

How to Configure Certain Settings for the SiteMinder Agent for IIS Manually

In some situations, the SiteMinder Agent configuration programs cannot add the proper settings to all the IIS web server directories that need them.

Configure the SiteMinder Agent for IIS settings manually in any of the following situations:

Set Permissions Manually for Non-Default Log Locations

If you decide to store your agent log files in a non-default directory, grant your application pools permissions to the directory. For example, if you want to store your log files in a directory named C:\MyLogFiles, grant permissions for all your application pool identities to C:\MyLogFiles.

Microsoft provides a command-line utility, icacls.exe, that you can use to set the appropriate permissions. This procedure provides one possible example of a way to set permissions using tools or utilities provided by third-party vendors.

Important! CA provides this information only as an example of one possible method of configuring SiteMinder without using the programs and utilities tested and approved by CA. Microsoft provides the icacls.exe command as part of the Windows operating environment. You may choose to use the following examples as a guide to grant file permissions for the agent for IIS. This command and the syntax shown are subject to change by Microsoft at any time and without notice. For more information, go to the Microsoft Support website, and search for "icacls".

To set permissions manually for non-default log locations

  1. Open a Command Prompt Window on your IIS web server.

    Important! Before running a SiteMinder utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.

  2. Run the icacls command. Use the following example as a guide:
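    icacls log_directory /grant "IIS AppPool\application_pool_identity:permission"
    
    log_directory

    Specifies the non-default log directory to which you must grant permissions.

    application_pool_identity

    Specifies the identity of the application pool associated with the application protected by SiteMinder on your IIS web server. Because the account name contains a space, enclose the account and permission in quotation marks.

    permission

    Specifies the access rights to grant on the log directory, in icacls permission notation. The icacls /grant option requires the form account:permission.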

    Note: For more information about Application Pool Identities, see the IIS website.

  3. Repeat Step 2 for each application pool identity on your IIS web server. For example, if you have two application pools, grant permissions to both.
  4. If you have an IIS server farm using Shared Configuration, repeat Steps 1 through 3 for each IIS web server in the farm.

    The permissions are set.
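
The following PowerShell script is an added example, not part of CA's or Microsoft's documentation. It runs the Step 2 grant for every application pool identity on the server (Step 3), then reads the ACL back to confirm each grant. It assumes the WebAdministration module is installed, uses the sample directory C:\MyLogFiles from this page, and assumes Modify rights with inheritance, (OI)(CI)M, because this page does not state which permission to grant.

```powershell
# Added example (not CA's or Microsoft's script). Run from an elevated prompt.
Import-Module WebAdministration

$LogDirectory = 'C:\MyLogFiles'   # sample directory named on this page
$Rights       = '(OI)(CI)M'       # ASSUMPTION: Modify, inherited by files and subfolders

if (-not (Test-Path -LiteralPath $LogDirectory -PathType Container)) {
    throw "Log directory not found: $LogDirectory"
}

# Step 2 and Step 3: one grant per application pool identity on this server.
$accounts = Get-ChildItem IIS:\AppPools | ForEach-Object { "IIS AppPool\$($_.Name)" }
foreach ($account in $accounts) {
    # The account name contains a space, so account and permission are passed
    # to icacls as a single argument in the form account:permission.
    & icacls.exe $LogDirectory /grant "${account}:$Rights" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "icacls failed for $account (exit code $LASTEXITCODE)"
    }
}

# Read the ACL back and report, per identity, whether an Allow entry that
# includes Modify rights is present on the directory.
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$acl    = Get-Acl -LiteralPath $LogDirectory
$report = foreach ($account in $accounts) {
    $rule = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $account -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $modify) -eq $modify
    }
    [pscustomobject]@{ Identity = $account; Granted = [bool]$rule }
}
$report | Format-Table -AutoSize

# Non-zero exit so a deployment script can stop if any identity was missed.
if ($report | Where-Object { -not $_.Granted }) { exit 1 }
```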

Change IIS Settings Manually for SiteMinder Authentication Schemes Requiring Certificates

If you use SiteMinder authentication schemes that request or require certificates, change the settings manually on your IIS web server for the following virtual directories:

To change IIS settings manually for SiteMinder authentication schemes requiring certificates

  1. Open IIS manager.
  2. Expand your web server.
  3. The Application pools icon and Sites folder appear.
  4. Expand Sites.

    A list of web sites appears.

  5. Expand the website associated with your authentication scheme that requires certificates.

    The siteminderagent virtual folder appears.

  6. Expand the siteminderagent virtual folder.

    A list of subfolders appears.

  7. Click the cert folder.

    The settings icons appear.

  8. Double-click SSL Settings.

    The SSL Settings page appears.

  9. Select the Require SSL check box, and then click the Require option button.
  10. Under Actions, click Apply.

    The changes are applied.

  11. Click the certoptional folder.

    The settings icons appear.

  12. Double-click SSL Settings.

    The SSL Settings page appears.

  13. Click the Accept option button.
  14. Under Actions, click Apply.

    The changes are applied.

  15. Repeat Steps 3 through 14 for other websites on your IIS web server that require certificates.
  16. For IIS server farms using Shared Configuration, repeat Steps 1 through 15 on each IIS web server in your farm.

    The settings are changed.