Symantec Access Management


Windows Authentication on CA Access Gateway 

  • 1.  Windows Authentication on CA Access Gateway 

    Posted 05-24-2017 01:35 PM

    Hi everyone

     

    I have an installation of CA Single Sign-On (v. 12.6.01) with a Policy Server integrated with CA Access Gateway. I can access a resource that is protected by the PS through the Access Gateway with a Basic Authentication Scheme (in this case a web page, e.g. www.example.com, for test purposes). Now I want to enable the Windows Authentication Scheme for the same resource, but I have a problem.

     

    I understand that the Access Gateway has an Agent embedded, and I am using it precisely to avoid installing a web agent on each web server. Reading the documentation I found a topic about this functionality; however, it mentions that I have to set the Target setting to "/siteminderagent/ntlm/smntlm.ntc". My point is: there is no folder called NTLM in my installation folder of Access Gateway. How can I enable Windows Authentication for the web page without this folder? Is there an installation error, or do I have a conceptual failure?

     

    Thanks in advance.

     

     

    This is my Access Gateway Server:



  • 2.  Re: Windows Authentication on CA Access Gateway 

    Broadcom Employee
    Posted 05-24-2017 04:07 PM

    Hi, 

    The Target URL is not a "real" URL, it's ok, it's not a file or a directory in the server.

    There are steps you must follow to enable IWA on CA Access Gateway:

    1. SPS is part of the domain.

    2. SPS should run with a domain user that has an SPN defined.

    3. WindowsNativeAuthentication set to no in SPS's ACO.

    Take a look at this thread:

    SPS for IWA Authentication

     

    Oren



  • 3.  Re: Windows Authentication on CA Access Gateway 

    Posted 05-25-2017 12:18 PM

    Hello Talor05

     

    Thanks for your suggestions.

    The points 1 and 3 are covered.

     

    Now, can you expand the point 2 please? I think that here is the problem.

     

    Thanks.



  • 4.  Re: Windows Authentication on CA Access Gateway 

    Broadcom Employee
    Posted 05-26-2017 12:19 PM

    Regarding point number 2...

    1) Create a domain account and set an SPN for that account using the setspn command.
    2) On the Secure Proxy Server, go to the "Services" console, right-click the Secure Proxy Server service, and under the Log On tab change the account to the account you created in the first step.
    3) Restart the Secure Proxy Server.
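    The three steps above, scripted in PowerShell as an added example (not from this thread or from CA/Broadcom). The domain, account, host names and service name are placeholders; replace them with your own, and check Get-Service for the real service name.

```powershell
# Added example: register an HTTP SPN for the Access Gateway service account and
# run the gateway service as that account. All names below are placeholders.
$Domain      = 'EXAMPLE'
$Account     = 'svc-accessgw'
$GatewayFqdn = 'accessgw.example.com'   # host name browsers use in the URL
$GatewayHost = 'accessgw'               # short name, for intranet-zone URLs
$ServiceName = 'PLACEHOLDER-AccessGatewayService'   # see Get-Service

# 1) Create the domain account (needs the RSAT ActiveDirectory module and
#    rights to create users). Restrict it to AES Kerberos encryption types.
Import-Module ActiveDirectory
$cred = Get-Credential -Message "Password for $Domain\$Account"
New-ADUser -Name $Account -SamAccountName $Account `
    -UserPrincipalName "$Account@example.com" `
    -AccountPassword $cred.Password -Enabled $true `
    -PasswordNeverExpires $true -KerberosEncryptionType AES128,AES256

# 2) Register the HTTP SPNs. "-S" checks for duplicates first: a duplicate
#    SPN on another account is the usual reason Kerberos silently falls back.
setspn -S "HTTP/$GatewayFqdn" "$Domain\$Account"
setspn -S "HTTP/$GatewayHost" "$Domain\$Account"

# Check: each SPN should be listed exactly once, on this account.
setspn -L "$Domain\$Account"
setspn -Q "HTTP/$GatewayFqdn"

# 3) Change the service log-on account and restart it. Unlike the Services
#    console, this method does not grant "Log on as a service" automatically;
#    grant that right to the account in Local Security Policy if it is missing.
$svc   = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
$plain = [System.Net.NetworkCredential]::new('', $cred.Password).Password
Invoke-CimMethod -InputObject $svc -MethodName Change `
    -Arguments @{ StartName = "$Domain\$Account"; StartPassword = $plain }
Restart-Service -Name $ServiceName
```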


  • 5.  Re: Windows Authentication on CA Access Gateway 

    Posted 05-30-2017 09:27 AM

    Thank you so much for your explanation, Talor05.

     

    One more question. 

    I will proceed to implement IWA through Kerberos. Should changes be made to the Workstations that will access the resources?



  • 6.  Re: Windows Authentication on CA Access Gateway 

    Broadcom Employee
    Posted 06-01-2017 10:56 AM

    Hi,

     

    For the Kerberos token to be sent to the server, you need to set the domain as part of your Intranet zone.

    This should be done from Internet Explorer and also affects Chrome (not sure about Firefox).

    This is a step-by-step guide I found useful:

     

    1. Open Internet Explorer and select Tools, then select Internet Options. Then, select the Security tab.

    2. In the zones display, select Local intranet and then, click the Sites button.

    3. Select the check boxes that apply to the PeopleSoft site.

    4. If these settings do not meet your needs, then click the Advanced button and add the site specifically. After you add the site, click the Close button.

    5. On the Local Intranet dialog box, click the OK button.

    6. On the Internet Options dialog box, select the Advanced tab. Then, scroll down to the Security settings. Select the Enable Integrated Windows Authentication check box.

    7. Click the OK button and then, restart the browser so that the settings take effect.

     

    Regards,

    Oren



  • 7.  Re: Windows Authentication on CA Access Gateway 

    Posted 06-01-2017 02:29 PM

    Firefox, so far as I know, usually has to have at least network.negotiate-auth.trusted-uris and possibly network.negotiate-auth.delegation-uris set (go to about:config to find them and search explicitly, or just type in "uris" to pull them all up).

     

    E.g.,

    network.negotiate-auth.delegation-uris = my.domain.com, myother.domain2.com

    network.negotiate-auth.trusted-uris = my.domain.com, myother.domain2.com

     

    What one of our groups did was create a simple little Firefox configuration extension. That's deployed by default with all managed workstations, or users can also download and install it manually. This sets the organization-required values for those settings and does things like making sure the trusted cert list is proper / downloading new ones if needed.



  • 8.  Re: Windows Authentication on CA Access Gateway 

    Posted 12-08-2018 08:34 AM

    Hi,

     

    Can anyone give the exact setspn command for the domain account under which Access Gateway will be running? I am new to AD.

     

    Regards

    Rikash