Symantec Access Management

  • 1.  IIS AppPool windows identity not picking up

    Posted Sep 07, 2018 11:01 AM

    Hello,

    I am opening a new discussion for my earlier question since the original question in that thread may be different:

    Siteminder with IIS and Custom AD Domain Application pool account 


    I have the web agent installed and configured on an IIS 8.5 server. The .NET web application is set up to run under a Windows service account, configured as the Windows Identity in the IIS application pool settings. This is the application account that interacts with the backend database objects. In the IIS administration UI, anonymous authentication is disabled and Windows authentication is enabled. When a user tries to access the web application, the SSO page is presented and the user is able to be authenticated. However, the application is not working, because the Windows Identity that the application sees is the user account that logged in through SSO instead of the Windows Identity (AD service account) set in the IIS application pool. Does CA SSO ignore the Windows Identity set up in the IIS application pool (meant for backend processing), and if yes, how can this application be made to work with the app pool identity?


    Thanks!



  • 2.  Re: IIS AppPool windows identity not picking up

    Broadcom Employee
    Posted Sep 07, 2018 03:58 PM

    Hi Kumar,


    If your application depends on a Windows Identity (AD service account) in order to work, then why use CA SSO?

    With the CA SSO agent, after NTLM authentication, the agent is going to take the user account that logged in through SSO; that is how the product is designed.


    Or maybe there is some kind of sequence of events that needs to happen at different stages of the application flow:

    SSO authentication first and then access the app, or access the app and then go for SSO authentication.

    You need to further examine that with your application team.


    There is also an ACO parameter called EarlyCookieCommit, but it is used on a case-by-case basis.

    List of Agent Configuration Parameters - CA Single Sign-On - 12.52 SP2 - CA Technologies Documentation


    Thank you.

    Hongxu 



  • 3.  Re: IIS AppPool windows identity not picking up

    Posted Sep 07, 2018 04:43 PM

    Just to understand what you mentioned above... so if the application has a backend database (say SQL Server) and if updates are made through the app UI which are then written to the backend SQL Server, does that mean the user account has to have UPDATE access in the backend SQL Server for the updates to be successful? I am not sure that allowing the logon user account UPDATE access to the backend database is the right thing to do, unless I am missing something? Does CA SSO with IIS not allow the logon user account and the apppool identity to be different? Sorry if I was not clear earlier.



  • 4.  Re: IIS AppPool windows identity not picking up

    Broadcom Employee
    Posted Sep 07, 2018 05:05 PM

    The CA SSO logon user account is often different from the IIS apppool identity. I have not heard of a customer having a problem accessing an application due to that. There are many different kinds of applications SSO can protect. Commonly, access rights are tied to the SSO logon user account; that is what security protection is about, unless your requirement is different. Which user should be allowed to UPDATE the backend SQL Server is up to your business requirement and DBA. SSO does not control or dictate that.


    Thank you.

    Hongxu 



  • 5.  Re: IIS AppPool windows identity not picking up

    Posted Sep 07, 2018 05:13 PM

    Thank you for the confirmation that logon user account is different from IIS apppool identity.  That was my original question above . The logon use account is authenticated fine, however the CA webagent is not recognizing the IIS Apppool identity that we have defined (and that is the account that we have setup to do the backend processing of the application as per our needs).  So, basically back to the original question, why is ca-webagent not recognizing or ignoring the IIS apppool identity and instead, carries the logon user account as the apppool identity for the backend processing which throws errors then. That is what is happening in this case.  Appreciate any additional thoughts?