search cancel

How to Troubleshoot Integrated Windows Authentication (IWA NTLM)

book

Article ID: 51398

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On SITEMINDER CA Single Sign On Agents (SiteMinder)

Issue/Introduction

 

This is an easy way to test the Integrated Windows Authentication
(IWA NTLM) configured properly.

 

Resolution

 

For Integrated Windows Authentication, IIS does the authentication,
not SiteMinder. SiteMinder Web Agent doesn't do any authentication for
IWA, Siteminder Web Agent trusts the credentials accepted by the IIS
and sends them to Policy Server for Siteminder authentication and
authorization.

To verify that Windows Authentication on IIS is working correctly by
performing the following steps.

  1. Disable the Web agent and restart IIS;

  2. Change the Internet Explorer logon setting from

     "Automatic Logon..."

     to

     "Prompt for user name and password"

     and quit and restart IE.

     (This may require a logout if an application is using an IE session.);

  3. Attempt to access http://FQDN/siteminderagent/ntlm/creds.ntc (Must
     be 2 dot FQDN );

  4. A prompt for credentials by IIS should show up;

  5. Provide credentials. Try this step twice,

     - Once with the specific user;
     - Once with another valid user that has permission to access this
       application;

  6. If IIS Windows Authentication is configured correctly, a '404'
     error should be seen in the browser, since creds.ntc does not
     exist;

  7. If receiving a 401 or 403 error, the user doesn't have permission
     to access the credentials collector. This will prevent user
     credentials from being passed to SiteMinder. Correct the Windows
     security settings for this resource in order for the
     authentication scheme to work.

  8. Make sure that on the IIS where the Windows Authentication occurs,
     set "Anonymous Authentication" to disabled;