IWA authentication scheme - disable negotiate to force NTLM only on CA Secure Gateway

Article ID: 205886

Products

  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On Agents (SiteMinder)
  CA Single Sign On Federation (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  SITEMINDER

Issue/Introduction

We're running a CA Access Gateway (SPS) and when we protect a resource
with Windows Authentication Scheme, if the user has a SPN value, then
the browser receives 2 values for the same header:

    WWW-Authenticate=Negotiate
    WWW-Authenticate=NTLM

We've worked around this issue by adding to the SPS http server the
following configuration:

    Header edit WWW-Authenticate "Negotiate.*" "NTLM"

We'd like to know how to make the browser receive only 1 header,
like:

    WWW-Authenticate=NTLM

How can we fix this?

Environment

  CA Access Gateway (SPS) 12.8SP3 on Windows 2016;
  Policy Server 12.8SP3 on Windows 2016;

Resolution

The behavior is by design. Both values are sent in the header to perform
Windows Authentication: if Negotiate fails (for example, because the
underlying browser is unable to provide a Kerberos ticket for any
reason), the NTLM challenge lets the client receive the pop-up to supply
credentials, authenticate and generate the ticket.

Out of the box, there is no way to configure CA Access Gateway (SPS) to
send only one of the two WWW-Authenticate headers.
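The challenge handling described above, as an added example that is not CA's code: it parses the WWW-Authenticate challenges a gateway returns (both repeated header lines and the comma-separated form RFC 7235 allows), models the Negotiate-then-NTLM fallback the resolution describes, and classifies a response so a defender can spot an NTLM-only configuration. The sample responses are constructed, not captured from a real SPS.

```python
from typing import List, Optional

# Constructed sample 401 responses (not captured from a real gateway).
DEFAULT_SPS = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n\r\n"
)
NTLM_ONLY = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n\r\n"
)
# RFC 7235 also permits several challenges in one header line.
COMBINED = "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate, NTLM\r\n\r\n"


def challenges(raw: str) -> List[str]:
    """Every WWW-Authenticate challenge, in the order the server sent them.
    Splitting on commas is safe for Negotiate and NTLM, whose optional
    token is base64 and never contains a comma; it is NOT safe for
    schemes with quoted parameters such as Digest."""
    head = raw.split("\r\n\r\n", 1)[0]
    found = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            found.extend(v.strip() for v in value.split(",") if v.strip())
    return found


def schemes(raw: str) -> List[str]:
    """Scheme names only (challenge minus any token), lower-cased."""
    return [c.split(None, 1)[0].lower() for c in challenges(raw)]


def client_choice(raw: str, has_kerberos_ticket: bool) -> Optional[str]:
    """Fallback as the resolution describes it: the client answers Negotiate
    when it can obtain a Kerberos ticket for the SPN, otherwise it falls
    back to NTLM (credential pop-up). Returns the scheme used, or None."""
    offered = schemes(raw)
    if "negotiate" in offered and has_kerberos_ticket:
        return "negotiate"
    if "ntlm" in offered:
        return "ntlm"
    return None


def audit(raw: str) -> str:
    """Classify what the gateway offers; 'ntlm-only' means every client,
    ticket or not, is pushed to NTLM (the effect of the Header edit)."""
    offered = set(schemes(raw))
    if "negotiate" in offered:
        return "kerberos-capable" if "ntlm" in offered else "negotiate-only"
    return "ntlm-only" if "ntlm" in offered else "no-iwa-challenge"
```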