Symantec Access Management

  • 1.  Winforms Select Auth

    Posted Sep 27, 2012 02:37 PM

    Scenario:
    The customer is requesting HTML forms be a backup authentication scheme for Windows Authentication.

    Problem:
    If Windows Authentication fails, Windows will present a credentials challenge box. The customer does not want this box to appear but instead to have the FCC challenge for credentials.

    Attached are some sample configurations and code to achieve this. Feel free to recommend changes or fixes.


  • 2.  RE: Winforms Select Auth

     
    Posted Sep 28, 2012 01:09 PM
    Thanks for posting this out to the community Steve! :grin:


  • 3.  RE: Winforms Select Auth

    Posted Oct 01, 2012 06:01 PM
    Very nice alternative. Thanks for the information. Our inf. uses Apache (no Tomcat) and Java. Have to rewrite this into JSP? Have you seen any performance degradation from this extra validation?

    The alternative I use right now is: the user enters his credentials; if incorrect, it prompts the user three times before redirecting them to a 403 page. This 403 page itself is protected by forms and, upon authentication, will show links to app apps. which use IWA.

    Thanks again for this. Appreciate it.


  • 4.  RE: Winforms Select Auth

    Posted Jan 02, 2013 10:24 AM
    We've been using SmNTLM_IWA_FailoverToHTMLForms for a while. If not the same, it's probably very similar to "Winforms Select Auth". It worked fine, but had one drawback. As it relies on ActiveX for the initial access to the XML file, the usage is limited to IE and always triggers the failover when using another browser. So we ended up looking for an alternative behaving consistently on the most common browsers.

    We now rely on a persistent cookie to store the initial NTLM result and redirect the user accordingly to the appropriate IWA or forms authentication for subsequent authentications. So, if NTLM is not OK, it will trigger the notorious NTLM popup once. Subsequent authentications will trigger the forms-based alternative.
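
The persistent-cookie routing described in post 4, sketched as an added example (not code from the thread or from the product). The cookie name, the two login paths and the cookie attributes are assumptions; the cookie is treated purely as a routing hint, never as proof of authentication.

```javascript
// Added example: names, paths and cookie attributes are assumptions,
// not SiteMinder settings or code posted in this thread.
const COOKIE = 'authpref';                                   // hypothetical cookie name
const ROUTES = { iwa: '/iwa/login', forms: '/forms/login' }; // hypothetical protected realms
const ONE_YEAR = 365 * 24 * 60 * 60;                         // cookie lifetime in seconds

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const jar = Object.create(null);
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Choose the scheme for this request. Both targets still authenticate the
// user; a value outside the allowlist is treated as "no preference", so the
// cookie can never supply the redirect location itself.
function selectScheme(cookieHeader) {
  const pref = parseCookies(cookieHeader)[COOKIE];
  const known = Object.prototype.hasOwnProperty.call(ROUTES, pref);
  const scheme = known ? pref : 'iwa'; // first visit: try IWA once (may show the NTLM popup)
  return { scheme, firstVisit: !known, location: ROUTES[scheme] };
}

// After the IWA attempt, persist the outcome so later visits skip the popup.
function recordResult(ntlmSucceeded) {
  const value = ntlmSucceeded ? 'iwa' : 'forms';
  return `${COOKIE}=${value}; Max-Age=${ONE_YEAR}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed walk-through: a browser where NTLM fails on the first visit.
function demo() {
  const first = selectScheme('');                      // no cookie yet
  const setCookie = recordResult(false);               // NTLM failed
  const next = selectScheme(setCookie.split(';')[0]);  // browser replays the cookie
  const tampered = selectScheme('authpref=//other.example/'); // value not in allowlist
  return { first, setCookie, next, tampered };
}
```
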


  • 5.  RE: Winforms Select Auth

    Posted Jan 02, 2013 10:30 AM
    Thanks PVB for sharing. Interesting approach using a persistent cookie.


  • 6.  RE: Winforms Select Auth

    Posted Dec 20, 2013 06:10 AM

    Hi Steven,

     

    Thanks for providing the solution.

    I tried to implement the solution as provided, but somehow it is not working.

     

    Configuration done :-

    1. Have IIS 7 webserver with 3 websites- Test, Protect & Redirect

    2. Test website (with Port 84) having the authenticationselector.asp, integratedauthenticationtester.js and requiresauthentication.xml deployed & unprotected. Windows Authentication enabled for this website in IIS.

    3. Authenticationselector.asp is having the parameters updated as mentioned

    var HostServer = "***.***.***"

    var ProtectedDir = "Redirect"

    var SSLStatus = "http"

    4. Protect website (with Port 90) having the dummy.html page which is SiteMinder protected with Windows Authentication scheme (Target refers to authenticationselector.asp). Anonymous & Form Based Authentication enabled for this website in IIS.

    5. Redirect website (with Port 88) having Redirector.asp page which is SiteMinder protected with Form Based authentication scheme (Target refers to form.jsp deployed on some other server). Form Based Authentication enabled for this website in IIS.

    6. Policy domain is configured which is protecting dummy.html & Redirector.asp pages in separate realms having auth schemes as mentioned in point 4 & 5.

    7. ACO having FCCForceIsProtected parameter value set as NO

     

    Issue Description :-

    The user’s IE browser does not have the IWA-specific setting enabled, i.e. automatic login with username & password.

    Upon accessing the protected URL – http://<FQDN>:90/Protect/dummy.html, it calls the authenticationselector.asp page, which in turn invokes the RequiresAuthentication.xml and then prompts with the NTLM credential challenge box. After entering the credentials, it redirects me to the http://<FQDN>:88/siteminderagent/ntlm/creds.ntc URL along with Target set. The page displays a 401 – Unauthorized error message.

    However, if I click on cancel button of login box, then it redirects me to authenticationselector.asp page displaying 401 – Unauthorized error message.

     

    Can you please advise where we are going wrong here and what needs to be done in order to make this work?

     

    Appreciate your earliest help in this.

    Regards,

    Vishal



  • 7.  Re: Winforms Select Auth

    Posted Dec 19, 2014 11:46 PM

    Hi,

    We implemented this tool kit in IIS 7.5. It works fine with IE and does not challenge the user. It fails in Firefox and keeps looping, with -------------- in the URL.



  • 8.  Re: Winforms Select Auth

    Posted Dec 23, 2014 10:54 PM

    Hi

    This works only on Windows. Mac users using Safari are prompted with the Windows authentication pop-up; after entering userid/pwd it presents the forms login FCC. Please let me know if there is a setting in Safari and FF for Mac users.



  • 9.  Re: Winforms Select Auth

    Posted Jan 24, 2017 10:05 AM

    It may also be helpful to look at the upcoming feature that development is working on to cover this use case.

     

    Windows Fallback to Forms