Symantec Access Management

  • 1.  IWA with multiple domains

    Posted Sep 07, 2016 11:19 AM

    Hi,

    How do I make IWA work with multiple domains? Is there a document with the detailed procedure?

    Here's the scenario.

    Current Setup:

    1. A user in the domain abc.com is able to access applications with IWA.

    New Setup:

    1. A new domain xyz.com has been introduced to make IWA work for users in the xyz.com domain. A network trust has been built between the 2 domains.

    2. When logged in as an xyz.com domain account, I am prompted to enter the credentials (the browser fails to fetch the Windows credentials and prompts to enter them).

    I have made sure the xyz.com account with which I am trying to test IWA has read and write permissions on the siteminderagent folder within IIS. In addition, "Enable Integrated Windows Authentication" is enabled.

    Let me know if I am missing something to get this to work.

     



  • 2.  Re: IWA with multiple domains

    Posted Sep 07, 2016 12:25 PM

    Hi Kevin,

    Were you able to authenticate after entering the credentials?
    If so, to authenticate users without the agent challenging them for their credentials, Internet Explorer browser users must configure the Automatic Logon browser security setting.
    Follow these steps:
    1) Start the Internet Explorer browser.
    2) Open the Internet Options dialog. (Refer to the Internet Explorer online help to find out how to open the dialog for your version of the browser.)
    3) Click the Security tab.
    4) Click the correct security zone.
    5) Click Custom Level.
    6) Scroll down to the User Authentication section. Under the Logon option, click the "Automatic Logon with current username and password" option.
    7) Apply the changes.
    The Security Settings dialog and the Internet Options dialog close. Your settings are saved, and automatic login is configured.

    If you were not able to authenticate, kindly check the points below.
    1) Is IIS sending the authentication response (NTLM negotiation) to the Agent?
    2) What is the User Lookup in the IWA authentication scheme?
    3) Is Windows Authentication enabled (and the rest disabled) on the NTLM folder under siteminderagent?

    Thanks,

    Sharan
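    Sharan's third point (Windows Authentication on, every other module off on the ntlm folder) is easy to check by hand once, but harder to keep honest across several IWA web servers. The script below is an added example, not code from this thread or from CA/Symantec: it reads the authentication modules for the siteminderagent/ntlm folder through the IIS WebAdministration module and reports any deviation from that expected state. The site name, the folder path and the expectation that Negotiate is listed before NTLM are assumptions taken from the thread and from common IIS practice.

```powershell
# Added example (not from the thread): audit the IIS authentication modules on
# the SiteMinder IWA folder. Assumes the WebAdministration module (IIS 7+) and
# the thread's path "Default Web Site/siteminderagent/ntlm".
Import-Module WebAdministration

function Get-IwaAuthState {
    param(
        [string]$Site = 'Default Web Site',
        [string]$Path = 'siteminderagent/ntlm'
    )
    $location = "$Site/$Path"
    $base = 'system.webServer/security/authentication'
    $state = [ordered]@{}
    foreach ($module in 'anonymousAuthentication', 'basicAuthentication',
                        'digestAuthentication', 'windowsAuthentication') {
        $v = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
                                          -Filter "$base/$module" -Name enabled
        # Depending on the IIS version the cmdlet returns a bool or an attribute object
        $state[$module] = if ($v -is [bool]) { $v } else { [bool]$v.Value }
    }
    # Provider order matters: Negotiate first lets Kerberos be tried before NTLM
    $state['providers'] = @(Get-WebConfiguration -PSPath 'IIS:\' -Location $location `
        -Filter "$base/windowsAuthentication/providers/add" | ForEach-Object { $_.value })
    return $state
}

function Test-IwaAuthState {
    param([System.Collections.IDictionary]$State)
    $findings = @()
    if (-not $State['windowsAuthentication']) {
        $findings += 'Windows Authentication is disabled: IIS cannot send a Negotiate/NTLM challenge, so no silent logon is possible.'
    }
    foreach ($m in 'anonymousAuthentication', 'basicAuthentication', 'digestAuthentication') {
        if ($State[$m]) {
            $findings += "$m is enabled on the ntlm folder; the expected state is Windows Authentication only (a Basic challenge is what makes the browser show a credential dialog)."
        }
    }
    if ($State['providers'].Count -gt 0 -and $State['providers'][0] -ne 'Negotiate') {
        $findings += "Provider order is [$($State['providers'] -join ', ')]; Negotiate listed first lets Kerberos be tried before NTLM."
    }
    if ($findings.Count -eq 0) { $findings += 'OK: Windows Authentication only, as expected for the IWA folder.' }
    return $findings
}

# Run on each IWA web server; the printed state gives a like-for-like comparison
$state = Get-IwaAuthState
$state
Test-IwaAuthState $state
```

    Run it in an elevated PowerShell session on the web server itself (the IIS: drive only exists there). Because the output is the same ordered list on every host, running it on each IWA server and diffing the results is a quick way to spot one server that drifted from the others.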



  • 3.  Re: IWA with multiple domains

    Posted Sep 07, 2016 01:47 PM

    Hi Sharana,

    I am able to authenticate after entering the credentials. Yes, the IE security settings are in place, but I am still prompted to enter my credentials.



  • 4.  Re: IWA with multiple domains

    Posted Sep 08, 2016 08:03 AM

    IWA is based on the AD forest.

    In my company we can reuse sAMAccountName as we don't have dc=company,dc=com but dc=group,dc=company,dc=com.

    We are testing a resolution that is testing really well, where we use HTML forms to dump to an aspx.net page which grabs the domain from the Windows login as CA does, and then push to the right IWA scheme which sends the client back where they came from.

    The abc.com to xyz.com is a different issue.

    Do you have a trust between the domains? Or does each do its own IWA?



  • 5.  Re: IWA with multiple domains

    Posted Sep 08, 2016 09:34 AM

    Josh,

    The trust is in place between the 2 domains. The IWA servers are under the "abc.com" domain, and IWA SSO works fine in the abc.com domain.

    I am trying to make IWA work with the xyz.com domain. I am able to authenticate to the SSO application, but I am prompted for credentials. It seems like a Basic authentication prompt.

    Is there a way to find out what exactly happens when I try to do an IWA SSO with a user from the xyz.com domain? The Basic authentication prompt makes me believe the IIS isn't ready to accept the credentials sent by the browser and throws a Basic authentication prompt.

    Also, by any chance is there a need to introduce a new IIS server (on xyz.com) just to make the IWA SSO work for xyz.com users?



  • 6.  Re: IWA with multiple domains

    Posted Sep 08, 2016 09:39 AM

    Sounds like the cookie isn't shared. I would check with CA on that.

    Cross Domain SSO is the issue here and they are the experts on that.



  • 7.  Re: IWA with multiple domains
    Best Answer

    Posted Sep 08, 2016 09:30 AM

    Hi,

    At IIS Manager -> Default Web Site -> siteminderagent -> ntlm, did you enable Windows Authentication?

    Given that providing credentials allows login, I think the IIS and AD negotiation is fine. It could be some setting on IIS that prevents the "auto" login.

    As for the browser setting, I presume the same browser was used to log in to abc.com. If that's the case, it is less likely a browser setting issue.

    Another point that I can think of is to compare the IIS settings between abc.com and xyz.com.

    A Fiddler header trace log and IIS failed request tracing (http://www.iis.net/learn/troubleshoot/using-failed-request-tracing/troubleshooting-failed-requests-using-tracing-in-iis) might give some hints on why the xyz.com login prompts.

    Regards,

    Kar Meng
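    A header trace of the kind Kar Meng suggests is useful because the three explanations raised in this thread leave different fingerprints in the 401 exchange: a challenge that carries only Basic (no Windows Authentication on the path) can only produce a credential dialog; a Negotiate/NTLM challenge the browser never answers points to the zone and Automatic Logon settings Sharan listed; and a token that IIS answers with a fresh challenge points at the server side (the account or trust path). The PowerShell below is an added example, not code from the thread or from CA/Symantec: it classifies a simplified trace in which each request or response is a blank-line-separated header block, the way headers can be copied out of Fiddler. The trace layout, the two sample traces and the token placeholders are all constructed for the example.

```powershell
# Added example (not from the thread): classify a simplified header trace of the
# IWA handshake. One request or response per blank-line-separated block. The
# sample traces at the bottom are constructed; tokens are placeholders.

function Get-HeaderValues {
    param([string[]]$Lines, [string]$Name)
    foreach ($l in $Lines) {
        if ($l -match "^$([regex]::Escape($Name))\s*:\s*(.+)$") { $Matches[1].Trim() }
    }
}

function Get-AuthSchemes {
    # 'Basic realm="x"', 'Negotiate <token>', 'Negotiate, NTLM' -> scheme names only
    param([string[]]$Values)
    foreach ($v in $Values) {
        foreach ($part in ($v -split ',')) {
            $scheme = ($part.Trim() -split '\s+')[0]
            if ($scheme) { $scheme }
        }
    }
}

function Test-IwaTrace {
    param([string]$Trace)
    $requests = @(); $responses = @()
    foreach ($block in ($Trace -split '(?:\r?\n){2,}')) {
        if (-not $block.Trim()) { continue }
        $lines = @(($block.Trim() -split '\r?\n') | ForEach-Object { $_.Trim() })
        if ($lines[0] -match '^HTTP/\d') { $responses += ,$lines } else { $requests += ,$lines }
    }
    $findings = @()
    $steps = [Math]::Min($requests.Count, $responses.Count)
    for ($i = 0; $i -lt $steps; $i++) {
        $req = $requests[$i]; $res = $responses[$i]; $n = $i + 1
        $status = [int](($res[0] -split ' ')[1])
        $challenges = @(Get-HeaderValues $res 'WWW-Authenticate')
        $offered = @(Get-AuthSchemes $challenges)
        $sent = @(Get-AuthSchemes @(Get-HeaderValues $req 'Authorization'))
        $winOffered = ($offered -contains 'Negotiate') -or ($offered -contains 'NTLM')
        $winSent = ($sent -contains 'Negotiate') -or ($sent -contains 'NTLM')
        # A 401 whose challenge carries a token is the normal multi-leg handshake, not a failure
        $continuation = @($challenges | Where-Object { $_ -match '^(Negotiate|NTLM)\s+\S' }).Count -gt 0
        if ($status -eq 200) {
            $msg = if ($winSent) { "$($sent -join '/') accepted, silent SSO completed" } else {
                '200 without any Windows auth token (anonymous access allowed?)' }
        } elseif ($status -ne 401) {
            $msg = "unexpected status $status"
        } elseif (-not $winOffered) {
            $msg = "401 offers only [$($offered -join ', ')]: no Negotiate/NTLM challenge, so the browser can only show a credential dialog; check Windows Authentication on the ntlm folder"
        } elseif ($continuation) {
            $msg = "handshake in progress ($($offered -join '/') challenge with token)"
        } elseif ($winSent) {
            $msg = "IIS answered the $($sent -join '/') token with a fresh challenge: the account's domain or trust path was not accepted"
        } else {
            $next = if ($i + 1 -lt $requests.Count) { $requests[$i + 1] } else { $null }
            $answered = ($null -ne $next) -and (@(Get-HeaderValues $next 'Authorization').Count -gt 0)
            $msg = if ($answered) { 'Negotiate/NTLM offered and the browser answered' } else {
                'Negotiate/NTLM offered but the browser never answered: check the browser zone and Automatic Logon setting' }
        }
        $findings += "Step ${n}: $msg"
    }
    return $findings
}

# Constructed sample: the working abc.com case (token values are placeholders)
$working = @'
GET /protected/ HTTP/1.1
Host: app.abc.com

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

GET /protected/ HTTP/1.1
Host: app.abc.com
Authorization: Negotiate <type1-token-placeholder>

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate <type2-token-placeholder>

GET /protected/ HTTP/1.1
Host: app.abc.com
Authorization: Negotiate <type3-token-placeholder>

HTTP/1.1 200 OK
'@

# Constructed sample: a path that only challenges with Basic
$prompting = @'
GET /protected/ HTTP/1.1
Host: app.abc.com

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="app.abc.com"
'@

Test-IwaTrace $working
Test-IwaTrace $prompting
```

    Capture the xyz.com user's session the same way and feed it in: the first 401 tells you whether IIS even offered Negotiate/NTLM, the request after it tells you whether the browser attempted automatic logon, and a fresh challenge after a token narrows the problem to the server side. Pairing that with IIS failed request tracing on the same request gives the server's own reason for the 401.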