Symantec Access Management

SiteMinder Solution Design

    Broadcom Employee
    Posted May 14, 2020 09:54 PM
    We have the following use case:

    Customer wants SiteMinder to implement "IWA fall back to Form" for the same set of apps, accessed by internal (employee) and external (customer) users. They run into an issue where external (customer) users get a basic pop-up (the problem being that their computers are not part of the domain and they require a specific setting on their browser; see "Network security: LAN Manager authentication level (Windows 10) - Windows security" on Microsoft docs). Since it's not viable to make changes to customer browser settings, an alternate solution was advised. We are asking the SM architects here if this is a valid solution (the objective being that employees will get IWA and, when outside the office, will fall back to form, and customers will get form auth... for the same app), and also if they have come across this implementation at a customer site:


    1. Create 2 instances of Access Gateway (one on port 443, another on port 453).

    2. Both instances will have different agent names (sso-int-agent and sso-ext-agent) but have the virtual host setting for the same domain name. One is meant for handling traffic from the internet and the other for requests from the intranet.

    3. The load balancer fronting the Access Gateways will check if the incoming request is coming from the internet or the intranet. If the request is from the intranet, forward it to port 443. If the request is from the internet, forward it to port 453.

    4. The policy server configures an external realm and an internal realm. The internal realm will use sso-int-agent + "/" resource filter and utilise the auth scheme chain that is IWA with HTML form fallback. The external realm will use sso-ext-agent + "/" resource filter and utilise the HTML form auth scheme (no IWA).

    Customer needs some assurance that this is a viable solution to the issue. If you can confirm that others have done the same, that will help too.

    Another key thing to note is that they have a multi-domain SSO setup, so we only configure a single cookie provider and SmMakeCookie.ccc is used extensively. With this, we will have to have 2 cookie providers; will that pose an issue in the above configuration?

    Thanks in advance for your comments/advice.
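The routing decision in step 3 of the proposed design, shown as an added HAProxy configuration. This is an illustration written for this page, not configuration from the original post or from any SiteMinder product documentation; the poster does not name the load balancer. The intranet CIDRs, the host name accessgateway.example.com, the certificate paths and the HAProxy front end itself are assumptions; the ports 443 and 453 and the roles of the two Access Gateway instances (sso-int-agent with IWA plus form fallback, sso-ext-agent with form only) are taken from the post.

```haproxy
# Added example, not from the original post: one HAProxy front end that
# classifies clients by the network they arrive from and forwards them to
# the matching Access Gateway instance. CIDRs, host name and cert paths
# are assumptions for illustration.
global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend sso_https
    # Single public name; both Access Gateway instances carry the same
    # virtual host, so the Host header is passed through unchanged.
    bind :443 ssl crt /etc/haproxy/certs/sso.example.com.pem
    # Classify on the TCP source address only. Do not classify on a
    # client-supplied header such as X-Forwarded-For, which any external
    # client can set to look like an intranet address.
    acl from_intranet src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
    use_backend ag_internal if from_intranet
    default_backend ag_external

# Intranet traffic -> port 443 instance, agent sso-int-agent,
# realm with the IWA -> HTML form fallback auth scheme chain.
backend ag_internal
    option forwardfor
    server ag1 accessgateway.example.com:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt

# Internet traffic -> port 453 instance, agent sso-ext-agent,
# realm with the HTML form auth scheme only (no IWA, so no Basic pop-up).
backend ag_external
    option forwardfor
    server ag1 accessgateway.example.com:453 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt
```

To confirm the split behaves as intended, request a protected URL once from an intranet address and once from an internet address (for example with curl -kI against the public name) and check that only the intranet path answers with a Negotiate challenge while the internet path redirects straight to the form. Note that this split changes which authentication scheme a client is offered, not what the client may reach: both realms protect the same application, so the design should be judged as a usability fix for the pop-up, not as an additional access boundary.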