Layer 7 Access Management

How to setup SiteMinder Kerberos Authentication - Part 1 

01-14-2015 01:08 AM

Hi, this is a pre-release document that I am working on, and I hope it will help the many people who are having difficulty setting up a sample Kerberos authentication.

This is Part 1; it is based on a pure Windows environment.

OS: Windows 2008 R2

SiteMinder Version: R12.52SP1

Web Server: IIS 7.5

All servers are joining the AD Domain.

 

So, this is going to be a very direct approach to set up a working sample environment, and the purpose is to allow you to set up a sample working environment.

Hopefully you will then be able to explore further and build a setup that meets your enterprise requirements.

I am also preparing a Part 2, which will include the following use case.

KDC is Windows 2012.

Policy Server is on Windows which is not joining the AD Domain.

Web Server is ASF 2.2.29 running on RHEL6.5.

It will be covering 2 use cases as below.

1. Kerberos Realm = AD Domain = Cookie Domain

2. Change of Cookie Domain from above setup

If you find any errors or have any comments, please do let me know and I will incorporate them when submitting the official technote.

Cheers,

Kim

Attachment(s)
pdf file
How to setup SiteMinder Kerberos Authentication - Part 1.pdf   634K   1 version
Uploaded - 05-29-2019

Comments

01-24-2019 05:49 AM

Hello ChristJS,

/siteminderagent/kerberos/creds.kcc is a virtual URI and doesn't exist. The reason for your error must be different. To know more details, please enable Kerberos tracing by adding the environment variable KRB5_TRACE pointing to some file in your file system, and run the Kerberos protected resource.

(e.g.

C:\>echo %KRB5_TRACE%
C:\dumplogs\krbtrace.log

)

The trace log gives good clues.

01-24-2019 05:12 AM

SungHoon_Kim,

I have followed your documentation step by step, and I was able to eliminate almost all of the errors. But when the redirect happens to the credential collector URL, I get "Can't reach this page". Is this because of:

1. /siteminderagent/kerberos/creds.kcc not present? I don't see a .kcc file in /examples/forms or /examples/siteminderagent/forms!

2. The UPN of the webagent service account doesn't have the proper server name? Because I am not using the complete server name; it's just "HTTP/ppweb.something.com@differentdomain.com". The webagent (CA Access Gateway) server name is different.

3. Is the proxy blocking or not allowing the request to pass through? If it's something I have to change in the proxy, what should be in httpd.conf?

Your advice would be really helpful.

11-16-2017 01:21 PM

Hello Sung,

On the following PDF, page 33, talking about the testing scenario - open IE and navigate to http://server03.domain.lab/kerberos/.
It would be a plain webserver with no webpage, with the Webagent installed and configured with the Policy Server.
What would be the expected result?

1 << Page can't be displayed >>

2 To test, can we add a test page on the webserver to check the functionality? What can we expect?

3 If there is no test page, what will be the successful log on the WebAgent and Policy Server?

Thanks

Raj

12-20-2016 11:44 AM

I have a Linux based document for reference now as well - https://communities.ca.com/docs/DOC-231172118

04-27-2016 12:53 AM

Hey Kim,

I was researching Kerberos and came across this post; great help. Did you get a chance to post or prepare Part 2 or 3? We have the Policy Server on Solaris, and Webagents across Apache, IIS, OHS, IHS etc. Looking forward to some more useful documents.

Regards,

Ashish Gupta

01-07-2016 09:34 PM

Hi, SamWalker.

I am glad the document was helpful.

I had Part 2 of this, which is not yet posted, but that also covers the following use case.

1. KDC on Windows 2012

2. Policy Server on Windows 2008 R2 without joining AD Domain

3. 64bit Web Agent on RHEL6.5 with ASF Apache 2.2.29

So it is not exactly what you are looking for.

But this is covered in the product documentation below.

How To Configure Kerberos Authentication

I will need to find time to finalize the Kerberos Part 2 and probably cover that use case in Part 3.

In the meantime, please try to follow the documentation and see how far you can go.

Cheers,

Kim

Sung Hoon Kim's Blog

01-07-2016 06:41 PM

Great document, Kim. Thanks for sharing. Do you know if Kerberos authentication works if the Policy Server is installed on Linux, and web agents are installed on Apache/Linux? We currently use IWA, and would like to move away from it as it requires an IIS server just for the authentication.
