Symantec Access Management

  • 1.  Siteminder with IIS and Custom AD Domain Application pool account

    Posted Aug 16, 2018 03:09 PM

    Hello,

    We are trying to apply Siteminder/Single Sign-On to an existing web/.NET application running on IIS under a custom domain Active Directory Windows account as the AppPool identity (integrated pipeline mode). The Siteminder web agent setup is done to our knowledge; however, we find that the application breaks at the first SQL command execution, with the error 'Login failed for user NT Authority\Anonymous logon'. It looks like the application under Siteminder is not getting the context of the domain AD account that is set up for the AppPool identity. The IIS settings and SQL permissions are not changed and are verified to be the same as they were when it was working prior to the Siteminder setup (we can verify that the application works perfectly without Siteminder). Appreciate any inputs on what may be causing the application running under Siteminder to not get the right custom domain AppPool account set up in IIS?

     

    Thanks



  • 2.  Re: Siteminder with IIS and Custom AD Domain Application pool account

    Broadcom Employee
    Posted Aug 16, 2018 08:07 PM

    Have you tried disabling the Web Agent (see the link below) and verifying again? Does the problem persist after disabling the Web Agent?

    Starting and Stopping Web Agents - CA Single Sign-On - 12.8 - CA Technologies Documentation 



  • 3.  Re: Siteminder with IIS and Custom AD Domain Application pool account

    Broadcom Employee
    Posted Aug 17, 2018 09:46 AM

    Hi Kumar,

     

    I guess I need to understand a little bit more about how the app is set up.

    When you say the application breaks on the first SQL command, how is this SQL executed? Can you please clarify the flow of the transaction?

    We need to see if the Siteminder Agent is intercepting the request or not. The agent does not hinder any request header that came originally with the request.

     

    Also, you may want to enable Failed Request Tracing on IIS and perform 2 tests, one with the agent and another without, and compare the requests to see if the Agent is stripping any header details (which I doubt) or clearing any buffer needed by the app.

     

    Regards 

    Joe 



  • 4.  Re: Siteminder with IIS and Custom AD Domain Application pool account

    Posted Aug 17, 2018 12:59 PM

    Thanks. I tried these options:

    1. Web agent turned off with Windows Authentication enabled: I am getting the same error. The application is identifying the incoming user (HttpContext.User) as the AppPool identity instead of the custom domain AD service account set in the IIS Windows Authentication app pool identity attribute.

    2. Web agent turned on with Windows Authentication enabled: Same behaviour as above.

    3. Setup the application in another new webserver with the identical IIS build. The only difference is that Siteminder webagent is not installed in this new server. The same application, when deployed is able to get the correct custom domain AD account as the WindowsIdentity (AppPool identity). 

    4. We also replaced the real application with a new test application that does 2 steps: (1) just displays a message and (2) then makes a call to a SQL server backend.  (The SQL connection string is coded as Integrated Security=TRUE in the .NET format.) This test application also behaves the same for options 1, 2 and 3 mentioned above.

    5. I tried changing Windows authentication to Anonymous authentication with AppPool identity redirect in IIS. It seemed to work, but the Windows user context information (User.Identity) is lost. I guess I can use SM_USER for that. While this seems like a solution or a workaround, we prefer not to change Windows authentication to anonymous authentication in IIS. Is there any way to make this work with IIS Windows authentication enabled?

     

    Haven't yet tried IIS tracing, but will be doing that later today. Meanwhile, appreciate any additional thoughts or suggestions. Thanks!



  • 5.  Re: Siteminder with IIS and Custom AD Domain Application pool account

    Broadcom Employee
    Posted Aug 21, 2018 08:34 AM

    Hi Kumar,

     

    When you say Windows Authentication is enabled, at what level? If you are to use the Windows IWA auth scheme with Siteminder, only the ntlm virtual folder under siteminder should be set with Windows Authentication and the rest should be anonymous.

    Can you please confirm how IWA was enabled?

    Thank you 

    Joe 



  • 6.  Re: Siteminder with IIS and Custom AD Domain Application pool account

    Posted Sep 05, 2018 07:19 PM

    Sorry, I had been out for a few days and could not respond. Anyway, the issue is still there and I appreciate any help.

     

    Joe, no, this is not the Windows IWA auth scheme. I was able to narrow down the issue by creating a small single-page aspx webform. The only thing the webform does is display these 2 values:

     

    <%@ Page Language="C#" %>
    Current User: <%= HttpContext.Current.User.Identity.Name + "<br />" %>
    Windows Identity: <%= System.Security.Principal.WindowsIdentity.GetCurrent().Name + "<br />" %>

     

    I ran the above test page URL, and here is the output I received when run from the IIS server with the CA web agent installed, logged in with myaccountid SSO credentials and the below IIS settings on the web server:

     

    IIS Windows Authentication settings enabled.
     a. IIS -> select Application -> Windows Authentication -> Enabled
     b. IIS -> Select Application -> Advanced Setting ->  ApplicationPool -> Set as "TestApp"
     c. IIS -> Applicationpools -> Select 'TestApp' -> Advanced Setting -> Identity -> Set as "Domain\service_account"
     d. Anonymous authentication is disabled.

     

    Actual Result:

    Current User:   Domain\myaccountid
    Windows Identity:  Domain\myaccountid 

     

    Expected result:

    Current User:   Domain\myaccountid
    Windows Identity:  Domain\service_account

     

    I was expecting the Windows Identity to show the domain AD service account set up in the Application pool for this test app. Why is Windows Identity showing as Domain\myaccountid instead of Domain\service_account?

     

    I get the same result even if I turn off the web agent. But if I uninstall the web agent, then I get the 'expected result' mentioned above.

     

    Appreciate any pointers.



  • 7.  Re: Siteminder with IIS and Custom AD Domain Application pool account

    Posted Sep 05, 2018 07:39 PM

    kuser

     

    Not sure if this would work or not, but try "DefaultUserName" and "DefaultPassword" in the ACO. In DefaultUserName use the service_account.

     

    IIS Web Server Settings - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 



  • 8.  Re: Siteminder with IIS and Custom AD Domain Application pool account

    Posted Sep 06, 2018 01:09 PM

    It does not seem to help. I already had ForceIISProxyUser set to No (default) in my ACO. This also raises another important question:

     

    Does Siteminder ignore the IIS Application Pool settings, especially the AppPool identity?

     

    I tried the above test page with 'Anonymous Authentication' enabled in IIS, and it seems to read the correct AppPool identity, but then the Current User context is blank (as expected from anonymous authentication).

     

    IIS Anonymous Authentication settings enabled.
     a. IIS -> select Application -> Anonymous Authentication -> Enabled
     b. IIS -> select Application -> Anonymous Authentication -> Edit -> select 'Application Pool Identity'
     c. IIS -> Select Application -> Advanced Setting -> ApplicationPool -> Set as "TestApp"
     d. IIS -> Applicationpools -> Select 'TestApp' -> Advanced Setting -> Identity -> Set as "Domain\service_account"
     e. Windows authentication is disabled.

     

    Actual Result:

    Current User:  
    Windows Identity:  Domain\service_account

     

    The above test was just to see if Siteminder ignores the IIS AppPool identity settings; apparently it does not with Anonymous authentication. However, with 'IIS Windows authentication', it seems to ignore the AppPool identity settings, unless I am missing something. So, going back to the original issue, what may be needed to show the expected result below with 'IIS Windows Authentication' enabled?

     

     

    Expected result:

    Current User:   Domain\myaccountid
    Windows Identity:  Domain\service_account
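Added example (the editor's, not code from the thread or from CA/Broadcom): a PowerShell script that applies the IIS settings listed in posts 6 and 8 for the test application with the WebAdministration module, then prints the settings that decide which Windows account WindowsIdentity.GetCurrent() reports inside a request: the pool identity, which authentication module is enabled and what anonymous user it maps to, the ASP.NET impersonation setting (system.web/identity, which when enabled makes WindowsIdentity.GetCurrent() return the authenticated caller's token rather than the pool account), and the module and ISAPI filter lists. Running it on the server with the web agent and on the one without, and diffing the two outputs, is the comparison Joe suggested in post 3. The site name "Default Web Site", the application name "TestApp", the pool name "TestApp", the account "Domain\service_account" and the `-AnonymousWithAppPoolIdentity` switch are assumptions of this example, not details from the thread.

```powershell
<#
  Added example (not from the thread): reproduce the IIS settings from the
  poster's steps a-d and dump everything that decides the request identity.
  Assumed names: site 'Default Web Site', app 'TestApp', pool 'TestApp',
  account 'Domain\service_account'. Run in an elevated shell on the IIS server.
#>
param(
    [string]$SiteName    = 'Default Web Site',
    [string]$AppName     = 'TestApp',
    [string]$PoolName    = 'TestApp',
    [string]$PoolAccount = 'Domain\service_account',
    # Set:   post 8 layout (anonymous auth, mapped to the app pool identity).
    # Unset: post 6 layout (Windows Authentication on, anonymous off).
    [switch]$AnonymousWithAppPoolIdentity
)

Import-Module WebAdministration

$appPsPath = "IIS:\Sites\$SiteName\$AppName"   # provider path of the application
$location  = "$SiteName/$AppName"              # <location> path in applicationHost.config
$winAuth   = '/system.webServer/security/authentication/windowsAuthentication'
$anonAuth  = '/system.webServer/security/authentication/anonymousAuthentication'

# Step c: application pool running as the custom domain account.
if (-not (Test-Path "IIS:\AppPools\$PoolName")) { New-WebAppPool -Name $PoolName | Out-Null }
$cred = Get-Credential -UserName $PoolAccount -Message "Password for $PoolAccount"
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# Step b: bind the application to that pool.
Set-ItemProperty $appPsPath -Name applicationPool -Value $PoolName

# Steps a and d: exactly one of the two authentication modules is enabled.
# Writing at IIS:\ with -Location puts the setting in applicationHost.config,
# the same place IIS Manager writes it (these sections are locked for web.config).
$useAnon = [bool]$AnonymousWithAppPoolIdentity
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location -Filter $winAuth  -Name enabled -Value (-not $useAnon)
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location -Filter $anonAuth -Name enabled -Value $useAnon
if ($useAnon) {
    # An empty userName is how IIS expresses "Application pool identity" for anonymous requests.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location -Filter $anonAuth -Name userName -Value ''
}

# --- Report: the settings that decide which account a request runs as ---
$pm = Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel
$report = [ordered]@{
    Application       = $location
    ApplicationPool   = (Get-WebApplication -Site $SiteName -Name $AppName).applicationPool
    PoolIdentityType  = $pm.identityType
    PoolUserName      = $pm.userName
    WindowsAuth       = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location -Filter $winAuth  -Name enabled).Value
    AnonymousAuth     = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location -Filter $anonAuth -Name enabled).Value
    AnonymousUserName = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location -Filter $anonAuth -Name userName).Value
    # ASP.NET impersonation: when true, WindowsIdentity.GetCurrent() inside a
    # request returns the authenticated user instead of the pool account.
    AspNetImpersonate = (Get-WebConfigurationProperty -PSPath $appPsPath -Filter 'system.web/identity' -Name impersonate).Value
}
[pscustomobject]$report | Format-List

# Module and ISAPI filter lists: diff these between the server with the web agent and the one without.
'--- modules effective for the application ---'
Get-WebConfiguration -PSPath $appPsPath -Filter 'system.webServer/modules/add' |
    Select-Object name, type | Format-Table -AutoSize
'--- ISAPI filters at the site ---'
Get-WebConfiguration -PSPath "IIS:\Sites\$SiteName" -Filter 'system.webServer/isapiFilters/filter' |
    Select-Object name, path | Format-Table -AutoSize
```

Run it once on each server, redirect the output to a file, and compare the files with Compare-Object (or any diff tool); a line that differs in the AspNetImpersonate, AnonymousUserName or module/filter sections is the first thing to look at, since those are the settings that change what the test page's second line prints. The password for the pool account is only held in memory for the Set-ItemProperty call; do not hard-code it in the script.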