User DN Lookup Formats for Windows Authentication Schemes

When an authentication scheme is created from the Windows Authentication Template, the user is authenticated by the IIS Web server rather than by the Policy Server. The Policy Server therefore depends on the IIS Web server to authenticate the user securely.

The IIS Web server passes the user name and domain name to the Policy Server, but never the user password. The password stays in Windows, stored in hashed form in the Security Accounts Manager (SAM) database (or, for a domain account, in Active Directory). The user name and domain name are passed from the IIS Web server to the Policy Server in this format:

domain_name\user_name

When you create a Windows authentication scheme for an Active Directory (AD) or LDAP user directory, you specify the User DN Lookup string that the Policy Server uses to locate the user in the user directory. The Policy Server searches any or all AD/LDAP user directories bound to the SiteMinder policy domain that contains the realm protected by the Windows authentication scheme.

There are two ways to specify the User DN Lookup string:

AD/LDAP Lookup

Specifies a fully qualified Distinguished Name (DN), containing the %{UID} and %{DOMAIN} variables, that the Policy Server expands and then uses to look up the single entry with that DN in the user directories bound to the SiteMinder policy domain.

AD/LDAP Search

Specifies an LDAP search filter, enclosed in parentheses, that the Policy Server expands and then uses to search for the user in the user directories bound to the SiteMinder policy domain. Because a filter is not anchored to a particular DN, it can match entries in more than one directory.

Note: The Policy Server searches the user directories in the directory order specified by the policy domain object.

Note: The value specified in the User DN Lookup field supersedes the User Lookup Start and User Lookup End values specified in the user directory object associated with the AD/LDAP user directory.

AD/LDAP Lookup

In this scenario, there is one domain named ACompany, one user directory, and a user named John Smith who has the following attributes:

cn: jsmith
distinguishedName: CN=jsmith,CN=Users,DC=ACOMPANY,DC=com
sAMAccountName: jsmith

User credentials are passed from the IIS Web server to the Policy Server as follows:

ACOMPANY\jsmith

To map these credentials to a User DN in the user directory, configure the User DN Lookup string in the Windows authentication scheme as follows:

CN=%{UID},CN=Users,DC=%{DOMAIN},DC=com

When the authentication scheme is invoked, the %{UID} and %{DOMAIN} variables in the Lookup string are replaced by the user name and domain name passed to the Policy Server, as follows:

CN=jsmith,CN=Users,DC=ACOMPANY,DC=com

The user jsmith exists in the user directory and is located by the Policy Server.

AD/LDAP Search

In this scenario, there are two domains named ACompany and BCompany. The SiteMinder policy domain has two user directories associated with it: one is an AD directory and the other can be an AD or LDAP directory. The AD user directory contains a user named jsmith who has the following attributes:

cn: jsmith
distinguishedName: CN=jsmith,CN=Users,DC=ACOMPANY,DC=com
sAMAccountName: jsmith

The AD/LDAP user directory also contains a user named jsmith who has these attributes:

cn: jsmith
distinguishedName: CN=jsmith,CN=Users,DC=BCOMPANY,DC=com
sAMAccountName: jsmith

User credentials are passed from the IIS Web server to the Policy Server in this format:

domain_name\jsmith

To map these credentials to a User DN in one of the two user directories, configure the User DN Lookup string in the Windows authentication scheme as follows:

(sAMAccountName=%{UID})

When the authentication scheme is invoked, the %{UID} variable in the Lookup string is replaced by the user name passed to the Policy Server, as follows:

(sAMAccountName=jsmith)

The Policy Server searches for the specified user in the user directories in the directory order specified by the SiteMinder policy domain object and stops at the first match. Depending on that order, the Policy Server may locate jsmith in the AD user directory or in the AD/LDAP user directory first; the other directory is never consulted. Because this filter contains only %{UID}, the domain name in the credential has no effect on which jsmith is returned.

Note: Because the Policy Server does not have access to passwords in a Windows environment, it cannot use them to disambiguate users with identical user names.

Important! There is a security risk associated with multiple domains. Consider a trust relationship between two domains, ACompany and BCompany. The IIS Web server accepts any user that Windows can authenticate, including users from the trusted domain BCompany, and passes only BCOMPANY\jsmith to the Policy Server. If the User DN Lookup string omits the domain, the Policy Server can map that credential to the ACompany entry for jsmith and grant BCompany's jsmith the access of ACompany's jsmith, even though the user was never authenticated in ACompany. To prevent this outcome, always include the domain name in the User DN Lookup string, as in the DN form CN=%{UID},CN=Users,DC=%{DOMAIN},DC=com, so that the expanded string can only match an entry in the domain that actually authenticated the user.
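The following Python model is an added example, not SiteMinder code, and covers both scenarios above (the AD/LDAP Lookup with one directory and the AD/LDAP Search with two) together with the multiple-domain risk in the Important note. It builds the two constructed user directories in policy-domain order, expands the %{UID} and %{DOMAIN} variables in a User DN Lookup string, and resolves a domain_name\user_name credential to the first matching entry, stopping at the first hit as the Policy Server does. Two things in it are assumptions rather than page content: the RFC 4514/4515 escaping of substituted values (the page does not say how the Policy Server treats special characters, so the example escapes defensively), and the search-form variant SEARCH_WITH_DOMAIN, which pins the domain through an equality filter on distinguishedName, something AD supports but this page does not describe.

```python
"""Model of how a Windows authentication scheme's User DN Lookup string resolves
a domain_name\\user_name credential against the policy domain's user directories.

Added example, not SiteMinder code. The directories, their order and the user
entries are constructed to mirror the two scenarios on this page.
"""
import re

# Constructed: the two user directories bound to the policy domain, in the
# order the policy domain object lists them. Each entry maps a DN to attributes.
DIRECTORIES = [
    ("AD directory (ACompany)", {
        "CN=jsmith,CN=Users,DC=ACOMPANY,DC=com": {"cn": "jsmith", "sAMAccountName": "jsmith"},
    }),
    ("AD/LDAP directory (BCompany)", {
        "CN=jsmith,CN=Users,DC=BCOMPANY,DC=com": {"cn": "jsmith", "sAMAccountName": "jsmith"},
    }),
]

# The two lookup strings from the page, plus a search-form variant that also pins
# the domain (assumption: the directory supports equality filters on distinguishedName).
LOOKUP_WITH_DOMAIN = "CN=%{UID},CN=Users,DC=%{DOMAIN},DC=com"
SEARCH_NO_DOMAIN = "(sAMAccountName=%{UID})"
SEARCH_WITH_DOMAIN = "(&(sAMAccountName=%{UID})(distinguishedName=CN=%{UID},CN=Users,DC=%{DOMAIN},DC=com))"


def parse_credential(cred):
    """Split the domain_name\\user_name string that IIS hands to the Policy Server."""
    domain, sep, user = cred.partition("\\")
    if not sep or not domain or not user:
        raise ValueError("expected domain_name\\user_name, got %r" % cred)
    return domain, user


def escape_dn(value):
    """RFC 4514 escaping for a value substituted into a DN (defensive assumption:
    the page does not say how the Policy Server treats special characters)."""
    out = re.sub(r'([,+"\\<>;])', r"\\\1", value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if len(value) > 1 and out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def escape_filter(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def expand(template, domain, uid):
    """Replace %{UID} and %{DOMAIN}. A template in parentheses is a search
    filter (AD/LDAP Search); anything else is a DN (AD/LDAP Lookup)."""
    esc = escape_filter if template.startswith("(") else escape_dn
    return template.replace("%{UID}", esc(uid)).replace("%{DOMAIN}", esc(domain))


def match_filter(entry_dn, attrs, flt):
    """Evaluate (attr=value) or (&(a=b)(c=d)...) against one directory entry."""
    if flt.startswith("(&") and flt.endswith(")"):
        return all(match_filter(entry_dn, attrs, p) for p in re.findall(r"\([^()]*\)", flt[2:-1]))
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", flt)
    if not m:
        raise ValueError("unsupported filter: %r" % flt)
    attr, value = m.group(1).lower(), m.group(2)
    actual = entry_dn if attr == "distinguishedname" else {k.lower(): v for k, v in attrs.items()}.get(attr)
    return actual is not None and escape_filter(actual).lower() == value.lower()


def resolve(template, cred, directories=DIRECTORIES):
    """Return (directory name, DN) of the first user found in directory order, or None."""
    domain, uid = parse_credential(cred)
    lookup = expand(template, domain, uid)
    for name, entries in directories:
        if lookup.startswith("("):
            hits = [dn for dn, attrs in entries.items() if match_filter(dn, attrs, lookup)]
        else:
            hits = [dn for dn in entries if dn.lower() == lookup.lower()]
        if hits:  # first hit wins; the Policy Server stops searching here
            return name, hits[0]
    return None


if __name__ == "__main__":
    for cred in ("ACOMPANY\\jsmith", "BCOMPANY\\jsmith", "CCOMPANY\\jsmith"):
        for label, tpl in (("search, no domain", SEARCH_NO_DOMAIN),
                           ("lookup, with domain", LOOKUP_WITH_DOMAIN),
                           ("search, with domain", SEARCH_WITH_DOMAIN)):
            print("%-16s %-20s -> %s" % (cred, label, resolve(tpl, cred)))
```

Running the block shows the outcome the Important note warns about: with (sAMAccountName=%{UID}) the credentials BCOMPANY\jsmith and even CCOMPANY\jsmith both resolve to the ACompany entry for jsmith, because the ACompany directory is first in the policy domain's order and the filter never looks at the domain. With either domain-pinned string, BCOMPANY\jsmith resolves to the BCompany entry and CCOMPANY\jsmith resolves to nothing, which is the behaviour a Windows authentication scheme should have across trusted domains.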