Symantec Access Management

  • 1.  Hi is it possible to configure CA Agent for WIA (windows integrated authentication) without redirecting unauthenticated clients

    Posted Feb 12, 2016 11:05 AM

    Hi, is it possible to configure the CA Agent for WIA (Windows Integrated Authentication) without redirecting unauthenticated clients?

    What I'm really looking for is that the CA Agent acts as a reverse proxy supporting Windows Kerberos and, via Kerberos delegation, forwards the request to the application server, which in turn can depend on Windows Integrated Authentication (via the Kerberos delegation feature).

     

    The context is to allow client applications (WPF, ...) to keep using integrated security for accessing application servers behind the CA SiteMinder infrastructure.

    When reading the documentation, I always see unauthorized requests being redirected, after which a token is sent back (via a cookie).

    I would like to avoid this redirection (I'm not sure all clients handle this well).

     

    If the question is not clear, please let me know.

     

    Kind regards,

    email: alex.goeman@external.eni.com



  • 2.  Re: Hi is it possible to configure CA Agent for WIA (windows integrated authentication) without redirecting unauthenticated clients

    Posted Feb 16, 2016 02:56 AM

    Hi,

     

    Yes, you can configure IWA without redirecting to /siteminderagent/ntlm/creds.ntc.

    There is a new ACO parameter called "InlineCredentials".

    There is some information in the documentation below.

    IIS Web Server Settings

     

    Fortunately, I just published some content that has some more information.

    Configuring an ALL-IN-ONE VM Image - Part 8

     

    Let me know if it helps.

     

    Regards,

    Kim



  • 3.  Re: Hi is it possible to configure CA Agent for WIA (windows integrated authentication) without redirecting unauthenticated clients

    Posted Feb 16, 2016 04:11 AM

    Hi Kim,

    Thank you very much for your response.

    InlineCredentials looks promising.

     

    1) I suppose this also allows Kerberos authentication?

     

    2) What is not so clear from the image in the documentation is whether this is only possible for agents installed on the protected website (host) itself (no network separation), or whether it can also be used to let the agent on IIS forward the request to another server (potentially also an IIS web server). The question is then how the account/credentials are forwarded to the other server (is this the usual way, using extra headers?), and does the user (requesting the URL) eventually also receive a token via a cookie?

     

    Context for my questions:

    We are moving our custom applications to another datacenter.

    The company wants to create separate network layers on the server side (for security).

    First layer (where requests first arrive), on which authentication needs to happen (that is their requirement; it cannot be forwarded to the next layer); second layer, where the real application server is located.

    The application server uses Microsoft .NET technology and internally makes use of Windows Integrated Authentication to make authorization decisions.

    So ideally we can use CA Single Sign-On (SiteMinder) (WIA) on the first layer on some IIS (to have WIA), which then forwards to another IIS, which ideally can still use WIA (converting to supporting some headers is possible if WIA is not possible here).

     

    Logically I would think that using Kerberos authentication on the first layer and then having the agent use Kerberos delegation to access the application server should technically be possible, and should fulfil our objective of having a security layer that is transparent to the application server and transparent to clients (meaning no redirections).

     

    Hope this makes sense; if not, please let me know.

     

     

    Thanks in advance,

    Alex Goeman



  • 4.  Re: Hi is it possible to configure CA Agent for WIA (windows integrated authentication) without redirecting unauthenticated clients

    Posted Feb 16, 2016 11:18 PM

    Hi, Alex.

     

    From the IIS Management Console, there are 2 options in the IIS authenticator: NTLM or Negotiate.

    And if you select Negotiate, you have the option to select Kerberos too.

    So, it is worth testing to see if this will allow you to achieve your goal.

     

    Maybe exploring it with ARR may allow the users to get authenticated at the application level, or maybe you can set the REMOTE_USER header (or SMUSER header) and pass it to the 2nd layer if it is sufficient.

     

    Regards,

    Kim
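The inline-challenge behaviour from reply 2 and the Negotiate/Kerberos and delegation points from replies 3 and 4, as an added example that is not part of the thread, of CA's product or of Kim's posted content: a PowerShell script, run from a domain-joined Windows client (Windows PowerShell 5.1), that checks what an unauthenticated request to the agent-protected URL actually gets back (a 401 with WWW-Authenticate: Negotiate, a 401 offering only NTLM, or a redirect to creds.ntc), whether a Kerberos service ticket for the front end's SPN lands in the local ticket cache after an authenticated request (if Negotiate silently fell back to NTLM there is no such ticket, and Kerberos delegation to the second layer cannot work either), and how the front-end account is configured for delegation. The URL, SPN and computer name are placeholder assumptions; 'creds.ntc' is the redirect path named in reply 2.

```powershell
# Added example (not from the thread). Run on a domain-joined client as the
# user whose Windows identity should be used. The URL, SPN and computer name
# are assumptions: replace them with your own.
param(
    [string]$Url         = 'https://app.example.corp/protected/',  # assumed
    [string]$ExpectedSpn = 'HTTP/app.example.corp',                # assumed
    [string]$FrontEnd    = 'FE-IIS01'                              # assumed
)

function Get-UnauthenticatedResponse {
    # One request with no credentials and no redirect following, so we see
    # exactly what a fresh client receives from the agent.
    param([string]$Uri)
    $req = [System.Net.HttpWebRequest]::Create($Uri)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false
    $req.UseDefaultCredentials = $false
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 401 (and sometimes 3xx) surface as exceptions; the response is attached.
        $resp = $_.Exception.Response
        if ($null -eq $resp) { throw }
    }
    $wwwAuth = $resp.Headers.GetValues('WWW-Authenticate')
    if ($null -eq $wwwAuth) { $wwwAuth = @() }
    $result = [pscustomobject]@{
        Status          = [int]$resp.StatusCode
        Location        = $resp.Headers['Location']
        WwwAuthenticate = @($wwwAuth)
    }
    $resp.Close()
    $result
}

function Test-InlineChallenge {
    # Classify the response: inline Negotiate challenge (what InlineCredentials
    # should give), NTLM-only challenge (Kerberos impossible), or the
    # redirect to creds.ntc that the original poster wants to avoid.
    param([string]$Uri)
    $r = Get-UnauthenticatedResponse -Uri $Uri
    $negotiate = @($r.WwwAuthenticate | Where-Object { $_ -like 'Negotiate*' })
    [pscustomobject]@{
        Status              = $r.Status
        Location            = $r.Location
        WwwAuthenticate     = ($r.WwwAuthenticate -join ', ')
        InlineNegotiate     = ($r.Status -eq 401) -and ($negotiate.Count -gt 0)
        NtlmOnly            = ($r.Status -eq 401) -and ($r.WwwAuthenticate.Count -gt 0) -and ($negotiate.Count -eq 0)
        RedirectsToCredsNtc = ($r.Status -ge 300) -and ($r.Status -lt 400) -and ("$($r.Location)" -match 'creds\.ntc')
    }
}

function Test-KerberosTicket {
    # Authenticate as the current Windows user, then look in the ticket cache
    # for a service ticket for the front end's SPN. No HTTP/<host> ticket means
    # Negotiate fell back to NTLM. Assumes English-locale klist output
    # ("Server: HTTP/host @ REALM").
    param([string]$Uri, [string]$Spn)
    $null = Invoke-WebRequest -Uri $Uri -UseDefaultCredentials -UseBasicParsing
    $servers = klist |
        Select-String -Pattern 'Server:\s+(\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
    @($servers) -contains $Spn
}

function Get-DelegationSettings {
    # Needs the ActiveDirectory module (RSAT). Shows whether the front end may
    # delegate and to which SPNs (constrained delegation). If the IIS app pool
    # runs as a domain service account instead of the machine account, query
    # that user with Get-ADUser: the attributes live on the account that
    # presents the ticket, not on the host.
    param([string]$Computer)
    Get-ADComputer -Identity $Computer -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo' |
        Select-Object Name, TrustedForDelegation,
            @{ n = 'AllowedToDelegateTo'; e = { @($_.'msDS-AllowedToDelegateTo') -join '; ' } }
}

Test-InlineChallenge -Uri $Url | Format-List
"Kerberos service ticket for $ExpectedSpn obtained: $(Test-KerberosTicket -Uri $Url -Spn $ExpectedSpn)"
Get-DelegationSettings -Computer $FrontEnd | Format-List
```

Read the three outputs together: InlineNegotiate should be true and RedirectsToCredsNtc false once the InlineCredentials ACO parameter from reply 2 is in effect; the ticket check should be true if the Negotiate provider from reply 4 is actually producing Kerberos rather than NTLM; and AllowedToDelegateTo should list the second-layer server's HTTP SPN before expecting the front end to pass the user's identity through by Kerberos delegation rather than by a REMOTE_USER or SMUSER header.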