Question:
We have installed CA SSO 12.52 SP1 CR2
We have Policy Servers in Windows VMs and SiteMinder Agent in Windows VMs ( the SM Agents that are going to implement Kerberos Authentication ).
Although I have not seen anything related to this, I'd like to confirm three points:
1. Is the Kerberos protocol implementation inside the CA SSO binaries, or is it delegated to the Windows/Linux box kernel where the SM Agent or Policy Server is installed?
2. Is it necessary that the Windows domain where the Policy Server or SiteMinder Agents are installed has a Windows trust relationship with the domain where the user's client browser is running?
3. I'd like to confirm whether the SiteMinder libraries do not use any calls to Windows APIs to implement the protocol against the KDC port 88. I mean, for example, SiteMinder does:
- Open the connection to the KDC port.
- Encrypt the communication, build the request packet, send/retrieve and analyze.
All this without using Microsoft's Kerberos APIs?
Answer:
At first glance,
1. Kerberos libraries are in the Web Agent and Policy Server libraries. That means the Web Agent and the Policy Server make the Kerberos calls using these libraries. As such, the OS should be configured for Kerberos with the configuration files and the keytabs.
2. Web Agents and Policy Servers don't need to be trusted by the Windows domain where the Active Directory KDC will be running. But the PC should be in the Windows domain where the Active Directory KDC runs.
3. SiteMinder uses MIT Kerberos libraries and doesn't rely on Microsoft APIs.
KB: KB000100585