Windows credentials prompt for users trying to log in to a SiteMinder-protected application

Article ID: 51444

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Description:

A new web server was added to an existing web farm in which all servers run Web Agent 6.0QMR6. The agent installed successfully and triggers protection on the protected content. However, some users who are served by this server get a Windows prompt just before their credentials are posted to the .fcc form.

Review of the transactions hitting the problematic web server showed authentication and authorization failures even though the users had sufficient privileges to access the requested protected resources:

[13:24:54][** Status: Not Authenticated. ][lab_wa][][LABNET\user1]           
[11/13/2008][13:25:30][LABNET\user1][** Status: Not Authenticated.][lab_wa][]       
[13:29:42][** Status: Not Authenticated. ][lab_wa][][LABWEB\user2]       
[11/13/2008][13:29:42][LABWEB\user2][** Status: Not Authenticated.][lab_wa][]       
[13:39:30][** Status: Not Authenticated. ][lab_wa][][LABNET\user3]       
[11/13/2008][13:39:33][LABNET\user3][** Status: Not Authenticated.][lab_wa][]  

Solution:

Analysis of the metabase of the IIS 5 web server, which was configured for the NTLM authentication scheme, showed that the Web Agent had been installed on a virtual directory that existed on that server:

[/LM/W3SVC/3/Root/siteminderagent]           
{AccessFlags}       
6016="03EE","01","02","01","353137"       
{DirBrowseFlags}       
6005="06C3","01","02","01","31303733373431383836"       
{Win32Error}       
1099="031A","01","01","01","30"       
{KeyType}       
1002="0974","00","01","02","4949735765625669727475616C446972"       
{Path}       
3001="1541","01","02","02","443A5C50726F6772616D2046696C65735C6E65746567726974       
795C7765626167656E745C73616D706C6573"  

The client uninstalled and reinstalled the SiteMinder Web Agent so that the agent is installed on a per-server basis and the related mapping is at the server level for that IIS web server.
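The property values in the metabase entry above are hex strings, which makes the key type and path hard to read at a glance. The following added example (not part of the original article and not CA tooling) decodes an excerpt of that dump and reports any siteminderagent key that is registered as a virtual directory. The function names are hypothetical, and it assumes the last quoted field of each property line is the value as hex-encoded ASCII, which is how the values on this page decode.

```python
import re

# Excerpt of the metabase dump shown in the article; the Path value wraps
# onto a second line here, as it does on the page.
DUMP = '''[/LM/W3SVC/3/Root/siteminderagent]
{KeyType}
1002="0974","00","01","02","4949735765625669727475616C446972"
{Path}
3001="1541","01","02","02","443A5C50726F6772616D2046696C65735C6E65746567726974
795C7765626167656E745C73616D706C6573"
'''

def parse_metabase_dump(text):
    """Return {metabase_key: {property_name: decoded_value}}."""
    keys, key, name, pending = {}, None, None, ""
    for line in filter(None, map(str.strip, text.splitlines())):
        if pending:                          # continuation of a wrapped value
            pending += line
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            keys[key] = {}
            continue
        elif line.startswith("{") and line.endswith("}"):
            name = line[1:-1]
            continue
        else:
            pending = line
        if pending.count('"') % 2:           # odd quote count: value still open
            continue
        fields = re.findall(r'"([^"]*)"', pending)
        pending = ""
        if key is None or name is None or not fields:
            continue
        # Assumption: the last quoted field is the value as hex-encoded ASCII.
        try:
            keys[key][name] = bytes.fromhex(fields[-1]).decode("ascii")
        except ValueError:                   # not hex/ASCII: keep the raw field
            keys[key][name] = fields[-1]
    return keys

def agent_virtual_dirs(keys):
    """siteminderagent keys registered as virtual directories, with their Path."""
    return {k: p.get("Path") for k, p in keys.items()
            if k.lower().endswith("/siteminderagent")
            and p.get("KeyType") == "IIsWebVirtualDir"}

if __name__ == "__main__":
    for k, path in agent_virtual_dirs(parse_metabase_dump(DUMP)).items():
        print(f"{k}: virtual directory -> {path}")
```

Running the same check against dumps from the other servers in the farm shows whether the new server is the only one carrying a site-level siteminderagent virtual directory.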

Environment

Release:
Component: SMIIS