Hi Ankur,
For Integrated Windows Authentication, it is IIS that does the authentication, not SiteMinder. The SiteMinder Web Agent does not do any authentication for IWA; it trusts the credentials accepted by IIS and sends them to the Policy Server for SiteMinder authentication and authorization.
When a user accesses a resource on any type of web server protected by the SiteMinder NTLM or Windows Authentication scheme, the SiteMinder Policy Server returns a credential collector redirect URL to the web agent that must use the FQDN of an IIS web server, with a URI of /siteminderagent/ntlm/creds.ntc.
The web agent then performs the redirect to the IIS web server, which must be configured for NTLM/Windows authentication when the /siteminderagent/ntlm virtual directory is accessed.
The MS IIS web server then sends the IE browser a request for the user's credentials (user name and password).
The MS IE browser communicates with the MS Windows OS to get the current user's desktop login credentials, encrypts them and sends them back to the MS IIS web server.
The IIS web server decrypts the creds, then uses them to log in to the Active Directory and declares the user authenticated if the login is successful.
Once IIS has authenticated the user, control finally passes to the SiteMinder Web Agent, which extracts the user's ID and passes it to the policy server for "Authentication".
The policy server doesn't really do full authentication. It disambiguates the user in a user store and then just declares the user authenticated, having trusted IIS to actually verify credentials.
The Web agent then sets an SMSESSION cookie, and sets SM_USER to domain\loginID, then redirects back to the user's original target.
Refer:
How NTLM/Windows Authentication works? - CA Knowledge
How to Troubleshoot Integrated Windows Authenticat - CA Knowledge
Regards,
Leo Joseph.
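
A troubleshooting check for the two requirements named in the reply above, added here as an example (not part of the original post or of CA's documentation): the credential collector redirect must use an FQDN with the URI /siteminderagent/ntlm/creds.ntc, and IIS must challenge for NTLM/Windows authentication on that path. The function names, host names and sample responses are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

COLLECTOR_PATH = "/siteminderagent/ntlm/creds.ntc"  # URI given in the post above

def check_collector_url(url):
    """Return a list of problems with a credential collector redirect URL."""
    problems = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        problems.append("scheme is not http/https")
    try:
        ipaddress.ip_address(host)
        problems.append("host is an IP address, not an FQDN")
    except ValueError:
        # Not an IP literal: require at least one dot for a qualified name.
        if "." not in host.strip("."):
            problems.append("host is not fully qualified")
    if parts.path.lower() != COLLECTOR_PATH:  # IIS paths are case-insensitive
        problems.append("path is not " + COLLECTOR_PATH)
    return problems

def check_iis_challenge(status, headers):
    """Check the IIS response to an unauthenticated request for the collector
    URL. headers is a list of (name, value) pairs as captured from the wire."""
    problems = []
    if status != 401:
        problems.append("expected 401 challenge, got %d" % status)
    schemes = {v.split()[0].lower() for n, v in headers
               if n.lower() == "www-authenticate" and v.strip()}
    if not schemes & {"ntlm", "negotiate"}:
        problems.append("no NTLM/Negotiate challenge offered")
    return problems

if __name__ == "__main__":
    # Constructed samples: a short host name, and a response from a virtual
    # directory that answers without demanding Windows authentication.
    print(check_collector_url("http://iis01/siteminderagent/ntlm/creds.ntc"))
    print(check_iis_challenge(200, [("Content-Type", "text/html")]))
    print(check_iis_challenge(401, [("WWW-Authenticate", "Negotiate"),
                                    ("WWW-Authenticate", "NTLM")]))
```

An empty list from both functions means the redirect target and the IIS challenge match what the flow above requires.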