
IWA to form fallback shows undesirable pop up authentication prompt


Article ID: 190084


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

IWA to HTML Form fallback chaining is not working as we hoped. If the user is on a domain laptop with a supported browser (IE and Chrome), IWA logs the user in automatically without issues, but if we use another browser that does not support IWA login, or if the user is not logged into the domain, we get a basic authentication popup. We can click Cancel on the popup and the HTML form appears.

We need a way for the basic auth pop up to not appear.

Environment

Release : 12.8.03

Component : SITEMINDER -WEB AGENT FOR APACHE

Resolution

A desktop browser that supports NTLM has two relevant settings:

1. Do negotiate for domain joined URL (a.k.a. Trusted URL). Enabled by default
2. Do negotiate for non-domain joined URL. Disabled by default

If 1 is disabled, whether by the user or by an administrator/policy, then a user who is logged into the domain will get the popup.
If 2 is disabled, as it is by default, the user will get a popup if they are not logged into the domain.

Whether you get a popup or not is completely controlled by these browser settings and cannot be overridden externally.

To perform seamless IWA so that users do not get a popup, whether or not they are logged into the domain, you need both 1 and 2 above enabled.

This currently affects only desktop browsers, because they include support for IWA. Mobile browsers do not (although it is possible, if unlikely, that they might at some time in the future, or there might be a mobile browser which does that we are unaware of).

For IE and Chrome, you need to add the sites as "Trusted sites", and in "Custom level..." for "Trusted sites" set "User Authentication" to "Automatic login with current user name and password".

In Firefox, you need to set the following in about:config:

network.automatic-ntlm-auth.allow-non-fqdn = true
network.automatic-ntlm-auth.trusted-uris = <comma separated list of hosts and fqdns>
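The two Firefox preferences above decide whether the browser sends NTLM credentials silently or shows the popup, and the decision depends on how the hostname in the request URL is compared against the trusted-uris list. The following added example (not part of this article and not Firefox or SiteMinder code) models those matching rules as a small predictor, so an administrator can check in advance which URLs a given pref value will cover. It assumes Firefox's documented behaviour: the list is comma or whitespace separated, a bare entry such as example.com matches that host and any subdomain by suffix, an entry with a scheme such as https://example.com also requires the scheme (and port, if given) to match, and allow-non-fqdn trusts any hostname without a dot. The hostnames and pref values in the demo are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _host_matches(host, pattern):
    """Suffix match on the host name, the way trusted-uris entries are applied:
    'example.com' matches 'example.com' and 'sso.example.com' but not
    'notexample.com'. A leading dot in the pattern also matches subdomains."""
    host, pattern = host.lower(), pattern.lower()
    if not pattern:
        return False
    if host == pattern:
        return True
    if host.endswith(pattern):
        # the character before the suffix must be a label separator
        return pattern.startswith(".") or host[-len(pattern) - 1] == "."
    return False


def _entry_matches(url_parts, entry):
    """Check one trusted-uris entry against an already split request URL."""
    host = url_parts.hostname or ""
    url_port = url_parts.port or DEFAULT_PORTS.get(url_parts.scheme.lower())
    if "://" in entry:
        # scheme-qualified entry: scheme must match, port only if specified
        e = urlsplit(entry)
        if e.scheme.lower() != url_parts.scheme.lower():
            return False
        if e.port is not None and e.port != url_port:
            return False
        return _host_matches(host, e.hostname or "")
    # bare host/domain entry, optionally with a port ("intranet:8080")
    e = urlsplit("//" + entry)
    if e.port is not None and e.port != url_port:
        return False
    return _host_matches(host, e.hostname or "")


def would_auto_authenticate(url, trusted_uris="", allow_non_fqdn=False):
    """Return True if Firefox would send NTLM credentials for `url` without
    prompting, given the two about:config values from the article:
      trusted_uris   -> network.automatic-ntlm-auth.trusted-uris
      allow_non_fqdn -> network.automatic-ntlm-auth.allow-non-fqdn
    False means the user sees the authentication popup (and then the
    HTML form only after cancelling it)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return False
    # a single-label intranet name ("intranet") is trusted only by allow-non-fqdn
    if allow_non_fqdn and "." not in host:
        return True
    for raw in trusted_uris.replace(" ", ",").split(","):
        entry = raw.strip()
        if entry and _entry_matches(parts, entry):
            return True
    return False


if __name__ == "__main__":
    # constructed pref value and URLs for demonstration
    prefs = "https://sso.example.com, example.net, intranet:8080"
    for u in ("https://sso.example.com/login",
              "http://sso.example.com/login",      # scheme mismatch
              "https://portal.example.net/",       # subdomain via suffix match
              "https://notexample.net/",           # not a real suffix match
              "http://intranet:8080/app",
              "http://intranet:8081/app"):         # port mismatch
        outcome = "silent IWA" if would_auto_authenticate(u, prefs) else "popup"
        print(f"{u:40} -> {outcome}")
```

A practical check before rolling the prefs out: run every SiteMinder-protected URL users are expected to hit through the predictor with the exact pref string you intend to deploy; any URL that comes back as "popup" is one where the fallback to the HTML form will still be interrupted. The same list syntax applies to network.negotiate-auth.trusted-uris if Kerberos/SPNEGO rather than NTLM is in use.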