IWA authentication scheme - disable negotiate to force NTLM only on CA Secure Gateway


Article ID: 205886


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder); CA Single Sign On Agents (SiteMinder); CA Single Sign On Federation (SiteMinder); CA Single Sign On SOA Security Manager (SiteMinder); SITEMINDER



We're running a CA Access Gateway (SPS), and when we protect a resource
with the Windows Authentication Scheme, if the user has an SPN value, then
the browser receives 2 values for the same header:


We've worked around this issue by adding the following configuration to
the SPS HTTP server:

    Header edit WWW-Authenticate "Negotiate.*" "NTLM"

We'd like to know how to make the browser receive only 1 header,
like:


How can we fix this?




  CA Access Gateway (SPS) 12.8SP3 on Windows 2016;
  Policy Server 12.8SP3 on Windows 2016;




This behavior is by design. CA Access Gateway sends both challenges in the
same 401 response so that Windows Authentication can complete by either
scheme: the browser tries Negotiate first, and if Negotiate fails (because
the browser is unable to obtain a Kerberos ticket for any reason), it falls
back to NTLM, where the user receives a credential pop-up, supplies
credentials, and is authenticated that way.

Out of the box, there is no setting in CA Access Gateway (SPS) that makes
it send only one of the two WWW-Authenticate headers.
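As an added example (not CA's code and not a supported SPS configuration), the following Python script models the behaviour described in the resolution and the effect of the `Header edit WWW-Authenticate "Negotiate.*" "NTLM"` workaround from the question: it parses a two-challenge 401, picks a scheme the way a browser with or without a Kerberos ticket would, and emulates what the mod_headers `edit` rule does to each header instance. The raw response is constructed, and the rewrite is emulated with Python's `re` module standing in for httpd's PCRE (the pattern has no `$1` back-references, so the two dialects agree here).

```python
"""
Model of the CA Access Gateway Windows Authentication challenge:
two WWW-Authenticate headers (Negotiate and NTLM), browser-side
fallback, and the effect of the customer's mod_headers workaround.

Added example; the response below is constructed, and Apache's
'Header edit' is emulated with Python re rather than run in httpd.
"""
import re
from typing import List, Optional

# Constructed 401 as the browser would receive it from SPS: one
# WWW-Authenticate header per scheme the gateway is willing to accept.
RAW_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Apache\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# The customer's workaround, as it would appear in the SPS httpd config.
HEADER_EDIT_PATTERN = r"Negotiate.*"
HEADER_EDIT_REPLACEMENT = "NTLM"


def parse_challenges(raw_response: str) -> List[str]:
    """Return every WWW-Authenticate value in the order the server sent them."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    challenges = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            challenges.append(value.strip())
    return challenges


def choose_scheme(challenges: List[str], have_kerberos_ticket: bool) -> Optional[str]:
    """
    Browser-side selection as the resolution describes it: Negotiate is
    attempted first; NTLM is the fallback when no ticket can be produced
    (the user then gets the credential pop-up). None means nothing offered
    is usable, i.e. the user is stuck with an unauthenticated 401.
    """
    schemes = [c.split()[0] for c in challenges if c]
    if "Negotiate" in schemes and have_kerberos_ticket:
        return "Negotiate"
    if "NTLM" in schemes:
        return "NTLM"
    return None


def apply_header_edit(challenges: List[str], pattern: str, replacement: str) -> List[str]:
    """
    Emulate 'Header edit WWW-Authenticate <pattern> <replacement>':
    mod_headers applies the regex to each header instance independently
    (first match only, like 'edit' rather than 'edit*') and re-adds every
    instance. It rewrites values; it never drops a header, so duplicates
    can appear in the result.
    """
    regex = re.compile(pattern)
    return [regex.sub(replacement, value, count=1) for value in challenges]


def dedupe(challenges: List[str]) -> List[str]:
    """Collapse identical challenges while preserving order (what a browser
    effectively sees; httpd itself does not do this for 'edit')."""
    seen, out = set(), []
    for c in challenges:
        if c not in seen:
            seen.add(c)
            out.append(c)
    return out


if __name__ == "__main__":
    offered = parse_challenges(RAW_401)
    print("gateway offers:", offered)
    print("browser with ticket picks:", choose_scheme(offered, True))
    print("browser without ticket picks:", choose_scheme(offered, False))
    print("Negotiate only, no ticket:", choose_scheme(["Negotiate"], False))

    edited = apply_header_edit(offered, HEADER_EDIT_PATTERN, HEADER_EDIT_REPLACEMENT)
    print("after 'Header edit' workaround:", edited)
    print("distinct challenges the browser sees:", dedupe(edited))
```

Two things the emulation makes visible. First, `edit` rewrites each instance but removes none, so after the workaround the browser still receives two `WWW-Authenticate` headers, both reading `NTLM`; `Header set WWW-Authenticate NTLM` would instead replace all existing values with a single one, and `Header` without `always` only touches httpd's normal header table, so `Header always ...` is the form to try if a rule appears not to fire on the 401. Second, any such override downgrades every client to NTLM, including browsers that could have completed Kerberos via Negotiate, which is exactly the case the by-design two-header response is meant to serve; the override is an httpd-level change, not an SPS setting.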