Symantec Access Management

 View Only
  • 1.  Windows Authentication on CA Access Gateway 

    Posted May 24, 2017 01:35 PM

    Hi everyone


    I have an instalation  of CA Single Sign-ON (v. 12.6.01) with a Policy Server  integrated with Ca Access Gateway. I can acces to a resource that is protected by de PS through the Access Gateway with a Basic Authentication Scheme (in this case a web page e.g. for test purposes). Now, i want to enable the Windows Authentication Scheme for the same resource but i have a problem.


    I understand that the Access Gateway have an Agent embeded and i am using it precisely to avoid to install a web agent on each web server. Reading the documentation i found a topic about this funcionality, however it mencions that i have to set the Target setting to "/siteminderagent/ntlm/smntlm.ntc". My point is: There is not a folder called NTLM in my instalation folder of Access Gateway...How can i to enable the Windows Authentication to the web page without this folder? Is there an instalation error? or i have a conceptual failure?


    Thanks in advance.



    This is my Access Gateway Server:

  • 2.  Re: Windows Authentication on CA Access Gateway 

    Broadcom Employee
    Posted May 24, 2017 04:07 PM


    The Target URL is not a "real" URL, it's ok, it's not a file or a directory in the server.

    There are steps you must follow to enable IWA on CA Access Gateway:

    1. SPS part of the domain.

    2. SPS should run with a domain user that has SPN defined 

    3. WindowsNativeAuthentication set to no in SPS's ACO

    take a look at this thread

    SPS for IWA Authentication



  • 3.  Re: Windows Authentication on CA Access Gateway 

    Posted May 25, 2017 12:18 PM

    Hello Talor05


    Thanks for your suggestions.

    The points 1 and 3 are covered.


    Now, can you expand the point 2 please? I think that here is the problem.



  • 4.  Re: Windows Authentication on CA Access Gateway 

    Broadcom Employee
    Posted May 26, 2017 12:19 PM

    Regarding point number 2...

    1) create a domain account and set SPN for that account using setspn command.
    2) on the Secure Proxy Server, go to "services" console, right click on the Secure Proxy Server service, under Log On tab, change the account to the account you created on the first step.
    3) restart Secure Proxy Server

  • 5.  Re: Windows Authentication on CA Access Gateway 

    Posted May 30, 2017 09:27 AM

    Thank you so much for your explanation. Talor05.


    One more question. 

    I will proceed to implement IWA through Kerberos. Should changes be made to the Workstations that will access the resources?

  • 6.  Re: Windows Authentication on CA Access Gateway 

    Broadcom Employee
    Posted Jun 01, 2017 10:56 AM



    For kerberos token to be sent to server, you need to set the domain as part of your Intranet. 

    This should be done from Internet explorer and also effect Chrome (not sure about firefox)

    This a step by step I found useful: 


    1. Open Internet Explorer and select selectTools, then selectInternet Options. Then, select the Security tab.

    2. In the zones display, select Local intranet and then, click the Sites button.

    3. Select the check boxes that apply to the PeopleSoft site.

    4. If these settings do not meet your needs, then click the Advanced button and add the site specifically. After you add the site, click the Closebutton.

    5. On the Local Intranet dialog box, click the OK button.

    6. On the Internet Options dialog box, select the Advanced tab. Then, scroll down to the Security settings. Select the Enable Integrated Windows Authentication check box.

    7. Click the OK button and then, restart the browser so that the settings take effect.




  • 7.  Re: Windows Authentication on CA Access Gateway 

    Posted Jun 01, 2017 02:29 PM

    Firefox, so far as I know, usually have to set at least the  network.negotiate-auth.trusted-uris and possibly the network.negotiate-auth.delegation-uris   (go to about:config to find them and search explicitly or just type in "uris" to pull them all up).



    network.negotiate-auth.delegation-uris =,

    network.negotiate-auth.trusted-uris =,


    What one of our groups did was create a simple little Firefox configuration extension. That's deployed by default with all managed workstations; or users can also download as well and install manually. This will set the organization required values for those settings and things like making sure the trusted cert list is proper / download new ones if needed.

  • 8.  Re: Windows Authentication on CA Access Gateway 

    Posted Dec 08, 2018 08:34 AM



    can anyone has exact command for setspn to domain account on which Access Gateway will be running. I am new to AD.




  • 9.  RE: Re: Windows Authentication on CA Access Gateway

    Posted Sep 13, 2023 06:48 AM


    Could you please tell me how to configure the SPN? Should I use the alias of the default virtual host of the Access Gateway or the name of the machine hosting it?