Symantec Access Management

 View Only

Tech Tip : CA Single Sign-On : How to Troubleshoot Integrated Windows Authentication (IWA)?

  • 1.  Tech Tip : CA Single Sign-On : How to Troubleshoot Integrated Windows Authentication (IWA)?

    Broadcom Employee
    Posted Aug 23, 2018 08:08 AM



    This is an easy way to test if you have Integrated Windows Authentication (IWA) configured properly .




    For Integrated Windows Authentication, it is IIS that does the authentication, not SiteMinder. SiteMinder Web Agent does not do any authentication for IWA, Siteminder Web Agent
    trusts the credentials accepted by the IIS and send it to Policy Server for Siteminder authentication and authorization.

    To verify that Windows Authentication on IIS is working correctly by performing the following steps.

    1 Disable the Web agent and restart IIS.
    2 Change the Internet Explorer logon setting from "Automatic Logon ..." to "Prompt for user name and password" and quit and restart IE.

    (This may require a logout if an application is using an IE session.)
    3 Attempt to access http://YouServer/siteminderagent/ntlm/creds.ntc (Must be 2 dot FQDN )
    4 You should be prompted for credentials by IIS
    5 Provide credentials. Try this step twice,

    1 Once with the user that you are logged in as,
    2 Once with another valid user that has permission to access this application.

    6 If IIS Windows Authentication is configured correctly, you should receive a '404' error, since creds.ntc does not exist.
    7 If you receive a 401 or 403 error, the user does not have permission to access the credentials collector. This will prevent user credentials from being passed to SiteMinder. You
    will need to correct the Windows security settings for this resource in order for the authentication scheme to work.
    8 Make sure that on the IIS where the Windows Authentication occurs, set "Anonymous
    Authentication" to disabled;

    KB : KB000051398