Agent for Windows Authentication Guide › Installation Prerequisites for the Federation Agent for Windows

Installation Prerequisites for the Federation Agent for Windows

Install the Federation Agent for Windows Authentication on the same Windows or UNIX system where is installed. The following restrictions apply:

• The Federation Agent is incompatible with federation installations using the CA SiteMinder® Connector.
• The browser issuing a single sign-on (SSO) request cannot be on the same system as the federation server.

The CA SiteMinder® Federation Windows Agent has three modes of operation, depending on the choice of authentication protocol

• NTLM mode (supported only on Windows)
• Kerberos mode (supported on Windows and UNIX)
• Kerberos mode with failover to NTLM (supported only on Windows)

You select the mode of operation when you run the Agent configuration wizard.

The setup process for Federation Windows Agent includes the following steps:

1. Complete installation prerequisites, which vary depending on the mode of operation and the operating environment:
   • NTLM with the Agent on Windows
   • Kerberos with the Agent on Windows and the KDC on Windows
   • Kerberos with the Agent on Windows and the KDC on UNIX
   • Kerberos with the Agent on UNIX and the KDC on Windows
   • Kerberos with the Agent on UNIX and the KDC on UNIX
2. Install the Federation Agent for Windows.
3. Configure Federation Agent for Windows.
4. Configure the delegated authentication for the federation system.

NTLM Mode on a Windows System

Before you install the Federation Windows Agent on a Windows system using NTLM, complete the installation prerequisites.

1. Set up the domain controller on Windows for NTLM.
2. Configure Internet Explorer settings.

FM--Set up the Domain Controller on Windows for NTLM

Windows 2003 SP 1 Active Directory is the primary domain controller for the Windows Domain. This host provides storage for the user, service accounts, credentials, and Windows Domain services.

The Federation Agent generates an NTLM response message to the NTML challenge message sent by the relying party. The server at the relying party passes the challenge and the response to the domain controller. The response is an encrypted version of the challenge using the hash of the user password. The domain controller encrypts the challenge using the same hash of the password and compares it with the response generated at the asserting party. If they match, the authentication is complete. The domain controller informs the server at the relying party.

Follow these steps:

1. Promote Windows 2003 SP 1 Server to a domain controller using the Windows dcpromo utility.
2. Open the Active Directory Users and Computers dialog from Administrative tools.
3. Select Create a User Account.
4. Enter a password for creating this account.
5. Clear the option User Must Change Password at Next Logon.

The domain controller is deployed for NTLM.

Configure Internet Explorer for single sign-on. The procedures apply whether you are using NTLM or Kerberos as the authentication protocol.

More information:

Internet Explorer Configuration Settings

Kerberos Mode for a Windows System with a Windows KDC

Complete the installation prerequisites for the Federation Agent on a Windows system using Kerberos mode. The KDC is on a Windows system. Set up the domain controller for Kerberos on Windows.

1. Set up the Domain Controller on Windows for Kerberos.
2. Complete Additional Configuration for Kerberos on Windows
3. Configure Internet Explorer Settings

Set up the Domain Controller on Windows for Kerberos

When using Kerberos, the domain controller is the key distribution center (KDC) for the Kerberos realm. In a pure Windows 2003 environment, a Kerberos realm is equivalent to a Windows domain. The domain controller host provides storage for the user, service accounts, credentials, the Kerberos ticketing services, and Windows domain services.

A keytab file is required for Kerberos authentication, which lets users logged on to the federation system authenticate with the KDC without being prompted for a password. The keytab file is created with the ktpass utility. The ktpass command tool utility is a Windows support tool. The default encryption type is RC4-HMAC-NT, which can be confirmed by running ktpass /? at the command prompt. Also, confirm the Kerberos version number.

Follow these steps:

1. Promote Windows 2003 SP 1 Server to a domain controller using the Windows dcpromo utility.
2. Open the Active Directory Users and Computers dialog from Administrative tools.
3. Select Create a User Account.
4. Enter a password for this account.
5. Clear the User Must Change Password at Next Logon option.
6. Associate the Windows 2003 workstation account with a server principal name (for example, HTTP/IWAConnectorHostName.idp.com@IDP.COM).
7. Create a keytab file by opening a command prompt window and enter the following command:

   ktpass -out output_keytab_location -princ SPN_name -ptype KRB5_NT_PRINCIPAL ‑mapuser username -pass password
   

   Use the password entered in step 4.

   The keytab file is created.

   For example:

   ktpass -out c:\workstation.keytab -princ HTTP/ IWAConnectorHostName.idp.com@IDP.COM 
   -ptype KRB5_NT_PRINCIPAL -mapuser testkrb -pass password
   Targeting domain controller: winkdc.idp.com
   Using legacy password setting method
   Successfully mapped HTTP/ IWAConnectorHostName.idp.com to testkrb.
   Key created.
   Output keytab to c:\workstation.keytab:
   Keytab version: 0x502
   keysize 67 HTTP/ IWAConnectorHostName.idp.com@IDP.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x17 (RC4-HMAC) keylength 16 (0xfd77a26f1f5d61d1fafd67a2d88784c7)
   

8. Copy the keytab file to a secure location on the federation system at the asserting party.

   Important! The keytab name with its full path must be specified in the Keytab Location field during the Federation Agent configuration.

The domain controller is deployed for Kerberos on systems running Windows.

Complete Additional Configuration for Kerberos on Windows

The following actions are required on the federation system when using Kerberos on Windows:

1. Configure a Kerberos configuration file (krb5.ini). Place the krb5.ini file in the Windows system root path.
   1. Configure the KDC for the Windows 2003 Kerberos realm (domain) to use the Windows 2003 domain controller.
   2. Configure krb5.ini to use the Windows 2003 KDC keytab file containing the credentials of the workstation principal.

      [libdefaults]
      default_realm = IDP.COM
      default_keytab_name = C:\WINDOWS\krb5.keytab
      default_tkt_enctypes = des-cbc-md5 rc4-hmac
      default_tgs_enctypes = des-cbc-md5 rc4-hmac
      [realms]
      IDP.COM = {
      kdc = winkdc.idp.com:88
      default_domain = IDP.COM        
      }
      [domain_realm]
      .idp.com = IDP.COM
      

2. Deploy the Windows 2003 KDC keytab file to a secure location (as mentioned for krb5.ini).

Configure Internet Explorer for single sign-on. The procedures apply whether you are using NTLM or Kerberos as the authentication protocol.

More information:

Internet Explorer Configuration Settings

Kerberos Mode for a Windows System with a UNIX KDC

Complete the installation prerequisites for the Federation Agent on a system running Windows in Kerberos mode. The KDC is on a UNIX system.

1. Configure the KDC on a UNIX System.
2. Complete Additional Configuration for Kerberos on Windows.
3. Configure Internet Explorer Settings.

Configure the KDC on a UNIX System

The UNIX server that hosts the Kerberos key distribution center (KDC) must be configured to support the federation system. Part of this process is to create a keytab file. A keytab file is required for Kerberos authentication.

Follow these steps:

1. Open a command prompt window.
2. Enter the following command at the command-line prompt:

   usr/sbin/kadmin.local
   

3. Add the CA SiteMinder® Federation Standalone system service principal name with this command:

   addprinc -pw <password> HTTP/AgentHost Name.domainname.com@DOMAINNAME.COM
   

4. Create a keytab file by opening a command prompt window and enter the following command:

   ktadd -k output_keytab_location SPN name
   

   The keytab file is created.

5. Enter quit.

The configuration of federation on the UNIX KDC server is complete.

Complete Additional Configuration for Kerberos on UNIX

To configure Kerberos, the following commands are required on a federation system on a UNIX system:

• scp root@KDC system name:/etc/krb/krb.conf
• cat krb.profile
• kclient -p krb.profile

The UNIX system is configured for Kerberos authentication.

Configure Internet Explorer for single sign-on. The procedures apply whether you are using NTLM or Kerberos as the authentication protocol.

More information:

Internet Explorer Configuration Settings

Kerberos Mode for a UNIX System with a Windows KDC

Complete the prerequisites for installing the Federation Agent on a UNIX system running in Kerberos mode. The KDC is on a Windows system.

1. Set up the Domain Controller on Windows for Kerberos.
2. Additional Configuration for Kerberos on UNIX.
3. Configure Internet Explorer Settings.

Set up the Domain Controller on Windows for Kerberos

When using Kerberos, the domain controller is the key distribution center (KDC) for the Kerberos realm. In a pure Windows 2003 environment, a Kerberos realm is equivalent to a Windows domain. The domain controller host provides storage for the user, service accounts, credentials, the Kerberos ticketing services, and Windows domain services.

A keytab file is required for Kerberos authentication, which lets users logged on to the federation system authenticate with the KDC without being prompted for a password. The keytab file is created with the ktpass utility. The ktpass command tool utility is a Windows support tool. The default encryption type is RC4-HMAC-NT, which can be confirmed by running ktpass /? at the command prompt. Also, confirm the Kerberos version number.

Follow these steps:

1. Promote Windows 2003 SP 1 Server to a domain controller using the Windows dcpromo utility.
2. Open the Active Directory Users and Computers dialog from Administrative tools.
3. Select Create a User Account.
4. Enter a password for this account.
5. Clear the User Must Change Password at Next Logon option.
6. Associate the Windows 2003 workstation account with a server principal name (for example, HTTP/IWAConnectorHostName.idp.com@IDP.COM).
7. Create a keytab file by opening a command prompt window and enter the following command:

   ktpass -out output_keytab_location -princ SPN_name -ptype KRB5_NT_PRINCIPAL ‑mapuser username -pass password
   

   Use the password entered in step 4.

   The keytab file is created.

   For example:

   ktpass -out c:\workstation.keytab -princ HTTP/ IWAConnectorHostName.idp.com@IDP.COM 
   -ptype KRB5_NT_PRINCIPAL -mapuser testkrb -pass password
   Targeting domain controller: winkdc.idp.com
   Using legacy password setting method
   Successfully mapped HTTP/ IWAConnectorHostName.idp.com to testkrb.
   Key created.
   Output keytab to c:\workstation.keytab:
   Keytab version: 0x502
   keysize 67 HTTP/ IWAConnectorHostName.idp.com@IDP.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 2 etype 0x17 (RC4-HMAC) keylength 16 (0xfd77a26f1f5d61d1fafd67a2d88784c7)
   

8. Copy the keytab file to a secure location on the federation system at the asserting party.

   Important! The keytab name with its full path must be specified in the Keytab Location field during the Federation Agent configuration.

The domain controller is deployed for Kerberos on systems running Windows.

Complete Additional Configuration for Kerberos on UNIX

To configure Kerberos, the following commands are required on a federation system on a UNIX system:

• scp root@KDC system name:/etc/krb/krb.conf
• cat krb.profile
• kclient -p krb.profile

The UNIX system is configured for Kerberos authentication.

Configure Internet Explorer for single sign-on. The procedures apply whether you are using NTLM or Kerberos as the authentication protocol.

More information:

Internet Explorer Configuration Settings

Kerberos Mode for a UNIX System with a UNIX KDC

Complete the installation prerequisites for the Federation Agent on a UNIX system running in Kerberos mode. The KDC is on a UNIX system.

1. Configure the KDC on a UNIX System.
2. Additional Configuration for Kerberos on UNIX.
3. Configure Internet Explorer Settings.

Configure the KDC on a UNIX System

The UNIX server that hosts the Kerberos key distribution center (KDC) must be configured to support the federation system. Part of this process is to create a keytab file. A keytab file is required for Kerberos authentication.

Follow these steps:

1. Open a command prompt window.
2. Enter the following command at the command-line prompt:

   usr/sbin/kadmin.local
   

3. Add the CA SiteMinder® Federation Standalone system service principal name with this command:

   addprinc -pw <password> HTTP/AgentHost Name.domainname.com@DOMAINNAME.COM
   

4. Create a keytab file by opening a command prompt window and enter the following command:

   ktadd -k output_keytab_location SPN name
   

   The keytab file is created.

5. Enter quit.

The configuration of federation on the UNIX KDC server is complete.

Complete Additional Configuration for Kerberos on UNIX

To configure Kerberos, the following commands are required on a federation system on a UNIX system:

• scp root@KDC system name:/etc/krb/krb.conf
• cat krb.profile
• kclient -p krb.profile

The UNIX system is configured for Kerberos authentication.

Configure Internet Explorer for single sign-on. The procedures apply whether you are using NTLM or Kerberos as the authentication protocol.

More information:

Internet Explorer Configuration Settings

Internet Explorer Configuration Settings

To function in a single sign-on deployment, configure some specific Internet Explorer settings.

Local Intranet Properties Setup

Internet Explorer requires some specific settings to function in a single sign-on deployment. The setup for the browser requires configuring the local Intranet properties and configuring Intranet authentication. These settings apply whether you are using the Kerberos or the NTLM authentication protocol.

Follow these steps:

1. Open an Internet Explorer browser.
2. Select Tools form the Internet Explorer menu bar.
3. Select Internet Options from the drop-down menu.
4. Click the Security tab.
5. Click the Local Intranet button.
6. Click the Sites button.
7. Verify that the Include all sites that bypass the proxy server check box is selected.
8. Click the Advanced button.
9. Enter all domain names used on the Intranet, for example, AgentHostName.domainname.com.
10. Select the Advanced tab.
11. Scroll to the Security section.
12. Select Enable Integrated Windows Authentication (requires restart).
13. Restart the system.
14. Click OK.

The local Intranet properties are configured.

Intranet Authentication Setup

To function in a single-sign on solution requires some specific settings for the Internet Explorer. These client browser settings assume an Intranet environment. The setup for the browser requires configuring the local Intranet properties and configuring Intranet authentication.

Follow these steps:

1. Open an Internet Explorer browser.
2. Select the Tools menu from the Internet Explorer menu bar.
3. Select Internet Options from the drop-down menu.
4. Click the Security tab.
5. Click the Local Intranet button.
6. Click the Custom Level button.
7. Select the Security tab.
8. Scroll down to the User Authentication section.
9. Select Automatic logon only in Intranet zone.
10. Click OK.

Users are authenticated on the Intranet zone.

Browser Authentication through a Proxy Server (Optional)

At the asserting party, when a proxy server is inserted between the browser and the federation system with the Agent, authentication no longer works. In this case all URLs with relative domain names must be configured not to go through the proxy server.

Follow these steps:

1. Open an Internet Explorer browser.
2. Select the Tools menu from the Internet Explorer menu bar.
3. Select Internet Options from the drop-down menu.
4. Click the Advanced Tab.
5. Scroll down to the Security section.
6. Verify that Enable Integrate Windows Authentication is selected.
7. Click the Connections tab.
8. Click the LAN Settings button.
9. Verify that the proxy server address and port number are correct.
10. Click the Advanced button.
11. List any relevant domain name in the Exceptions field.
12. Click OK.

The browser is configured to bypass the proxy server for the specified domains.

Port Specification (Optional)

If your configuration has a firewall between the Federation Agent and the domain controller, the following static ports must be opened to allow communication:

• Microsoft-DS traffic (445/tcp, 445/udp)
• Lightweight Directory Access Protocol (LDAP) ping (389/udp)
• Domain Name System (DNS) (53/tcp, 53/udp)
• Kerberos authentication protocol (88/tcp, 88/udp)
• NetBIOS datagram Service (138/tcp, 138/udp)
• NetBIOS-ns Service (137/tcp, 137/udp)
• epmap (135/tcp, 135/udp)

In addition, the following Local Security Authority (LSA) ports are dynamic and must be made static by modifying registry entries:

• Local Security Authority Service(NTDS) (1025/tcp, 1025/udp):: Configurable Port required for NTLM
• Local Security Authority Service(NetLogin) (1026/tcp, 1026/udp):: Configurable Port required for Kerberos

Visit the following site for information about the LSA ports:

http://support.microsoft.com/kb/224196/