Hi Duc,
There's a mismatch in the command parameter and the target:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-plugins --process-per-site -auth-server-whitelist="vmslciwad01.regence.com, extn-cbc-dev.regence.com" -auth-negotiate-delegatewhitelist="vmslciwad01.regence.com, extn-cbc-dev.regence.com" -auth-schemes="digest,ntlm,negotiate" https://extn-dev-cbc.regence.com/cbc/Search.do

should be:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-plugins --process-per-site -auth-server-whitelist="vmslciwad01.regence.com, extn-cbc-dev.regence.com, extn-dev-cbc.regence.com" -auth-negotiate-delegatewhitelist="vmslciwad01.regence.com, extn-cbc-dev.regence.com, extn-dev-cbc.regence.com" -auth-schemes="digest,ntlm,negotiate" https://extn-dev-cbc.regence.com/cbc/Search.do

Indeed, this is probably related to the browser.
Best Regards,
Patrick
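The mismatch Patrick points out (the target host https://extn-dev-cbc.regence.com is absent from both whitelist flags) can be checked mechanically rather than by eye. The script below is an added example, not part of the original thread and not a Broadcom or Google tool. It parses the two command lines exactly as posted, and for each whitelist flag reports which of the two hosts in the redirect chain (the IWA host and the target host) is not covered. Two assumptions are baked in: an entry matches a host either exactly or as a `*` wildcard (Chrome documents wildcards in these lists, but its exact pattern semantics are not reproduced here), and the flag names are taken as written in the thread without validating them against Chrome's own switch list, which you should do separately.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Command lines as posted in the thread, joined onto one line each.
ORIGINAL_CMD = (
    r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" '
    '--disable-plugins --process-per-site '
    '-auth-server-whitelist="vmslciwad01.regence.com, extn-cbc-dev.regence.com" '
    '-auth-negotiate-delegatewhitelist="vmslciwad01.regence.com, extn-cbc-dev.regence.com" '
    '-auth-schemes="digest,ntlm,negotiate" '
    'https://extn-dev-cbc.regence.com/cbc/Search.do'
)
# Patrick's corrected version: the target host appended to both lists.
CORRECTED_CMD = ORIGINAL_CMD.replace(
    'extn-cbc-dev.regence.com"',
    'extn-cbc-dev.regence.com, extn-dev-cbc.regence.com"',
)

# Flags that, per the thread, must list every host taking part in the auth flow.
AUTH_FLAGS = ("auth-server-whitelist", "auth-negotiate-delegatewhitelist")
# Host the target redirects to for IWA, per the thread.
IWA_HOST = "vmslciwad01.regence.com"


def parse_chrome_cmd(cmdline):
    """Return ({flag_name: value}, target_url) for a chrome.exe command line.

    Only flags written as -name="value" or --name="value" are extracted, which is
    the form used in the thread; bare switches such as --disable-plugins are ignored.
    """
    flags = {
        name.lower(): value
        for name, value in re.findall(r'(?:^|\s)-{1,2}([\w-]+)="([^"]*)"', cmdline)
    }
    match = re.search(r"https?://\S+", cmdline)
    return flags, (match.group(0) if match else None)


def allowlist_entries(value):
    """Split a comma-separated list value, trimming the spaces seen in the posted command."""
    return [entry.strip().lower() for entry in value.split(",") if entry.strip()]


def host_allowed(host, entries):
    """Assumed matching: exact host name, or a '*' wildcard pattern (fnmatch style)."""
    host = host.lower()
    return any(
        fnmatchcase(host, entry) if "*" in entry else host == entry
        for entry in entries
    )


def missing_hosts(cmdline):
    """List (flag, host) pairs where a host in the redirect chain is not covered by that flag."""
    flags, target_url = parse_chrome_cmd(cmdline)
    hosts = [IWA_HOST, urlsplit(target_url).hostname]
    gaps = []
    for flag in AUTH_FLAGS:
        entries = allowlist_entries(flags.get(flag, ""))
        for host in hosts:
            if not host_allowed(host, entries):
                gaps.append((flag, host))
    return gaps


if __name__ == "__main__":
    for label, cmd in (("original", ORIGINAL_CMD), ("corrected", CORRECTED_CMD)):
        print(label, missing_hosts(cmd) or "all hosts covered")
```

Running it reports the target host as missing from both lists in the posted command and nothing missing in the corrected one; the same function can be pointed at any other chrome.exe shortcut or GPO-derived command line before a user is asked to test.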
Original Message:
Sent: 08-12-2019 02:03 PM
From: Duc Tran
Subject: New IWA auth scheme only works with IE (NOT a browser config issue)
Hi Patrick,
Here is my command:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-plugins --process-per-site -auth-server-whitelist="vmslciwad01.regence.com, extn-cbc-dev.regence.com" -auth-negotiate-delegatewhitelist="vmslciwad01.regence.com, extn-cbc-dev.regence.com" -auth-schemes="digest,ntlm,negotiate" https://extn-dev-cbc.regence.com/cbc/Search.do
This command launched Chrome and attempted to request the protected TARGET: https://extn-dev-cbc.regence.com which then gets redirected to the IWA auth scheme at: http://vmslciwad01.regence.com and according to the agenttrace.log file on the IWA server, it successfully authenticated the user and created the SMSESSION cookie and then passes the browser back to the TARGET, but for some reason Chrome does not present the SMSESSION cookie to the webagent on the TARGET server and therefore, the redirect back to IWA happens again and goes into a loop.
This is strange because of several factors:
* IWA auth scheme works just fine for IE/Chrome/FF when pointing to the old IWA auth scheme (Windows 2008 Server with IIS webagent r12.0)
* IWA auth scheme now only works for IE when pointing to the NEW auth scheme (Windows 2016 Server with r12.52 webagent)
* The agenttrace.log file on the NEW IWA server shows that it successfully authenticated the user on both Chrome and FF and created the SMSESSION cookie, so this leads you to believe that the Windows / Kerberos authentication setting is NOT an issue with Chrome and FF
I am at a loss here with this and Broadcom support wants to close out this case saying that because this works with IE but not Chrome or Firefox then it's a web browser config issue and not with SiteMinder. But I contradict that based on the above.
Original Message:
Sent: 08-12-2019 05:13 AM
From: Patrick Dussault
Subject: New IWA auth scheme only works with IE (NOT a browser config issue)
Hi Duc,
Following the Chrome IWA KB:
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=110055
make sure that the new server is listed and that the target domain is also listed in the different parameters you set.
Have you tried the command line for Google Chrome? What is your command line?
Best Regards,
Patrick
Original Message:
Sent: 08-09-2019 01:09 PM
From: Duc Tran
Subject: New IWA auth scheme only works with IE (NOT a browser config issue)
Hello Patrick,
Thank you for your response. This is a very strange issue and I really don't think it is a web browser config/compatibility issue with Chrome or Firefox. Let me give you a bit more background for your assessment:
Chrome and Firefox browsers currently work with IWA, but only if the apps are pointing to the current/old IWA auth scheme, which is a combination of IIS webagent r12.0 SP3 on Windows Server 2008. We built a new Windows Server 2016 and installed SiteMinder IIS webagent r12.52 SP1 CR09 and configured an IIS website for IWA authentication. Now when we point our internal intranet web apps to the new IWA auth scheme, it appears to only work with IE but not with Chrome or FF.
The agenttrace.log file on the new IWA server shows that the user was authenticated by the policy server and identified the user, as well as creating the SMSESSION cookie and then passing the browser back to the application TARGET, but it appears that the SMSESSION cookie only exists on the IE browser and not on Chrome or FF, and therefore the webagent on the application web server redirects the request back to the IWA server to obtain an SMSESSION cookie and hence goes into a loop.
The fact that IWA works on both Chrome and FF if the browser is redirected to the old/current IWA auth scheme, but not on the new IWA auth scheme, makes me think that both Chrome and FF browsers are configured to work with Windows Authentication. Also, when these browsers hit the new IWA auth scheme, the agenttrace.log file showed that it authenticated the user and created the SMSESSION cookie, which proves that the browsers successfully passed the user's identity to the IWA server.
If you have any additional insights I would love the help.
Thanks!
Original Message:
Sent: 08-09-2019 02:25 AM
From: Patrick Dussault
Subject: New IWA auth scheme only works with IE (NOT a browser config issue)
Hi Duc,
For Chrome, you need to add 3 parameters to the configuration. To get a sample to test it, check the following KB:
chrome IWA
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=110055
Hope this helps,
Best Regards,
Patrick
Original Message:
Sent: 08-08-2019 04:50 PM
From: Duc Tran
Subject: New IWA auth scheme only works with IE (NOT a browser config issue)
Hi Folks,
We have had our IWA authentication scheme working fine since 2012. Our current IWA auth scheme runs on Windows 2008 Server with the r12.0 SP3 IIS webagent. InfoSec requires us to upgrade to Windows 2016 Server, so we built a new Windows 2016 Server, installed the r12.52 SP1 CR09 IIS webagent on this new server and configured IIS for IWA/NTLM authentication.
Here's the issue we're running into:
1) All of our web applications that use the IWA authentication scheme work with Internet Explorer, Firefox, and Chrome when they are pointed to the existing IWA auth scheme on the Windows 2008 Server.
2) If we configure these apps to point to the new IWA auth scheme on the new Windows 2016 Server, then Integrated Windows Authentication only works if the web browser is IE, but not with Firefox or Chrome.
3) When using Chrome or FF, the agenttrace.log file on the new Windows 2016 Server indicates that it successfully authenticated the user and created the SMSESSION cookie, but when the web browser is redirected back to the web application TARGET, the request does not contain the SMSESSION cookie and therefore the webagent on the application redirects the browser to the IWA auth scheme, which does the same thing again, and it goes into a loop.
4) The reason why I don't think this is a web browser (Chrome/FF) configuration issue is that these browsers work fine when the IWA auth scheme is the old Windows 2008 Server.
I have a support case open with Broadcom Support, but I don't seem to be getting anywhere with them on this case so turning to the community for help.
Thanks in advance!
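Point 3 above (the cookie is set on the IWA host, yet the browser does not present it on the redirect back to the TARGET) comes down to whether the cookie's scope covers the target origin. The script below is an added example, not part of this thread and not SiteMinder code: it replays that hand-off offline with constructed Set-Cookie headers through Python's standard cookie jar and reports, per cookie, whether it would be sent to the target and why not. The thread does not say which Domain, Path or Secure attributes the new r12.52 agent puts on SMSESSION, so the samples are assumptions to be replaced with the real Set-Cookie line captured from the IWA response. One check is done by hand because the cookie jar does not model it: current Chrome and Firefox refuse a Secure cookie set by a non-https origin, which matters here because the IWA host is reached over http://.

```python
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar
from urllib.parse import urlsplit

# Hosts from the thread; paths and cookie attributes below are constructed samples.
IWA_URL = "http://vmslciwad01.regence.com/"
TARGET_URL = "https://extn-dev-cbc.regence.com/cbc/Search.do"


class _Response:
    """Minimal stand-in for an http.client response: CookieJar only calls .info()."""

    def __init__(self, headers):
        self._headers = headers

    def info(self):
        return self._headers


def _name(set_cookie):
    return set_cookie.split(";", 1)[0].split("=", 1)[0].strip()


def _is_secure(set_cookie):
    return any(attr.strip().lower() == "secure" for attr in set_cookie.split(";")[1:])


def cookies_presented(set_cookie_headers, origin_url, target_url):
    """Replay 'origin sets cookies, browser is redirected to target'.

    Returns (Cookie header the target would receive or None,
             [(cookie_name, reason_it_was_dropped), ...]).
    """
    dropped, accepted = [], []
    for sc in set_cookie_headers:
        # Browser rule not modelled by CookieJar: Secure cookies from http origins are ignored.
        if _is_secure(sc) and urlsplit(origin_url).scheme != "https":
            dropped.append((_name(sc), "Secure cookie set over http is rejected by Chrome and Firefox"))
        else:
            accepted.append(sc)

    headers = Message()
    for sc in accepted:
        headers["Set-Cookie"] = sc  # Message appends, so repeated headers are kept
    jar = CookieJar()
    jar.extract_cookies(_Response(headers), urllib.request.Request(origin_url))
    stored = {c.name: c for c in jar}
    for sc in accepted:
        if _name(sc) not in stored:
            dropped.append((_name(sc), "rejected by cookie policy for origin " + origin_url))

    # Build the follow-up request to the target and let the jar decide what to attach.
    req = urllib.request.Request(target_url)
    jar.add_cookie_header(req)
    sent = req.get_header("Cookie")
    sent_names = {p.split("=", 1)[0].strip() for p in sent.split(";")} if sent else set()
    for name, cookie in stored.items():
        if name not in sent_names:
            dropped.append((name, "scoped to %s, not sent to %s"
                            % (cookie.domain, urlsplit(target_url).hostname)))
    return sent, dropped


if __name__ == "__main__":
    samples = {
        "domain cookie": ["SMSESSION=abc123; Domain=.regence.com; Path=/"],
        "host-only cookie": ["SMSESSION=abc123; Path=/"],
        "secure over http": ["SMSESSION=abc123; Domain=.regence.com; Path=/; Secure"],
    }
    for label, hdrs in samples.items():
        print(label, cookies_presented(hdrs, IWA_URL, TARGET_URL))
```

A host-only SMSESSION (no Domain attribute) never reaches extn-dev-cbc.regence.com, and a Secure SMSESSION set over http:// is discarded by Chrome and Firefox before it is even stored; either outcome produces exactly the redirect loop described, with the agenttrace.log on the IWA side still showing a successful authentication. Feeding the real Set-Cookie line from both the old and the new agent into this function, alongside the browser's own cookie viewer, narrows the question to a concrete attribute difference.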