SungHoon_Kim

Configuring an ALL-IN-ONE VM Image - Part 8

Blog Post created by SungHoon_Kim Employee on Feb 16, 2016

This is something I like to do once in a while. It takes a long time to set up everything, but to me it is a hobby. It is like putting together jigsaw puzzles.

 

WARNING: THIS IS NOT SUPPORTED! THIS IS ONLY TO FULFILL YOUR CURIOSITY AND SATISFY YOUR SPIRIT GOING AGAINST ALL ODDS. THIS IS NOT A DEMONSTRATION ALLOWING YOU TO RUN SUCH CONFIGURATION IN YOUR DEV/TEST/QA/PROD ENVIRONMENT.

 

This environment is a continuation of the "Creating an ALL-IN-ONE VM Image" series (links below).

Here is the complete list of articles in the series.

========================================

Creating an ALL-IN-ONE VM Image - Part 1

Creating an ALL-IN-ONE VM Image - Part 2

Creating an ALL-IN-ONE VM Image - Part 3

Creating an ALL-IN-ONE VM Image - Part 4

Creating an ALL-IN-ONE VM Image - Part 5

Creating an ALL-IN-ONE VM Image - Part 6

Creating an ALL-IN-ONE VM Image - Part 7

Creating an ALL-IN-ONE VM Image - Part 8

Creating an ALL-IN-ONE VM Image - Part 9

Creating an ALL-IN-ONE VM Image - Part 10-1

Creating an ALL-IN-ONE VM Image - Part 10-2

========================================

Configuring an ALL-IN-ONE VM Image - Part 1

Configuring an ALL-IN-ONE VM Image - Part 2

Configuring an ALL-IN-ONE VM Image - Part 3

Configuring an ALL-IN-ONE VM Image - Part 4

Configuring an ALL-IN-ONE VM Image - Part 5

Configuring an ALL-IN-ONE VM Image - Part 6

Configuring an ALL-IN-ONE VM Image - Part 7

========================================

 

The following configuration will be set up.

 

01. Basic setup - Create an application and protect it using Forms Authentication.

    - Service configuration

    - Startup/Shutdown scripts

    - Logging

    - Basic Concepts

02. Standard Authentication Schemes

    - Basic Concepts

    - Basic

    - HTML Forms

    - HTML using UID and EMAIL

    - Basic over SSL

03. Certificate Authentication Schemes

    - X.509 Certificate Only

    - X.509 Certificate or Basic

    - X.509 Certificate and Basic

    - X.509 Certificate or Form

    - X.509 Certificate and Form

04. Windows Authentication Scheme

05. OAuth Authentication Scheme

06. Cookie Provider

07. Directory Mapping

08. Password Services

09. Impersonation

10. Session Assurance

11. SAML 2.0 Partnership Federation - SSO

12. SAML 2.0 Partnership Federation - SLO

13. SAML 2.0 Partnership Federation - RelayState

14. SAML 2.0 Partnership Federation - Negative Assertion

15. SAML 1.x Partnership Federation

16. Audit Log import

17. Generating Reports

18. SiteMinder Test Tool

19. Global Delivery Modules

20. Troubleshooting

 

Continued from Part 7.

 

04. Windows Authentication Scheme

 

The Windows Authentication Scheme is popular because no password is transmitted (the browser completes an NTLM or Kerberos handshake with the web server) and the login is seamless for users on domain-joined machines.

There are several things to check before Windows Authentication will work:

  • Does your browser support Windows authentication for this site?
  • Does the DNS FQHN you use resolve to a name different from the physical hostname?
  • Can IIS authenticate the user with Windows Authentication without the Web Agent involved?
  • Are the IIS server and the client machine joined to the AD domain?
  • Are you going to use Negotiate or NTLM?

 

 

Does your browser support windows authentication?

 

If you are using Internet Explorer, you only need to check that the site is in the "Local intranet" zone; IE sends Windows credentials automatically only to sites in that zone.

If you are using Chrome on Windows, it uses the same Internet Options zone settings as IE and needs no extra configuration.

If you are using Firefox, you need to change the following configuration.

In the address bar, enter "about:config" and press Enter.

 

For NTLM, add ".sso.lab" to "network.automatic-ntlm-auth.trusted-uris".

 

For Negotiate, add ".sso.lab" to "network.negotiate-auth.trusted-uris". Only add it to "network.negotiate-auth.delegation-uris" as well if the web server has to delegate your Kerberos credentials onward; trusted-uris alone is enough for the login itself.

Does the DNS FQHN resolve to a name different from the physical hostname?

 

In many cases, the hostname of the machine (testmc1.sso.lab) is not the FQHN you use to access IIS.

In this sample, IIS is accessed as "www.sso.lab" and not as "testmc1.sso.lab".

When the browser runs on the same machine as IIS and the FQHN differs from the physical hostname, the Windows loopback check rejects the NTLM authentication: you are re-prompted for credentials, and even when you submit the correct user ID and password you are challenged again. Remote clients are not affected by this check.

 

In that case, add a registry value that exempts the FQHN from the loopback check.

 

Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

Right-click MSV1_0, point to "New", and then click "Multi-String Value".

Type "BackConnectionHostNames" and press Enter.

Add the FQHN(s) you want to use, one per line (in this case "www.sso.lab"), then restart IIS (iisreset) so the change takes effect.

The same Microsoft article also describes a DisableLoopbackCheck DWORD under the Lsa key. Avoid it outside a lab: it switches the check off for every hostname instead of only the ones you list.

 

More info: https://support.microsoft.com/en-au/kb/896861
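The same registry change done from an elevated PowerShell, as an added example that is not part of the original post: it appends to BackConnectionHostNames without clobbering entries that are already there, removes the blanket DisableLoopbackCheck bypass if one was left behind, and reads the state back. The hostname list is an assumption for this lab; replace it with your own FQHNs.

```powershell
# Added example (not from the original post): register hostnames for the NTLM
# loopback check the recommended way (BackConnectionHostNames, KB 896861 method 1)
# and verify the result. Run in an elevated PowerShell on the IIS host.
# Assumption: the only name to allow is "www.sso.lab"; extend $hostNames as needed.

$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv1Key   = Join-Path $lsaKey 'MSV1_0'
$hostNames = @('www.sso.lab')

function Add-BackConnectionHostName {
    param([Parameter(Mandatory)][string[]]$Names)
    # Read the existing multi-string first so we append instead of overwriting other entries.
    $existing = @()
    $prop = Get-ItemProperty -Path $msv1Key -Name BackConnectionHostNames -ErrorAction SilentlyContinue
    if ($prop) { $existing = @($prop.BackConnectionHostNames) }

    $merged = @($existing + $Names | ForEach-Object { $_.Trim().ToLowerInvariant() } | Sort-Object -Unique)
    if (-not $prop) {
        New-ItemProperty -Path $msv1Key -Name BackConnectionHostNames -PropertyType MultiString -Value $merged | Out-Null
    } else {
        Set-ItemProperty -Path $msv1Key -Name BackConnectionHostNames -Value $merged
    }
    return $merged
}

function Test-LoopbackCheckHardening {
    # DisableLoopbackCheck=1 (KB 896861 method 2) disables the check for every hostname;
    # flag it so it is not left behind from an earlier troubleshooting session.
    $dlc = (Get-ItemProperty -Path $lsaKey  -Name DisableLoopbackCheck    -ErrorAction SilentlyContinue).DisableLoopbackCheck
    $bch = (Get-ItemProperty -Path $msv1Key -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames
    [pscustomobject]@{
        DisableLoopbackCheck    = [bool]$dlc
        BackConnectionHostNames = @($bch)
        Hardened                = (-not $dlc) -and (@($bch).Count -gt 0)
    }
}

Add-BackConnectionHostName -Names $hostNames
Remove-ItemProperty -Path $lsaKey -Name DisableLoopbackCheck -ErrorAction SilentlyContinue   # drop the blanket bypass if present
Test-LoopbackCheckHardening
# KB 896861: restart IIS (iisreset) after changing the value so the new names are honoured.
```

Hardened is True only when the targeted list is populated and the global bypass is absent, which is the state you want to leave a shared host in.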

 

 

 

Can IIS authenticate user using Windows Authentication without Web Agent involved?

 

This is an important part of troubleshooting Windows Authentication: prove that IIS on its own can authenticate the user before the Web Agent is involved.

You can test with the /ntlm/ virtual directory by disabling Anonymous Authentication and enabling Windows Authentication.

Select the /ntlm/ virtual directory (create this folder under wwwroot first if it does not exist) and click "Authentication" in the right pane.

 

Change the configuration as follows:

"Anonymous Authentication" to "Disabled" and "Windows Authentication" to "Enabled".

If you have not created the registry value above, you will be challenged repeatedly when you access http://www.sso.lab/ntlm/

 

 

With the registry value in place, you get access to the resource and can see the following server variables:

AUTH_USER: SSO\Administrator

AUTH_TYPE: NTLM

HTTP_AUTHORIZATION: TlRMxxxxx

 

This proves that NTLM is working at the IIS level. The HTTP_AUTHORIZATION value is the Base64-encoded NTLM message and always starts with "TlRMTVNT", which is the "NTLMSSP" signature; anything else in that header (for example "Basic ...") means the browser fell back to another scheme.

 

Revert the changes above: "Anonymous Authentication: Enabled" and "Windows Authentication: Disabled".
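Two checks for this standalone IIS test, as an added example and not code from the original post: Test-WindowsAuthEndpoint confirms that the URL first answers 401 with an NTLM/Negotiate challenge and then accepts the logged-on domain user, and Read-NtlmMessage decodes an "Authorization: NTLM <base64>" value (the HTTP_AUTHORIZATION variable above, or a header copied out of a Fiddler trace) into its message type and, for a Type 3 message, the domain and user it carries. It assumes Windows PowerShell 5.1 on a domain-joined client that can reach http://www.sso.lab/ntlm/; the Type 3 message used to exercise the decoder is constructed in the script, not captured.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1 on a
# domain-joined client and that http://www.sso.lab/ntlm/ is configured as above.

function Test-WindowsAuthEndpoint {
    param([string]$Url = 'http://www.sso.lab/ntlm/')
    $result = [ordered]@{ Url = $Url; AnonymousStatus = $null; ChallengeSchemes = @(); AuthStatus = $null; NtlmWorks = $false }

    # 1. Anonymous request: with Anonymous off and Windows Authentication on, IIS must answer 401 + WWW-Authenticate.
    try {
        $result.AnonymousStatus = [int](Invoke-WebRequest -Uri $Url -UseBasicParsing).StatusCode
    } catch {
        $resp = $_.Exception.Response
        if ($resp) {
            $result.AnonymousStatus = [int]$resp.StatusCode
            $hdr = $resp.Headers['WWW-Authenticate']        # e.g. "Negotiate, NTLM"
            if ($hdr) { $result.ChallengeSchemes = @($hdr -split ',\s*') }
        }
    }

    # 2. Same request with the current Windows logon; the NTLM handshake happens inside Invoke-WebRequest.
    try {
        $result.AuthStatus = [int](Invoke-WebRequest -Uri $Url -UseBasicParsing -UseDefaultCredentials).StatusCode
    } catch {
        if ($_.Exception.Response) { $result.AuthStatus = [int]$_.Exception.Response.StatusCode }
    }

    $challenged = ($result.ChallengeSchemes -contains 'NTLM') -or ($result.ChallengeSchemes -contains 'Negotiate')
    $result.NtlmWorks = ($result.AnonymousStatus -eq 401) -and $challenged -and ($result.AuthStatus -eq 200)
    [pscustomobject]$result
}

function Read-NtlmMessage {
    # Decodes an NTLMSSP message and reports its type; for Type 3 (AUTHENTICATE) it also pulls
    # the domain and user name out of the security buffers (MS-NLMP layout: each field is
    # len(2) maxlen(2) offset(4); DomainName field at 28, UserName field at 36, flags at 60).
    param([Parameter(Mandatory)][string]$HeaderValue)
    $b64   = ($HeaderValue -replace '^\s*NTLM\s+', '').Trim()
    $bytes = [Convert]::FromBase64String($b64)
    if ($bytes.Length -lt 12 -or [System.Text.Encoding]::ASCII.GetString($bytes, 0, 7) -ne 'NTLMSSP') {
        throw 'Not an NTLMSSP message (the Base64 should start with TlRMTVNT)'
    }
    $names = @{ 1 = 'NEGOTIATE'; 2 = 'CHALLENGE'; 3 = 'AUTHENTICATE' }
    $type  = [int][BitConverter]::ToUInt32($bytes, 8)
    $info  = [ordered]@{ Type = $type; Name = $names[$type]; Domain = $null; User = $null }
    if ($type -eq 3 -and $bytes.Length -ge 64) {
        $flags = [BitConverter]::ToUInt32($bytes, 60)
        $enc   = if ($flags -band 1) { [System.Text.Encoding]::Unicode } else { [System.Text.Encoding]::ASCII }  # NEGOTIATE_UNICODE
        foreach ($field in @(@{ Name = 'Domain'; Off = 28 }, @{ Name = 'User'; Off = 36 })) {
            $len = [int][BitConverter]::ToUInt16($bytes, $field.Off)
            $off = [int][BitConverter]::ToUInt32($bytes, $field.Off + 4)
            if ($len -gt 0 -and ($off + $len) -le $bytes.Length) { $info[$field.Name] = $enc.GetString($bytes, $off, $len) }
        }
    }
    [pscustomobject]$info
}

function New-SampleNtlmType3 {
    # Constructed Type 3 message for SSO\Administrator with empty challenge responses, only so
    # Read-NtlmMessage can be exercised offline; a real one is taken from the wire.
    $ascii = [System.Text.Encoding]::ASCII; $uni = [System.Text.Encoding]::Unicode
    $domain = $uni.GetBytes('SSO'); $user = $uni.GetBytes('Administrator')
    $ms = New-Object System.IO.MemoryStream
    $w  = New-Object System.IO.BinaryWriter($ms)
    $w.Write($ascii.GetBytes("NTLMSSP`0")); $w.Write([uint32]3)
    foreach ($i in 1..2) { $w.Write([uint16]0); $w.Write([uint16]0); $w.Write([uint32]64) }   # LM / NT responses, empty
    $w.Write([uint16]$domain.Length); $w.Write([uint16]$domain.Length); $w.Write([uint32]64)
    $w.Write([uint16]$user.Length);   $w.Write([uint16]$user.Length);   $w.Write([uint32](64 + $domain.Length))
    foreach ($i in 1..2) { $w.Write([uint16]0); $w.Write([uint16]0); $w.Write([uint32]0) }    # workstation / session key, empty
    $w.Write([uint32]1)                                                                        # flags: NEGOTIATE_UNICODE
    $w.Write($domain); $w.Write($user); $w.Flush()
    'NTLM ' + [Convert]::ToBase64String($ms.ToArray())
}

Read-NtlmMessage -HeaderValue (New-SampleNtlmType3)   # Type 3 AUTHENTICATE, Domain SSO, User Administrator
Test-WindowsAuthEndpoint                               # NtlmWorks is True once /ntlm/ is set up as above
```

Run the endpoint test twice: once with the registry value from the previous section missing (AuthStatus stays 401, which is the re-challenge loop the post describes) and once with it in place. Pasting the HTTP_AUTHORIZATION value from a real request into Read-NtlmMessage shows which NTLM leg you are looking at; a Type 1 means the browser started the handshake, a Type 3 means it finished it for the named user.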

 

 

Are the IIS server and the client machine joined to the AD domain?

 

Yes. In this case they are the same machine, which is joined to the SSO domain.

 

 

Are you going to use Negotiate or NTLM?

 

Let's stick to NTLM. Negotiate would also work with the registry value above, but Kerberos is only chosen when an HTTP/www.sso.lab SPN is registered in AD; without it, Negotiate silently falls back to NTLM. The "Authentication Package" field of logon event 4624 on the IIS server tells you which one was actually used.

 

 

Now that all the above requirements are satisfied, we can go ahead with the Windows Authentication Scheme.

The following need to be configured:

 

  • Make sure you have the content on your web server for /ntlm/ virtual directory.
  • Create "Windows Authentication" Scheme.
  • Create Component and Resource from AdminUI to protect this resource.
  • Configure "Authentication" for "/siteminderagent/ntlm" virtual directory.

 

 

Create "Windows Authentication" Scheme.

 

Create the Windows Authentication Scheme as below.

Name: Windows Authentication

Authentication Scheme Type: Windows Authentication Template

Protection Level: 5

Password Policies enabled for this Authentication Scheme: true

Scheme support: Active Directory / LDAP

Use Relative Target: False

Server Name: www.sso.lab

Port:

Use SSL Connection: True (if the client does not support the NTLM handshake, the browser falls back to a Basic popup and the password crosses the wire, so it is safer to be on https)

Target: /siteminderagent/ntlm/creds.ntc

User DN Lookup: (sAMAccountName=%{UID})

Library: smauthntlm

The Windows Authentication Scheme is created. Note that it now appears on the second page of the scheme list.

 

Create Component and Resource from AdminUI to protect this resource.

 

Log on to the AdminUI and create the Component as below.

Component Name: Windows Authentication

Agent Type: Web Agent

Agent: agent.iis

Resource Filter: /ntlm/

Default Resource Protection: Protected

Authentication Scheme: Windows Authentication

 

Navigate to the Resource tab and select the context root "/ntlm/".

Create Resource as below.

Name: Access Windows Authentication

Resource: *

Allow Access: True

Action: Web Agent Actions: GET, POST

 

Assign "Basic Role" to "Access Windows Authentication" resource and "Submit".

 

 

Configure "Authentication" for the "/siteminderagent/ntlm" virtual directory.

 

In IIS Manager, select the /siteminderagent/ntlm virtual directory (the scheme target creds.ntc lives there) and set "Windows Authentication" to Enabled and "Anonymous Authentication" to Disabled, exactly as in the standalone /ntlm/ test above. This is the directory that initiates the NTLM handshake; /ntlm/ itself stays anonymous because the Web Agent redirects there.

Now test the use case.

Open IE and access http://www.sso.lab/ntlm/

The SMUSER header is set to "SSO\administrator".

Some customers want the SMUSER value to be just "administrator", without the domain.

That is possible with a Global Delivery Module called "SmOverrideAuth".

Reach out to your CA Account Manager if you are interested in trying this module.

 

So now Windows Authentication is working.

There is also a newer feature that avoids the redirect to the /siteminderagent/ntlm/ virtual directory.

Refer to the documentation on the "InlineCredentials" IIS Web Server setting.

 

Do not create a separate Windows Authentication scheme; create only a separate Component and Resource for the /inlinecredentials/ virtual directory.

 

  • Make sure you have the content on your web server for /inlinecredentials/ virtual directory.
  • Add "InlineCredentials=Yes" in ACO.
  • Create "Windows Authentication" Scheme. (skip this as it is already created)
  • Create Component and Resource from AdminUI to protect this resource.
  • Configure "Authentication" for "/inlinecredentials/" virtual directory.

 

Add "InlineCredentials=Yes" in ACO.

 

Log on to the AdminUI, navigate to "Infrastructure ==> Agent ==> Agent Configuration Objects", and modify "aco.www.sso.lab".

Click "Add" button to create new parameter.

Create "InlineCredentials" parameter and set "Yes" as the value.

Click "OK" and "Submit".

 

 

Create Component and Resource from AdminUI to protect this resource.

 

The steps for creating the Component and Resource and assigning the "Basic Role" to the "Access InlineCredentials" resource are the same as for /ntlm/ above and are not repeated here.

Create them as described there, with /inlinecredentials/ as the resource filter.

 

 

Configure "Authentication" for the "/inlinecredentials/" virtual directory.

 

In IIS Manager, set "Windows Authentication" to Enabled and "Anonymous Authentication" to Disabled on /inlinecredentials/ itself. With InlineCredentials there is no redirect, so the protected directory must be the one that issues the NTLM challenge.

 

Now, if you did not have "InlineCredentials=Yes" in the ACO, you would get a Basic prompt when accessing http://www.sso.lab/inlinecredentials/.

With the parameter enabled, you get access to the resource without being redirected to /siteminderagent/ntlm/creds.ntc.

webagenttrace.log

[02/16/2016][18:26:04][5840][7008][CSmHighLevelAgent.cpp:321][ProcessRequest][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][][][][][][Start new request.]

[02/16/2016][18:26:04][5840][7008][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:490][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][][][][][][Resolved hostname: 'www.sso.lab'.]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:509][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][][][][][][Resolved agentname: 'agent.iis'.]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][][][agent.iis][][][Resolved Client IP address '192.168.201.101'.]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:657][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][][][Resolved URL: '/inlinecredentials/'.]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:781][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][][Resolved METHOD: 'GET'.]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:834][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][][Resolved cookie domain: '.sso.lab'.]

[02/16/2016][18:26:04][5840][7008][CSmResourceManager.cpp:112][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmSuccess.]

[02/16/2016][18:26:04][5840][7008][CSmSessionManager.cpp:82][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][][Calling SM_WAF_HTTP_PLUGIN->EstablishSession.]

[02/16/2016][18:26:04][5840][7008][CSmSessionManager.cpp:126][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmNoAction.]

[02/16/2016][18:26:04][5840][7008][CSmLowLevelAgent.cpp:503][IsResourceProtected][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][][Resource is protected from Policy Server.]

[02/16/2016][18:26:04][5840][7008][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][][Processing IsProtected responses.]

[02/16/2016][18:26:04][5840][7008][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/16/2016][18:26:04][5840][7008][CSmCredentialManager.cpp:132][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][][Calling SM_WAF_HTTP_PLUGIN->ProcessCredentials.]

[02/16/2016][18:26:04][5840][7008][CSmCredentialManager.cpp:169][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][][SM_WAF_HTTP_PLUGIN->ProcessCredentials returned SmSuccess.]

[02/16/2016][18:26:04][5840][7008][CSmLowLevelAgent.cpp:1200][AuthenticateUser][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][][User 'SSO\administrator' is authenticated by Policy Server.]

[02/16/2016][18:26:04][5840][7008][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][Processing Authentication responses.]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:8077][CSmHttpPlugin::GenerateNTCChallengeDoneCookie][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][Generating SMCHALLENGE=NTC_CHALLENGE_DONE set-cookie response header.]

[02/16/2016][18:26:04][5840][7008][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/16/2016][18:26:04][5840][7008][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][Generated SMSESSION cookie.]

[02/16/2016][18:26:04][5840][7008][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[02/16/2016][18:26:04][5840][7008][CSmLowLevelAgent.cpp:2768][AuthorizeUser][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][User 'CN=Administrator,CN=Users,DC=sso,DC=lab' is authorized by Policy Server.]

[02/16/2016][18:26:04][5840][7008][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:3270][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][Processing Authorization responses.]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:3277][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][Removing HTTP cache request headers.]

[02/16/2016][18:26:04][5840][7008][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/16/2016][18:26:04][5840][7008][CSmHighLevelAgent.cpp:801][ProcessRequest][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][AuthorizationManager returned SmYes, end new request.]

[02/16/2016][18:26:04][5840][7008][CSmHighLevelAgent.cpp:921][ProcessRequest][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][End new request.]

 

When the browser accessed http://www.sso.lab/inlinecredentials/ it had no existing SMSESSION, which is why the webagenttrace.log above contains no line about validating one (EstablishSession returned SmNoAction).

And without any redirect, the Credential Manager was able to gather the credentials from the request itself (ProcessCredentials returned SmSuccess) and authenticate the user, after which the SMCHALLENGE=NTC_CHALLENGE_DONE and SMSESSION cookies were set.

The same can be seen in the Fiddler trace.
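A small reader for webagenttrace.log, as an added example and not something from the post or the Web Agent itself: it groups lines by the transaction id in the seventh bracket and condenses each request into the milestones that matter here (protected or not, credentials gathered inline, who was authenticated, NTC_CHALLENGE_DONE and SMSESSION issued, authorization result, and whether any redirect was logged). The sample lines are a subset copied from the trace above; the pattern used to spot a redirect (any message containing "redirect") is an assumption, since no redirect appears in this trace.

```powershell
# Added example, not from the original post. Reads webagenttrace.log lines and
# summarises each request by transaction id. The redirect pattern is an assumption.

function Get-SmRequestSummary {
    param([Parameter(Mandatory)][string[]]$Lines)
    $requests = [ordered]@{}
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if (-not ($line.StartsWith('[') -and $line.EndsWith(']'))) { continue }
        # Fields: date, time, pid, tid, file:line, function, txid, client ip, -, agent, resource, user, message
        $f = $line.Substring(1, $line.Length - 2) -split '\]\['
        if ($f.Count -lt 13) { continue }                       # e.g. the "sHost:" line, which carries no txid
        $txid = $f[6]; $msg = $f[-1]
        if ($txid -notmatch '^[0-9a-f]{32}-') { continue }
        if (-not $requests.Contains($txid)) {
            $requests[$txid] = [ordered]@{
                TxId = $txid; Time = "$($f[0]) $($f[1])"; Agent = $f[9]; Url = $null; Protected = $false
                CredentialsGathered = $false; AuthenticatedUser = $null; NtcChallengeDone = $false
                SessionCreated = $false; AuthorizedDn = $null; Redirected = $false; Outcome = $null
            }
        }
        $r = $requests[$txid]
        switch -Regex ($msg) {
            '^Resolved URL: ''(.+)''\.$'               { $r.Url = $Matches[1] }
            'Resource is protected'                    { $r.Protected = $true }
            'ProcessCredentials returned SmSuccess'    { $r.CredentialsGathered = $true }
            '^User ''(.+)'' is authenticated'          { $r.AuthenticatedUser = $Matches[1] }
            'NTC_CHALLENGE_DONE'                       { $r.NtcChallengeDone = $true }
            'Generated SMSESSION cookie'               { $r.SessionCreated = $true }
            '^User ''(.+)'' is authorized'             { $r.AuthorizedDn = $Matches[1] }
            'redirect'                                 { $r.Redirected = $true }          # assumption, see lead-in
            'AuthorizationManager returned (\w+)'      { $r.Outcome = $Matches[1] }
        }
    }
    $requests.Values | ForEach-Object { [pscustomobject]$_ }
}

# Constructed sample: a subset of the trace shown above (same transaction id).
$sample = @'
[02/16/2016][18:26:04][5840][7008][CSmHighLevelAgent.cpp:321][ProcessRequest][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][][][][][][Start new request.]
[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]
[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:657][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][][][Resolved URL: '/inlinecredentials/'.]
[02/16/2016][18:26:04][5840][7008][CSmLowLevelAgent.cpp:503][IsResourceProtected][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][][Resource is protected from Policy Server.]
[02/16/2016][18:26:04][5840][7008][CSmCredentialManager.cpp:169][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][][SM_WAF_HTTP_PLUGIN->ProcessCredentials returned SmSuccess.]
[02/16/2016][18:26:04][5840][7008][CSmLowLevelAgent.cpp:1200][AuthenticateUser][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][][User 'SSO\administrator' is authenticated by Policy Server.]
[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:8077][CSmHttpPlugin::GenerateNTCChallengeDoneCookie][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][Generating SMCHALLENGE=NTC_CHALLENGE_DONE set-cookie response header.]
[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][Generated SMSESSION cookie.]
[02/16/2016][18:26:04][5840][7008][CSmLowLevelAgent.cpp:2768][AuthorizeUser][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][User 'CN=Administrator,CN=Users,DC=sso,DC=lab' is authorized by Policy Server.]
[02/16/2016][18:26:04][5840][7008][CSmHighLevelAgent.cpp:801][ProcessRequest][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][AuthorizationManager returned SmYes, end new request.]
'@ -split "`r?`n"

Get-SmRequestSummary -Lines $sample | Format-List
# Against a real file: Get-SmRequestSummary -Lines (Get-Content .\webagenttrace.log) | Format-Table -AutoSize
```

For the sample this yields one request with Protected, CredentialsGathered, NtcChallengeDone and SessionCreated all True, AuthenticatedUser "SSO\administrator", Outcome "SmYes" and Redirected False, which is the inline path the post describes; a request that went through the scheme's redirect target instead shows up with Redirected True and no credentials gathered on the first pass.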

 

So if you want seamless Windows authentication but do not want a redirect, this is the solution.

Some customers want to log in without any redirects, and until now the only authentication scheme that did not redirect was Basic, which is not secure because the browser sends the password with every request. With InlineCredentials there is one more scheme that requires no redirect.

 

The downside is that you must manually enable "Windows Authentication" and disable "Anonymous Authentication" on each virtual directory that you want to protect using InlineCredentials.
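The per-directory IIS change in script form, as an added example and not code from the post or from CA: the same switch is needed on /siteminderagent/ntlm for the redirect-based scheme, on every InlineCredentials directory, and (temporarily) on /ntlm/ for the standalone test earlier, so one function covers all of them, with a -Revert switch for the post's cleanup step and an -NtlmOnly switch that drops Negotiate from the provider list to match the "let's stick to NTLM" decision above. It assumes the WebAdministration module in an elevated PowerShell on the IIS host, the site name "Default Web Site", and the virtual directory names used in this post.

```powershell
# Added example, not from the original post. Requires the WebAdministration module.
# Assumptions: site "Default Web Site"; vdir names as used in this post.

Import-Module WebAdministration

# windowsAuthentication is locked at server level (overrideModeDefault="Deny"), so the
# per-directory settings are written as <location> entries in applicationHost.config.
$appHost  = 'MACHINE/WEBROOT/APPHOST'
$winAuth  = 'system.webServer/security/authentication/windowsAuthentication'
$anonAuth = 'system.webServer/security/authentication/anonymousAuthentication'

function Get-BoolAttribute {
    # Get-WebConfigurationProperty returns either the raw value or an attribute object, depending on version.
    param([string]$Location, [string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -PSPath $appHost -Location $Location -Filter $Filter -Name $Name
    if ($v -is [bool]) { return $v } else { return [bool]$v.Value }
}

function Get-Providers {
    param([string]$Location)
    @(Get-WebConfiguration -PSPath $appHost -Location $Location -Filter "$winAuth/providers/add" | ForEach-Object { $_.value })
}

function Set-VdirWindowsAuth {
    param(
        [Parameter(Mandatory)][string[]]$VirtualDirectories,
        [string]$Site = 'Default Web Site',
        [switch]$NtlmOnly,   # remove Negotiate so the browser never tries Kerberos (which would also need an HTTP/ SPN)
        [switch]$Revert      # back to Anonymous on / Windows off, the post's cleanup step after the /ntlm/ test
    )
    foreach ($vdir in $VirtualDirectories) {
        $loc = "$Site/$($vdir.Trim('/'))"
        Set-WebConfigurationProperty -PSPath $appHost -Location $loc -Filter $anonAuth -Name enabled -Value ([bool]$Revert)
        Set-WebConfigurationProperty -PSPath $appHost -Location $loc -Filter $winAuth  -Name enabled -Value (-not $Revert)
        if ($NtlmOnly -and -not $Revert -and ((Get-Providers $loc) -contains 'Negotiate')) {
            Remove-WebConfigurationProperty -PSPath $appHost -Location $loc -Filter "$winAuth/providers" -Name '.' -AtElement @{ value = 'Negotiate' }
        }
    }
}

function Get-VdirAuthState {
    param([Parameter(Mandatory)][string[]]$VirtualDirectories, [string]$Site = 'Default Web Site')
    foreach ($vdir in $VirtualDirectories) {
        $loc = "$Site/$($vdir.Trim('/'))"
        [pscustomobject]@{
            Location  = $loc
            Anonymous = Get-BoolAttribute -Location $loc -Filter $anonAuth -Name enabled
            Windows   = Get-BoolAttribute -Location $loc -Filter $winAuth  -Name enabled
            Providers = ((Get-Providers $loc) -join ',')
        }
    }
}

$dirs = 'siteminderagent/ntlm', 'inlinecredentials'
Set-VdirWindowsAuth -VirtualDirectories $dirs -NtlmOnly
Get-VdirAuthState   -VirtualDirectories $dirs | Format-Table -AutoSize
# Cleanup after the standalone test: Set-VdirWindowsAuth -VirtualDirectories 'ntlm' -Revert
```

Get-VdirAuthState is the check to run before blaming the agent: a directory that still shows Anonymous True or Windows False will produce exactly the 403 without a challenge that the next paragraphs describe for /ntlm/.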

 

Also, the "InlineCredentials" parameter is an agent-wide configuration.

This means you cannot use "redirect to the Windows Authentication Scheme" and "InlineCredentials" mode together on the same agent.

Once you enable "InlineCredentials", "http://www.sso.lab/ntlm/" will no longer redirect to "https://www.sso.lab/siteminderagent/ntlm/creds.ntc".

 

The Fiddler capture below shows what happens (frames #3 to #6 were unrelated requests made by IE, so I removed them).

When the browser visited "http://www.sso.lab/ntlm/", the agent no longer redirected it because of the InlineCredentials feature, and since the /ntlm/ virtual directory in IIS does not require Windows Authentication (which is what initiates the NTLM handshake), the client was never asked for credentials.

As a result, the browser gets HTTP 403.

 

The ACO parameter "InlineCredentials" did not appear in wa.log immediately, but it did appear later, once the agent had picked up the updated ACO.

 

That concludes the Windows Authentication Scheme.

The next article will cover the OAuth Authentication Scheme.