Symantec Access Management

  • 1.  Single Resource Protected by Multiple Windows Authentication Schemes

    Posted Jun 23, 2016 12:36 PM

    My company is looking at trying to protect resources with Windows Authentication Schemes that are internal.

     

    Issue is, the scheme to use would depend on where the client is coming in from, not the resource.

     

    Has anyone made or even attempted to make a page that tries this and logically selects the authentication scheme to use?



  • 2.  Re: Single Resource Protected by Multiple Windows Authentication Schemes

    Posted Jun 23, 2016 01:08 PM

    Not exactly that. But we have centralized credential collectors that do all the authentications. So on those servers, I have an incoming proxy rule to determine if it's coming from an "internal" subnet and if so then it redirects to an IWA protected scheme. If it's not a known internal subnet, then it redirects to a forms based scheme.



  • 3.  Re: Single Resource Protected by Multiple Windows Authentication Schemes

    Posted Jun 23, 2016 01:13 PM

    Ahh, this is for our internal solution... the issue is that different regions need different lookup schemes.

     

    Say, one for Europe and one for North America...



  • 4.  Re: Single Resource Protected by Multiple Windows Authentication Schemes

    Broadcom Employee
    Posted Jul 12, 2016 09:03 AM

    Hi Josh,

     

    I understand you've been working with a support engineer on this question. His closest to an "out of the box" suggestion is to add a script to the page that is able to determine where the user came from and have it determine which resource to access and hence the needed authentication scheme. Unfortunately we do not have any examples implementing this functionality, but you can reach out to Global Development to contract their services if help is needed.

     

    Regards,

    Sandy



  • 5.  Re: Single Resource Protected by Multiple Windows Authentication Schemes
    Best Answer

    Posted Jul 12, 2016 09:18 AM

    Sandy,

     

    Thank you. I forgot to come back to this and add our solution, as suggested by Pete Burant of CA Support.

     

    We have an aspx page that collects credentials as IWA would and examines the domain. Based upon the domain, it sends them to a protected resource that uses the correct authentication scheme to get them logged in. The resource takes the target (sent from the selector page) and decodes it, forwarding them back to their starting point.

     

    We had to use a small group for testing, but it is working well. We are working to expand the test group.
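
The selector flow described in post 5, sketched as an added example (not the poster's or CA's code): the selector maps the Windows domain to a region-specific protected resource and passes the encoded target along, and the resource decodes the target and accepts only a local path so it cannot be used as an open redirector. The domain names, resource paths, `DOMAIN\user` identity format and Base64 target encoding are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

public static class SchemeSelector
{
    // Hypothetical mapping: Windows domain -> resource protected by that region's scheme.
    static readonly Dictionary<string, string> RegionLogin =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "EU", "/login/eu/landing.aspx" },
            { "NA", "/login/na/landing.aspx" },
        };

    // Selector side: identity is assumed to arrive as "DOMAIN\user";
    // target is the page the user originally asked for.
    public static string BuildRedirect(string identity, string target)
    {
        identity = identity ?? "";
        int slash = identity.IndexOf('\\');
        string domain = slash > 0 ? identity.Substring(0, slash) : "";
        string resource;
        if (!RegionLogin.TryGetValue(domain, out resource))
            return null; // unknown domain: caller denies or falls back to a default scheme
        string encoded = Convert.ToBase64String(Encoding.UTF8.GetBytes(target));
        return resource + "?target=" + Uri.EscapeDataString(encoded);
    }

    // Resource side: decode the target, then allow only a path on this site.
    // Absolute URLs, "//host" and "/\host" forms, and CR/LF are rejected.
    public static string ResolveTarget(string encoded)
    {
        string t;
        try { t = Encoding.UTF8.GetString(Convert.FromBase64String(encoded ?? "")); }
        catch (FormatException) { return "/"; }
        bool local = t.Length > 0 && t[0] == '/'
            && (t.Length == 1 || (t[1] != '/' && t[1] != '\\'))
            && t.IndexOfAny(new[] { '\r', '\n' }) < 0;
        return local ? t : "/";
    }

    public static void Main()
    {
        // Constructed sample inputs: a local path and an off-site URL.
        Console.WriteLine(BuildRedirect(@"EU\jdoe", "/apps/report.aspx?id=7"));
        foreach (string sample in new[] { "/apps/report.aspx?id=7", "https://example.invalid/" })
            Console.WriteLine(ResolveTarget(
                Convert.ToBase64String(Encoding.UTF8.GetBytes(sample))));
    }
}
```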



  • 6.  Re: Single Resource Protected by Multiple Windows Authentication Schemes

    Broadcom Employee
    Posted Jul 12, 2016 01:14 PM

    Super!  Thanks for following up and letting us know that Pete's suggestion is working.