agent for SunTM ONE Application Server 7.0</description>
  <filter-class>com.sun.amagent.as.filter.AgentFilter</filter-class>
  </filter>
  <filter-mapping>
  <filter-name>Agent</filter-name>
  <url-pattern>/*</url-pattern>
  </filter-mapping>
  The two resources /customer and /admin are subjected security constraints like:
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>col2</web-resource-name>
  <url-pattern>/customer</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
  <role-name>customer</role-name>
  </auth-constraint>
  <user-data-constraint>
  <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
  </security-constraint>
  The role-to-principal mapping is done in the sun-web.xml like:
  <security-role-mapping>
  <role-name>customer</role-name>
  <group-name>customer</group-name>
  <principal-name>amAdmin</principal-name>
  </security-role-mapping>
  <security-role-mapping>
  <role-name>admin</role-name>
  <group-name>admin</group-name>
  <principal-name>amAdmin</principal-name>
  </security-role-mapping>
  Two roles 'customer' and admin are created via the identity server console and users are added to these roles.
  The application deploys OK, when the app is accesed the user is redirected to the identity server and is authenticated fine. The user is directed to the main servlet and is allowed to access the the two jsp's. All is good till now, when the user access one these links say /customer, access is denied (403). The server logs prints out:
  [21/May/2003:10:34:24] FINE ( 6036): servletPath = /customer
  [21/May/2003:10:34:24] FINE ( 6036): pathInfo = null
  [21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: Process request for '/idssample/customer'
  [21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: Checking for SSO cookie
  [21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: SSO cookie is not present
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Security checking request GET /idssample/customer
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: We have cached auth type PROGRAMMATIC for principal amAdmin
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Checking constraint 'SecurityConstraint[col2]' against GET /customer --> false
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Checking constraint 'SecurityConstraint[col2]' against GET /customer --> true
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Subject to constraint SecurityConstraint[col2]
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling checkUserData()
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: User data constraint has no restrictions
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling authenticate()
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: User authentication is not required
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling accessControl()
  [21/May/2003:10:34:24] FINEST ( 6036): PRINCIPAL : amAdmin hasRole?: customer
  [21/May/2003:10:34:24] FINEST ( 6036): PRINCIPAL TABLE: {}
  [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Failed accessControl() test
  [21/May/2003:10:34:24] WARNING ( 6036): CORE3283: stderr: <May 21, 2003 10:34:24 AM CDT> <Agent> <Info> AgentRealm.getGroupNames(amAdmin)
  [21/May/2003:10:34:24] WARNING ( 6036): CORE3283: stderr: <May 21, 2003 10:34:24 AM CDT> <Agent> <Info> AgentRealm.getGroupNames(amAdmin) => java.util.Vector$1@bb60ad
  Now, snooping around I have found that the AgentRealm.getGroupNames(userdn) does
  return the correct grops viz. customer,admin,anyone.
  PLEASE HELP

  -- Second Update --
  After policy installation I got several problems with PeopleSoft configuration. Which finally were solved.
  1. Some URL's has to be defined as not enforced.
  com.sun.am.policy.amFilter.notenforcedList[1]=/ps/images/*
  com.sun.am.policy.amFilter.notenforcedList[2]=*.css
  com.sun.am.policy.amFilter.notenforcedList[3]=*.ico
  2. In versions older than PeopleSoft 8.4.2 the policy agent modified the file
  /opt/fs/webserv/peoplesoft/applications/peoplesoft/PORTAL/WEB-INF/psftdocs/ps/configuration.properties to add the properties:
  byPassSignon=TRUE
  defaultUserid="DEFAULT_USER"
  defaultPWD="your password"
  signon_page=amsignin.html
  signonError_page=amsignin.html
  logout_page=amsignin.html
  expire_page=amsignin.html
  However, in the newer versions of PeopleSoft this properties are controled from the online Peoplesoft console. Which are set on:
  PeopleTools --> WebProfile ---> WebProfileConfiguration --> [PROFILE] --> Security --> In section "Public Users" the parameters that has to be changed are:
  Allow Public Access (cheked)
  User ID : DEFAULT_USER
  Password : your password
  HTTP Session Inactivity : (SSO TIMEOUT)
  and:
  PeopleTools --> WebProfile ---> WebProfileConfiguration --> [PROFILE] --> Look and Feel -->
  In section "SignOn/Logout" set the following values:
  Signon Page : amsignin.html
  Signon Error Page : amerror.html
  Logout Page : amsignout.html
  Note: After making any changes on the console; restart PIA (weblogic instance).
  With this the SSO with PeopleSoft is working Ok.
  Message was edited by:
  LpzYlnd

• Policy Agent 2.2, IIS 6.0, CDSSO and redirects after authentication

  Hi
  I've got a problem where a HTTP/1.1 200 and 302 are returned by the Policy Agent / Application, after the Javascripted POST by the CDCServlet content is performed.
  The expected functionality is that the user is authenticated with the AM, the CDC Servlet serves the JavaScript page that will do a POST to the Policy Agent. The Policy Agent should then do what it needs to do with the POST, and forward request to the Application. The Application then does what it needs to do, and in this case, serves a HTTP/1.1 302 for redirection back to the browser.
  However, it seems that the Policy Agent might be returning a HTTP/1.1 200, and setting the iPlanetDirectoryPro cookie, quickly followed by the HTTP/1.1 302 and the setting of whatever cookies it wants to set.
  The Policy Agent should be respecting the return code of the Application. This problem does not appear when run against the Policy Agent for the Sun ONE Web Server.
  Wondering if anyone has seen this before?
  Here is sanitized output from a trace on the POST and resulting response.
  POST /oslp/?sunwMethod=GET HTTP/1.1
  Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
  Accept-Language: en-au
  Content-Type: application/x-www-form-urlencoded
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
  Host: sco88342744.corp.qed.qld.gov.au
  Content-Length: 3496
  Connection: Keep-Alive
  Cache-Control: no-cache
  X-ProcessAndThread: IEXPLORE.EXE [904; 2908]
  LARES=<snip>
  HTTP/1.1 200 OK
  Date: Wed, 16 May 2007 22:25:42 GMT
  Server: Microsoft-IIS/6.0
  Set-Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcz8tCfJ96AXxjIgRzuZJDgE7gMeTO0iIS4%3D%40AAJTSQACMDQ%3D%23;Path=/
  HTTP/1.1 302 Found
  Date: Wed, 16 May 2007 22:25:42 GMT
  Server: Microsoft-IIS/6.0
  X-AspNet-Version: 1.1.4322
  Location: /oslp/user/signon.aspx
  Set-Cookie: ASP.NET_SessionId=lh4sus55y1iy2r5514onnjuj; path=/
  Cache-Control: no-cache
  Pragma: no-cache
  Expires: -1
  Content-Type: text/html; charset=utf-8
  Content-Length: 139
  <html><head><title>Object moved</title></head><body>
  <h2>Object moved to <a href='/oslp/user/signon.aspx'>here</a>.</h2>
  </body></html>

  Hi,
  we had the same problem, but we got support
  from readme.txt
  Bug#: 6789020
  Agent type: All Agents
  Description: In CDSSO mode non enforced POST requests cannot be accessed
  Bug#: 6736820
  Agent type: IIS 6 Agent
  Description: IIS 6 agent doesn't work properly with ASP pages in CDSSO mode
  Both bugs should be fixed in this version:
  Sun Java System Web Agents 2.2-02 hotpatch2