Kerberos to Forms Fallback
Article ID: 187651
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER
Issue/Introduction
We're running a Policy Server and we're trying to implement Kerberos
to froms fallback with Policy Server 12.8SP1 and Web Agent
12.52SP1CR09.
to froms fallback with Policy Server 12.8SP1 and Web Agent
12.52SP1CR09.
We've found the following link to implement Kerberos fallback to html
form, and we'd like to know if it would work ?
form, and we'd like to know if it would work ?
Windows IWA Failover to HTML Form Login.docx
Click on "Anonymous Authentication" and then on the far right under Actions, click "Disable".
Click on "Windows Authentication" and then on the far right under Actions, click "Enable".
Click on "Windows Authentication" and then on the far right under Actions, click "Enable".
Environment
Policy Server 12.8SP1 on Windows 2016
Resolution
At first glance, you do need to run CA Access Gateway (SPS) 12.8SP2 in
order to benefit from that feature as mentioned in that KD and
documentation :
order to benefit from that feature as mentioned in that KD and
documentation :
Kerberos Fallback to Form Implementation
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=139516
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=139516
As you're running Policy Server 12.8SP1, you'll need to upgrade your
environment to 12.8SP2 or higher and install CA Access Gateway (SPS)
the same version.
environment to 12.8SP2 or higher and install CA Access Gateway (SPS)
the same version.
More, if the user is not in the domain, a popup is expected as
mentioned in this KD :
mentioned in this KD :
Kerberos Fallback to Form Implementation
We're running a Web Agent and when user reaches a page protected by the kerberos
authentication scheme, when the user is not in the LDAP User
Directory or is "outside Company Infra", then the browser receives a
Popup asking for credentials.
authentication scheme, when the user is not in the LDAP User
Directory or is "outside Company Infra", then the browser receives a
Popup asking for credentials.
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=139516
You can follow the document from our communities as you mentioned :
"Windows IWA Failover to HTML Form Login.docx"
https://community.broadcom.com/enterprisesoftware/communities/community-home/librarydocuments/viewdocument?DocumentKey=49f3bcfe-05d5-49b0-99dd-bd0269fc93cf&CommunityKey=f9d65308-ca9b-48b7-915c-7e9cb8fc3295&tab=librarydocuments
But this is only for usage with NTLM Authentication, which doesn't
work the same way as Kerberos Authentication Scheme. More, this kit
has been developped by our Services department.
work the same way as Kerberos Authentication Scheme. More, this kit
has been developped by our Services department.
One important thing, the link mentions that you should disable
"Anonymous Authentication" on IIS and enable "Windows Authentication",
which shouldn't be configured like that for Kerberos authentication.
"Anonymous Authentication" on IIS and enable "Windows Authentication",
which shouldn't be configured like that for Kerberos authentication.
Windows IWA Failover to HTML Form Login.docx
Click on "Anonymous Authentication" and then on the far right under Actions, click "Disable".
Click on "Windows Authentication" and then on the far right under Actions, click "Enable".
Click on "Windows Authentication" and then on the far right under Actions, click "Enable".
https://community.broadcom.com/enterprisesoftware/communities/community-home/librarydocuments/viewdocument?DocumentKey=49f3bcfe-05d5-49b0-99dd-bd0269fc93cf&CommunityKey=f9d65308-ca9b-48b7-915c-7e9cb8fc3295&tab=librarydocuments
Finally, that kit for IWA Failover to HTML Form has been introduced
officially in CA Access Gateway (SPS) adn Policy Server 12.7 :
officially in CA Access Gateway (SPS) adn Policy Server 12.7 :
IWA Fallback to Forms Using Authentication Chain
If the primary authentication scheme fails, the authentication
process falls back to the secondary authentication scheme. This
fallback process helps you combine multiple authentication schemes
as a new Authentication Chain. Currently, CA Single Sign-On
supports only Integrated Windows Authentication (IWA) Fallback to
Forms-based authentication scheme.
process falls back to the secondary authentication scheme. This
fallback process helps you combine multiple authentication schemes
as a new Authentication Chain. Currently, CA Single Sign-On
supports only Integrated Windows Authentication (IWA) Fallback to
Forms-based authentication scheme.
For more information, see Authentication Chaining.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-7/release-notes/new-features.html#concept.dita_0384d3ef52101beffdb5469f329c50f18cfc48ee_IWAFallbacktoFormsUsingAuthenticationChain
and the Kerberos Fallback to Forms feature has been introduced in
12.8SP2 :
Kerberos Fallback to Forms Using Authentication Chain
CA Single Sign-On supports Kerberos fallback to forms-based
authentication scheme. If the primary authentication scheme fails,
the authentication process falls back to the secondary authentication
scheme. The fallback process helps you combine multiple
authentication schemes as a new Authentication Chain. This feature
requires CA Access Gateway 12.8.02.
authentication scheme. If the primary authentication scheme fails,
the authentication process falls back to the secondary authentication
scheme. The fallback process helps you combine multiple
authentication schemes as a new Authentication Chain. This feature
requires CA Access Gateway 12.8.02.
For more information, see Configure Kerberos Fallback to Forms.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/release-notes/new-features.html
So Windows Authentication and Kerberos Authentications are not the
same, and solution for fallback are different as explained above.
same, and solution for fallback are different as explained above.
Feedback
Yes
No
Powered by
