How to Configure Certain Settings for the Agent for IIS Manually

In some situations, the CA SiteMinder® Agent configuration programs cannot add the proper settings to all the IIS web server directories which need them.

Configure the CA SiteMinder® Agent for IIS settings manually in any of the following situations:

Set Permissions Manually for Non-Default Log Locations

If you decide to store your agent log files in a non-default directory, grant your application pools permissions to that directory. For example, if you want to store your log files in a directory named C:\MyLogFiles, grant permissions for all your application pool identities to C:\MyLogFiles.

Microsoft provides a command-line utility, icacls.exe, that you can use to set the appropriate permissions. This procedure provides one possible example of a way to set permissions using tools or utilities provided by third-party vendors.

Important! CA provides this information only as an example of one possible method of configuring CA SiteMinder® without using the programs and utilities tested and approved by CA. Microsoft provides the icacls.exe command as part of the Windows operating environment. You may choose to use the following examples as a guide to grant file permissions for the agent for IIS. This command and the syntax shown are subject to change by Microsoft at any time and without notice. For more information, go to the Microsoft Support website, and search for "icacls".

Follow these steps:

  1. Open a Command Prompt Window on your IIS web server.

    Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command-line window with administrator permissions. Open the command-line window this way, even if your account has administrator privileges.

  2. Run the icacls command. Use the following example as a guide:
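    icacls log_directory /grant "IIS AppPool\application_pool_identity":permissions
    
    log_directory

    Specifies the non-default log directory to which you must grant permissions.

    application_pool_identity

    Specifies the identity of the application pool associated with the application protected by CA SiteMinder® on your IIS web server. Enclose the full account name in quotation marks, because "IIS AppPool" contains a space.

    permissions

    Specifies the permissions to grant, in icacls syntax. The application pool identity must be able to write the agent log files to the directory.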

  3. Repeat Step 2 for each application pool identity on your IIS web server. For example, if you have two application pools, grant permissions to both.
  4. If you have an IIS server farm using Shared Configuration, repeat Steps 1 through 3 for each IIS web server in the farm.

    The permissions are set.

Change IIS Settings Manually for CA SiteMinder® Authentication Schemes Requiring Certificates

If you use CA SiteMinder® authentication schemes that request or require certificates, change the settings manually on your IIS web server for the following virtual directories:

Follow these steps:

  1. Open IIS manager.
  2. Expand your web server.

    The Application pools icon and Sites folder appear.

  3. Expand Sites.
  4. Expand the website associated with your authentication scheme that requires certificates.

    The siteminderagent virtual folder appears.

  5. Expand the siteminderagent virtual folder.
  6. Click the cert folder.
  7. Double-click SSL Settings.
  8. Select the Require SSL check box, and then click the Require option button.
  9. Under Actions, click Apply.
  10. Click the certoptional folder.
  11. Double-click SSL Settings.
  12. Click the Accept option button.
  13. Under Actions, click Apply.
  14. Repeat Steps 3 through 14 for other websites on your IIS web server that require certificates.
  15. For IIS server farms using Shared Configuration, repeat Steps 1 through 15 on each IIS web server in your farm.

    The settings are changed.
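
To confirm the SSL settings from the procedure above on every website at once, the following PowerShell sketch (an added example, not CA or Microsoft code) reads location entries shaped like those in applicationHost.config and checks the sslFlags value recorded for each siteminderagent cert and certoptional folder. It assumes PowerShell 3.0 or later, and that IIS Manager records "Require SSL" with "Require" as Ssl, SslNegotiateCert, SslRequireCert and "Accept" as SslNegotiateCert; the function name and the sample XML are constructed for illustration.

```powershell
# Added example: audit sslFlags for the siteminderagent certificate folders.
# $sampleConfig is constructed data shaped like applicationHost.config.
$sampleConfig = @'
<configuration>
  <location path="Default Web Site/siteminderagent/cert">
    <system.webServer><security>
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
    </security></system.webServer>
  </location>
  <location path="Default Web Site/siteminderagent/certoptional">
    <system.webServer><security>
      <access sslFlags="SslNegotiateCert" />
    </security></system.webServer>
  </location>
  <location path="Intranet/siteminderagent/cert">
    <system.webServer><security>
      <access sslFlags="Ssl" />
    </security></system.webServer>
  </location>
</configuration>
'@

# Assumed flag sets for the "Require" (cert) and "Accept" (certoptional) options.
$required = @{
    'cert'         = @('Ssl', 'SslNegotiateCert', 'SslRequireCert')
    'certoptional' = @('SslNegotiateCert')
}

function Test-SiteMinderCertFolders {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$ConfigXml)
    $doc = [xml]$ConfigXml
    foreach ($loc in $doc.SelectNodes('/configuration/location')) {
        $path = $loc.GetAttribute('path')
        if (-not ($path -match '/siteminderagent/(cert|certoptional)$')) { continue }
        $folder = $Matches[1]
        $access = $loc.SelectSingleNode('system.webServer/security/access')
        $flags = @()
        if ($null -ne $access) { $flags = @($access.GetAttribute('sslFlags').Trim() -split '\s*,\s*') }
        $missing = @($required[$folder] | Where-Object { $flags -notcontains $_ })
        # "Accept" means a client certificate is optional, so SslRequireCert is a mismatch there.
        $extra = @($flags | Where-Object { $folder -eq 'certoptional' -and $_ -eq 'SslRequireCert' })
        [pscustomobject]@{
            Path = $path; SslFlags = ($flags -join ','); Missing = ($missing -join ',')
            Unexpected = ($extra -join ','); Ok = ($missing.Count + $extra.Count -eq 0)
        }
    }
}

Test-SiteMinderCertFolders -ConfigXml $sampleConfig | Format-Table -AutoSize
```

With the constructed sample, the two Default Web Site folders report Ok as True and Intranet/siteminderagent/cert reports SslNegotiateCert,SslRequireCert as missing. Against a live server, pass the text of the applicationHost.config file that the server actually loads instead of $sampleConfig.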