SSO Help

An Online Community for Identity & Access Management Professionals

Hi All,

Can we have a single authentication scheme in CA SiteMinder where the user would first be authenticated using IWA and, if that fails, automatically be sent to Form Login?


Replies to This Discussion

Not easily, but it should be possible. Since IWA is handled by IIS and not SiteMinder to some extent, you need to customize the IIS error messages. So, on an IIS error, send a redirect to a resource protected by forms authentication. I've never tried it, but it should work.
Thanks, let me try and I will let you know.
Hi, I am looking for help on CA SiteMinder with IWA authentication. Do you have any configuration steps?
Sure.

Here are high level steps.

1. Install IIS
2. Install the SiteMinder web agent on that IIS
3. Create IWA authentication scheme and update the corresponding server details in that.

Please let me know about it
Hi,
Thanks for your reply.

I have followed the steps below:
1. Installed PS on a Win2k3 machine
2. Installed IIS on another Win2k3 machine and installed the web agent on the same machine; in IIS I checked the Integrated Windows Authentication option and unchecked the rest of the options.
3. Joined the web agent machine to one AD machine, created one user on this AD machine, logged in to the machine with that user and tried to access the protected resource. Now I am getting the challenge to enter the credentials instead of it taking the logged-on credentials.

Please suggest.
Are IIS and the PS machine on the same domain?
No. PS and IIS are in different domains.
I have added the AD users into PS UI using the AD credentials.
It shouldn't matter if IIS and the policy server are in the same domain. However, IIS has to be in the same domain as the AD containing the users being authenticated.

What errors do you see in the policy server profiler log or the web agent trace log? You'll be able to tell why you are getting challenged that way.

Todd
In the smps.log I am seeing this error:
[SmDsLdapConnMgr.cpp:881][ERROR] SmDsLdapConnMgr Bind. Server DomainDnsZones.krish.com : 389. Error 91-Can't connect to the LDAP server

In the smtracedefault log I am seeing:
[agent][][][09/07/2010][CSm_Az_Message::FormatAttribute][][][NTRealm][][][][][][][][][][][]
[agent][][][09/07/2010][CSm_Az_Message::FormatAttribute][][][NTRealm][][][][][][][][][][][][http://abc.krish.com:90/siteminderagent/ntlm/creds.ntc][][][][][][IsProtectedEx]
[agent][][][09/07/2010][CSm_Az_Message::FormatAttribute][][][NTRealm][][][][][][][][][][][][][][][][][][IsProtectedEx][21:08:49.180][][]
[agent][][][09/07/2010][CSm_Az_Message::FormatAttribute][][][NTRealm][][][][][][][][][][][][][][][][][][IsProtectedEx][21:08:49.180][][]
[agent][][][09/07/2010][CSm_Az_Message::ProcessMessage][][][NTRealm][][][][][][][][][][][][][][][][][][][21:08:49.180][][]
[][][][09/07/2010][CSm_Az_Message::SendReply][][][][][][][][][][][][][][][][][][][][][][21:08:49.180][][]
[][][][09/07/2010][CSm_Az_Message::IsProtected][Protected][][][][][][][][][][][][][][][][][][][][][21:08:49.180][][]
[][][][09/07/2010][CSm_Az_Message::ProcessMessage][727][][][][][][][][][][][][][][][][][][][][][21:08:49.180][][]
[][][][09/07/2010][CSmAuthUser::~CSmAuthUser][][][][][][][][][][][][][][][][][][][][][][21:08:49.180][][]
[][][][09/07/2010][CSmAuthUser::~CSmAuthUser][][][][][][][][][][][][][][][][][][][][][][21:08:49.180][][]
[][][][09/07/2010][CSmAuthUser::CSmAuthUser][][][][][][][][][][][][][][][][][][][][][][21:09:15.851][][]
[][][][09/07/2010][CSmAuthUser::CSmAuthUser][][][][][][][][][][][][][][][][][][][][][][21:09:15.851][][]
[][][][09/07/2010][CSm_Auth_Message::ProcessMessage][][][][][][][][][][][][][][][][][][][][][][21:09:15.851][][]
[][][][09/07/2010][CSm_Auth_Message::ProcessAgentMessage][][][][][][][][][][][][][][][][][][][][][][21:09:15.851][][]
[iwa][][][09/07/2010][CSmMessage::ParseAgentMessage][][][][][][][][][][][][][][][1283864924][][][][][][][21:09:15.851][][]
[iwa][][][09/07/2010][CSmMessage::ParseAgentMessage][][][][][][][][][][][][][][][1283864955][][][][][][][21:09:15.851][][]
[iwa][][][09/07/2010][CSmMessage::ParseAgentMessage][][][][][][][][][][][][][][][5][][][][][][][21:09:15.851][][]
[iwa][][][09/07/2010][CSmMessage::ParseAgentMessage][][][][][][][][][][][][][][][128][][][][][][][21:09:15.851][][]
[iwa][][][09/07/2010][CSmMessage::ParseAgentMessage][][][][][][][][][][][][][][][1][][][][][][][21:09:15.851][][]
[iwa][][][09/07/2010][CSmMessage::ParseAgentMessage][][][][][][][][][][][][][][][][][][][][][][21:09:15.851][][]

Apart from these, no errors in the smtrace log.

Please suggest.
This means the Policy Server is not able to connect to AD.
If I use any other auth scheme, such as FormsAuth, instead of the Windows Authentication Scheme, I can access the protected resource. So, the Policy Server is able to connect to AD.
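The smps.log and smtracedefault.log lines quoted above are the evidence that decides this kind of IWA challenge problem, and reading them by eye is error-prone because the trace format is a long run of bracketed, mostly empty columns. The following is an added example, not code from the thread or from CA/Broadcom, that parses both formats and pulls out the facts a troubleshooter needs: which directory host and port the policy server failed to bind to (and with which LDAP error code), and which agent components, realms and protected resources appear in the trace. The column positions (component at field 0, date at 3, function at 4, realm at 7) are an assumption inferred from the records in this thread, not a documented layout; the sample lines embedded below are copied from the post above, the first trace record being truncated exactly as it is there.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample records copied from the thread above: the smps.log error line and three
# smtracedefault.log records (the first one is truncated and carries no time field).
SMPS_SAMPLE = [
    "[SmDsLdapConnMgr.cpp:881][ERROR] SmDsLdapConnMgr Bind. Server DomainDnsZones.krish.com : 389. Error 91-Can't connect to the LDAP server",
]
TRACE_SAMPLE = [
    "[agent][][][09/07/2010][CSm_Az_Message::FormatAttribute][][][NTRealm][][][][][][][][][][][][http://abc.krish.com:90/siteminderagent/ntlm/creds.ntc][][][][][][IsProtectedEx]",
    "[][][][09/07/2010][CSm_Az_Message::IsProtected][Protected][][][][][][][][][][][][][][][][][][][][][21:08:49.180][][]",
    "[iwa][][][09/07/2010][CSmMessage::ParseAgentMessage][][][][][][][][][][][][][][][1283864924][][][][][][][21:09:15.851][][]",
]

FIELD_RE = re.compile(r"\[([^\]]*)\]")            # one [...] column of a trace record
DATE_RE = re.compile(r"^\d{2}/\d{2}/\d{4}$")
TIME_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}$")
SMPS_RE = re.compile(r"^\[(?P<source>[^\]]+)\]\[(?P<level>[A-Z]+)\]\s*(?P<message>.*)$")
LDAP_BIND_RE = re.compile(r"Server (?P<host>\S+) : (?P<port>\d+)\. Error (?P<code>\d+)-(?P<text>.*)$")

# Assumed column layout, inferred from the records quoted in the thread (not a
# documented format): field 0 = agent component, 3 = date, 4 = function, 7 = realm.
COL_COMPONENT, COL_DATE, COL_FUNCTION, COL_REALM = 0, 3, 4, 7


@dataclass
class TraceEvent:
    component: str
    date: Optional[str]
    function: str
    realm: Optional[str]
    resource: Optional[str]     # first field that looks like a URL, if any
    time: Optional[str]         # hh:mm:ss.mmm field, None on a truncated record
    extras: List[str]           # any other non-empty fields (e.g. "Protected", "IsProtectedEx")


@dataclass
class LdapBindFailure:
    source: str                 # "file.cpp:line" the policy server logged
    host: str
    port: int
    code: int                   # LDAP result code, 91 = can't contact the server
    text: str


def parse_trace_line(line: str) -> TraceEvent:
    """Split one smtrace record into its bracketed columns and classify them."""
    fields = FIELD_RE.findall(line.strip())
    if len(fields) <= COL_FUNCTION:
        raise ValueError("not an smtrace record: %r" % line)
    date = fields[COL_DATE] if DATE_RE.match(fields[COL_DATE]) else None
    realm = (fields[COL_REALM] or None) if len(fields) > COL_REALM else None
    resource = time = None
    extras: List[str] = []
    for i, value in enumerate(fields):
        if i in (COL_COMPONENT, COL_DATE, COL_FUNCTION, COL_REALM) or not value:
            continue
        if value.startswith(("http://", "https://")):
            resource = value
        elif TIME_RE.match(value):
            time = value
        else:
            extras.append(value)
    return TraceEvent(fields[COL_COMPONENT], date, fields[COL_FUNCTION], realm, resource, time, extras)


def parse_smps_ldap_failures(lines: List[str]) -> List[LdapBindFailure]:
    """Return every ERROR line in smps.log that reports a failed LDAP bind."""
    failures = []
    for line in lines:
        m = SMPS_RE.match(line.strip())
        if not m or m.group("level") != "ERROR":
            continue
        e = LDAP_BIND_RE.search(m.group("message"))
        if e:
            failures.append(LdapBindFailure(m.group("source"), e.group("host"),
                                            int(e.group("port")), int(e.group("code")),
                                            e.group("text").strip()))
    return failures


def summarize(smps_lines: List[str], trace_lines: List[str]) -> Dict[str, object]:
    """Condense both logs into the facts needed to explain an unexpected IWA challenge."""
    failures = parse_smps_ldap_failures(smps_lines)
    events = [parse_trace_line(l) for l in trace_lines if l.strip()]
    return {
        "ldap_failures": ["%s:%d (error %d: %s)" % (f.host, f.port, f.code, f.text) for f in failures],
        "agent_components": sorted({e.component for e in events if e.component}),
        "realms": sorted({e.realm for e in events if e.realm}),
        "resources": sorted({e.resource for e in events if e.resource}),
        "functions": [e.function for e in events],
        # A bind failure during the auth flow means the user store named in the
        # scheme was never reached, whatever the web agent side of the trace shows.
        "directory_reachable": not failures,
    }


if __name__ == "__main__":
    for key, value in summarize(SMPS_SAMPLE, TRACE_SAMPLE).items():
        print("%-20s %s" % (key, value))
```

Run it against your own logs by replacing the two sample lists with the file contents (`open(path).read().splitlines()`); the `ldap_failures` entry tells you immediately which directory host the policy server could not bind to, which is the question the rest of this thread turns on.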


© 2012   Created by CoreBlox
