IWA authentication fails with a 403 Forbidden Error

Article ID: 5044

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

After updating my IIS 7 web agents from 12.0 to 12.51, I can no longer get IWA to work properly, and we are receiving 403 Forbidden errors. After uninstalling the web agent and reinstalling 12.0, functionality is restored.

In the web agent logs, we see the following:

[12/05/2016][18:23:12][4077976432][][][][][][][][][][][][][federation agent][** Received request from agent][][]

[12/05/2016][18:23:12][4077976432][][][][][][][][][][][][][][Look up a cached object.][][]

[12/05/2016][18:23:12][4077976432][][][][][][][][][][][][][][Enter function CSm_Auth_Message::AnalyzeAgentAuthMessage][][]

[12/05/2016][18:23:12][4077976432][][][][][][][][][][][][][][Retrieve an object from the object cache.][][]

[12/05/2016][18:23:12][4077976432][][][][][][][][][][][][][][Retrieve an object from the object cache.][][]

[12/05/2016][18:23:12][4077976432][][][][][][][][][][][][][][Leave function CSm_Auth_Message::AnalyzeAgentAuthMessage][][]

[12/05/2016][18:23:12][4077976432][][][][][][][][][][][][][][Enter function CSm_Auth_Message::AuthenticateUser][][]

[12/05/2016][18:23:12][4077976432][IISTESTIWA][][][5][0][Integrated Windows Authentication][NT AUTHORITY\IUSR][][/IISTESTIWA/][][][][federation agent][Authenticating user.][][]

Cause

Between 12.0 and 12.51, the default value of the "inlinecredentials" ACO parameter for IIS changed. With the new default, the web agent uses IIS Anonymous Authentication rather than Windows Authentication. If Anonymous Authentication is enabled in IIS, the request is processed as the IUSR account instead of the user established by Windows Authentication, so the Windows Authentication result is ignored.
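The trace line quoted above carries the symptom in a fixed field position: the scheme field says "Integrated Windows Authentication" while the user field is NT AUTHORITY\IUSR. The following script is an added example (not part of this article or the product) that splits the bracketed trace format and flags such lines so an administrator can confirm the fallback before changing the ACO parameter or the IIS setting; the field offsets are inferred from the sample line in this article and the sample input is constructed.

```python
import re
from typing import Dict, List

# A web agent trace line is a run of bracketed fields. Offsets below are taken
# from the "Authenticating user." line quoted in this article (19 fields per line).
FIELD_RE = re.compile(r"\[([^\]]*)\]")
IDX_TIME, IDX_SCHEME, IDX_USER, IDX_RESOURCE, IDX_MESSAGE = 1, 8, 9, 11, 16
EXPECTED_FIELDS = 19

# Constructed sample: the first line is the one quoted in the article; the other
# two are made-up lines showing a healthy IWA login and an unrelated trace entry.
SAMPLE_LINES = [
    r"[12/05/2016][18:23:12][4077976432][IISTESTIWA][][][5][0][Integrated Windows Authentication][NT AUTHORITY\IUSR][][/IISTESTIWA/][][][][federation agent][Authenticating user.][][]",
    r"[12/05/2016][18:24:40][4077976432][IISTESTIWA][][][5][0][Integrated Windows Authentication][CORP\jdoe][][/IISTESTIWA/][][][][federation agent][Authenticating user.][][]",
    r"[12/05/2016][18:24:41][4077976432][][][][][][][][][][][][][][Look up a cached object.][][]",
]


def parse_line(line: str) -> List[str]:
    """Split one trace line into its bracketed fields; empty brackets become ''."""
    return FIELD_RE.findall(line)


def is_anonymous_iwa(fields: List[str]) -> bool:
    """True when an IWA scheme authenticated the IIS anonymous account (IUSR)."""
    if len(fields) != EXPECTED_FIELDS or fields[IDX_MESSAGE] != "Authenticating user.":
        return False
    scheme_is_iwa = "Windows Authentication" in fields[IDX_SCHEME]
    # IUSR may appear as "NT AUTHORITY\IUSR" or as a machine-local "<HOST>\IUSR".
    user_is_iusr = fields[IDX_USER].upper().rsplit("\\", 1)[-1] == "IUSR"
    return scheme_is_iwa and user_is_iusr


def find_anonymous_iwa(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per line where IWA fell back to the anonymous IUSR account."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        if is_anonymous_iwa(fields):
            hits.append({"time": fields[IDX_TIME], "scheme": fields[IDX_SCHEME],
                         "user": fields[IDX_USER], "resource": fields[IDX_RESOURCE]})
    return hits


if __name__ == "__main__":
    for hit in find_anonymous_iwa(SAMPLE_LINES):
        print(f"{hit['time']} {hit['resource']}: {hit['scheme']} resolved to {hit['user']}; "
              "check the inlinecredentials ACO parameter and IIS Anonymous Authentication")
```

Feed it the agent trace file line by line; any hit means the request reached the web agent as IUSR, which is exactly the condition the Resolution below removes.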

Environment

Applies to all supported environments upgrading from 12.0 to at least 12.51

Resolution

Do one of the following:

1. Set the inlinecredentials ACO parameter to "no". This prevents Single Sign-On from using Anonymous Authentication.

2. Set IIS Anonymous Authentication to "false" (disable it). IIS will then use Windows Authentication.