Symantec Access Management

  • 1.  Siteminder SSO using Kerberos Authentication Scheme.

    Posted Jun 01, 2016 12:12 PM

    Due to Windows SSO, siteminder auto authenticates the user based on the login ID which Siteminder receives in the request.

    So when the request reaches the application web server, the Web Agent intercepts the request and processes it using the NTID.
    Since it is a Windows SSO, SM doesn't challenge the user with a login page; instead it searches for the user ID across all the ADs. Thus, the user will be authenticated against the AD where the user is found first.

    In a situation where the same "TEST1" user exists in two domains (Active Directory), SM will stop the search at AD1, because the "TEST1" user is found in AD1. But the same "TEST1" user also exists in AD3, and SM doesn't check against AD3.

    Thus, the "TEST1" user will see the user information of the other user from AD1, which is not correct.

     

    Please share your ideas.



  • 2.  Re: Siteminder SSO using Kerberos Authentication Scheme.

    Posted Jun 02, 2016 06:52 AM

    Hello,

     

    Actually Siteminder does authentication on binding user with password towards the user directory.

     

    If the same login is present in multiple user directories but the passwords are different, Siteminder will bind to the correct user/password. If the same login/password is used in multiple user directories, then it will bind to the first user directory and not check the other user directories.

     

    In the case of the NTLM/Kerberos authentication scheme, the authentication is done by the IIS server and Siteminder does a validation of the user on the directory based on the authentication result provided by IIS. If there are multiple user directories with the same username, it will stop and will not try other directories.

     

    How can Siteminder determine whether it should stop at the first user directory where it found the user, or whether it should continue?

     

    Hope it helps,

    Julien.



  • 3.  Re: Siteminder SSO using Kerberos Authentication Scheme.
    Best Answer

    Broadcom Employee
    Posted Jun 02, 2016 07:13 AM

    Hi,

     

    Using the "Kerberos Authentication Scheme", the Web Agent will use the Kerberos API to authenticate the user against the KDC server. And it depends on the Kerberos configuration.

    But if you attach several User Stores to the same SiteMinder domain, we assume that you consider, for the same user, that all the User Stores have the correct information for the given user. If information for the same user differs depending on the User Store, you might review how you configure the SiteMinder domain and remove the user store where the information isn't correct.

     

    Best Regards,

    Patrick
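The behaviour described in this thread (the first user directory in which the login is found wins, and no later directory is consulted) and the configuration review Patrick recommends can both be checked offline. The following is an added example, not code from the thread, from Broadcom or from SiteMinder itself: it models the first-match lookup, then audits a set of user stores for logins that appear in more than one directory, which is exactly the condition that makes "TEST1" resolve to the wrong account. The directory names AD1 to AD3 follow the thread; every record in them is constructed sample data, and the search order is a hypothetical one.

```python
"""Model of a 'first user directory wins' lookup and an audit for duplicate
logins across user stores. All directory contents are constructed sample data;
this is not SiteMinder code."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class UserRecord:
    directory: str      # which user store the record came from
    login: str          # sAMAccountName-style login, stored upper-case
    display_name: str
    mail: str


# Constructed sample user stores. Only the names AD1..AD3 come from the thread.
DIRECTORIES: Dict[str, Dict[str, UserRecord]] = {
    "AD1": {
        "TEST1": UserRecord("AD1", "TEST1", "Test One (corporate)", "test1@ad1.example"),
        "JDOE": UserRecord("AD1", "JDOE", "Jane Doe", "jdoe@ad1.example"),
    },
    "AD2": {
        "MSMITH": UserRecord("AD2", "MSMITH", "Mary Smith", "msmith@ad2.example"),
    },
    "AD3": {
        "TEST1": UserRecord("AD3", "TEST1", "Test One (partner)", "test1@ad3.example"),
    },
}

# Hypothetical order in which the user stores are searched.
SEARCH_ORDER: List[str] = ["AD1", "AD2", "AD3"]


def first_match_lookup(login: str,
                       directories: Dict[str, Dict[str, UserRecord]],
                       search_order: List[str]) -> Optional[UserRecord]:
    """The behaviour the thread describes: walk the stores in order and return
    the first record whose login matches. Later stores are never consulted,
    so a duplicate login in AD3 is silently shadowed by AD1."""
    key = login.upper()  # AD logins are case-insensitive
    for name in search_order:
        record = directories.get(name, {}).get(key)
        if record is not None:
            return record
    return None


def find_ambiguous_logins(directories: Dict[str, Dict[str, UserRecord]]) -> Dict[str, List[str]]:
    """Audit step: map every login to the stores it appears in and keep only
    the logins present in more than one store. Run this before enabling a
    passwordless (Kerberos/NTLM) scheme over several user stores."""
    seen: Dict[str, List[str]] = {}
    for dir_name, users in directories.items():
        for login in users:
            seen.setdefault(login.upper(), []).append(dir_name)
    return {login: dirs for login, dirs in seen.items() if len(dirs) > 1}


class AmbiguousLoginError(Exception):
    """Raised when a login cannot be mapped to exactly one user store."""


def strict_lookup(login: str,
                  directories: Dict[str, Dict[str, UserRecord]]) -> Optional[UserRecord]:
    """Defensive variant: search every store and refuse to pick one when the
    login is found more than once, instead of returning the first hit."""
    key = login.upper()
    matches = [users[key] for users in directories.values() if key in users]
    if len(matches) > 1:
        raise AmbiguousLoginError(
            f"{key} found in {[m.directory for m in matches]}; cannot resolve safely")
    return matches[0] if matches else None


if __name__ == "__main__":
    hit = first_match_lookup("TEST1", DIRECTORIES, SEARCH_ORDER)
    print(f"first-match: TEST1 -> {hit.directory} ({hit.mail})")
    for login, dirs in find_ambiguous_logins(DIRECTORIES).items():
        print(f"AUDIT: login {login} exists in {', '.join(dirs)}; fix before enabling SSO")
    try:
        strict_lookup("TEST1", DIRECTORIES)
    except AmbiguousLoginError as exc:
        print(f"strict lookup refused: {exc}")
```

Running the script shows TEST1 resolving to AD1 under first-match, the audit naming AD1 and AD3 as the colliding stores, and the strict variant refusing to choose. In a real deployment the audit input would be an export of the sAMAccountName attribute from each store attached to the SiteMinder domain rather than the constructed dictionaries above.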