ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Error : 403 Forbidden Error in IWA Windows Authentication Web Agent

book

Article ID: 5044

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On CA Single Sign On Agents (SiteMinder) SITEMINDER

Issue/Introduction

 

After updating IIS 7 Web Agents from 12.0 to 12.51, IWA Authentication
stops working, and the browsers recieve 403 Forbidden errors. After
uninstalling the Web Agent, and reinstalling 12.0, functionality is
restored.

In the web agent logs, the following can be seen :

  [12/05/2016][18:23:12][4077976432][][][][][][][][][][][][][federation agent][** Received request from agent][][]
  [12/05/2016][18:23:12][4077976432][][][][][][][][][][][][][][Look up a cached object.][][]
  [12/05/2016][18:23:12][4077976432][][][][][][][][][][][][][][Enter function CSm_Auth_Message::AnalyzeAgentAuthMessage][][]
  [12/05/2016][18:23:12][4077976432][][][][][][][][][][][][][][Retrieve an object from the object cache.][][]
  [12/05/2016][18:23:12][4077976432][][][][][][][][][][][][][][Retrieve an object from the object cache.][][]
  [12/05/2016][18:23:12][4077976432][][][][][][][][][][][][][][Leave function CSm_Auth_Message::AnalyzeAgentAuthMessage][][]
  [12/05/2016][18:23:12][4077976432][][][][][][][][][][][][][][Enter function CSm_Auth_Message::AuthenticateUser][][]
  [12/05/2016][18:23:12][4077976432][IISTESTIWA][][][5][0][Integrated Windows Authentication][NT AUTHORITY\IUSR][][/IISTESTIWA/][][][][federation agent][Authenticating user.][][]

 

Cause

 

Between 12.0 and 12.51, there was a change in the default values of
IIS in the "inlinecredentials" ACO parameter. This allows the webagent
to use the Anonymous Authentication, rather than using Windows
Authentication. If IIS has Anonymous Authentication enabled, this will
use the IUSR user, rather than the user specified with Windows
Authentication, and ignore the Windows Authentication.

 

Environment

 

 Applies to all supported environments upgrading from 12.0 to at least
 12.51 and later

 

Resolution

 

Do one of two things:

  1. Set inlinecredentials ACO parameter to be "no" (1). This will prevent
     Single Sign On from utilizing Anonymous Authentication.

  2. Set IIS Anonymous Authentication to be "false" (2). This will allow
     IIS to use Windows Authentication.

 

Additional Information

 

(1)

    Configure Agents for IIS to Obtain User Credentials Without
    Redirecting to an NTLM Credential Collector (NTC)

      To configure an agent to obtain credentials of the user from the HTTP
      request without redirecting to an NTC, set the InlineCredentials
      configuration parameter as follows:

      InlineCredentials

      Specifies how the Agent for IIS handles user credentials. When the
      value of this parameter is yes, the Agent for IIS reads the
      credentials directly from the HTTP request. When the value of this
      parameter is no, the Agent redirects to an NTC credential collector.

      Default: No

      Note: If any CA Single Sign-On Agents in your environment are
      configured to use NTC redirects, configure NT challenge/response
      authentication.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-52-01/configuring/web-agent-configuration/advanced-configuration-settings/iis-web-server-settings.html#concept.dita_418cf38d77f7633174c47e612aca70f3923875af_ConfigureAgentsforIIStoObtainUserCredentialsWithoutRedirectingtoanNTLMCredentialCollectorNTC

(2)

    Configure Agents for IIS to Support NT Challenge/Response
    Authentication

      You can implement NT challenge/response authentication in either
      of the following ways:

      Challenge users when they try to access protected
      resources. Users in single-sign on environments are only
      challenged the first time that they request a resource.

      Have your users configure the automatic logon feature of their
      Internet Explorer browser.

      The automatic logon feature allows users to access a resource
      without being challenged. The authentication process still takes
      place, but the NT challenge/response process between the browser
      and the server is transparent to the user. Automatic logon is
      typically used for Intranets where security is less strict and
      you want users to have seamless access to resources. We do not
      recommend using the Automatic logon feature for communication
      across the Internet.

      CA Single Sign-On Agents use credential collectors to gather the
      Windows credentials of users for the NT challenge/response
      authentication scheme. The agent supports the NTC extension for
      collecting NTLM credentials.

      [...]

      Create and Configure the Virtual Directory for Windows
      Authentication Schemes (IIS 7.5)

 8. Do the following steps:
 
  a. Right-click Anonymous Authentication, and then select
          Disable.
    
    b. Right-click Windows Authentication, and then select
          Enable.
   
The virtual directory for Windows authentication schemes is
 configured.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-52-01/configuring/web-agent-configuration/advanced-configuration-settings/iis-web-server-settings.html#concept.dita_418cf38d77f7633174c47e612aca70f3923875af_ConfigureAgentsforIIStoSupportNTChallengeResponseAuthentication