

Kerberos Protocol

The following illustration shows how CA SiteMinder® Federation Standalone and the Federation Agent use the Kerberos protocol:

Graphic showing the Kerberos protocol for Windows authentication

The following process references annotations in the preceding diagram:

  1. An authentication request is made to the federation system at the asserting party.

    The federation system recognizes that this request is a delegated authentication request.

  2. CA SiteMinder® Federation Standalone redirects to the Federation Agent.
  3. The Federation Agent requests an HTTP authorization from the browser.
  4. If the browser is configured for IWA, it sends a SPNEGO token to the Federation Agent. This token allows initiators and acceptors to negotiate whether to use Kerberos or NTLM.
  5. The Federation Agent extracts a Kerberos token from the SPNEGO token.
  6. After the security context is established from the Kerberos token, the Agent retrieves the user identity information.
  7. The Agent creates the open format cookie and builds a redirect URL.
  8. The Agent sends the cookie to the federation system.
  9. CA SiteMinder® Federation Standalone does the required processing and sends an assertion to the relying party.
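As an added illustration of steps 4 and 5 (this is example code, not CA SiteMinder or Federation Agent code), the following Python walks the DER encoding of the SPNEGO NegTokenInit a browser sends, lists the mechanisms in the browser's preference order, and extracts the inner mechToken; it assumes the standard Kerberos and NTLMSSP mechanism OIDs from RFC 1964 and MS-SPNG, and the sample token and its AP-REQ placeholder are constructed for the test. The acceptor should hand the mechToken to Kerberos only when Kerberos heads the list, because an NTLM-first token means IWA fell back to NTLM and no Kerberos token is inside.

```python
# Added example (not CA SiteMinder code): parse a SPNEGO NegTokenInit (RFC 4178).
KERBEROS_OID, MS_KERBEROS_OID = "1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"
NTLMSSP_OID, SPNEGO_OID = "1.3.6.1.4.1.311.2.2.10", "1.3.6.1.5.5.2"
KRB_DER, NTLM_DER = bytes.fromhex("2a864886f712010202"), bytes.fromhex("2b06010401823702020a")
_der = lambda tag, body: bytes([tag, len(body)]) + body   # short-form DER encoder for sample tokens (< 128 B)

def _tlv(buf, pos):                                  # one DER tag/length/value
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):                                 # (tag, value) elements of a constructed value
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out

def _decode_oid(raw):                                # dotted OID from its DER body
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_neg_token_init(token):                     # -> (mech OIDs in browser's preference order, mechToken)
    tag, body, _ = _tlv(token, 0)                    # [APPLICATION 0] InitialContextToken
    (oid_tag, oid), (neg_tag, neg) = _children(body)
    if (tag, oid_tag, neg_tag) != (0x60, 0x06, 0xA0) or _decode_oid(oid) != SPNEGO_OID:
        raise ValueError("not a SPNEGO NegTokenInit")
    mechs, mech_token = [], b""
    for ctx_tag, ctx in _children(_children(neg)[0][1]):   # NegTokenInit SEQUENCE
        if ctx_tag == 0xA0:                          # mechTypes [0] MechTypeList
            mechs = [_decode_oid(v) for t, v in _children(_children(ctx)[0][1]) if t == 0x06]
        elif ctx_tag == 0xA2:                        # mechToken [2] OCTET STRING
            mech_token = _children(ctx)[0][1]
    return mechs, mech_token

def kerberos_token_present(mechs, mech_token):
    # Step 5: only a token whose first mechanism is Kerberos carries a Kerberos AP-REQ; NTLM first means IWA fell back.
    return bool(mechs) and mechs[0] in (KERBEROS_OID, MS_KERBEROS_OID) and bool(mech_token)

def build_sample_token(mech_oids_der, mech_token):   # constructed NegTokenInit for testing
    mech_list = _der(0x30, b"".join(_der(0x06, o) for o in mech_oids_der))
    init = _der(0x30, _der(0xA0, mech_list) + _der(0xA2, _der(0x04, mech_token)))
    return _der(0x60, _der(0x06, bytes.fromhex("2b0601050502")) + _der(0xA0, init))
```

Real tokens from a browser are far longer than 128 bytes, which is why the parser handles long-form lengths even though the sample builder only emits short-form ones.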