We have installed CA SSO 12.52 SP1 CR2
We have Policy Servers in Windows VMs and SiteMinder Agents in Windows VMs (the SM Agents that are going to implement Kerberos Authentication).
Although I have not seen anything related to this, I'd like to confirm three points:
1. Is the Kerberos protocol implementation inside the CA SSO binaries, or is it delegated to the Windows/Linux box kernel where the SM Agent or Policy Server is installed?
2. Is it necessary that the Windows Domain where the Policy Server or SiteMinder Agents are installed has a Windows trust relationship with the Domain where the user's client browser is running?
3. I'd like to confirm whether the SiteMinder libraries make any call to Windows APIs to implement the protocol against the KDC on port 88. I mean, for example, SiteMinder does:
- Opens the connection to the KDC port.
- Encrypts the communication, builds the request packet, sends it, retrieves and analyzes the response.
All this without using Microsoft's Kerberos APIs?
At first glance,
1. Kerberos libraries are in the Web Agent and Policy Server libraries. That means that the Web Agent and the Policy Server make the Kerberos calls using these libraries. As such, the OS should be configured for Kerberos with the configuration files and the keytabs.
2. Web Agents and Policy Servers don't need to be trusted by the Windows Domain where the Active Directory KDC will be running.
But the PC should be in the Windows Domain where the Active Directory KDC runs.
3. SiteMinder uses MIT Kerberos libraries and doesn't rely on Microsoft APIs.
KB: KB000100585
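Since the answer above says the Web Agent and Policy Server hosts depend on MIT-style Kerberos configuration files and keytabs, a useful pre-flight check is to inspect the keytab itself and confirm which service principals, key versions and encryption types it contains. The following is an added example, not code from the original thread or from CA/SiteMinder: a small parser for the MIT keytab file format (version 0x0502) that flags entries using weak enctypes. The sample keytab bytes, realm `EXAMPLE.COM` and principal `HTTP/sso.example.com` are constructed for illustration.

```python
import struct

# RFC 3961/3962 enctype numbers as used by MIT Kerberos keytabs
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "arcfour-hmac"}
WEAK = {1, 3, 16, 23}  # DES, 3DES and RC4 keys should not be in a production keytab

def _octet_string(buf, pos):
    """Read a counted octet string: uint16 length (big-endian) followed by bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse an MIT keytab (format 0x0502) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:               # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        realm, pos = _octet_string(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _octet_string(data, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos); pos += 2
        key, pos = _octet_string(data, pos)
        kvno = vno8
        if end - pos >= 4:         # optional 32-bit kvno overrides vno8 when nonzero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": ENCTYPES.get(enctype, str(enctype)),
                        "weak": enctype in WEAK, "key_len": len(key)})
        pos = end
    return entries

def weak_entries(data):
    """Return the principals in the keytab that carry a weak-enctype key."""
    return [e["principal"] + " (" + e["enctype"] + ")" for e in parse_keytab(data) if e["weak"]]

def _entry(realm, comps, enctype, key, kvno, ts=0):
    """Build one keytab record; used only to construct the sample below."""
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBH", 1, ts, kvno & 0xFF, enctype) + struct.pack(">H", len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample: one AES-256 key and one RC4 key for the same SPN
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry("EXAMPLE.COM", ["HTTP", "sso.example.com"], 18, b"\x11" * 32, 3)
                 + _entry("EXAMPLE.COM", ["HTTP", "sso.example.com"], 23, b"\x22" * 16, 3))
```

On a real host, run `parse_keytab` over the bytes of the keytab file referenced in the agent's Kerberos configuration to confirm the SPN, kvno and enctypes match what the KDC issued.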