Web Agent Guides › Web Agent Configuration Guide › Authenticate Users with Forms › Use Credential Collectors for Authentication and Single Sign-On › How to use Forms with ACE Authentication

How to use Forms with ACE Authentication

If you want to use a SiteMinder form together with an ACE authentication scheme, do one of the following:

• If you are creating a new authentication scheme, use the following form as a template:

  web_agent_home\samples_default\forms\smaceauth.fcc
  

• If you are modifying an existing authentication scheme to use ACE, then add the following directive below the other directives in the forms.fcc file:

  @smacefcc=1
  

Specify Redirect URL Protocols with Lowercase Characters

If you protect legacy applications that do not confirm to RFC 2396 with a forms-based authentication scheme, and you need the protocol portions of URLs to be lowercase, then set the following parameter:

LowerCaseProtocolSpecifier

Specifies whether the scheme (protocol) portion of a redirect URL uses only lowercase characters. This configuration parameter accommodates legacy applications that do not confirm to RFC 2396. This RFC states that applications must handle the protocol portion of a URL in both uppercase and lowercase. Change this parameter in any of the following situations:

• You use legacy applications that do not confirm to RFC 2396.
• Your redirect URLS contain query data.
• You use an HTML-forms (FCC) authentication scheme.

Default: No (uppercase characters are used HTTP, HTTPS).

Example: Yes (lowercase characters are used http, https).

To specify lowercase protocols for the URLs in your environment, set the value of the LowerCaseProtocolSpecifier parameter to yes.

How to Configure the FCC to Allow Windows Authentication

The SiteMinder Forms Credential Collector (FCC) is designed to enable CA Services to trigger custom authentication schemes securely. As such, the FCC can authenticate users against any authentication scheme. However, the FCC does not authenticate against Windows authentication schemes by default. This behavior prevents an attacker from exploiting the FCC to generate a SiteMinder session for any valid Windows user in certain configurations.

If your environment requires the FCC to authenticate against the Windows authentication scheme, you can enable it by specifying the EnableFCCWindowsAuth agent configuration parameter. However, before you enable FCC support for Windows authentication, review the risks of doing so and be aware of configurations that expose the vulnerability.

1. Review the risks of enabling the FCC to allow Windows authentication.
2. Configure the FCC to allow Windows authentication.

Risks of Enabling the FCC to Allow Windows Authentication

By default, the FCC does not authenticate against Windows authentication schemes. You can enable the FCC to allow Windows authentication. However, doing so exposes a vulnerability whereby an attacker could use an FCC to generate a SiteMinder session for any valid Windows user in certain configurations.

The vulnerability is present in configurations in which the same SiteMinder Agent name or Agent group name is used in both an HTML Forms-protected realm and a Windows-protected realm. For example, a configuration in which a single Web Agent is configured to protect different realms that are configured with HTML Forms and Windows authentication.

Consider the following example scenario:

• Resource A is configured in a realm protected using HTML Forms authentication. The FCC challenges users accessing Resource A with an HTML form.
• Resource B is configured in a realm protected using Windows authentication. Users accessing Resource B complete Windows authentication.
• Both resources are hosted on the same IIS Server and are protected by the same Web Agent. Both realms are therefore configured with the same Agent name.

The attack occurs as follows:

1. The attacker modifies the TARGET parameter in the HTML form from "Resource A" to "Resource B."
2. The attacker submits the form with any valid Windows username.
3. The FCC passes the username to the Policy Server for authentication. SiteMinder executes the Windows authentication scheme instead of the HTML Forms authentication scheme and the username is validated.

The result is a SiteMinder session returned to the user which enables single sign-on for all following requests where the new session is considered valid. The attacker is now impersonating the user whose Windows username was submitted to the FCC.

Configure the FCC to Allow Windows Authentication

You configure the FCC to allow Windows authentication by specifying the following agent configuration parameter:

EnableFCCWindowsAuth

Specifies whether an agent, acting as an FCC, can authenticate users against resources that the SiteMinder Windows authentication scheme protects.

This parameter uses the following values:

• Yes—FCCs can authenticate against a Windows authentication scheme.

  Important! When this parameter is set to Yes, an attacker can potentially exploit the FCC to impersonate Windows users without providing required credentials.

• No—FCCs cannot authenticate against a Windows authentication scheme.

Default: No