Symantec Access Management

  • 1.  IWA without popup on screen

    Posted May 02, 2016 06:05 AM

    Hi All,

     

    Here is my scenario,

    I need to use IWA, but I should not get the pop-up which usually appears for the IWA auth scheme. It should grab the credentials from the Windows login and have the user logged into the application. Is this feasible? Does it involve customization? If it's feasible, how do I achieve this?

     

    Though I understand that there might be some security concerns, I want to implement it and then demonstrate the security issues.



  • 2.  Re: IWA without popup on screen

    Broadcom Employee
    Posted May 02, 2016 08:12 AM

    Hi Christie

    I am assuming this is an all-windows

    Please look into the IWA authentication scheme documentation, in the part that talks about configuring Internet Explorer for automatic login.

    If you follow those guidelines, you will have Internet Explorer talk directly to IIS without prompting for authentication.

    For other browsers it may still be possible, provided they are able to pass the present user context to IIS.

    Hope to have helped



  • 3.  Re: IWA without popup on screen

    Broadcom Employee
    Posted May 02, 2016 08:46 AM

    Hello Christie,

    Please find below links to the guide and KBs with specific information on how to set this up.

    You will also find the KBs with the information to resolve some issues you may encounter while setting this up:

    Please find some useful documents on how to set up IWA:

    1. Windows Authentication Schemes:

    https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/configuring/policy-server-configuration/authentication-schemes/windows-authentication-schemes

    2. How to Troubleshoot Integrated Windows Authentication (IWA)?
    Document ID:  TEC529547
    http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec529547.aspx

    3. HTTP Error 500 when accessing html page during Integrated Windows Authentication Scheme setup.
    Document ID:  TEC522828
    http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec522828.aspx

    4. How NTLM/Windows Authentication works?
    Document ID:  TEC483088
    http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec483088.aspx

    Hope this helps.

     

    Osarobo



  • 4.  Re: IWA without popup on screen

    Posted May 02, 2016 09:32 AM

    Thank you @Osarobo Idehen and @Miquel Gilibert i Sunye

     

    I have configured the Authentication Scheme and IIS as per the documentation; however, it keeps on throwing the dialog box to log in. But if I change the settings in IE to "Automatically login using the current user name and password", I don't get the dialog box. Is this expected behaviour? Is there a way to configure this without touching the IE settings, since some of the users might use other browsers?



  • 5.  Re: IWA without popup on screen
    Best Answer

    Broadcom Employee
    Posted May 02, 2016 09:49 AM

    Hello Christie,

    Thanks for the feedback.

    Yes, you are correct - this is expected behaviour as per the information in the guide.

    IE has to be configured for automatic login.

    Verify that Windows Authentication Prerequisites Are Met:

    - Users must use a browser that supports sending Windows credentials and that is configured properly to send those credentials automatically.

    - Internet Explorer browser options are configured for automatic logon with the current username and password of the user.

    https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/configuring/policy-server-configuration/authentication-schemes/windows-authentication-schemes

    Hope this answers your query.

    You can mark this thread as answered if it does.

    Thanks,

    Osarobo



  • 6.  Re: IWA without popup on screen

    Posted May 02, 2016 10:19 AM

    Yes, it does.

    But the query is, could this be achieved without changing the IE settings, though this change could be made globally by pushing an update or global policy from Admin? Is it possible without those options and customizing from SiteMinder?



  • 7.  Re: IWA without popup on screen

    Broadcom Employee
    Posted May 02, 2016 10:24 AM

    Hi Christie

    The point is the authentication is done by IIS and it is that one that interacts with the browser, so there is little that SiteMinder can do here. In short, there is no setting you can set not to have to set the IE settings.



  • 8.  Re: IWA without popup on screen

    Broadcom Employee
    Posted May 02, 2016 10:29 AM

    Hello Christie,

    Thanks for marking the thread as answered.

    No, it is not possible without changing the IE settings.

    As you rightly indicated, a good way to go might be by using AD Group policy.

    Thanks and Regards,

    Osarobo
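
An added example, not part of the thread or the product documentation: a PowerShell audit of the IE zone logon setting discussed above ("Automatically login using the current user name and password"), listing every location where it is set by Group Policy or per user. It assumes the standard Windows Internet Settings zone keys and the `1A00` logon value; the function name `Get-ZoneLogonSetting` is hypothetical.

```powershell
# Audit the "User Authentication > Logon" setting (registry value 1A00) per IE security zone.
# Zone keys are strings so they index the ordered dictionary by key, not by position.
$zones = [ordered]@{ '1' = 'Local intranet'; '2' = 'Trusted sites'; '3' = 'Internet'; '4' = 'Restricted sites' }

# Documented meanings of the 1A00 DWORD.
$modes = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

# Locations where the value can be defined: Group Policy (machine, user) and the user's own setting.
$roots = [ordered]@{
    'Machine policy' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    'User policy'    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    'User setting'   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
}

function Get-ZoneLogonSetting {
    foreach ($source in $roots.Keys) {
        foreach ($zone in $zones.Keys) {
            $key  = Join-Path $roots[$source] $zone
            $prop = Get-ItemProperty -Path $key -Name '1A00' -ErrorAction SilentlyContinue
            if ($null -eq $prop) { continue }   # value not defined at this location

            $value = [int]$prop.'1A00'
            [pscustomobject]@{
                Source = $source
                Zone   = $zones[$zone]
                Value  = '0x{0:X5}' -f $value
                Mode   = if ($modes.ContainsKey($value)) { $modes[$value] } else { 'Unknown' }
                # Flag unconditional automatic logon in the Internet or Restricted zones:
                # sites there could trigger Windows authentication without any prompt.
                Review = ($value -eq 0 -and $zone -in '3', '4')
            }
        }
    }
}

Get-ZoneLogonSetting | Format-Table -AutoSize
```

Rows with `Review` set to `True` are the ones to correct before rolling the setting out through Group Policy; limiting automatic logon to the Local intranet zone keeps the no-prompt behaviour for the IIS site without extending it to other zones.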