Question
I.T. Co.
RU
Last activity: 6 Nov 2018 1:50 EST
Get client IP address in case of failed login
Hello,
I faced an issue with the retrieving information about user IP address in case of failed login. The configuration description and details of issue are described below.
1) The Reverse proxy server configuration is used.( https://community.pega.com/knowledgebase/articles/reverse-proxy-server-configuration )
2) The custom authentication mechanizm is developed - user login and password are checked with Active Directory using LDAP. The authentication activity is used for this.
3) If user login and password pair is incorrent, the authentication activity puts the error message in param.pyFailMessage. This error message appears on the Login page.
4) In case of failed login, Pega automatically saves new Log-SecurityAudit instance in DB - this instance stores information about user login, user IP address, error message = param.pyFailMessage, etc.
The issue is: if proxy(load balancing) is used, then user IP address(the pyRemoteAddr property) is empty in Log-SecurityAudit item. If user directly(without proxy) connects to Pega, then the user IP address is specified correctly.
So could anybody provide me the answers on the following questions:
1) Why the pyRemoteAddr property is empty in case of failed login through proxy?
2) Which mechanizm is used to save Log-SecurityAudit instance in case of failed login? Is it possible to modify it?
3) Is it possible to NOT save Log-SecurityAudit instance in case of failed login and use param.pyFailMessage at the same time?
Hello,
I faced an issue with the retrieving information about user IP address in case of failed login. The configuration description and details of issue are described below.
1) The Reverse proxy server configuration is used.( https://community.pega.com/knowledgebase/articles/reverse-proxy-server-configuration )
2) The custom authentication mechanizm is developed - user login and password are checked with Active Directory using LDAP. The authentication activity is used for this.
3) If user login and password pair is incorrent, the authentication activity puts the error message in param.pyFailMessage. This error message appears on the Login page.
4) In case of failed login, Pega automatically saves new Log-SecurityAudit instance in DB - this instance stores information about user login, user IP address, error message = param.pyFailMessage, etc.
The issue is: if proxy(load balancing) is used, then user IP address(the pyRemoteAddr property) is empty in Log-SecurityAudit item. If user directly(without proxy) connects to Pega, then the user IP address is specified correctly.
So could anybody provide me the answers on the following questions:
1) Why the pyRemoteAddr property is empty in case of failed login through proxy?
2) Which mechanizm is used to save Log-SecurityAudit instance in case of failed login? Is it possible to modify it?
3) Is it possible to NOT save Log-SecurityAudit instance in case of failed login and use param.pyFailMessage at the same time?
***Edited by Moderator: Pallavi to update platform capability tags***
Accepted Solution
Pegasystems Inc.
US
There is no way to modify the content of the audit log message content.
Pegasystems Inc.
US
1. Pega platform does nothing special in this situation (or any other) when behind a LB. So if the remote address is empty it is likely due to something external to Pega platform. Pega simply gets the address from the request object, which is passed to Pega from the application server.
2 & 3 - The logged event cannot be modified.
In 7.4 a new security event logging feature was added that captures, among other events, failed login attempts. This feature also allow the logging of custom events, which you could do from your custom authentication activity. See this for more information.
I.T. Co.
RU
Hello SOLOM,
Thank you for your answer.
I found the support article, which describes the situation when the pyRemoteAddr property is empty in pxRequestor page: https://community.pega.com/support/support-articles/not-able-get-ip-addr-pyremoteaddr-clipboard .
In the resolution I see the following: Perform the following local-change: Add the below DSS settings in the application server prconfig.xml file.<env name="initialization/ContextRewriteEnabled" value="false"/>
But in the instruction( https://community.pega.com/knowledgebase/articles/reverse-proxy-server-configuration ) how to configure the reverse proxy the both approaches require to perform the opposite change: in prconfig.xml file specify <env name="Initialization/ContextRewriteEnabled" value="true" /> .
Based on the statements above and some experiments It seems this setting affects the set of the pyRemoteAddr property in the pxRequestor page. Please let me know is my conclusion right or not?
Also, could you please desribe which source and mechanizm is used to get remote client address in case of failed login? Is it a clipboard page or anything else?
Thank you in advance.
Pegasystems Inc.
US
Pega simply gets the address from the HTTP request object, which is passed to Pega from the application server. This is the mechanism for obtaining the value saved in pyRemoteAddr.
The configuration setting has an impact on the value in the HTTP request object. When set to true, the second setting mentioned in the documentation provides the value. This setting is setBaseHTMLContext.
I.T. Co.
RU
Hello SOLOM,
Thank you for your answer. Based on your messages above, it seems there are no any way to correctly set the IP address of remote user in Log-SecurityAudit object in case of failed login through load balancing proxy. The reason is that the mechanizm can not be modified and reverse proxy settings impact the value of pyRemoteAddr. Actually the use of custom HTTP header to store user IP address can not help here to correctly log a message about failed login.
Am I right?