Symantec Access Management

  • 1.  can we use the IWA with kerberos instead of NTLM using siteminder

    Posted Aug 11, 2015 06:36 AM

    Hi All,

     

    We have a requirement where we want to use the Integrated Windows Authentication scheme with Kerberos tokens rather than NTLM, which comes by default in the Windows Authentication Scheme template of SiteMinder.

     

    Can we do this using SiteMinder? I was following the link below, which says:

     

    Kerberos setup Questions

     

    "Avoid mixing NTLM and Kerberos. Both are different. If you want to use Kerberos authentication by SiteMinder, then disable Windows Authentication."

     

    Thanks,

    Ravi.



  • 2.  Re: can we use the IWA with kerberos instead of NTLM using siteminder

    Posted Aug 11, 2015 10:06 AM

    What version are you on? With 12.52 there's a "Kerberos Authentication Template".

     

    In vanilla 12.51 we used the "custom template" and applied the necessary configuration changes. For example:

     

    Auth Scheme = KerbAuth

    Server Name = myidp.domain.com

    Target = /siteminderagent/Kerberos/creds.kcc

    library = smauthkerberos

    parameter list = https://myidp.domain.com/siteminderagent/Kerberos/creds.kcc;HTTP/myidp.domain.com@DOMAIN.COM;(sAMAccountName=%{UID})

     

    ACO = myaco

    HttpServicePrincipal = HTTP/myidp.domain.com/DOMAIN.COM

    SmpsServicePrincipal = HTTP@myidp.domain.com

     

    One thing to note is that CA documentation likes to tell you to have an SPN per 'service', but depending on how your setup is you can use just one SPN. If there's a centralized credential collector, that's easiest to deal with: you don't need an SPN + service account on the Policy Server and the Web Agent; just set one SPN + service account + keytab file.



  • 3.  Re: can we use the IWA with kerberos instead of NTLM using siteminder

    Posted Aug 11, 2015 10:09 AM

    Ravi RaviSapare

     

    I doubt we could use the Integrated Windows Authentication Scheme Template to work with Kerberos. The older versions of SiteMinder, if I am remembering this correctly, used a custom authentication template for Kerberos. The latest version of SiteMinder has a Kerberos Authentication Scheme Template. Hence, to make things easier, it would really depend on what version of SiteMinder is being used.

     

     

    Regards

     

    Hubert



  • 4.  Re: can we use the IWA with kerberos instead of NTLM using siteminder

    Posted Aug 12, 2015 02:54 AM

    Hi Hubert, Bert,

     

    Thanks for your suggestions. The Policy Server which I am going to use is R12.52 SP1; in the documentation guide I see the following under Windows Authentication Schemes:

     

    https://wiki.ca.com/display/sm1252sp1/Windows+Authentication+Schemes

     

    "The Windows authentication scheme provides access control in deployments with Active Directories running in native mode. The scheme also supports Active Directories that are configured to support NTLM authentication".

     

    So the Windows Authentication Scheme supports Active Directories running in native and mixed mode, and here native is Kerberos. Is the guide misleading?

     

    Thanks,

    Ravi



  • 5.  Re: can we use the IWA with kerberos instead of NTLM using siteminder

    Posted Aug 12, 2015 11:11 AM

    Words can be misleading.

     

    We have never used Windows Authentication Template for Kerberos. We have only used the Kerberos Template in R12.52 OR Custom Template before R12.52.

     

    If there is still a doubt feel free to raise a Support Ticket to have it confirmed from CA.

     

     

    Regards

     

    Hubert



  • 6.  Re: can we use the IWA with kerberos instead of NTLM using siteminder

    Posted Aug 12, 2015 06:20 PM

    Mixed/Native doesn't imply Kerberos or not Kerberos. To do Kerberos you should be able to just follow the Kerb guide - https://wiki.ca.com/display/sm1252sp1/Configure+Kerberos+Authentication .

     

    If you're using a centralized credential collector (i.e., using one set of web agents for it instead of every application), it's really quite simple to set up. Just make sure all the SPNs, keytab, etc. are proper. Even if each application is doing its own, the process is basically the same; you'll just have multiple SPNs / keytabs depending on how you set up the service accounts.

     

    One thing we did find, though, is that SPNs with SiteMinder are case-sensitive. Most are case-insensitive, but in this case it's not, so make sure anything you set matches exactly; this includes DNS, so if the SPN is myidp.domain.com but DNS returns myIdp.domain.com, SiteMinder may throw errors.
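The custom-template parameter list in reply 2 (collector URL;SPN;LDAP filter), the ACO HttpServicePrincipal, the keytab, and the case-sensitivity warning in reply 6 all have to agree on one exact SPN string. The script below is an added example, not code from the thread or from CA/Symantec: it splits the parameter list into its three fields, parses an MIT-format (0x0502) keytab to list the principals it holds, and reports any case or value mismatch between the scheme SPN, the collector URL host, the ACO value, the keytab entry and the name the resolver returns. The keytab is constructed inline with a dummy key for offline use, the ACO value HTTP/myidp.domain.com@DOMAIN.COM and the DNS answers are assumptions, and the check names (`check_setup` and friends) are this example's own.

```python
"""Consistency check for a SiteMinder-style Kerberos auth scheme (added example)."""
import struct
from urllib.parse import urlsplit


def parse_param_list(params):
    """Split 'collector-url;SPN;ldap-filter' (the reply-2 custom-template format)."""
    parts = [p.strip() for p in params.split(";", 2)]
    if len(parts) != 3:
        raise ValueError("expected 'collector-url;SPN;ldap-filter'")
    return {"url": parts[0], "spn": parts[1], "filter": parts[2]}


def split_spn(spn):
    """'HTTP/host@REALM' -> (service, host, realm); realm is '' if absent."""
    principal, _, realm = spn.partition("@")
    service, _, host = principal.partition("/")
    if not service or not host:
        raise ValueError(f"malformed SPN: {spn!r}")
    return service, host, realm


def _counted(buf, off):
    """Read a 16-bit-length-prefixed byte string at off; return (bytes, new_off)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def keytab_principals(data):
    """Return [(principal, kvno, enctype), ...] from a big-endian 0x0502 MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is handled here")
    out, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                 # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        off += 4 + 4                  # name_type, timestamp
        kvno = data[off]              # 8-bit vno
        off += 1
        (etype,) = struct.unpack_from(">H", data, off)
        off += 2
        _, off = _counted(data, off)  # key material, not needed for the check
        if end - off >= 4:            # optional 32-bit vno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or kvno
        off = end
        out.append(("/".join(comps) + "@" + realm.decode(), kvno, etype))
    return out


def build_keytab(principal, kvno, etype, key):
    """Serialise one entry as a 0x0502 keytab; used only to construct test data."""
    svc_host, _, realm = principal.partition("@")
    def counted(b):
        return struct.pack(">H", len(b)) + b
    comps = svc_host.split("/")
    body = struct.pack(">H", len(comps)) + counted(realm.encode())
    for c in comps:
        body += counted(c.encode())
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # NT-PRINCIPAL, timestamp 0, vno8
    body += struct.pack(">H", etype) + counted(key) + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def _compare(label, expected, actual, problems):
    """Exact match passes; same string in different case is reported separately."""
    if expected == actual:
        return
    if expected.lower() == actual.lower():
        problems.append(f"{label}: case mismatch {actual!r} vs SPN {expected!r}")
    else:
        problems.append(f"{label}: {actual!r} does not match {expected!r}")


def check_setup(param_list, aco_http_spn, keytab_bytes, dns_answer):
    """Return a list of problems; an empty list means every piece names the same SPN."""
    problems = []
    cfg = parse_param_list(param_list)
    scheme_spn = cfg["spn"]
    service, host, realm = split_spn(scheme_spn)
    if service != "HTTP":
        problems.append(f"service class {service!r}; the credential collector expects HTTP")
    if not realm or realm != realm.upper():
        problems.append(f"realm {realm!r} should be the upper-case Kerberos realm")
    u = urlsplit(cfg["url"])
    if u.scheme != "https":
        problems.append("credential collector URL is not https")
    url_host = u.netloc.rsplit("@", 1)[-1].split(":")[0]   # keep original case
    _compare("collector URL host", host, url_host, problems)
    _compare("ACO HttpServicePrincipal", scheme_spn, aco_http_spn, problems)
    _compare("DNS answer", host, dns_answer, problems)
    if "%{UID}" not in cfg["filter"]:
        problems.append("LDAP filter has no %{UID} placeholder for the mapped user")
    names = [p for p, _, _ in keytab_principals(keytab_bytes)]
    if scheme_spn not in names:
        ci = [n for n in names if n.lower() == scheme_spn.lower()]
        if ci:
            problems.append(f"keytab: case mismatch {ci[0]!r} vs SPN {scheme_spn!r}")
        else:
            problems.append(f"keytab has no entry for {scheme_spn!r} (has {names})")
    return problems


PARAMS = ("https://myidp.domain.com/siteminderagent/Kerberos/creds.kcc;"
          "HTTP/myidp.domain.com@DOMAIN.COM;(sAMAccountName=%{UID})")
ACO_SPN = "HTTP/myidp.domain.com@DOMAIN.COM"                  # assumed ACO value
KEYTAB = build_keytab(ACO_SPN, 3, 18, bytes(32))              # constructed, dummy key

if __name__ == "__main__":
    print(check_setup(PARAMS, ACO_SPN, KEYTAB, "myidp.domain.com"))
    print(check_setup(PARAMS, ACO_SPN, KEYTAB, "myIdp.domain.com"))
```

The DNS answer is passed in rather than resolved so the script runs offline; in practice feed it the PTR/CNAME name your resolver actually returns for the collector host, since that is the string reply 6 says must match the SPN exactly.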