Symantec Access Management

  • Private Community

  • 1.  IWA Fail over to Form login without active X

    Broadcom Employee
    Posted Jan 19, 2017 02:08 PM

    There is IWA failover to form login fail over sample file in community site. It is using active X. So it is not working other browser except IE. Here is JSP based IWA failover to form login. It is working fine in Chrome browser and Firefox browser. It is field developed module and it cannot be supported by CA officially. 

     

    Similar code is used one of customers in their production environment. Feel free to change it and use it. If you find any issue, please let me know that.

     

    Here is tested environment.

     

    Solution Pro demo 1.7 

    • Policy server R12.52 SP2 on windows 2008R2.
    • Active Directory 2008 R2.
    • Secure Proxy Server R12.52 sp2 on windows 2008 R2.

     

    The flow is the same as in https://communities.ca.com/servlet/JiveServlet/download/99217046-47762/winforms%20select%20auth%201.2.zip 

     

    1. User access to protected web page 
    2. redirect IWA_FAILOVER_FORM login page
    3. Validate windows domain login,
      1. if yes, goes to windows authentication.
      2. Otherwise, it redirects to form protected page.

     

    I have attached source code, CA SSO configuration and test screen shoot. 

     

    B.K.

    Attachment(s)

    pdf
    IWA_FAILOVER_FORM.pdf   1.93 MB 1 version
    zip
    forms.zip   7 KB 1 version
    zip
    css.zip   5 KB 1 version


  • 2.  Re: IWA Fail over to Form login without active X

    Broadcom Employee
    Posted Jan 24, 2017 04:03 PM

    Hi BK,

     

    Do you have a question or just providing info should we switch this form questions to discussions ?

     

    FYI We have an idea that is now planned - see link below:

    IWA Login with Forms Fallback 



  • 3.  Re: IWA Fail over to Form login without active X

    Posted Jul 06, 2017 03:24 PM

    Hi Rhim

    I have few questions regarding this solution IWA forms failover . Does this work with federation partnership regular /affwebservices/redirectjsp/redirect.jsp  protected with this authscheme. Also which authscheme we need to protect to have first to check IWA and then failover? Please email me would like your advise.



  • 4.  Re: IWA Fail over to Form login without active X

    Posted Sep 08, 2017 03:52 PM

    Hi B.K.,

     

    We tried doing the same with kerberos auth scheme and kerberos works fine but during fallback we are getting windows pop up that we want to avoid , Any help will be appreciated.

     

    We should not get windows pop up during the fallback.

     

    Thanks



  • 5.  Re: IWA Fail over to Form login without active X

    Posted Sep 15, 2017 08:12 AM

    All:

     

    CA SSO 12.7 added an IWA Failback to forms feature as a part of the core product. You can find more information at https://docops.ca.com/ca-single-sign-on/12-7/en/configuring/policy-server-configuration/authentication-schemes/authentication-chaining/configure-iwa-fallback-to-forms-using-authentication-chain.



  • 6.  Re: IWA Fail over to Form login without active X

    Posted Dec 11, 2018 11:34 AM

    rhibo02 , Does this work with NTLMv2 , we haven't upgraded our infra yet to 12.7 version so was looking to use this , It seems to fail on not being able to generate the 3rd request where it checks the message type 3 , Any help would be appreciated . 

     

    Thanks