How does CA SSO Kerberos authentication work?
1. The user signs into their workstation with their Windows logon
2. Windows sends a Kerberos authentication request (AS_REQ) to the domain controller
3. The domain controller returns a Kerberos authentication response (AS_REP) containing a ticket granting ticket (TGT)
4. Windows populates the LSA (Local Security Authority) credential cache with the TGT
5. The user opens their browser and sends an HTTP request to a URL protected by the SiteMinder Kerberos authentication scheme
6. The Web Agent sends an IsProtected() call to the Policy Server
7. The Policy Server answers the IsProtected() call with the realm and the authentication scheme URL
8. The Web Agent redirects the browser to the Authentication Scheme URL (Kerberos credentials collector (KCC))
9. The browser follows the redirect, requesting the KCC
10. The KCC responds to the user with an HTTP Negotiate challenge (a 401 response carrying a WWW-Authenticate: Negotiate header)
11. The browser retrieves the TGT from the LSA cache
12. Using the TGT, the browser obtains from the KDC a service ticket for the KCC's service principal (HTTP/<KCC host name>), builds a security token from it, and sends a base-64 encoded copy of the token to the KCC in the Authorization: Negotiate header
13. The KCC initializes the Kerberos credential cache with the web server principal's credentials
14. The KCC retrieves the security token sent by the browser
15. The KCC accepts the security token via GSSAPI
16. The Web Agent reads the krb5.ini file
17. GSSAPI retrieves the web server principal’s credentials from keytab file
18. GSSAPI returns the user principal's delegated credentials
19. The KCC initializes a delegated security token via GSSAPI on behalf of the delegated credentials
20. GSSAPI retrieves the web server principal’s credentials
21. GSSAPI requests a forwarded TGT on behalf of the delegated credentials (Windows includes forwardable credentials in the browser's token only if the account behind the KCC's service principal is trusted for delegation in Active Directory, so that setting must be in place for this step to succeed)
22. The KDC returns the new forwarded TGT
23. GSSAPI returns a delegated security token
24. GSSAPI returns the delegated user's principal name
25. The KCC prepares SiteMinder user credentials, setting the username to the user principal and the password to the delegated security token
26. The Web Agent sends a login request using the SiteMinder user credentials via the SiteMinder Agent API
27. The Policy Server receives the login request and calls the authentication scheme to disambiguate the user
28. The authentication scheme constructs a directory search query based upon the user principal and returns the query to the Policy Server
29. The Policy Server disambiguates the user using the directory search query
30. The Policy Server passes the SiteMinder credentials to the authentication scheme for authentication
31. The authentication scheme initializes the Kerberos credential cache with the Policy Server principal's credentials
32. The authentication scheme accepts the delegated security token via GSSAPI
33. The Policy Server reads the krb5.ini file
34. GSSAPI retrieves the Policy Server principal's credentials from the keytab file
35. GSSAPI returns the accepted security context
36. The authentication scheme queries the delegated security token for its principal
37. The authentication scheme verifies that the delegated security token's principal matches the intended principal
38. The Web Agent generates the SMSESSION cookie
39. The browser is redirected back to the target resource and presents the SMSESSION cookie
40. The Web Agent sends an IsAuthorized() call to the Policy Server
41. The Policy Server returns the IsAuthorized() result to the Web Agent
42. The Web Agent serves the protected content page