Kerberos to Forms Fallback

Article ID: 187651

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

 
We're running a Policy Server and we're trying to implement Kerberos
to forms fallback with Policy Server 12.8SP1 and Web Agent
12.52SP1CR09.
 
We've found the following link to implement Kerberos fallback to HTML
form, and we'd like to know if it would work?
 
  Windows IWA Failover to HTML Form Login.docx
    Click on "Anonymous Authentication" and then on the far right under Actions, click "Disable".
    Click on "Windows Authentication" and then on the far right under Actions, click "Enable".
 

Environment

 

Policy Server 12.8SP1 on Windows 2016

 

Resolution

 
At first glance, you do need to run CA Access Gateway (SPS) 12.8SP2 in
order to benefit from that feature, as mentioned in that KD and in the
documentation:
 
  Kerberos Fallback to Form Implementation
  https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=139516
 
As you're running Policy Server 12.8SP1, you'll need to upgrade your
environment to 12.8SP2 or higher and install CA Access Gateway (SPS)
at the same version.
 
Moreover, if the user is not in the domain, a credentials popup is
expected, as mentioned in this KD:
 
  Kerberos Fallback to Form Implementation
 
    We're running a Web Agent and when a user reaches a page protected by the Kerberos
    authentication scheme, when the user is not in the LDAP User
    Directory or is "outside Company Infra", then the browser receives a
    popup asking for credentials.
 
  https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=139516
 
You can follow the document from our Communities site, as you mentioned:
 
  "Windows IWA Failover to HTML Form Login.docx"
  https://community.broadcom.com/enterprisesoftware/communities/community-home/librarydocuments/viewdocument?DocumentKey=49f3bcfe-05d5-49b0-99dd-bd0269fc93cf&CommunityKey=f9d65308-ca9b-48b7-915c-7e9cb8fc3295&tab=librarydocuments
 
But this is only for use with NTLM Authentication, which doesn't
work the same way as the Kerberos Authentication Scheme. Moreover, this
kit was developed by our Services department.
 
One important point: the document says to disable "Anonymous
Authentication" in IIS and enable "Windows Authentication", which is
not how IIS should be configured for Kerberos authentication.
 
  Windows IWA Failover to HTML Form Login.docx
 
    Click on "Anonymous Authentication" and then on the far right under Actions, click "Disable".
    Click on "Windows Authentication" and then on the far right under Actions, click "Enable".
 
  https://community.broadcom.com/enterprisesoftware/communities/community-home/librarydocuments/viewdocument?DocumentKey=49f3bcfe-05d5-49b0-99dd-bd0269fc93cf&CommunityKey=f9d65308-ca9b-48b7-915c-7e9cb8fc3295&tab=librarydocuments
 
Finally, that kit for IWA Failover to HTML Form was introduced
officially in CA Access Gateway (SPS) and Policy Server 12.7:
 
  IWA Fallback to Forms Using Authentication Chain
 
    If the primary authentication scheme fails, the authentication
    process falls back to the secondary authentication scheme. This
    fallback process helps you combine multiple authentication schemes
    as a new Authentication Chain. Currently, CA Single Sign-On
    supports only Integrated Windows Authentication (IWA) Fallback to
    Forms-based authentication scheme.
    For more information, see Authentication Chaining.
 
  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-7/release-notes/new-features.html#concept.dita_0384d3ef52101beffdb5469f329c50f18cfc48ee_IWAFallbacktoFormsUsingAuthenticationChain
 
and the Kerberos Fallback to Forms feature was introduced in
12.8SP2:
 
  Kerberos Fallback to Forms Using Authentication Chain
 
   CA Single Sign-On supports Kerberos fallback to forms-based
   authentication scheme. If the primary authentication scheme fails,
   the authentication process falls back to the secondary authentication
   scheme. The fallback process helps you combine multiple
   authentication schemes as a new Authentication Chain. This feature
   requires CA Access Gateway 12.8.02.
   For more information, see Configure Kerberos Fallback to Forms.
 
  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/release-notes/new-features.html
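As an added example that is not part of this article or of the product, here is a small Python check that parses the version strings used above (12.8SP1, 12.8.02, 12.52SP1CR09) and reports which of the stated prerequisites for Kerberos fallback to forms an environment misses: Policy Server and CA Access Gateway (SPS) at 12.8SP2 or higher, and both at the same level. It assumes that the dotted form 12.8.02 denotes the same level as 12.8SP2, and it orders releases as decimals so that 12.52 sorts before 12.7 and 12.8; the class and function names are my own.

```python
"""Version prerequisite check for Kerberos fallback to forms (added example)."""
import re
from decimal import Decimal
from typing import List, NamedTuple, Optional


class SmVersion(NamedTuple):
    """Comparable CA SSO version: release as a decimal, then SP, then CR.

    The release is kept as a Decimal so that 12.52 sorts before 12.7 and
    12.8, matching the order in which those releases shipped.
    """
    release: Decimal
    sp: int
    cr: int


_PATTERN = re.compile(
    r"^\s*(\d+\.\d+)"          # release, e.g. 12.8 or 12.52
    r"(?:\.(\d+))?"            # optional dotted service pack, e.g. 12.8.02
    r"(?:\s*SP\s*(\d+))?"      # optional SPn, e.g. 12.8SP2
    r"(?:\s*CR\s*(\d+))?"      # optional CRn, e.g. 12.52SP1CR09
    r"\s*$",
    re.IGNORECASE,
)


def parse_version(text: str) -> SmVersion:
    """Parse strings such as '12.8SP1', '12.8.02' or '12.52SP1CR09'."""
    m = _PATTERN.match(text)
    if not m:
        raise ValueError(f"unrecognised CA SSO version string: {text!r}")
    release, dotted_sp, sp, cr = m.groups()
    # '12.8.02' and '12.8SP2' are both read as service pack 2 (assumption:
    # the article uses the two notations for the same level).
    sp_value = int(sp if sp is not None else (dotted_sp or 0))
    return SmVersion(Decimal(release), sp_value, int(cr or 0))


# Minimum level stated in the article for Kerberos fallback to forms.
KERBEROS_FALLBACK_MIN = parse_version("12.8SP2")


def check_kerberos_fallback_prereqs(policy_server: str,
                                    access_gateway: Optional[str]) -> List[str]:
    """Return the findings that block Kerberos fallback to forms.

    An empty list means both stated prerequisites hold: Policy Server and
    CA Access Gateway (SPS) are at 12.8SP2 or higher, and SPS is at the
    same release and service pack as the Policy Server.
    """
    findings: List[str] = []
    ps = parse_version(policy_server)
    if ps < KERBEROS_FALLBACK_MIN:
        findings.append(f"Policy Server {policy_server} is below 12.8SP2; upgrade it")
    if access_gateway is None:
        findings.append("CA Access Gateway (SPS) is not installed; the feature requires it")
        return findings
    ag = parse_version(access_gateway)
    if ag < KERBEROS_FALLBACK_MIN:
        findings.append(f"Access Gateway {access_gateway} is below 12.8SP2; upgrade it")
    if (ag.release, ag.sp) != (ps.release, ps.sp):
        findings.append(
            f"Access Gateway {access_gateway} and Policy Server {policy_server} "
            "are not at the same release and service pack")
    return findings


if __name__ == "__main__":
    # The environment from the article: Policy Server 12.8SP1 and no SPS yet.
    for finding in check_kerberos_fallback_prereqs("12.8SP1", None):
        print("-", finding)
```

Run against the environment described in the question (Policy Server 12.8SP1, no SPS), the check lists both gaps: the Policy Server is below 12.8SP2 and SPS is missing. The Web Agent version is deliberately not checked, since the article states no Web Agent requirement for this feature.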
 
So Windows Authentication and Kerberos authentication are not the
same, and the fallback solutions differ, as explained above.