User is not authenticated in IWA

Article ID: 37331

Products

CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

Issue: 

Recently we upgraded our web agent to R12.52SP1 while migrating the OS from 2k3 to 2k8. Applications running on this platform use IWA for authentication and were running fine on the 2k3 servers (the previous agent version was 6.x sp35). A newly SiteMinder-integrated application hosted on IIS is not working with Windows authentication, and the request goes into a loop. We observed the error below in the agent trace logs.

[09/28/2015][06:09:29][7800][7604][CSmLowLevelAgent.cpp:1332][AuthenticateUser][0000000000000000000000000f3215ac-1e78-56091fe9-1db4-014a2965][*xxxxxxxxxxxx][][cm2k-pu-2k8][/cm2k/][][User 'NT AUTHORITY\IUSR' is not authenticated by Policy Server.]

Environment:  

Web agent: R12.52 SP01

Cause: 

The NTLM directory under the SiteMinder agent virtual directory has both Windows Authentication and Anonymous Authentication enabled. Because of that, the request fails with the error below.

[09/28/2015][06:09:29][7800][7604][CSmLowLevelAgent.cpp:1332][AuthenticateUser][0000000000000000000000000f3215ac-1e78-56091fe9-1db4-014a2965][*xxxxxxxxxxxx][][cm2k-pu-2k8][/cm2k/][][User 'NT AUTHORITY\IUSR' is not authenticated by Policy Server.]

Smtracedefault logs:

[09/28/2015][06:09:29.432][06:09:29][5402][23][smauthntlm.cpp:267][SmAuthenticate][][][][NT AUTHORITY\IUSR][][][][][][][][][][][][][][][][][Processing Windows credentials]

[09/28/2015][06:09:29.432][06:09:29][5402][23][smauthntlm.cpp:289][SmAuthenticate][][][][][][][][][][][][][][][][][][][][][isADNativeMode = 1]

[09/28/2015][06:09:29.432][06:09:29][5402][23][smauthntlm.cpp:364][SmAuthenticate][][][][][][][][][][][][][][][][][][][][][User DN Lookup: (CN=IUSR)]

[09/28/2015][06:09:29.432][06:09:29][5402][23][smauthntlm.cpp:365][SmAuthenticate][][][][][][][][][][][][][8][][][][][][][][Leave function SmAuthenticate]

[09/28/2015][06:09:29.432][06:09:29][5402][23][SmAuthUser.cpp:1695][CSmAuthUser::SavePasswordState][][][][][][][][][][][][][][][][][][][][][Enter function CSmAuthUser::SavePasswordState]

[09/28/2015][06:09:29.432][06:09:29][5402][23][SmAuthUser.cpp:1697][CSmAuthUser::SavePasswordState][][][][][][][][][][][][][false][][][][][][][][Leave function CSmAuthUser::SavePasswordState]

[09/28/2015][06:09:29.432][06:09:29][5402][23][SmAuthUser.cpp:5376][CSmAuthUser::Authenticate][][][][][][][][][][][][][8][][][][][][][][Leave function CSmAuthUser::Authenticate]

[09/28/2015][06:09:29.433][06:09:29][5402][23][SmDsLdapProvider.cpp:1729][CSmDsLdapProvider::SearchImpl][][][][][][][][][][][][][][][][][][][][][search filter is : (CN=IUSR)]

[09/28/2015][06:09:29.435][06:09:29][5402][23][SmDsLdapConnMgr.cpp:1191][CSmDsLdapConn::SearchExts][][][][][][][][][][][][][][][][][][][][][LDAP search of (CN=IUSR) took 0 seconds and 1988 microseconds]

[09/28/2015][06:09:29.435][06:09:29][5402][23][SmDsLdapProvider.cpp:2195][CSmDsLdapProvider::Search][][][][][][][][][][][][][][][][][][][(Search) Base: 'ou=people,o=ca', Filter: '(CN=IUSR)'. Status: 0 entries][][Ldap Search callout succeeds.]

NT AUTHORITY\IUSR is an anonymous user. The Policy Server cannot find this user in the user directory (the LDAP search for (CN=IUSR) above returns 0 entries), which is why it is not authenticated. In addition, when Anonymous Authentication is enabled, the user who logs in to the application might be the anonymous user rather than the Windows user.
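One way to spot this condition in an agent trace log, as an added example that is not part of the original article or of the product: it groups "not authenticated" failures by account and flags anonymous identities. The function names, the list of anonymous account names and the sample lines are assumptions constructed for illustration.

```python
import re

FIELD_RE = re.compile(r"\[([^\]]*)\]")
FAIL_RE = re.compile(r"User '([^']+)' is not authenticated by Policy Server")

# Assumption: account names that IIS/Windows use for anonymous requests.
ANON_NAMES = {"IUSR", "ANONYMOUS LOGON"}


def is_anonymous_identity(account):
    """True if the account is a built-in anonymous identity, not a real user."""
    name = account.rsplit("\\", 1)[-1].upper()
    return name in ANON_NAMES or name.startswith("IUSR_")


def triage(lines):
    """Group 'not authenticated' failures by account and flag anonymous ones."""
    found = {}
    for line in lines:
        line = line.strip()
        hit = FAIL_RE.search(line)
        if not hit:
            continue
        if not line.startswith("["):  # pasted lines often lose the first bracket
            line = "[" + line
        fields = FIELD_RE.findall(line)
        entry = found.setdefault(hit.group(1), {
            "count": 0,
            "first_seen": " ".join(fields[:2]),  # date and time fields
            "anonymous": is_anonymous_identity(hit.group(1)),
        })
        entry["count"] += 1  # repeated hits for one account suggest a loop
    return found


# Constructed sample lines in the agent trace format quoted above.
PREFIX = "[7800][7604][CSmLowLevelAgent.cpp:1332][AuthenticateUser][id][*agent][][host][/app/][]"
SAMPLE = [
    "[09/28/2015][06:09:29]" + PREFIX + r"[User 'NT AUTHORITY\IUSR' is not authenticated by Policy Server.]",
    "09/28/2015][06:09:30]" + PREFIX + r"[User 'NT AUTHORITY\IUSR' is not authenticated by Policy Server.]",
    "[09/28/2015][06:09:31]" + PREFIX + r"[User 'EXAMPLE\jdoe' is not authenticated by Policy Server.]",
    "[09/28/2015][06:09:32]" + PREFIX + "[Some other message]",
]

if __name__ == "__main__":
    for account, info in triage(SAMPLE).items():
        kind = "anonymous identity" if info["anonymous"] else "named user"
        print(f"{account}: {info['count']} failure(s) from {info['first_seen']} ({kind})")
```

An account flagged as an anonymous identity means IIS passed the anonymous user to the agent, so the authentication settings on the NTLM directory are the first thing to check.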

Resolution:

As per the standard configuration, the NTLM directory under the SiteMinder agent virtual directory should have only Windows Authentication enabled, with all other authentication methods disabled, to achieve Windows authentication.

Environment

Release:
Component: SMIIS