Set Up Credential Collectors for IIS and Domino Web Servers

IIS and Domino web servers require mapping of MIME types (represented as file extension parameters) in your Web Agent configuration. Use the following procedure to configure credential collectors for IIS and Domino web servers.

Follow these steps:

  1. Map the specific MIME types for use with each credential collector. We recommend using the default values shown in the following table:

     Agent Configuration Parameter   Credential Collector             MIME Type
     CCCExt                          Cookie Provider                  .ccc
     FCCExt                          Forms Credential Collector       .fcc
     SCCExt                          SSL Credential Collector         .scc
     SFCCExt                         SSL Forms Credential Collector   .sfcc
     NTCExt                          NTLM Credential Collector        .ntc
     KCCExt                          Kerberos Credential Collector    .kcc

Note: If you do not want to use the default extensions or the defaults are already in use for other purposes, enter the extensions that you want instead. For example, if you set FCCExt to .myext for the FCC, and rename the FCC template to use this extension, for example, login.myext, the agent recognizes URLs ending in .myext as forms authentication requests.

The credential collectors are set.

Enable FCCs and SCCs to Use Agent Names as Fully Qualified Host Names

To enable the forms and SSL credential collectors to use the fully qualified host name of the target URL as an Agent name, define the AgentNamesAreFQHostNames configuration parameter.

For example, if the AgentNamesAreFQHostNames parameter is set to Yes, the www.nete.com portion of the following URL string serves as the Web Agent name:

url?A=1&Target=http://www.nete.com/index.html

The credential collector uses this parameter in the following situations:

If the AgentNamesAreFQHostNames parameter is set to No, the credential collector uses the value of the DefaultAgentName parameter as the name of the target Web Agent.

Configure the FCC to Use a Single Resource Target

To configure the FCC to direct users to a single resource, hard-code the target in the login.fcc template file.

Follow these steps:

  1. Open the login.fcc file, which is located in agent_home/Samples.
  2. Add @target=target_resource to the FCC.
  3. Add the following entry:

    @smagentname=agent_name_protecting_resource

    For example: @smagentname=mywebagent

  4. Set the EncryptAgentName parameter to no. This setting is required because no method exists to encrypt the agent name after you hard-code it in the file.
  5. Set the EncryptAgentName parameter to no for any other agent using this FCC.

Note: For more information, see the Policy Server documentation.

Use a Relative Target for Credential Collector Redirects

Optionally, instruct an agent to use a relative URI instead of a fully qualified URL when directing requests to a credential collector and target resource. Using a relative URI prevents credential collectors on other systems with Web Agents from processing requests.

Note: This setting applies to all credential collectors except the cookie credential collector (CCC). The CCC must use a fully-qualified domain name for this parameter. OnAuthAccept responses will not work properly with a CCC if a relative URI is used.

Typically, a fully qualified URL is appended to the credential collector URL. For example:

url?A=1&Target=http://www.nete.com/index.html

To use only a relative URI, set the TargetAsRelativeURI parameter to yes. If set to yes, the target parameter that is appended to the credential collector URL is a relative target, such as url?A=1&Target=/index.html. In turn, when the credential collector redirects back to the Web Agent protecting the target resource, it is a relative redirect. Also, the Web Agent rejects any target that does not begin with a forward slash (/).

The default value for this parameter is no, so a fully qualified URL is always used.

Define Valid Target Domains

To configure SiteMinder Agents to help protect your resources from phishing attempts that could redirect users to a hostile website, set the following configuration parameter:

ValidTargetDomain

Specifies the domains to which a credential collector is allowed to redirect users. If the domain in the URL does not match the domains set in this parameter, the redirect is denied.

Default: No.

All advanced authentication schemes, including forms credential collectors (FCCs), support this parameter.

The ValidTargetDomain parameter identifies the valid domains for the target during processing. Before the user is redirected, the agent compares the values in the redirect URL against the domains in this parameter. Without this parameter, the agent redirects the user to targets in any domain.

The ValidTargetDomain parameter can include multiple values, one for each valid domain.

For local Web Agent configurations, specify one entry per line for each domain. For example:

validtargetdomain=".xyzcompany.com"
validtargetdomain=".abccompany.com"
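
The two target checks described above (TargetAsRelativeURI and ValidTargetDomain), as an added Python sketch that is not SiteMinder code. It assumes that a leading-dot entry matches the bare domain and any subdomain on a label boundary; the function names and the sample configuration are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample of local agent configuration lines (same format as above).
SAMPLE_CONFIG = """
validtargetdomain=".xyzcompany.com"
validtargetdomain=".abccompany.com"
"""

def load_valid_domains(config_text):
    """Collect every validtargetdomain value, lower-cased."""
    domains = []
    for line in config_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip().lower() == "validtargetdomain":
            domains.append(value.strip().strip('"').lower())
    return domains

def target_allowed(target, valid_domains, relative_only=False):
    """Return True if a redirect to `target` passes the modelled checks.

    relative_only models TargetAsRelativeURI=yes: the target must begin with
    a forward slash. Otherwise the host of the fully qualified URL must fall
    inside one of valid_domains (assumed: dot-boundary suffix match).
    """
    if relative_only:
        # Extra strictness in this sketch (not documented agent behaviour):
        # "//host/path" is scheme-relative, so it is not treated as local.
        return target.startswith("/") and not target.startswith(("//", "/\\"))
    try:
        parts = urlsplit(target)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False  # malformed URL: refuse rather than guess
    if parts.scheme not in ("http", "https") or not host:
        return False
    for domain in valid_domains:
        bare = domain.lstrip(".")
        # Compare on a label boundary so "notxyzcompany.com" does not match.
        if host == bare or host.endswith("." + bare):
            return True
    return False

if __name__ == "__main__":
    domains = load_valid_domains(SAMPLE_CONFIG)
    for t in ("http://www.xyzcompany.com/index.html", "http://www.nete.com/index.html"):
        print(t, target_allowed(t, domains))
```

The sketch denies every fully qualified target when the domain list is empty, whereas the agent, as stated above, redirects to any domain when ValidTargetDomain is not set.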