Symantec Access Management

Requirement is to do a kerberos login when user is on network and domain joined machine and fallback to form based authentication otherwise.

We are able to achieve the kerberos login without any issues and in case of fallback we are getting windows pop-up which we want to remove , Any help is appreciated.

Below is the snippet of code:

try{

String auth = request.getHeader("Authorization");
if (auth == null){

response.setStatus(response.SC_UNAUTHORIZED);
response.setHeader("WWW-Authenticate", "NEGOTIATE");
response.flushBuffer();
//return;
}
if (auth != null && auth.startsWith("Negotiate")){
redirectURL = kerberosRedirectURL;
}
else {
if (orginalTarget != null) {
orginalTarget = orginalTarget.replaceAll("-SM-", "");
orginalTarget = orginalTarget.replaceAll("--", "-");

formProtectURL = formProtectURL + "?&ORIGINALTARGET=" + orginalTarget;
redirectURL = formProtectURL;
}

}

You can stay "in listen" using (if any) loadbalancer and handle at the beginning the request. Based on IP, Domain or other machine/session info you can send user/request to a resource protected by kerberos or instead send through a standard auth schema (form).

Cheers

Pasquale

Pasquale_Russo,

I am starting Kerberos authentication for O365 and fall back to form based authentication from scratch. Is there any document that you could help with. I have very little to none knowledge in coding. Please let me know, if you could assist with any samples.

And I have a similar use case as the original poster of this thread.

I created an Ajax page to handle that. In this case, even if there is an error the popup will not show and user is redirected to a specific page:

Thank you Wellington,

But from the code, i see that it uses only Kerberos. If the user is logging in from external network, then it doesn't know how to redirect to form based.

scenario here is to redirect to form based authentication if the user is logging in from external network. if he is in internal network, the user will be authenticated using kerberos, And i am using CA Access Gateway to do the proxy and redirect.

any help is much appreciated.

BR, 

Joseph

Thank you wadami

Can you please let me know the implementation of it ? Should we include this page in auth scheme and once application is accessed than it can redirect to this page which redirect to creds.kcc and if authentication fails than redirect to form based login.

Will this work for chrome and IE both? I will try this today and see if it works.

Thanks,

Kanishak

Here is the problem:

it redirects to the context protected by default Kerberos auth scheme but it did not redirects to that auth scheme of creds.kcc and just fallsback to form based.

When i try to access that context protected with kerberos directly it works fine and redirects to creds.kcc. So in this case i am always getting redirected to form based login.

Thanks,
Kanishak

Issue might be coming as context protected by Kerberos auth scheme is xmlhttp type and does not redirect to creds.kcc? Have you tested it?

Kanishak1

Just out of curiosity,

• what version of CA SSO are you currently on ?
• is this work still in development stage ?

The reason I ask this is because, it is good we are trying to get this to work. I built a custom solution for Kerberos failover to forms for a customer. We then stalled the entire custom work because Kerberos failover to forms is likely to be released in next version of CA SSO. I do not intend to promise (nor reveal) as Product Management would be in a better position to confirm on when and which version of CA SSO will have this OOB. So if I were in your shoe's; I'd check this via CA Account Manager to get a timeline from Product Management. Just trying to save you custom work, if you are still in development phases. Yes there'll be an upgrade involved for sure. So we just need to weigh in all factors.

Regards

Hubert

We are on 12.7.02 and we have work extensively with CA services and CA support to make our IWA fallback to form work and that is also not working OOB , we have CA case running for months. Prior to it we had custom solution for Kerberos fallback to form which works in most of our flows but at times it gives windows prompt so i am thinking to go back to that solution if we can solve windows prompt with custom solution.

Thanks,

Kanishak

Thank You Kanishak1 for the inputs. Could you message me the case# in a private message via communities messaging. Would like to have a read on the case, at-least be knowledgeable about it as to the anomaly.

I am not sure how to send private message , Please send me your email id , i can send you case number on it.

Thanks,

Kanishak

@Hubert,

We have CA SSO 12.8 and we are trying to achieve the same thing as @Kanishak. Any input from your end also will help us a lot.

And how to send a private message through communities?

Kanishak1

Add the case# here. It is OK. 

jschristiein

The way I achieved Kerb fall back to forms was using a completely different path.

I used something we already have as a starting point. This was proven for IWA. I used it for Kerberos.
https://communities.ca.com/docs/DOC-231151411  
https://communities.ca.com/servlet/JiveServlet/download/2031-99216727-99217046-47762/winforms+select+auth+1.2.zip  

First Step : Forget everything else and get a basic OOB Kerberos authentication scheme working. If a simple OOB Kerberos Authentication Scheme isn't working, don't even attempt customization.

Second Step : I followed the documentation with “winforms+select+auth+1.2.zip”. However instead of using an IWA Auth Scheme I used Kerberos Authentication Scheme. Screen Shot below. Our Kerberos Auth Scheme (WAM UI) content rendering does not effectively handle the Custom Target login page. I can create a new Kerb Auth with login page target as ASP. But when I save and then try to view it keeps reverting to /kerb.kcc (seems like the current Kerb Auth Scheme is hardcoded in UI to use kerb.kcc). But as long as we are aware / knowledgeable, I can deal with it and made Customer aware how to work with it. At the end of the WAM UI representations plays a very minor role, the bigger picture is what is present within the policy store. Another thing we have identified is if a Customer ENV uses CA SSO IWA and the decides to move to Kerberos, we have to turn off CA SSO IWA and then enable CA SSO Kerberos. If we opened a browser, accessed IWA protected resource and on the same browser access Kerberos protected resource, it goes into an indefinite loop. Something from IWA (NTLMCreds etc) does not gel well with Kerberos. Am assuming it is the FCCCompatMode setting, but never had the time to investigate that as we agreed to turn off IWA. We won't have both (IWA and Kerb) enabled at the same time.

XPSExplorer (Actual's)

We tested this for single factor logins and it works like a charm. We were in the process of testing Federation and OIDC usecases when we stalled this custom solution, as we received confirmation of Kerberos FO to Forms will be delivered soon.

Lastly don't hold me to this statement "Kerberos Failover to Forms will be available in R12.8 SP2" - This is the statement my Customer received. Current anticipated arrival date for R12.8 SP2 is Dec 2018. You could re-verify this via your CA Account Manager. 

It gets redirected to context protected by kerberos default but i do not see any redirection to creds.kcc(its authentication scheme) and directly it goes to fallback.

But if i access that context directly in browser it works fine, so what i am assuming is that from script it is making that context xmlhttp type of request and SSOdoes not know what to do with it.

have you tried this set up? Does it work?

Thanks,

Kanishak

Hi,

It works fine if i remove the cookie provider URL , Cookie provider URL is in different domain and w eneed to have cookie provider URL , Any thoughts on how to achieve with cookie provider?

Thanks,

Kanishak

I would not recommend having a Cookie Provider domain different from a login domain (that causes too many redirections). Try to see if you keep Cookie Provider Agent and Login Agent (doing kerberos authentication) the same. Just a thought.

Yes we have to support legacy and new platform but we will eventually have cookie provider and login domain same.

Redirections are fine for now but above script does not work if we have cookie provider enabled , not sure we are hitting CORS.

Thanks,

Kanishak

Any suggestion if i am using cookie provider in other domain than the AJAX script being hosted , i see it fails as it never redirects to creds.kcc URL but if i disable cookie provider it works fine.

Please let me know if any suggestion to make it work with cookie provider.

Thanks,

Kanishak