ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

How to Troubleshoot Integrated Windows Authentication (IWA)?


Article ID: 51398


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On



This is an easy way to test if you have Integrated Windows Authentication (IWA) configured properly .



Component: SMPLC



For Integrated Windows Authentication, it is IIS that does the authentication, not SiteMinder. SiteMinder Web Agent does not do any authentication for IWA, Siteminder Web Agent trusts the credentials accepted by the IIS and send it to Policy Server for Siteminder authentication and authorization.

To verify that Windows Authentication on IIS is working correctly by performing the following steps.

  1. Disable the Web agent and restart IIS.
  2. Change the Internet Explorer logon setting from "Automatic Logon ..." to "Prompt for user name and password" and quit and restart IE.

    (This may require a logout if an application is using an IE session.)
  3. Attempt to access http://YouServer/siteminderagent/ntlm/creds.ntc (Must be 2 dot FQDN )
  4. You should be prompted for credentials by IIS
  5. Provide credentials. Try this step twice,
    1. Once with the user that you are logged in as,
    2. Once with another valid user that has permission to access this application.
  6. If IIS Windows Authentication is configured correctly, you should receive a '404' error, since creds.ntc does not exist.
  7. If you receive a 401 or 403 error, the user does not have permission to access the credentials collector. This will prevent user credentials from being passed to SiteMinder. You will need to correct the Windows security settings for this resource in order for the authentication scheme to work.
  8. Make sure that on the IIS where the Windows Authentication occurs, set "Anonymous
    Authentication" to disabled;