How to Set Up Integrated Windows Authentication Using IIS and Layer7 Symantec SiteMinder Web Agent

Article By: Tiffany Kongpachith

Integrated Windows Authentication (IWA) is a proprietary mechanism developed by Microsoft to validate users in pure Windows environments. With IWA, it is IIS that performs the authentication, not Symantec SiteMinder. The SiteMinder Web Agent does no authentication for IWA; it trusts the credentials accepted by IIS and forwards them to the Policy Server for SiteMinder authentication and authorization. Broadcom Techdocs does not provide a how-to guide for integrating the two, so this document provides the steps needed to set the integration up properly.

Prerequisites

  • Windows IIS Web Server is installed on the Windows Server.
  • SiteMinder Web Agent is installed and configured and registered to the SiteMinder Policy Server.

A. Windows IIS Web Server Installation:

1. Log into the Windows Server with the credentials of the user who will implement IIS. Once logged in, search for the Server Manager toolbox icon, right-click it, and select “Run as administrator.”

The Server Manager Dashboard should then appear.

2. In the top-left corner of the Server Manager menu, click ‘Manage’.

3. Click the “Add roles and features” option.

4. In the Add Roles and Features wizard, click “Next” after the introductory page that describes the installation process for new features.

5. Select “Role-based or feature-based installation”, the standard choice for new installations. Then click Next.

6. From the Server Pool, select the server on which the new features are to be installed. Then click “Next”.

7. Select the checkbox for “Web Server (IIS)” role.

8. Click “Add Features” to add the Web Server (IIS) features.

9. Once you have selected and added the IIS features, click “Next”.

10. Under Role Services, scroll down to the Security section and select the “Basic Authentication” and “Windows Authentication” options.

11. Select the “Application Development” role service.

12. Click the drop-down arrow to expand the additional Application Development options. Select all that apply EXCEPT “Server Side Includes” and “WebSocket Protocol.”

13. Click “Next”.

14. Make sure the listed features you have selected are correct; once you have verified the selections, click “Install”.

15. Once the installation process is complete, click “Close”.

16. Restart the Windows server to apply the IIS changes.

17. Log back into the Windows Server with the same credentials.

18. In the Start Menu, search for Administrative Tools, then double-click “Internet Information Services (IIS) Manager”.

The IIS Manager and its contents will appear.

19. In the left column, expand the name of your server (e.g. “WIN-5BV0LA1D8ET”) by clicking the drop-down arrow to view “Application Pools”, “Sites”, and “Default Web Site.”

The Default Web Site allows users to add and remove website content and configure it through different options. Note: after any change in IIS, restart or refresh for the change to take effect.

20. Open File Explorer and navigate to C:\inetpub\wwwroot.

21. Create a new directory called “iwatest”.

22. Create a basic HTML page within this folder (it will be displayed once IWA succeeds).

23. In IIS Manager, expand Default Web Site to see the aspnet_client, siteminderagent, and iwatest folders.

24. Click Default Web Site, then click the Authentication icon to list all supported authentication types.

25. Anonymous Authentication should show as Enabled. Right-click Anonymous Authentication and set it to Disabled.

26. Then right-click Windows Authentication and change it from Disabled to Enabled.

27. Under Default Web Site > siteminderagent (virtual directory), expand the folder until you see a directory called “ntlm”.

28. Click the ntlm directory and click the Authentication icon.

29. Repeat steps 25 and 26 here: enable ONLY Windows Authentication.

30. Click the server name in IIS and, in the right column, click Restart to apply the changes for IIS and the SiteMinder Web Agent.
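
The following PowerShell script is an added example, not part of the original article, that performs steps 7 through 30 of Section A without the GUI, so the result can be repeated and audited. It assumes an elevated PowerShell session on a Windows Server with the Server Manager and WebAdministration modules, and that the SiteMinder Web Agent has already created the siteminderagent virtual directory (the prerequisite above). The chosen subset of Application Development role services is an assumption that matches step 12 (Server Side Includes and WebSocket Protocol excluded); the site, folder and file names follow the article.

```powershell
# Added example (not from the original article): PowerShell equivalent of Section A, steps 7-30.
# Assumes an elevated session on Windows Server with the ServerManager and WebAdministration modules.
#Requires -RunAsAdministrator
Import-Module ServerManager
Import-Module WebAdministration

# Steps 7-15: Web Server (IIS) role, Basic + Windows Authentication, and the Application
# Development role services. Web-Includes (Server Side Includes) and Web-WebSockets
# (WebSocket Protocol) are deliberately omitted, as in step 12. Feature list is an assumption.
$features = @(
    'Web-Server', 'Web-Mgmt-Console',
    'Web-Basic-Auth', 'Web-Windows-Auth',
    'Web-Net-Ext45', 'Web-Asp-Net45', 'Web-Asp', 'Web-CGI',
    'Web-ISAPI-Ext', 'Web-ISAPI-Filt', 'Web-AppInit'
)
$result = Install-WindowsFeature -Name $features
if (-not $result.Success) { throw "IIS feature installation failed: $($result.ExitCode)" }
if ($result.RestartNeeded -eq 'Yes') {
    # Step 16: the reboot is left to the operator; rerun the remainder afterwards (step 17).
    Write-Warning 'A restart is required before continuing; reboot, then rerun this script.'
    return
}

# Steps 20-22: the iwatest folder and a minimal page that is only visible once IWA succeeds.
$siteRoot = 'C:\inetpub\wwwroot\iwatest'
New-Item -ItemType Directory -Path $siteRoot -Force | Out-Null
@'
<!DOCTYPE html>
<html><head><title>IWA test</title></head>
<body><h1>Integrated Windows Authentication succeeded</h1></body></html>
'@ | Set-Content -Path (Join-Path $siteRoot 'index.html') -Encoding UTF8

# Steps 25-26 and 29: written to applicationHost.config <location> entries via -PSPath 'IIS:\',
# which is what IIS Manager does, so section locking at the server level is not an issue.
function Set-IwaAuthentication {
    param([Parameter(Mandatory)][string]$Location)
    $base = 'system.webServer/security/authentication'
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "$base/anonymousAuthentication" -Name enabled -Value $false
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "$base/windowsAuthentication" -Name enabled -Value $true
    # Basic Authentication is installed as a role service but stays off (disabled by default),
    # so that ONLY Windows Authentication is offered at these paths, as step 29 requires.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "$base/basicAuthentication" -Name enabled -Value $false
}

# Read back the effective state so the change can be verified rather than assumed.
function Get-IwaAuthenticationState {
    param([Parameter(Mandatory)][string]$Location)
    $base = 'system.webServer/security/authentication'
    $read = { param($section)
        (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location -Filter "$base/$section" -Name enabled).Value }
    [pscustomobject]@{
        Location  = $Location
        Anonymous = & $read 'anonymousAuthentication'
        Windows   = & $read 'windowsAuthentication'
        Basic     = & $read 'basicAuthentication'
    }
}

# Step 27: the ntlm directory exists only after the Web Agent is installed (prerequisite).
if (-not (Test-Path 'IIS:\Sites\Default Web Site\siteminderagent\ntlm')) {
    throw 'siteminderagent/ntlm not found under Default Web Site; install and register the Web Agent first.'
}

'Default Web Site', 'Default Web Site/siteminderagent/ntlm' | ForEach-Object {
    Set-IwaAuthentication -Location $_
    Get-IwaAuthenticationState -Location $_
} | Format-Table -AutoSize

# Step 30: restart IIS so both IIS and the Web Agent pick up the new configuration.
iisreset /restart
```

The read-back table should show Anonymous and Basic as False and Windows as True for both locations; anything else means the change did not land where the Web Agent expects it.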

B. SiteMinder Web Agent Installation and Configuration Considerations:

  • The SiteMinder Web Agent is assumed to have been installed and configured on the Windows server.
  • The Agent / Agent Group is assumed to have already been created within the SiteMinder Administrative User Interface (UI).
  • The Agent Configuration Object (ACO) is assumed to have been created within the SiteMinder Administrative UI and associated with the correct Agent.
  • Active Directory is assumed to have been configured under User Directories within the SiteMinder Administrative UI.

C. Integrated Windows Authentication’s Authentication Scheme:

Integrated Windows Authentication (IWA) uses the security features of Windows clients and servers. IWA enforces Single Sign-On by allowing Windows to gather user credentials during the initial interactive desktop login process and then transmitting that information to the security layer. CA Single Sign-On, using the Windows Authentication scheme, secures resources by processing user credentials that are obtained by the Microsoft Integrated Windows Authentication infrastructure.

1. Login to the SiteMinder Admin User Interface (UI).

2. Expand the Tasks column for Infrastructure > Authentication > Authentication Schemes.

3. Create a new Authentication Scheme for IWA by clicking the Create Authentication Scheme button.

4. From the Create Authentication Scheme screen, select the radio button for Create a new object of type Authentication Scheme. Then click OK.

5. Enter a name for the Authentication Scheme in the Name field.

For example: Integrated Windows Authentication (IWA)

6. Enter a description for the Authentication Scheme in the Description field.

For example: Authentication Scheme for Integrated Windows Authentication

7. For the Authentication Scheme Type, click the drop-down for options, and select Windows Authentication Template.

8. Ensure the Protection Level is set at five (5).

9. For Scheme Setup, ensure the radio button for Active Directory / LDAP is selected.

10. In the Server Name field, enter the Fully Qualified Domain Name (FQDN) of the Windows Server, or of the VIP that will host IWA if high availability is in place.

11. When selecting Windows Authentication Template, the Target field will default to /siteminderagent/ntlm/creds.ntc.

12. For User DN Lookup, enter the value as “(sAMAccountName={UID})”.

13. Lastly, click the Submit button to save Authentication Scheme configurations.
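
The User DN Lookup filter in step 12 is what ties the Windows identity accepted by IIS to a directory entry: SiteMinder substitutes the authenticated user name for {UID} and searches the User Directory with the resulting filter. The following PowerShell function is an added example, not part of the article or of the SiteMinder product, for checking ahead of time that the filter resolves a given account to exactly one DN in the directory SiteMinder will search. It uses the built-in [adsisearcher] accelerator, so no extra modules are needed; the search base defaults to the current domain, and the sample user name is a placeholder.

```powershell
# Added example (not part of the article): confirm the step-12 lookup filter resolves an
# account to exactly one DN. Domain, search base and the sample UID are assumptions.
function Resolve-IwaUserDn {
    param(
        [Parameter(Mandatory)][string]$Uid,
        [string]$LookupTemplate = '(sAMAccountName={UID})',            # value from step 12
        [string]$SearchBase = (([adsi]'LDAP://RootDSE').defaultNamingContext)
    )
    # Escape RFC 4515 filter metacharacters before substitution. The value comes from IIS's
    # Windows authentication, so this is hygiene rather than a fix, but any code that fills
    # an LDAP filter template should do it. Backslash is escaped first on purpose.
    $escaped = $Uid -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
    $filter  = $LookupTemplate.Replace('{UID}', $escaped)

    $searcher = [adsisearcher]$filter
    $searcher.SearchRoot = [adsi]"LDAP://$SearchBase"
    $searcher.PageSize   = 100
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'userPrincipalName'))

    $dns = @($searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] })
    [pscustomobject]@{
        Uid               = $Uid
        Filter            = $filter
        SearchBase        = $SearchBase
        MatchCount        = $dns.Count
        DistinguishedName = $dns
    }
}

# 'jdoe' is a placeholder; use the account you will test with in section F.
$check = Resolve-IwaUserDn -Uid 'jdoe'
if ($check.MatchCount -ne 1) {
    Write-Warning ("Expected exactly one DN for '{0}' but found {1}. Review the User DN Lookup " +
                   "filter (step 12) or the User Directory search root.") -f $check.Uid, $check.MatchCount
}
$check
```

A count of zero means IWA will authenticate at IIS and then fail at the Policy Server with no matching user; a count above one means the directory search root is too broad for sAMAccountName to be unique across it.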

D. Integrated Windows Authentication Domain/Policy Creation:

For the integration to work from a SiteMinder perspective, the necessary SiteMinder objects must be created within the SiteMinder Administrative User Interface (UI) so that they work with the SiteMinder Web Agent, protect the resource that users will access, and allow the Agent to consume the policy and forward the credentials from IIS to the Policy Server for authentication and authorization.

1. Login to the SiteMinder Administrative User Interface (UI).

2. Expand the Tasks column for Policies > Domain > Domains.

3. Click the Create Domain button to create a new Domain for IWA.

4. Under the General tab, enter the name as “Integrated Windows Authentication (IWA)” in the Name field.

5. You may enter a description of the Domain in the Description field.

6. Under User Directories, click the Add/Remove button to associate Active Directory to this Domain.

7. Highlight or select Active Directory from the Available Members column, select the single right arrow to move Active Directory to the Selected Members column. Then click the OK button.

8. Then click the right arrow to move the selected User Directory from the Available Members column to the Selected Members column.

9. You will see the User Directory selected under the Selected Members column.

10. Then click OK to accept the selected User Directory.

11. You will return to the Domain screen under the General tab. The User Directory that was selected will now appear under the User Directories section.

12. Navigate to the Realms tab.

13. Click the Create Realm button to create a new protected Realm/resource for the Domain.

14. Enter the name as “Protected IWA Test” in the Name field for the Realm.

15. You may enter a description for the Realm in the Description field.

16. Select the Agent or Agent Group that is protecting the Windows server(s) for this Realm.

17. You will see the list of available Agents/Agent Groups. To select an Agent/Agent Group, click the radio button next to the Agent Name/Agent Group Name. Then click OK.

18. In the Resource Filter section, enter the value “/iwatest”.

19. Ensure the Default Resource Protection radio button is set to “Protected”.

20. For Authentication Scheme, open the drop-down and select the authentication scheme created for IWA (i.e. Integrated Windows Authentication).

21. Under Rules, click the Create button to create a new rule set for the Realm.

22. For Rules, enter the name as “Methods” in the Name field.

23. You may enter a description of the Rule in the Description field.

24. Under Attribute – Realm and Resource, enter the value as “*” (asterisk).

25. For Action, ensure the radio button is selected for Web Agent actions.

26. Select the GET, POST, and PUT actions.

Note: To select multiple actions, you may hold the Ctrl key and select to highlight (in blue) the actions.

27. Once all Rule settings have been configured, click the OK button located at the bottom of the screen.

28. You will return to the Create Realm screen, scroll down, and click the OK button.

29. You will return to the Create Domain screen under Realms tab, click Submit button to save configurations.

30. From the SiteMinder Admin UI menu, under Tasks > click Policies to expand options > click Domain > then click Domains.

31. Locate and select the name of Integrated Windows Authentication Domain.

32. From the Domain screen, scroll to the bottom and click the Modify button to modify the Domain.

33. From the Domain screen, click on the Policies tab.

34. Click the Create button to create a new Policy.

35. In the General section, enter the Policy name in the Name field.

For example: Access Policy

36. In the General section, you may enter a description for the Policy in the Description field.

37. In the General section, ensure the Enabled checkbox is marked.

38. In the General section, ensure the Domain is associated with the IWA Domain Name.

39. From the Create Policy screen, navigate and click on the Users tab.

40. The User Directory that was associated to the Domain will appear.

41. To add specific users or groups, choose either Add Members or Add Entry. To select all users, choose Add All.

  • For Add Members option – The Users/Group within the User Directory will appear. You may filter your search for specific users or groups with the Search Type drop-down, search by attribute, and by value.
  • For Add Entry option – The User Directory Search Expression Editor will appear. Filter the search between the Expression Editor drop-down option, Where to Search drop-down option, or by Manual Entry.

42. Navigate to the Rules tab within the Policy.

43. Click Add Rule to associate Rules with the Users.

44. A list of Realms will appear under Rules for [IWA Domain Name]. Select the checkbox for each available Realm and its associated Rules created for the Domain.

45. Then click OK.

46. You will return to the Policy’s Rules screen; scroll to the end of the screen and click the OK button.

47. You will return to the Domain screen under the Policies tab; click the Submit button to save the configuration.

E. Internet Explorer Supports Automatic Login:

To configure automatic logon in Internet Explorer 5.x and 6.x browsers using the username and password of the account currently logged into the Windows machine (its Active Directory credentials), perform the following steps:

1. Open Internet Explorer (IE) on the server.

2. Select the gear button (settings) > then select Internet options.

3. Click the Security tab on Internet Options.

4. Select the Custom Level button.

5. Scroll to the User Authentication section at the end of the list. Then select the radio button for “Automatic logon with current username and password”.

6. Click OK. Then, in the Internet Options > Security window, click Apply and then OK to save the changes.

7. Close the Internet Explorer browser and re-open a new window.
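
The Custom Level setting chosen in step 5 is stored per security zone as the DWORD value 1A00 under the Internet Settings\Zones registry key, which makes it possible to verify, or apply, the setting without the dialog and to see whether Group Policy is enforcing a different value. The script below is an added example, not part of the article; the zone numbers and the meaning of the 1A00 values are Microsoft's, while the choice of the Local intranet zone (1) as the default target for Set-IeAutomaticLogon is an assumption that fits a server reached by its FQDN on the corporate network.

```powershell
# Added example (not part of the article): inspect and set the IE "Logon" zone setting
# (registry value 1A00) that Section E, step 5 changes through the Custom Level dialog.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$LogonModes = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}
$UserZones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$PolicyZones = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-IeLogonMode {
    foreach ($zone in 0..4) {
        $userVal   = (Get-ItemProperty -Path "$UserZones\$zone"   -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
        $policyVal = (Get-ItemProperty -Path "$PolicyZones\$zone" -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
        # A Group Policy value, when present, overrides the per-user value and greys out the dialog,
        # so report the effective one and flag where it came from.
        $effective = if ($null -ne $policyVal) { $policyVal } else { $userVal }
        [pscustomobject]@{
            Zone       = $zone
            Name       = $ZoneNames[$zone]
            Value      = if ($null -ne $effective) { '0x{0:X5}' -f [int]$effective } else { '(not set)' }
            Meaning    = if ($null -ne $effective -and $LogonModes.ContainsKey([int]$effective)) { $LogonModes[[int]$effective] } else { 'unknown / default' }
            FromPolicy = $null -ne $policyVal
        }
    }
}

function Set-IeAutomaticLogon {
    # Equivalent of step 5 for one zone: 0 selects "Automatic logon with current username and password".
    # Zone 1 (Local intranet) is the assumed target; pass -Zone to choose another.
    param([ValidateRange(0, 4)][int]$Zone = 1)
    New-Item -Path "$UserZones\$Zone" -Force | Out-Null
    Set-ItemProperty -Path "$UserZones\$Zone" -Name '1A00' -Value 0 -Type DWord
}

# Show the effective logon mode for every zone before and after applying the change.
Get-IeLogonMode | Format-Table -AutoSize
Set-IeAutomaticLogon -Zone 1
Get-IeLogonMode | Where-Object Zone -eq 1 | Format-Table -AutoSize
```

If FromPolicy is True for the zone you care about, the setting is coming from Group Policy and must be changed there; editing the HKCU value has no effect in that case.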

F. Test Integrated Windows Authentication:

This step tests the integration between the SiteMinder Web Agent, the Policy Server, and Windows IIS.

1. To test that IIS is working properly, enter the URL in a web browser:

This will display the default IIS page.

2. To test that IWA is working, enter the URL:

This will display the example HTML page you created.

3. Check the associated SiteMinder Policy Server logs for Authentication and Authorization entries for users logging in with their Active Directory credentials (smaccess.log for AuthAccept, AzAccept, and ValidateAccept entries).
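
The three test steps above can be driven from PowerShell so that the browser request and the log check are done together and can be repeated after each configuration change. The script below is an added example, not part of the article or of any SiteMinder tooling: it requests the test page with the logged-in Windows credentials (the same Negotiate/NTLM exchange the browser performs) and then scans smaccess.log lines for the AuthAccept, AzAccept and ValidateAccept events named in step 3. The URL and log path are placeholders, and the bracketed field order assumed by the regular expression is an assumption; compare it with one real line from your Policy Server's smaccess.log before relying on it. The sample log lines embedded in the script are constructed, not real output.

```powershell
# Added example (not part of the article): drive the section F test and check smaccess.log.
# URL, log path and the field order in $pattern are assumptions; sample lines are constructed.
function Test-IwaPage {
    param([Parameter(Mandatory)][string]$Url)
    # -UseDefaultCredentials sends the current Windows logon through Negotiate/NTLM, which
    # is exactly what IWA auto-logon depends on; a 401 here points at IIS, not SiteMinder.
    $resp = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing
    [pscustomobject]@{ Url = $Url; StatusCode = $resp.StatusCode; Bytes = $resp.RawContentLength }
}

function Get-SmAccessEvents {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string[]]$Events = @('AuthAccept', 'AzAccept', 'ValidateAccept')   # from step 3
    )
    # Assumed field order: [timestamp][host][agent][session][event][resource][user] ...
    $pattern = '^\[(?<ts>[^\]]+)\]\s*\[(?<host>[^\]]*)\]\s*\[(?<agent>[^\]]*)\]\s*\[(?<session>[^\]]*)\]' +
               '\s*\[(?<event>[^\]]*)\]\s*\[(?<resource>[^\]]*)\]\s*\[(?<user>[^\]]*)\]'
    foreach ($line in $Lines) {
        if ($line -match $pattern -and $Matches.event -in $Events) {
            [pscustomobject]@{
                Time     = $Matches.ts
                Event    = $Matches.event
                Agent    = $Matches.agent
                Resource = $Matches.resource
                User     = $Matches.user
            }
        }
    }
}

function Test-IwaLoginRecorded {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][string]$User,
        [string]$Resource = '/iwatest'                                       # realm filter from section D
    )
    $hits = Get-SmAccessEvents -Lines $Lines |
            Where-Object { $_.User -ieq $User -and $_.Resource -like "$Resource*" }
    $seen = @($hits.Event | Sort-Object -Unique)
    # A successful IWA login shows both an authentication and an authorization accept for the resource.
    [pscustomobject]@{
        User       = $User
        Resource   = $Resource
        AuthAccept = 'AuthAccept' -in $seen
        AzAccept   = 'AzAccept'   -in $seen
        Complete   = ('AuthAccept' -in $seen) -and ('AzAccept' -in $seen)
    }
}

# Constructed sample lines in the assumed field order (not real Policy Server output).
$sample = @'
[12/Mar/2024:09:15:02 -0500] [iis01.example.corp] [iwa-agent] [sess-01] [AuthAccept] [/iwatest/index.html] [EXAMPLE\jdoe]
[12/Mar/2024:09:15:02 -0500] [iis01.example.corp] [iwa-agent] [sess-01] [AzAccept] [/iwatest/index.html] [EXAMPLE\jdoe]
[12/Mar/2024:09:15:40 -0500] [iis01.example.corp] [iwa-agent] [sess-02] [AuthReject] [/iwatest/index.html] [EXAMPLE\asmith]
'@ -split "`r?`n"

Test-IwaLoginRecorded -Lines $sample -User 'EXAMPLE\jdoe'
Test-IwaLoginRecorded -Lines $sample -User 'EXAMPLE\asmith'

# Against a live deployment (placeholders):
# Test-IwaPage -Url 'https://<iis-server-fqdn>/iwatest/index.html'
# Test-IwaLoginRecorded -Lines (Get-Content '<policy-server-path>\log\smaccess.log') -User 'DOMAIN\user'
```

With the constructed sample, the first account shows Complete as True and the second as False (it only has a reject entry). On a real system, an AuthAccept without a matching AzAccept means the user was identified but the Policy (section D) did not grant the Rule; no entry at all means IIS authenticated the user but the Web Agent never forwarded the credentials, which points back at the ntlm directory configuration in section A.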

Summary of Integrated Windows Authentication

Congratulations! You have successfully integrated the Symantec SiteMinder Web Agent with IIS for Integrated Windows Authentication leveraging Active Directory. IWA applies to resources protected by Web Agents on IIS web servers whose users access them with Internet Explorer; it relies on a properly configured IIS web server to acquire and verify user credentials, and the Policy Server bases its authorization decisions on the user identity asserted by the IIS server. This gives users with Active Directory accounts the convenience of automatic logon with their existing credentials instead of entering a username and password for authentication and authorization.

Looking for additional help with Integrated Windows Authentication? ISX Consulting is an elite IAM security firm that offers boundless expertise in a range of cybersecurity and business process services, including Symantec Siteminder and advanced authentication. Take your interoperability to the next level, and contact an ISX consultant today.
