James_Atchley

IIS, Windows Security Context, SiteMinder and You

Discussion created by James_Atchley Employee on May 1, 2013
Latest reply on Mar 29, 2014 by venky7488

There is a new feature that is available with IIS 7x that SiteMinder is able to leverage when using Windows Authentication.
Historically, when leveraging an Integrated Windows Authentication Schema, the credentials would be cached to the virtual form, “Creds.ntc”
When doing so you would configure IIS Authentication for Anonymous and only Windows Authentication for the path pointing to “Creds.ntc”.

However, with IIS 7x and the using the SiteMinder IIS agent, you can now use an Agent Configuration Object called “inlinecredentials”.
This allows IIS to be configured with IWA at the root web application. The user credentials are passed through the SiteMinder IIS Agent and communicated across the Agent / Policy Server communication layer.
The Policy Server at that point performs both the Authentication and Authorization steps for the user.
Please review the Bookshelf links below for more information.

New Features: Inline Credentials Support
https://support.ca.com/cadocs/0/CA%20SiteMinder%20r12%20SP3-ENU/Bookshelf_Files/HTML/idocs/1773623.html
Manage User Access with IIS and Inline Credentials.
https://support.ca.com/cadocs/0/CA%20SiteMinder%20r12%20SP3-ENU/Bookshelf_Files/HTML/idocs/367390.html

Configuration Recommendations:
1: Siteminder: Define theACO parameter, "InlineCredentials" to yes.
InlineCredentials=Yes
2: Internet Explorer: Define Trusted Sites to allow "Automatic logon with
Current user name and password" option is selected.
3: IIS Manager:
When using the ACO inlinecredentials, in IIS Administration UI, disable the Anonymous Authentication and enable only the Windows authentication (use Windows User identity instead of Application
Pool identity)

Other Notes:
The ACO parameter “inlinecredentials” was introduced in R12 SP3.
This feature might not be relevant to all organizations and should be tested against your organizations web application to validate that this feature functions as expected.

Outcomes