How to Troubleshoot Integrated Windows Authentication (IWA NTLM)

Article 51398 Updated On: 12-01-2022

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On SITEMINDER
CA Single Sign On Agents (SiteMinder)

Issue/Introduction

This is an easy way to test whether Integrated Windows Authentication
(IWA NTLM) is configured properly.

Resolution

For Integrated Windows Authentication, IIS does the authentication,
not SiteMinder. The SiteMinder Web Agent doesn't do any authentication
for IWA. It trusts the credentials accepted by IIS and sends them to
the Policy Server for SiteMinder authentication and authorization.

Verify that Windows Authentication on IIS is working correctly by
performing the following steps.

1. Disable the Web Agent and restart IIS.

2. Change the Internet Explorer logon setting from "Automatic Logon..."
   to "Prompt for user name and password", then quit and restart IE.
   (This may require a logout if an application is using an IE session.)

3. Attempt to access http://FQDN/siteminderagent/ntlm/creds.ntc
   (must be a 2 dot FQDN).

4. A prompt for credentials by IIS should show up.

5. Provide credentials. Try this step twice:
   - Once with the specific user;
   - Once with another valid user that has permission to access this
     application.

6. If IIS Windows Authentication is configured correctly, a '404'
   error should be seen in the browser, since creds.ntc does not
   exist.

7. If receiving a 401 or 403 error, the user doesn't have permission
   to access the credentials collector. This will prevent user
   credentials from being passed to SiteMinder. Correct the Windows
   security settings for this resource in order for the
   authentication scheme to work.

8. On the IIS server where the Windows Authentication occurs, make
   sure "Anonymous Authentication" is set to disabled.
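
The checks in steps 3 to 8 can also be scripted. The following PowerShell script is an added example, not part of the original article or the product. It assumes the Web Agent is already disabled (step 1); the function name Get-HttpStatus and the parameter names are hypothetical, and FQDN in the URL stays a placeholder for the agent host.

```powershell
# Added example: scripted form of steps 3-8. Run once per user from step 5, e.g.
#   -Url http://FQDN/siteminderagent/ntlm/creds.ntc -Credential (Get-Credential)
param(
    [Parameter(Mandatory = $true)] [string] $Url,
    [Parameter(Mandatory = $true)] [System.Management.Automation.PSCredential] $Credential
)

# Returns the HTTP status code of a GET, with or without explicit credentials.
function Get-HttpStatus {
    param([string] $Uri, [System.Management.Automation.PSCredential] $Cred)
    $p = @{ Uri = $Uri; UseBasicParsing = $true; ErrorAction = 'Stop' }
    if ($Cred) {
        $p.Credential = $Cred
        # PowerShell 6+ refuses to send credentials over plain http without this switch.
        if ($PSVersionTable.PSVersion.Major -ge 6 -and $Uri -like 'http:*') {
            $p.AllowUnencryptedAuthentication = $true
        }
    }
    try {
        return [int](Invoke-WebRequest @p).StatusCode
    } catch {
        # Non-2xx answers surface as exceptions that carry the HTTP response.
        $resp = $_.Exception.Response
        if ($null -eq $resp) { throw }   # name resolution or connection failure
        return [int]$resp.StatusCode
    }
}

$anon = Get-HttpStatus -Uri $Url                      # no credentials sent
$auth = Get-HttpStatus -Uri $Url -Cred $Credential    # explicit credentials, no auto logon

# Steps 4 and 8: without credentials IIS must challenge (401) instead of serving the request.
if ($anon -eq 401) {
    "OK   anonymous request was challenged (401)"
} else {
    "FAIL anonymous request returned $anon; check that Anonymous Authentication is disabled"
}

# Steps 6 and 7: with valid credentials the expected answer is 404 (creds.ntc does not exist).
switch ($auth) {
    404                 { "OK   authenticated request returned 404; IIS Windows Authentication works" }
    { $_ -in 401, 403 } { "FAIL $auth; this user lacks permission to the credentials collector" }
    default             { "WARN unexpected status $auth" }
}
```

Passing the credentials explicitly plays the role of the "Prompt for user name and password" setting in step 2: the result does not depend on the logged-on session.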
