Previous Topic: Configure the Federation Agent for Windows AuthenticationNext Topic: Run the Configuration Wizard on Windows

Agent for Windows Authentication GuideConfigure the Federation Agent for Windows AuthenticationInformation Required by the Configuration Wizard

Information Required by the Configuration Wizard

After you install the Federation Agent, run the configuration wizard. On a Windows system, select the authentication protocol (Kerberos or NTLM). ON a UNIX system, Kerberos is the only supported protocol.

Note: The configuration executable and folder names include the string iwa, which references support for Integrated Windows Authentication technology.

The following parameters are required for NTLM and for Kerberos configurations.

Important! The values for these parameters must match the values that are specified in the Deployment settings of the CA SiteMinder® Federation Standalone Administrative UI. Find out the value of these these settings from the CA SiteMinder® Federation Standalone administrator before you configure the Federation Agent.

Cookie zone

Specifies the single sign-on security zone name.

Default: FED

Value: An alphabetic string

Cookie name

Specifies the name of the open format cookie.

Default: ""

Value: An alphabetic string

Encryption password

Specifies the password that derives a key for encrypting the cookie.

Default: ""

Value: An alphanumeric string

Encryption Transformation type

Specifies the FIPS-compliant cryptographic transform.

Default: AES128/CBC/PKCS5Padding

Limits: AES128/CBC/PKCS5Padding, AES192/CBC/PKCS5Padding, AES256/CBC/PKCS5Padding, 3DES_EDE/CBC/PKCS5Padding

UseHMAC

Specifies whether to use a Hash Message Authentication Code (HMAC).

Default: false

Limits: true or false

Note: If you are on a system running Windows and you have selected the Kerberos authentication protocol, you can optionally select NTLM as the failover option.

When specifying the Kerberos protocol, provide values for the following parameters:

KDC address

Specifies the fully qualified domain name of the key distribution center (KDC).

KDC realm

Specifies the domain name of the system on which the KDC is located.

Keytab location

Specifies the path of the keytab file. This file is created on the KDC system and moved to the system where the Federation Agent is installed.

Principal

Specifies the service principal name (SPN), which uniquely identifies an instance of a service, for example, HTTP/host.abc.com. HTTP is the name of the service and host.abc.com is the name of the host on which the service resides.

The Keytab location and Principal parameters are written to the login.conf file. The other parameters are written to the IWAConnectorConfig.conf file.

Note: If you review the login.conf file, do not change the value of the isInitiator parameter.