Symantec Access Management

 View Only
Expand all | Collapse all

Kerberos fallback to form

Legacy User

Legacy UserOct 24, 2018 08:40 AM

Wellington Ferraz Adami

Wellington Ferraz AdamiOct 25, 2018 10:59 AM

  • 1.  Kerberos fallback to form

    Posted Sep 08, 2017 02:55 PM

    Requirement is to do a kerberos login when user is on network and domain joined machine and fallback to form based authentication otherwise.


    We are able to achieve the kerberos login without any issues and in case of fallback we are getting windows pop-up which we want to remove , Any help is appreciated.


    Below is the snippet of code:



    String auth = request.getHeader("Authorization");
    if (auth == null){

    response.setHeader("WWW-Authenticate", "NEGOTIATE");
    if (auth != null && auth.startsWith("Negotiate")){
    redirectURL = kerberosRedirectURL;
    else {
    if (orginalTarget != null) {
    orginalTarget = orginalTarget.replaceAll("-SM-", "");
    orginalTarget = orginalTarget.replaceAll("--", "-");

    formProtectURL = formProtectURL + "?&ORIGINALTARGET=" + orginalTarget;
    redirectURL = formProtectURL;


  • 2.  Re: Kerberos fallback to form

    Posted Sep 28, 2017 05:07 PM

    You can stay "in listen" using (if any) loadbalancer and handle at the beginning the request. Based on IP, Domain or other machine/session info you can send user/request to a resource protected by kerberos or instead send through a standard auth schema (form).




  • 3.  Re: Kerberos fallback to form

    Posted Oct 23, 2018 06:00 AM



    I am starting Kerberos authentication for O365 and fall back to form based authentication from scratch. Is there any document that you could help with. I have very little to none knowledge in coding. Please let me know, if you could assist with any samples.

    And I have a similar use case as the original poster of this thread.

  • 4.  Re: Kerberos fallback to form

    Posted Oct 23, 2018 08:27 AM

    I created an Ajax page to handle that. In this case, even if there is an error the popup will not show and user is redirected to a specific page:




    <meta http-equiv="X-UA-Compatible" content="IE=edge">

    <script src="jquery-3.3.1.min.js"></script>




            type: 'GET',

            xhrFields: {

                    'withCredentials': true


            crossDomain: true,

            url: '', //Protected context with Kerberos Auth Scheme

            success: function () {

                   function getUrlParameter(name) { //Function to get the TARGET from URI
    name = name.replace(/[\[]/, '\\[').replace(/[\]]/, '\\]');
                      var regex = new RegExp('[\\?&]' + name + '=([^&#]*)');
                      var results = regex.exec(;
                      return results === null ? '' : decodeURIComponent(results[1].replace(/\+/g, ' ').replace('-SM-','').replace('$SM$',''));
                   var target = getUrlParameter('TARGET');


                    window.location = target; //URL to redirect if authentication is successfull



            error: function(XMLHttpRequest, textStatus, errorThrown) {

                    console.log("some error " + textStatus + " " + errorThrown);


                    window.location = ""; //URL to redirect if authentication failed


            async: false







  • 5.  Re: Kerberos fallback to form

    Posted Oct 23, 2018 09:01 AM

    Thank you Wellington,



    But from the code, i see that it uses only Kerberos. If the user is logging in from external network, then it doesn't know how to redirect to form based.


    scenario here is to redirect to form based authentication if the user is logging in from external network. if he is in internal network, the user will be authenticated using kerberos, And i am using CA Access Gateway to do the proxy and redirect.


    any help is much appreciated.




  • 6.  Re: Kerberos fallback to form

    Posted Oct 24, 2018 08:36 AM

    From your first post I understood that if a user is on network and domain it should achieve Kerberos authentication. If not, it should fall back to another form.

    This is what the code does, if the Kerberos authentication is achieved, fine and user is granted access. If Kerberos authentication fails (user not on network or domain), user is redirected to whatever page you want.


  • 7.  Re: Kerberos fallback to form

    Posted Oct 24, 2018 08:40 AM

    Thank you wadami

  • 8.  Re: Kerberos fallback to form

    Posted Oct 24, 2018 03:47 PM

    Can you please let me know the implementation of it ? Should we include this page in auth scheme and once application is accessed than it can redirect to this page which redirect to creds.kcc and if authentication fails than redirect to form based login.

  • 9.  Re: Kerberos fallback to form

    Posted Oct 25, 2018 10:17 AM

    Yes, this page should be set as an auth scheme. It's just a html page with the code, you may configure it as a form auth scheme.

    First you need a context protected with the default Kerberos Auth Scheme, let's say

    1. Access
    2. /app/* is protected with above custom form auth scheme
    3. Auth scheme first do a GET to
    4. If return is success, you're redirected to the application
    5. If return is failure, you're redirected to another page, let's say
    6. /fail/* is protected with your default form auth scheme
    7. After authentication is successful on /fail/, page may redirect the user to /app/ if needed.

  • 10.  Re: Kerberos fallback to form

    Posted Oct 25, 2018 10:26 AM

    Will this work for chrome and IE both? I will try this today and see if it works.




  • 11.  Re: Kerberos fallback to form

    Posted Oct 25, 2018 10:59 AM

    Works fine with chrome and IE9 and above.

  • 12.  Re: Kerberos fallback to form

    Posted Oct 25, 2018 05:42 PM

    Here is the problem:


    it redirects to the context protected by default Kerberos auth scheme but it did not redirects to that auth scheme of creds.kcc and just fallsback to form based.


    When i try to access that context protected with kerberos directly it works fine and redirects to creds.kcc. So in this case i am always getting redirected to form based login.



  • 13.  Re: Kerberos fallback to form

    Posted Oct 25, 2018 10:40 PM

    Issue might be coming as context protected by Kerberos auth scheme is xmlhttp type and does not redirect to creds.kcc? Have you tested it?

  • 14.  Re: Kerberos fallback to form

    Posted Oct 25, 2018 10:55 PM



    Just out of curiosity,


    • what version of CA SSO are you currently on ?
    • is this work still in development stage ?


    The reason I ask this is because, it is good we are trying to get this to work. I built a custom solution for Kerberos failover to forms for a customer. We then stalled the entire custom work because Kerberos failover to forms is likely to be released in next version of CA SSO. I do not intend to promise (nor reveal) as Product Management would be in a better position to confirm on when and which version of CA SSO will have this OOB. So if I were in your shoe's; I'd check this via CA Account Manager to get a timeline from Product Management. Just trying to save you custom work, if you are still in development phases. Yes there'll be an upgrade involved for sure. So we just need to weigh in all factors.




  • 15.  Re: Kerberos fallback to form

    Posted Oct 25, 2018 11:02 PM

    We are on 12.7.02 and we have work extensively with CA services and CA support to make our IWA fallback to form work and that is also not working OOB , we have CA case running for months. Prior to it we had custom solution for Kerberos fallback to form which works in most of our flows but at times it gives windows prompt so i am thinking to go back to that solution if we can solve windows prompt with custom solution.




  • 16.  Re: Kerberos fallback to form

    Posted Oct 25, 2018 11:12 PM

    Thank You Kanishak1 for the inputs. Could you message me the case# in a private message via communities messaging. Would like to have a read on the case, at-least be knowledgeable about it as to the anomaly.

  • 17.  Re: Kerberos fallback to form

    Posted Oct 25, 2018 11:40 PM

    I am not sure how to send private message , Please send me your email id , i can send you case number on it.




  • 18.  Re: Kerberos fallback to form

    Posted Oct 26, 2018 04:30 AM



    We have CA SSO 12.8 and we are trying to achieve the same thing as @Kanishak. Any input from your end also will help us a lot.


    And how to send a private message through communities?

  • 19.  Re: Kerberos fallback to form