Layer7 Access Management


User's security context for Form Based Authentication

  • 1.  User's security context for Form Based Authentication

    Posted 07-23-2015 04:51 AM

    We are using SharePoint Agent-2010 and we have IIS as our backend server where the application is hosted. We have protected this application using form-based authentication.

    In this case, the backend IIS is expecting the user context from SiteMinder once the Authentication/Authorization process is done.

     

    We are using AD as our user directory and configured the "use authenticated user's security context" option as mentioned in the document, but this works fine only when I protect the application using the Basic Auth scheme in SM; it is not working for the form-based auth scheme.

    https://wiki.ca.com/display/sm1252sp1/Windows+User+Security+Context#WindowsUserSecurityContext-WindowsUserSecurityContextRequirements

     

    Has anyone faced this issue before?



  • 2.  Re: User's security context for Form Based Authentication

    Posted 07-26-2015 12:17 AM

    Hi Venga,

     

    For the agent to provide a security context for specific resources, enable persistent sessions for all realms that include those resources. The session store maintains persistent sessions. Please confirm if the resources are protected with persistent realm.

     

    As per the documentation, please ensure that the IIS web server meets the following requirements to use the Windows security context feature:

    • All IIS servers must be trusted in the domain in which the user is authenticating. You can establish trust relationships among servers that provide distributed services for groups of users.
    • Users must have the privileges to log in locally to the web server. If there are multiple servers, users need the right to log in locally to all servers.
    • Consider the following guidelines for accounts that start the World Wide Web Publishing Service:
      • System accounts need no additional configuration.
      • Domain accounts need the privileges of the associated user to act as part of the operating system.

     

    For the product to support seamless Microsoft security context, NetBIOS names must match the DNS domain name as recommended by Microsoft.

     

    When the DNS name of the Active Directory domain differs from its NetBIOS name, the user domain cannot be established. The web server cannot provide the security context when the product is configured to use an LDAP user directory.

     

    Also, if you have a Web Agent on the IIS web server, please set the following ACO parameter:

    DisableWindowsSecurityContext=No

     

    Best regards,

    Kelly



  • 3.  Re: User's security context for Form Based Authentication

    Posted 07-27-2015 07:21 AM

    Hi Kelly,

     

    I have followed all the steps. Do we have any way to track this user context? I can see the value in the session store but will it be available in the client browser header?

     

    Regards,

    Venga



  • 4.  Re: User's security context for Form Based Authentication

    Posted 08-05-2015 09:11 PM

    Hi Venga,

     

    I tested with R12.52 SP1 release with HTML Form authentication scheme. I see the user session in session store.

     

    You can create a SiteMinder response -- a "Webagent-HTTP-Header-Variable" attribute with the "Session Variable" attribute kind. PS retrieves the attribute value from the session store.

    But this is limited to scontextDomain session variable.

     

    Please verify if the AD user store is defined with LDAP namespace and explain how the authentication is not working with HTML Form authentication scheme.

     

    Best regards,

    Kelly



  • 5.  Re: User's security context for Form Based Authentication

    Posted 08-06-2015 01:33 AM

    Hi Kelly,

     

    Thanks for your analysis on this. Now it works fine, but it seems to be very slow: it takes almost 26 seconds to finish the authentication process.

    Slowness happens only if I choose "use authenticated user's security context". Do you have any idea on this?

     

    Regards,

    Venga



  • 6.  Re: User's security context for Form Based Authentication

    Posted 08-06-2015 01:55 AM

    Hi Venga,

     

    Thanks for the updates.

     

    For the performance issue, please check the Policy Server trace (with the following PS profiler template) and see which part of the processing is taking time.

     

    =========================================================================================================================================================

    components: AgentFunc, Server/Policy_Object, Server/Policy_Server_General, IsProtected/Resource_Protection, Login_Logout/Authentication, Login_Logout/Policy_Evaluation, Login_Logout/Password_Service, Login_Logout/Certificates, IsAuthorized, LDAP

    data: Pid, Tid, Date, PreciseTime, AgentName, TransactionID, SessionID, SessionSpec, Function, SrcFile, Action, Message, User, UserDN, Data, CallDetail, ErrorString, SearchKey, Query, ObjectOID, Resource, Domain, Realm, Policy, Rule, Directory, AuthReason, AuthScheme, AuthStatus, CertSerial, SubjectDN, IssuerDN, CertDistPt, Threshold, Throughput, ExecutionTime, Returns, Result, ErrorValue, ReturnValue

    version: 1.1

    =========================================================================================================================================================


    Best regards,

    Kelly
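One way to do what Kelly suggests, locating the slow step in a Policy Server trace, is to attribute the time between consecutive trace lines of the same transaction to the function logged on the earlier line. This is an added example, not code from the thread or from the product; it assumes a constructed, bracket-delimited line layout and constructed sample lines, and the function names in the sample are placeholders. A real trace emits the fields listed on the template's "data:" line, so FIELDS must be adjusted to match the actual output.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed field layout per trace line (adjust to your profiler template's "data:" line).
FIELDS = ["Date", "PreciseTime", "TransactionID", "Function", "Message"]

# Constructed sample trace (not real Policy Server output); function names are placeholders.
SAMPLE_TRACE = """\
[08/06/2015][01:30:02.105][tx-1][AuthenticateUser][Begin HTML Forms auth]
[08/06/2015][01:30:02.118][tx-1][LdapSearch][User lookup in AD]
[08/06/2015][01:30:02.430][tx-1][EstablishSecurityContext][Windows user security context]
[08/06/2015][01:30:28.151][tx-1][BuildResponse][Session variable scontextDomain]
[08/06/2015][01:30:28.156][tx-1][AuthenticateUser][End auth]
[08/06/2015][01:30:02.200][tx-2][AuthenticateUser][Begin HTML Forms auth]
[08/06/2015][01:30:02.260][tx-2][AuthenticateUser][End auth]
"""

def parse_line(line):
    """Split one bracket-delimited trace line into a dict, or None if it does not match."""
    vals = re.findall(r"\[([^\]]*)\]", line)
    if len(vals) != len(FIELDS):
        return None  # blank line, banner, or a line with a different layout
    rec = dict(zip(FIELDS, vals))
    rec["ts"] = datetime.strptime(rec["Date"] + " " + rec["PreciseTime"],
                                  "%m/%d/%Y %H:%M:%S.%f")
    return rec

def time_per_function(trace_text):
    """Seconds attributed to each function: the gap until the next line of the same transaction."""
    by_tx = defaultdict(list)
    for line in trace_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_tx[rec["TransactionID"]].append(rec)
    totals = defaultdict(float)
    for recs in by_tx.values():
        for cur, nxt in zip(recs, recs[1:]):
            totals[cur["Function"]] += (nxt["ts"] - cur["ts"]).total_seconds()
    return dict(totals)

def slowest_function(trace_text):
    """Return (function, seconds) for the step that consumed the most wall-clock time."""
    totals = time_per_function(trace_text)
    name = max(totals, key=totals.get)
    return name, round(totals[name], 3)

if __name__ == "__main__":
    print(slowest_function(SAMPLE_TRACE))
```

In the constructed sample, the gap after the security-context step dominates, which is the kind of finding that points at the Windows logon path rather than at LDAP or policy evaluation.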