How to enable CA Secure Gateway (formerly Secure Proxy Server) to do NTLM authentication to the backend server

Article ID: 41688

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Question: 

I have a backend server behind my CA Secure Gateway proxy which requires NTLM authentication. How do I configure CA Secure Gateway to access these NTLM-protected resources?

Environment:

    All (Linux, Windows, Solaris)

Answer: 

The setting that makes the proxy pass the backend's NTLM authentication challenge through to the user is connection-auth="yes" on the proxyrules.xml forward directive for that specific backend server:

<forward connection-auth="yes">http://backend.example.com$0</forward>

This propagates the normal HTTP authentication headers straight through as a normal proxied request and passes them to the user. The user's browser then fills in the details and sends the authentication response back through the proxy to the backend server. If the backend server accepts the NTLM credentials, the user is given access to the resource.

Additional Information:

The reason you need the extra setting is the way NTLM authentication works. NTLM authenticates the "connection" as belonging to the user, so any other requests sent down that socket to the backend are considered to come from the same (authenticated) user.

That is obviously a real problem for a proxy that runs a pool of connections to the backend and passes requests from different users along the same pool of connections. Adding connection-auth="yes" means the proxy will not use the normal backend connection pool, but the connection oriented pool, which maintains individual sockets per authenticated user:

<connection-pool name="connection oriented authentication">
    connection-timeout="10 seconds"
    max-size="200"
    enabled="yes"
</connection-pool>
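To show why the dedicated pool matters, here is an added Python model (not part of this article and not CA Secure Gateway code) of a backend that, like NTLM, binds the authenticated identity to the socket rather than to the request; the toy backend, both pool classes and the request lists are constructed for illustration only.

```python
"""Toy model of connection-level (NTLM-style) authentication behind a proxy.
Added example, not from the KB article or from CA Secure Gateway itself:
once a handshake succeeds on a socket, that socket "is" the user and later
requests on it are served without the credentials being checked again."""
from dataclasses import dataclass
from itertools import cycle
from typing import Optional

@dataclass
class Connection:
    conn_id: int
    authenticated_user: Optional[str] = None   # set by a successful handshake

class NtlmBackend:
    def handle(self, conn: Connection, user: str, creds_ok: bool) -> str:
        """Serve one request; identity comes from the socket, not the request."""
        if conn.authenticated_user is None:
            if not creds_ok:
                return "401"                   # handshake failed, socket stays anonymous
            conn.authenticated_user = user     # handshake succeeded, socket bound to user
        return f"200 as {conn.authenticated_user}"

class SharedPool:
    """The normal backend pool: sockets are handed out round-robin to any user."""
    def __init__(self, size: int):
        self._conns = cycle([Connection(i) for i in range(size)])

    def acquire(self, user: str) -> Connection:
        return next(self._conns)               # ignores who is asking

class ConnectionOrientedPool:
    """The connection oriented pool: one dedicated socket per authenticated user."""
    def __init__(self, max_size: int):
        self._by_user = {}                     # user -> Connection
        self._max = max_size                   # mirrors max-size in the pool config

    def acquire(self, user: str) -> Connection:
        if user not in self._by_user:
            if len(self._by_user) >= self._max:
                raise RuntimeError("connection oriented pool is full (max-size)")
            self._by_user[user] = Connection(len(self._by_user))
        return self._by_user[user]

def proxy(pool, requests):
    """Push (user, creds_ok) requests through a proxy using `pool`; return replies."""
    backend = NtlmBackend()
    return [backend.handle(pool.acquire(user), user, ok) for user, ok in requests]
```

With the shared pool, a second user's request reuses a socket that is already authenticated as the first user, so the backend serves it under the wrong identity even when that user's credentials are bad; the connection oriented pool keeps each user's handshake on its own socket and refuses new users once max-size is reached.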

You can keep track of the number of currently open connections via the netstat -an command.

Environment

Release: ETRSBB99000-12.52-SiteMinder-B to B
Component: