

Configure the Virtual Directory for Windows Authentication Schemes (IIS 6.0)

To use the SiteMinder Windows authentication scheme, configure a virtual directory on the IIS 6.0 web server. The virtual directory requires Windows challenge and response for credentials.

Configure the virtual directory for Windows authentication schemes

  1. Open the Internet Information Services (IIS) Manager.
  2. In the left pane, expand the following items:
  3. Do one of the following steps:

    The Properties dialog appears.

  4. Click the Directory Security tab.
  5. In the Anonymous Access and Authentication Control group box, click Edit.

    The Authentication Methods dialog appears.

  6. Do the following steps:
  7. Click OK twice.

    The Authentication Methods dialog and the Properties dialog close. The virtual directory is configured and requires Windows challenge and response for credentials.

    Note: Reboot the web server for these changes to take effect.

Configure Automatic Logon for Internet Explorer

To authenticate users without the agent challenging them for their credentials, Internet Explorer browser users must configure the Automatic Logon browser security setting.

Follow these steps:

  1. Start the Internet Explorer browser.
  2. Open the Internet Options dialog. (Refer to the Internet Explorer online help to find out how to open the dialog for your version of the browser).
  3. Click the Security tab.
  4. Click the correct security zone.
  5. Click Custom Level.
  6. Scroll down to the User Authentication section. Under the Logon option, click the Automatic Logon with current username and password option.
  7. Apply the changes.

    The Security Settings dialog and the Internet Options dialog close. Your settings are saved, and automatic login is configured.

Configure the Windows Authentication Scheme for Challenge/Response Authentication

To implement NT Challenge/Response authentication, provide the policy administrator responsible for configuring the Windows authentication scheme with the following values:

Server Name

The fully qualified domain name of the IIS web server, for example:

server1.myorg.com

Target

/siteminderagent/ntlm/smntlm.ntc

Note: The directory must correspond to the virtual directory already configured by the installation. The target file, smntlm.ntc, does not need to exist and can be any name that ends in .ntc or the custom MIME type that you use in place of the default.

Library

smauthntlm

More Information

MIME Types for Credential Collectors

Specify an NTLM Credential Collector

The NTLM credential collector (NTC) is an application within the Web Agent. The NTC collects NT credentials for resources that the Windows authentication scheme protects. This scheme applies to resources on an IIS web server that are accessed by Internet Explorer browsers.

Each credential collector has an associated MIME type. For IIS, the NTC MIME type is defined in the following parameter:

NTCExt

Specifies the MIME type that is associated with the NTLM credential collector. This collector gathers NT credentials for resources that the Windows authentication scheme protects. This scheme applies to resources on IIS web servers that are accessed only by Internet Explorer browsers.

You can have multiple extensions in this parameter. If you are using an Agent Configuration Object, select the multivalue option. If you are using a local configuration file, separate each extension with a comma.

Default: .ntc

If your environment already uses the default extension that the NTCExt parameter specifies, you can specify a different MIME type.

To change the extension that triggers the credential collector, add a different file extension to the NTCExt parameter.
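The following check ties the Target value from the Windows authentication scheme to the NTCExt setting described above: the target file name must end in one of the configured extensions (default .ntc, or the custom extensions you add, comma-separated in a local configuration file) and must sit under the virtual directory the installation created. This is an added example written for this page, not CA SiteMinder code; the configuration lines are constructed, the Name="value" line format is assumed for the local configuration file, and /siteminderagent/ntlm/ is assumed to be the installed virtual directory shown in the Target value above.

```python
"""Consistency check between a Windows authentication scheme Target and
the Web Agent NTCExt parameter (added example, not CA SiteMinder code)."""
from typing import List

# Constructed sample of the relevant local-configuration lines.
# Assumption: parameters are written as Name="value", and multiple
# NTCExt extensions are separated by commas as the documentation states.
SAMPLE_LOCAL_CONFIG = '''
# constructed sample, not a real WebAgent.conf
AgentName="iisagent"
NTCExt=".ntc,.winauth"
'''

DEFAULT_NTC_EXT = [".ntc"]  # the documented default for NTCExt

# Assumption: the installation's NTLM virtual directory, taken from the
# documented Target value /siteminderagent/ntlm/smntlm.ntc
NTLM_VIRTUAL_DIR = "/siteminderagent/ntlm/"


def parse_ntc_extensions(config_text: str) -> List[str]:
    """Return the NTCExt extensions (lower-cased, with a leading dot),
    or the documented default when the parameter is absent or empty."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        name, sep, value = line.partition("=")
        if sep and name.strip() == "NTCExt":
            value = value.strip().strip('"')
            exts = [e.strip().lower() for e in value.split(",") if e.strip()]
            # normalise so ".ntc" and "ntc" are treated alike
            return ["." + e.lstrip(".") for e in exts] or list(DEFAULT_NTC_EXT)
    return list(DEFAULT_NTC_EXT)


def target_triggers_collector(target: str, extensions: List[str]) -> bool:
    """True when the Target's file name ends in one of the NTCExt extensions.
    The file does not need to exist; only the extension matters."""
    path = target.split("?", 1)[0]  # ignore any query string
    filename = path.rsplit("/", 1)[-1].lower()
    return any(filename.endswith(ext) for ext in extensions)


def target_in_ntlm_virtual_directory(target: str, vdir: str = NTLM_VIRTUAL_DIR) -> bool:
    """True when the Target lives under the NTLM virtual directory."""
    return target.lower().startswith(vdir.lower())


def check_target(target: str, config_text: str) -> List[str]:
    """Return a list of problems; an empty list means the Target is consistent
    with the virtual directory and the configured NTCExt extensions."""
    problems = []
    exts = parse_ntc_extensions(config_text)
    if not target_in_ntlm_virtual_directory(target):
        problems.append(f"target {target!r} is not under {NTLM_VIRTUAL_DIR}")
    if not target_triggers_collector(target, exts):
        problems.append(f"target {target!r} does not end in an NTCExt extension {exts}")
    return problems


if __name__ == "__main__":
    for t in ("/siteminderagent/ntlm/smntlm.ntc",
              "/siteminderagent/ntlm/login.winauth",
              "/siteminderagent/ntlm/smntlm.html",
              "/other/smntlm.ntc"):
        print(t, "->", check_target(t, SAMPLE_LOCAL_CONFIG) or "OK")
```

Run it against the NTCExt line from your own local configuration file (or the value of the Agent Configuration Object) and the Target you hand to the policy administrator; a non-empty problem list means the credential collector will never be triggered for that Target.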

More Information

Use Credential Collectors for Authentication and Single Sign-On

How to Implement an Information Card Authentication Scheme

CA SiteMinder supports an Information Card Authentication Scheme (ICAS) that implements Windows CardSpace. Users who request access to protected resources can select an authentication card. SiteMinder uses the information contained in the card to verify the identity of the user.

Implementing an ICAS requires configuration changes on the following SiteMinder components:

Follow these steps:

  1. Do the following tasks on the web server:
    1. Enable SSL communication on the IIS web server.

      Note: For more information, see your Microsoft documentation, or go to http://support.microsoft.com/

    2. Export the web server certificate as a .pfx file.
    3. Customize the SiteMinder InfoCard.fcc template.
  2. Do the following tasks on the Policy Server:
    1. Install the JCE on the Policy Server.
    2. Update the java.security file on the Policy Server.
    3. Update the config.properties file on the Policy Server.
    4. If you do not already have an smkey database, create one with the Policy Server Configuration wizard.
    5. Add the .pfx file certificate from the web server to the smkey database.
    6. Configure the user directory in the Policy Server.
    7. Create a custom authentication scheme for CardSpace using the Administrative UI.
    8. (Optional) Store the claims in the session store to use in responses.
    9. (Optional) Enable personalization by allowing the retrieval of claim values from the session store.
    10. (Optional) Configure an active response to retrieve a stored claim value.