

Windows Authentication Schemes

Integrated Windows Authentication (IWA) is a proprietary mechanism developed by Microsoft to validate users in pure Windows environments. IWA enforces Single Sign-On by allowing Windows to gather user credentials during the initial interactive desktop login process and subsequently transmitting that information to the security layer. CA SiteMinder®, using the Windows Authentication scheme, secures resources by processing user credentials obtained by the Microsoft Integrated Windows Authentication infrastructure.

Previous versions of CA SiteMinder® supported Windows authentication through the NTLM authentication scheme. However, this support was limited to environments with NT Domains or where the Active Directory service is configured to support legacy NT Domains in mixed mode.

The Windows authentication scheme allows CA SiteMinder® to provide access control in deployments with Active Directories running in native mode, as well as Active Directories configured to support NTLM authentication. The Windows Authentication scheme replaces CA SiteMinder®’s previous NTLM authentication scheme. Existing NTLM authentication schemes continue to be supported and can be configured using the new Windows Authentication scheme.

Note: In some circumstances, you may want to combine Windows User Security Context functionality with other authentication schemes instead of using the Windows authentication scheme.

The Windows authentication scheme can be used for resources that are protected by Web Agents on IIS Web servers, and whose users access resources via Internet Explorer Web browsers. This scheme relies on a properly-configured IIS Web server to acquire and verify a user’s credentials. The Policy Server bases authorization decisions on the user’s identity as asserted by the IIS server.

More information:

Windows User Security Context Requirements

Verify that Windows Authentication Prerequisites Are Met

Verify that the following prerequisites are met before configuring a Windows authentication scheme:

More information:

Configure Automatic Logon for Internet Explorer

Review Windows Authentication Scheme Considerations

The IIS web server, not the Policy Server, performs authentication based on the credentials it receives from the Internet Explorer web browser. Therefore, you cannot use the OnAuthAttempt authentication event to redirect users who do not exist in the user store.

Configure a Windows Authentication Scheme

You can use a Windows authentication scheme to authenticate users in a Windows environment.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.

Follow these steps:

  1. Click Infrastructure, Authentication.
  2. Click Authentication Schemes.

    The Authentication Schemes page appears.

  3. Click Create Authentication Scheme.

    Verify that the Create a new object of type Authentication Scheme is selected.

  4. Click OK.

    The Create Authentication Scheme page appears.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  5. Enter a name and protection level.
  6. Select Windows Authentication Template from the Authentication Scheme Type list.

    Scheme-specific settings appear.

  7. Enter Server Name, Target, and User DN information. If your environment requires NT Challenge/Response authentication, obtain the following values from the agent owner:

    Server Name

    The fully qualified domain name of the IIS web server, for example:

    server1.myorg.com

    Target

    /siteminderagent/ntlm/smntlm.ntc

    Note: The directory must correspond to the virtual directory already configured by the installation. The target file, smntlm.ntc, does not need to exist and can be any name that ends in .ntc or the custom MIME type that you use in place of the default.

    Library

    smauthntlm
  8. Click Submit.

    The authentication scheme is saved and can be assigned to a realm.
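The values entered in step 7 are easy to mistype, and a scheme that points at a short host name or a target outside the agent's virtual directory fails only at login time. The following Python script is an added example, not part of the original page or of the CA SiteMinder® product, that checks a proposed set of scheme settings before you submit them. It assumes the installation's virtual directory is the one shown in the page's example (/siteminderagent/ntlm/); the directory and the custom extension are parameters so you can match your own installation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Values shown in the procedure above (the directory is the installation default
# used in the page's example; adjust it if your agent's virtual directory differs).
DEFAULT_TARGET_DIR = "/siteminderagent/ntlm/"
DEFAULT_TARGET_EXT = ".ntc"
EXPECTED_LIBRARY = "smauthntlm"

# One DNS label: 1-63 characters, letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass
class WindowsSchemeSettings:
    """Hypothetical container for the fields entered on the Create Authentication Scheme page."""
    server_name: str
    target: str
    library: str = EXPECTED_LIBRARY
    # Extension of a custom MIME type used in place of .ntc, if one is configured on the agent.
    custom_extension: Optional[str] = None
    target_dir: str = DEFAULT_TARGET_DIR


def is_fqdn(name: str) -> bool:
    """True when name is a fully qualified host name: at least two valid labels joined by dots."""
    host = name[:-1] if name.endswith(".") else name  # tolerate a trailing root dot
    if not host or len(host) > 253:
        return False
    labels = host.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def check_settings(settings: WindowsSchemeSettings) -> List[str]:
    """Return a list of problems; an empty list means the settings match the page's rules."""
    problems: List[str] = []

    # Server Name must be the IIS server's fully qualified domain name, e.g. server1.myorg.com.
    if not is_fqdn(settings.server_name):
        problems.append(
            f"Server Name {settings.server_name!r} is not a fully qualified domain name"
        )

    # Target must sit inside the virtual directory created by the installation ...
    if not settings.target.startswith(settings.target_dir):
        problems.append(
            f"Target {settings.target!r} is not under the virtual directory {settings.target_dir!r}"
        )
    else:
        # ... and name a file directly in that directory (it need not exist on disk).
        filename = settings.target[len(settings.target_dir):]
        if not filename or "/" in filename:
            problems.append(f"Target {settings.target!r} must name a file in {settings.target_dir!r}")

    # The file name must end in .ntc, or in the custom MIME type's extension if one replaces it.
    allowed_ext = settings.custom_extension or DEFAULT_TARGET_EXT
    if not settings.target.lower().endswith(allowed_ext.lower()):
        problems.append(f"Target {settings.target!r} does not end in {allowed_ext!r}")

    # The NT Challenge/Response scheme is implemented by the smauthntlm library.
    if settings.library != EXPECTED_LIBRARY:
        problems.append(f"Library {settings.library!r} should be {EXPECTED_LIBRARY!r}")

    return problems


if __name__ == "__main__":
    # Constructed sample: the values from the page's own example.
    proposed = WindowsSchemeSettings("server1.myorg.com", "/siteminderagent/ntlm/smntlm.ntc")
    for problem in check_settings(proposed) or ["settings look consistent"]:
        print(problem)
```

Run the check on the values you intend to enter; each reported line maps to one field in step 7. The host-name test is deliberately strict because IWA on the browser side depends on the server being addressed by a name the client resolves and trusts, so a bare short name is the most common cause of a scheme that silently falls back to prompting for credentials.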