Layer7 Access Management

Expand all | Collapse all

Integrated Windows Authentication

  • 1.  Integrated Windows Authentication

    Posted 10-21-2013 05:37 AM
    Hi,

    I would like to setup IWA in existing environment.

    In current scenario, I am having number of applications protected using SiteMinder policy server and they all are using same Form based auth scheme to enforce Centralized Login page hosted on server managed by us. Some applications are using Active Directory Auth directory while others using OID.

    As per my understanding, below things needs to be setup in order to achieve IWA:
    - IIS Webserver hosting some dummy pages
    - Windows Authentication Scheme
    - Browser with IWA enabled settings

    I have IIS server build and protected by SiteMinder agent with directories havign Anonymous Access and SiteMinder Agent/NTLM directory using Windows Authentication. Windows Authentication Scheme having same protection level as of existing form based auth scheme getting used across and with FQDN of the IIS Webserver.

    Whenever user logged into PC with his credentials and opens a IWA enabled brower to access SM protected applications, he put some application specific URL. As this application is protected by SM, it enforces SM Policy and when it sees no SMSESSION, it redirect user to Login.fcc hosted on centralized server. My questions are as below :-
    1. Do I need to put some redirection in Login.fcc to some dummy page which is protected using Windows Authentication Scheme to make communication with IIS for NTLM based authentication/user validation?
    2. As mentioned some applications are using OID as auth directory, so what should be done in such scenario as all PC's are part of the AD domain and using AD credentials to log in.
    3. Not sure when the IWAABLE cookie is set and what role does it play in IWA?
    4. Any other customization required ?

    Would appreciate to know more in this context.

    Thanks in advance.

    Regards,
    Vishal


  • 2.  RE: Integrated Windows Authentication

    Posted 10-21-2013 12:37 PM
    Vishal,

    undersrtand there are 4 pieces for this to work

    1: Microsoft Internet Explorer - this needs to be set to send credentials

    2: IIS - this should be anonymous access so that it gets the id from SiteMinder, with ONE exception, which is the SiteMinder Agent's NTLM directory, which should be integrated Windows Login, so that SIteMinder can get information from IIS

    3: Active Directory

    4: Your SM authentication scheme; it needs to be the windows template based. use the samaccountname={UID%} to start. as you get more complicated it is harder to make things work, so start witht he basic that works for 90% or so of the use cases.

    note: {} content are case sensitive, so UID must be UID, not uid, Uid, UId, uID, uId, UiD, ....

    more information is contained in the site minder documentation and help pages

    -josh


  • 3.  RE: Integrated Windows Authentication

    Posted 10-21-2013 11:53 PM
    Hi Josh,

    Thanks for the details.

    However, my questions are still unanswered

    My questions are as below :-
    1. Do I need to put some redirection in Login.fcc to some dummy page which is protected using Windows Authentication Scheme to make communication with IIS for NTLM based authentication/user validation?
    2. As mentioned some applications are using OID as auth directory, so what should be done in such scenario as all PC's are part of the AD domain and using AD credentials to log in.
    3. Not sure when the IWAABLE cookie is set and what role does it play in IWA?
    4. Any other customization required ?

    Thanks,
    Vishal


  • 4.  RE: Integrated Windows Authentication

    Posted 10-22-2013 06:43 AM
    Hi Vishal,

    Request you have a look at the documentation for configuring windows Authentication.

    look for below part of the documentation, it talks for IIS 6.0 but its applicable for IIS 7.x also.

    https://support.ca.com/cadocs/0/CA%20SiteMinder%20r12%20SP3-ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?sm-impl.html

    Installation and Upgrade Guides › Web Agent Installation Guide for IIS › Configure an SiteMinder Web Agent on an IIS 6.0 Web Server › How to Configure a SiteMinder Web Agent on IIS 6.0 › Configure the Virtual Directory for Windows Authentication Schemes (IIS 6.0)

    There is no customization required for IWA Authentication.
    If user's desktop is connecting to AD for example then you should use the same AD for configuring them in policies. As stated by Josh in previous update you need to create authentication scheme in that format.

    Regards
    Vikas Tiwari


  • 5.  RE: Integrated Windows Authentication

    Posted 10-27-2013 07:16 PM
    vishal-nord:
    1. Do I need to put some redirection in Login.fcc to some dummy page which is protected using Windows Authentication Scheme to make communication with IIS for NTLM based authentication/user validation?


    When you configure Windows Authentication  Scheme from SiteMinder AdminUI, you will see the TARGET being different from the HTML Authentication Scheme.

    Every authentication scheme has its own credential collector and for that reason the target will be different.

    You just need to create a Windows Authentication Scheme and you do not need to create any dummy page.

     



  • 6.  RE: Integrated Windows Authentication

    Posted 11-05-2013 04:29 AM

    Hi Kim,

    Thanks for your response.

    Well, here is the detailed description what exactly I would like to implement.
     

    Current Setup:
    Policy Server Version - R12 SP3
    No Cross Domain SSO in place

    In current scenario, we are having number of applications(Intranet) protected using SiteMinder policy servers and they all are using the same Form based Auth scheme to enforce Centralized Login page hosted on server managed by us.
    Some applications are using Active Directory as a Authentication directory while others using OID. Flow is something like, user access a protected resource and redirected to login.jsp page hosted on centralized server that we have. Then user enters credentials and submits it. The credentials then posted to login.fcc page on centralized server and user is authenticated & authorized. After which user is redirected to the initially requested application page.

    Requirement:
    Whenever user logged into PC with his AD credentials and opens a IWA enabled browser, he accesses SM protected applications(With Form based authentication). User should not be asked for login again with the help of IWA. Now here, I don’t want to change the Form based authentication scheme with Windows Authentication for any of the protected application and still wants to achieve IWA. Simply, what I want is to keep the current setup as it is (application
    resources protected with Form Based Authentication) and achieve the IWA. I don’t want applications resource to be protected using the IWA Windows Authentication scheme.

    Can you please let me know the OOB solution for this?

    I was thinking of doing it in following way although not sure whether it will work
    - Deploy some dummy pages protected with Windows Authentication Scheme
    - Browser with IWA enabled settings
    - Put redirection in Login.fcc to dummy page which is protected using Windows Authentication Scheme to make communication with IIS for NTLM based authentication/user validation
    - Once IWA is achieved, dummy page should redirect user to initially requested page.[Still not sure, how this can be done]


    Clarification Required on below points:
    1. All users currently logs in with 4 digit ID(Say login ID) and password which AD stores, while the form based authentication scheme protecting all the applications prompts user for Employee ID/samaccountname which is stored in either AD Or OID. Will there be any issue likely to occur in this case ?

    2. As mentioned some applications are using OID as Auth directory and some are using AD, so what should be done in such scenario as all PC's are part of the AD domain and using AD credentials to log in. How the applications
    protected by Form Based Authentication scheme with OID as authentication directory will behave when we have IWA in place which talks with AD?

    3. User should be redirected to Form Based Login page in case of Kerberos Ticket/NTLM Authentication fails. How this can be achieved ?


    Appreciate your earliest help in this

    Regards,
    Vishal



  • 7.  RE: Integrated Windows Authentication

    Posted 11-29-2013 01:26 AM

    Hi,

    Can anyone help here ?

    Regards,

    Vishal



  • 8.  RE: Integrated Windows Authentication

    Posted 12-02-2013 09:47 AM

    Hi Vishal,

     

    there's a few IWA with Forms Fall Back methods.

     

    "WinForms Select Auth"
     
    "SmNTLM_IWA_FailoverToHTMLForms"
     
     
    I don't beleive either is officially supported though.
     
    I would look into them as they are likely your best bet.,


  • 9.  RE: Integrated Windows Authentication

    Posted 12-02-2013 10:14 AM
    Hi Vishal, An important detail would be whether or not all your users will be using Internet Explorer.  I described our experience on this subject in the following message : https://communities.ca.com/web/ca-identity-and-access-mgmt-distributed-global-user-community/message-board/-/message_boards/view_message/99214506#_19_message_99944466


  • 10.  Re: Integrated Windows Authentication

    Posted 08-20-2014 12:40 PM

    Hi Vishal,

     

     

    I am not sure whether you are able to solve this issue or not.

     

     

    I had worked for solution for similar setup. AD and LDAP as user directories
    and most of applications use form authentication.

     

     

    For seamless authentication with IWA and applications with LDAP user
    directories.

     

     

    You need to protect new IIS resource with IWA authentication and configure
    LDAP as user directroy (instead of AD).

     

     

    But catch here is you need synch user id and password between AD and LDAP. So
    SAMaccountname in AD is same as uid in LDAP.

     

     

    So that IWA authentication scheme can search user in LDAP also by using
    credentials passed from windows machine.

     

     

    Regarding no change to Authentication scheme for most of your applications
    which are using form based.

     

     

    You may have to put redirection in your login page code(form html URL) and redirect
    to IWA authentication scheme URL with target as IWA resource.

     

     

    In IWA resource again have logic to redirect to origin TARGET URls.

     

     

    This would be lot of customization. But feasible. And also you would be
    using IWA auth scheme against LDAP.

     

    LDAP and AD users are synched in such way that user id and passwords match..

     

     

    Regards,

     

     

    Srinivas Meganath, CISSP.



  • 11.  Re: Integrated Windows Authentication

    Posted 08-26-2014 08:22 AM

    Srinivas,

     

    are you talking about splitting Authentication to AD and Authorization to LDAP via a common unique Identifier?

     

    Just want to be sure as it seems that is what you are talking about.

     

    -Josh



  • 12.  Re: Integrated Windows Authentication

    Posted 08-26-2014 10:56 AM

    Hi Josh,

     

    No, I have not splitted Authentication to AD and Authorization to LDAP.

      In our case AD and LDAP user id and passwords are synched.

    So i used LDAP expression in IWA NTLM authentication scheme.

     

    (&(objectclass=***)(uid=%{UID}))

     

    Now Authentication and authorization is against LDAP and seamless SSO works
    fro this IWA enabled application to other LDAP user directory and form based authentication
    scheme application. As long as protection level is same.

     

    I hope i answered your question.

     

     

    Regards,

    Srinivas.



  • 13.  Re: Integrated Windows Authentication

    Posted 08-26-2014 01:47 PM

    Srinivas,

     

    thank you for the answer. that's an interesting approach.

    I'll have to remember it for the future.

     

    -Josh



  • 14.  Re: Integrated Windows Authentication

    Posted 08-25-2014 02:45 PM

    Vishal,

     

    Are you still looking for assistance with the SiteMinder IWA auth scheme and/or implementation?

     

    I have been customizing our IWA implementation for 7 years and may be able to help.

     

    Mike



  • 15.  Re: Integrated Windows Authentication

    Posted 03-23-2015 01:32 PM

    Mike,

     

    I have been working with the IWA/forms authentication solution that CA services provided. It works great for standard agents, but leave a lot to be desired for federation. Have you done any customization for working with federation requests? I have done some, but new scenarios keep cropping up (SP initiated, IDP initiated, RelayState in URL, Encrypted assertions, hypens and spaces in unexpected places from some SPs, etc...), and it has turned into a hefty amount of Java script. I was wondering if you have worked on this, and maybe have a more elegent solution. If I could get the federation service to input a referer header (internal only of course, and only do a specific resource if possible) this task would be very simple.

     

    Also, this feature really needs to be included in a CA release.

     

    Thanks,

    Brian



  • 16.  Re: Integrated Windows Authentication

    Posted 03-23-2015 02:59 PM

    IWA really only works when the end user is logged into Active Directory.  For us, that means intranet use.  Federation for us is internet, so IWA really doesn't apply.

     

    The only use case I can think of is an intranet user accessing Federation as a IDP.  The user can IWA auth, access Federation, then Federate to an outside SP.

     

    If the cookie domains for intranet and internet are different, then somewhere along the line, Cookie Provider (CP)  will be needed.  CP can be enabled on the IWA web agent or the Federation web agent.



  • 17.  Re: Integrated Windows Authentication

    Posted 03-23-2015 03:11 PM

    Thanks for the info. Your architecture prevents you from running into the same scenario that I am facing. Sounds like you are using a portal model for federartion where we are usingdirect links.

     

    The issue i'm running into is not cookie related. It has to do with how the federation service manipulates the URLs; it's a combination of URI encoding and delimiting with "-". The difficult part is that it selectively applies these changes to each individual section of the query string. Everything they CA puts in, I have to parse out.