Symantec Access Management

Tech Tip : CA Single Sign-On : Kerberos Protocol Implementation requirements - Windows


    Posted 06-11-2018 06:50 AM

    Question:


    We have installed CA SSO 12.52 SP1 CR2

    We have Policy Servers in Windows VMs and SiteMinder Agent in Windows VMs ( the SM Agents that are going to implement Kerberos Authentication ).

    Although I have not seen anything related to this, I'd like to confirm three points:

    1. Is the Kerberos protocol implementation inside the CA SSO binaries, or is
    it delegated to the Windows/Linux box kernel where the SM Agent or Policy
    Server is installed?


    2. Is it necessary that the Windows domain where the Policy Server or
    SiteMinder Agents are installed has a Windows trust relationship with
    the domain where the user's client browser is running?


    3. I'd like to confirm whether the SiteMinder libraries do not use any
    calls to Windows APIs to implement the protocol against the KDC port 88.
    I mean, for example, SiteMinder does:

    - Open the connection to the KDC port.

    - Encrypt the communication, build the request packet, send it, retrieve
    and analyze the response.

    All this without using Microsoft's Kerberos APIs?


    Answer:


    At first glance,

    1. Kerberos libraries are in the Web Agent and Policy Server
    libraries. That means that the Web Agent and the Policy Server make
    the Kerberos calls using these libraries. As such, the OS should be
    configured for Kerberos with the configuration files and the
    keytabs.


    2. Web Agents and Policy Servers don't need to be trusted by the
    Windows Domain where the Active Directory KDC will be running.

    But the PC should be in the Windows Domain where the Active
    Directory KDC runs.


    3. SiteMinder uses MIT Kerberos libraries and doesn't rely on Microsoft
    APIs.


    KB : KB000100585
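As an added example that is not part of the KB post and not CA SSO product code: a POSIX shell check for the two OS-side prerequisites the answer mentions, a krb5.conf that maps the realm to its KDC and a keytab that only the service account can read. The realm EXAMPLE.COM, the KDC host kdc.example.com, the file paths and the placeholder keytab are all constructed for the demo; the keytab is an empty file, not a real one.

```shell
#!/bin/sh
# Added example, not from the KB post or the CA SSO product. Checks the two
# OS-level Kerberos prerequisites the answer names: a krb5.conf that maps the
# realm to a KDC, and a keytab the agent/policy server can read but nobody
# else can. All paths and names below are constructed for the demo.

# krb5_realm_kdc FILE REALM
#   Prints the first "kdc = ..." value inside "REALM = { ... }" in the [realms]
#   section of FILE. Exit status 1 when the realm or its kdc entry is missing.
krb5_realm_kdc() {
    awk -v realm="$2" '
        /^[ \t]*\[/ { insec = ($1 == "[realms]"); inrealm = 0; next }
        insec && $1 == realm && $2 == "=" { inrealm = 1; next }
        insec && inrealm && $1 == "}" { inrealm = 0; next }
        insec && inrealm && $1 == "kdc" && $2 == "=" { print $3; found = 1; exit }
        END { if (!found) exit 1 }
    ' "$1"
}

# keytab_check FILE
#   0  keytab exists, is readable, and has no group/other permission bits
#   1  keytab missing or not readable by this user
#   2  keytab is readable by group or others (exposes the service key)
keytab_check() {
    kt="$1"
    [ -r "$kt" ] || { echo "keytab missing or unreadable: $kt" >&2; return 1; }
    # Columns 5-10 of "ls -l" are the group and other permission bits.
    gobits=$(ls -ld "$kt" | cut -c5-10)
    if [ "$gobits" = "------" ]; then
        return 0
    fi
    echo "keytab $kt is accessible by group/others (ls bits: $gobits)" >&2
    return 2
}

# kerberos_prereq_demo
#   Builds a constructed krb5.conf and a placeholder keytab in a temp dir and
#   runs both checks. Prints the resolved KDC; returns 0 only if all pass.
kerberos_prereq_demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com:88
        admin_server = kdc.example.com
    }
EOF
    : > "$d/agent.keytab"          # placeholder file, not a real keytab
    chmod 600 "$d/agent.keytab"

    kdc=$(krb5_realm_kdc "$d/krb5.conf" EXAMPLE.COM) || { rm -rf "$d"; return 1; }
    echo "KDC for EXAMPLE.COM: $kdc"
    keytab_check "$d/agent.keytab"
    rc=$?
    rm -rf "$d"
    return $rc
}

kerberos_prereq_demo
```

Run it as `sh kerberos_prereq.sh`; a non-zero exit status means one of the prerequisites is missing, and the message on stderr says which. The keytab permission check is the part worth keeping in a deployment checklist: a keytab readable by other users on the agent host is equivalent to handing out the service's long-term key.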