I have an installation of CA Single Sign-On (v. 12.6.01) with a Policy Server integrated with CA Access Gateway. I can access a resource that is protected by the PS through the Access Gateway with a Basic Authentication Scheme (in this case a web page, e.g. www.example.com, for test purposes). Now I want to enable the Windows Authentication Scheme for the same resource, but I have a problem.
I understand that the Access Gateway has an Agent embedded, and I am using it precisely to avoid installing a web agent on each web server. Reading the documentation I found a topic about this functionality; however, it mentions that I have to set the Target setting to "/siteminderagent/ntlm/smntlm.ntc". My point is: there is no folder called NTLM in my Access Gateway installation folder... How can I enable Windows Authentication for the web page without this folder? Is there an installation error, or do I have a conceptual failure?
Thanks in advance.
This is my Access Gateway Server:
The Target URL is not a "real" URL; that's OK, it's not a file or a directory on the server.
There are steps you must follow to enable IWA on CA Access Gateway:
1. SPS must be part of the domain.
2. SPS should run with a domain user that has an SPN defined.
3. WindowsNativeAuthentication set to no in SPS's ACO
Take a look at this thread:
SPS for IWA Authentication
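The second step above (a domain service account with an SPN) is the one that most often goes wrong. The following is an added example, not code from the thread or from CA, showing how an administrator would register and verify the HTTP SPN with the standard `setspn` tool, and how to confirm from a workstation that a Kerberos ticket is actually issued. `EXAMPLE\svc_accessgw` and `gateway.example.com` are assumed placeholders: the account is the one the Access Gateway service runs as, and the hostname must be the one users type in the browser, because the client requests a ticket for `HTTP/<host-in-URL>`.

```powershell
# Added example (not from the thread): register and verify the HTTP SPN for the
# domain account the Access Gateway (SPS) service runs as.
# Placeholders (assumptions): EXAMPLE\svc_accessgw = service account,
#                             gateway.example.com  = hostname used in the browser.
# Run from an elevated prompt on a domain-joined machine with rights to edit the account.

$ServiceAccount = 'EXAMPLE\svc_accessgw'
$GatewayHost    = 'gateway.example.com'
$Spn            = "HTTP/$GatewayHost"

# 1. Check whether any principal already owns this SPN. A duplicate SPN makes
#    Kerberos fail quietly (the browser falls back to NTLM or prompts), so this
#    is the first thing to look at when IWA "does not work".
$query = setspn -Q $Spn
if ($query -match 'Existing SPN found') {
    Write-Host "SPN $Spn is already registered on:"
    $query
} else {
    # -S adds the SPN only after checking the forest for duplicates
    setspn -S $Spn $ServiceAccount
}

# 2. Register the short (NetBIOS-style) name as well, in case users reach the
#    gateway as http://gateway/ instead of the FQDN.
$ShortHost = $GatewayHost.Split('.')[0]
setspn -S "HTTP/$ShortHost" $ServiceAccount

# 3. Show every SPN now held by the account
setspn -L $ServiceAccount

# 4. From a workstation: ask the KDC for a service ticket for the gateway and
#    list the ticket cache. A ticket for HTTP/gateway.example.com proves the SPN
#    and the service account are wired up correctly.
klist get $Spn
klist | Select-String -Pattern $Spn
```

If step 4 returns an error such as a missing principal, the SPN is not registered (or registered on the wrong account); if the ticket is issued but the gateway still prompts, the problem is on the browser side (intranet zone) or in the SPS configuration rather than in AD.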
Thanks for your suggestions.
The points 1 and 3 are covered.
Now, can you expand the point 2 please? I think that here is the problem.
Regarding point number 2...
Thank you so much for your explanation. Talor05.
One more question.
I will proceed to implement IWA through Kerberos. Should changes be made to the Workstations that will access the resources?
For the Kerberos token to be sent to the server, you need to set the domain as part of your Intranet.
This should be done from Internet Explorer and also affects Chrome (not sure about Firefox).
This is a step-by-step I found useful:
Open Internet Explorer and select Tools, then select Internet Options. Then, select the Security tab.
In the zones display, select Local intranet and then, click the Sites button.
Select the check boxes that apply to the PeopleSoft site.
If these settings do not meet your needs, then click the Advanced button and add the site specifically. After you add the site, click the Close button.
On the Local Intranet dialog box, click the OK button.
On the Internet Options dialog box, select the Advanced tab. Then, scroll down to the Security settings. Select the Enable Integrated Windows Authentication check box.
Click the OK button and then, restart the browser so that the settings take effect.
Firefox, so far as I know, usually has to have at least network.negotiate-auth.trusted-uris set, and possibly network.negotiate-auth.delegation-uris (go to about:config to find them and search for them explicitly, or just type in "uris" to pull them all up).
network.negotiate-auth.delegation-uris = my.domain.com, myother.domain2.com
network.negotiate-auth.trusted-uris = my.domain.com, myother.domain2.com
What one of our groups did was create a simple little Firefox configuration extension. It's deployed by default on all managed workstations, or users can also download and install it manually. This sets the organization's required values for those settings and things like making sure the trusted cert list is proper / downloading new ones if needed.
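The same workstation settings the posts above describe (Local intranet zone, "Enable Integrated Windows Authentication", and the two Firefox negotiate-auth preferences) can be applied without clicking through dialogs. The following is an added example, not code from the thread, using the Internet Explorer ZoneMap registry keys and Firefox's enterprise `policies.json`; `gateway.example.com` is an assumed placeholder for the Access Gateway hostname. Writing it this way also makes the setting auditable: the registry value and the policy file can be checked on any machine where IWA misbehaves.

```powershell
# Added example (not from the thread): apply the browser-side IWA settings
# described above per user, and verify that a Kerberos ticket is obtained.
# Placeholders (assumptions): gateway.example.com = Access Gateway hostname.

$Domain    = 'example.com'
$HostLabel = 'gateway'   # key covers http(s)://gateway.example.com

# --- Internet Explorer / Edge IE mode -------------------------------------
# ZoneMap: each host gets a key whose value name is the URL scheme and whose
# DWORD data is the zone number; 1 = Local intranet (the "Sites" dialog).
$zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain\$HostLabel"
New-Item -Path $zoneKey -Force | Out-Null
foreach ($scheme in 'http', 'https') {
    New-ItemProperty -Path $zoneKey -Name $scheme -Value 1 -PropertyType DWord -Force | Out-Null
}

# "Enable Integrated Windows Authentication" on the Advanced tab
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
New-ItemProperty -Path $inetKey -Name 'EnableNegotiate' -Value 1 -PropertyType DWord -Force | Out-Null

# --- Firefox ---------------------------------------------------------------
# The Authentication policy sets network.negotiate-auth.trusted-uris (SPNEGO)
# and network.negotiate-auth.delegation-uris (Delegated) centrally.
# Delegated stays empty: delegation hands the user's credentials to the server,
# which is only needed for constrained-delegation scenarios.
$policy = @{
    policies = @{
        Authentication = @{
            SPNEGO    = @("$HostLabel.$Domain")
            Delegated = @()
        }
    }
}
$firefoxDist = Join-Path $env:ProgramFiles 'Mozilla Firefox\distribution'
New-Item -Path $firefoxDist -ItemType Directory -Force | Out-Null
$policy | ConvertTo-Json -Depth 5 |
    Set-Content -Path (Join-Path $firefoxDist 'policies.json') -Encoding UTF8

# --- Verification ----------------------------------------------------------
# Read back what was written, then confirm a service ticket for the gateway
# appears in the ticket cache after visiting the site once.
Get-ItemProperty -Path $zoneKey | Select-Object http, https
Get-ItemProperty -Path $inetKey -Name EnableNegotiate
klist | Select-String -Pattern "HTTP/$HostLabel.$Domain"
```

The registry part is per user (HKCU); a domain-wide rollout would put the same ZoneMap entries in Group Policy's "Site to Zone Assignment List" instead. The Firefox policy file needs administrative rights to write under Program Files, which is what keeps it from being changed by an ordinary user.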
Can anyone share the exact setspn command for the domain account that Access Gateway will be running as? I am new to AD.
Could you please tell me how to configure the SPN? Should I use the alias of the default virtual host of the Access Gateway or the name of the machine hosting it?