Chapter 11: Manage User Access with IIS
This section contains the following topics:
Use an IIS Proxy User Account (IIS Only) (see page 146)
Use the NetBIOS Name or UPN for IIS Authentication (see page 148)
How to Configure the NT Challenge/Response Authentication (IIS Only) (see page 149)
Use an IIS Proxy User Account (IIS Only)
If users try to access resources on an IIS web server protected by SiteMinder, the Web Agent may deny access if those users lack sufficient IIS privileges for those resources.
For example, if users are stored in an LDAP user directory on a UNIX system, those users may not have access to the Windows system with the IIS web server.
The IIS web server has a default proxy account that has sufficient privileges for users who are granted access by SiteMinder. The Web Agent uses the values of the
DefaultUserName and DefaultPassword parameters as credentials even if the user has a valid Windows security context.
To configure the IIS Web Agent to use a proxy user account
1. Set the value of the ForceIISProxyUser parameter to one of the following values:
■ If access to the applications on the IIS server is based on the users' credentials themselves, set the value of the ForceIISProxyUser parameter to yes.
■ If access to the applications on the IIS server is based on a specific account (such as a proxy) which acts on behalf of the users, set the value of the ForceIISProxyUser parameter to no.
2. If you are not using either of the following Windows features, continue with Step 3:
■ The Windows authentication scheme
■ The Windows User Security Context
3. Enter the user name for the proxy user account in the DefaultUserName parameter.
If you are using a domain account, and the local machine is not a part of that domain, use the syntax shown in the following example:
DefaultUserName=Windows_domain\acct_with_admin_privilege
Otherwise, specify just the user name.
4. Enter the password associated with the existing Windows user account in the DefaultPassword parameter.
Important! We recommend setting this parameter in your Agent Configuration Object because you can encrypt it. If you set it in a local configuration file, the value is stored unencrypted in plain text.
The IIS Proxy account is configured.
Enable Anonymous User Access
If you do not want users to have access as the proxy user, you can set the following parameter:
UseAnonAccess
Instructs the IIS Web Agent to execute the web application as an anonymous user, instead of using credentials of the proxy user.
Default: No
Note: This parameter applies to IIS Web Agents only.
To enable anonymous user access, set the UseAnonAccess parameter to yes.
Use the NetBIOS Name or UPN for IIS Authentication
In an IIS network, you may have a NetBIOS name that is different from the domain name for the location of a requested resource. When a user tries to access a protected resource and there are multiple domain controllers, user authentication fails and the web server log shows an "IIS logon failure." You can control whether the UPN or the NetBIOS name is sent to the IIS web server with the following parameter:
UseNetBIOSforIISAuth
Specifies whether the IIS 6.0 Web Agent sends the user principal name (UPN) or the NetBIOS name to the IIS 6.0 web server for IIS user authentication.
Note: This parameter is valid only if an Active Directory user store is associated with the Policy Server.
If you enable this parameter, the Policy Server extracts the UserDN, the UPN, and the NetBIOS name from the Active Directory during SiteMinder authentication, and sends this data back to the IIS 6.0 Web Agent.
Depending on whether or not you selected the Run in Authenticated User's Security Context option for the user directory with the Policy Server User Interface and how you set the UseNetBIOSforIISAuth parameter, a user's logon credentials are sent as follows:
■ When the UseNetBIOSforIISAuth parameter is set to no, the IIS 6.0 Web Agent sends the UPN name.
■ When the UseNetBIOSforIISAuth parameter is set to yes, the Web Agent sends the NetBIOS name.
The IIS web server authenticates the user with the credentials it receives from the Web Agent.
Default: No
To have the Web Agent use the NetBIOS name for IIS authentication, set the UseNetBIOSforIISAuth parameter to yes.
How to Configure the NT Challenge/Response Authentication (IIS Only)
The IIS Web Agent supports the NT challenge/response authentication scheme. With NT challenge/response authentication, the IIS web server challenges the user's Internet Explorer browser when a user requests access to a resource. The challenge is a mathematical calculation based on the user’s password that is stored on the user’s client system. The browser returns the results of the calculation to the web server, which compares the response with the password information in its database and does the same calculation. If the results match, the server allows the user access. This process is transparent to the user.
Note: The NT challenge/response authentication scheme only works with Internet Explorer browsers.
There are two ways you can choose to implement the challenge/response authentication scheme:
■ Challenge users when they try to access a protected resource (in single sign-on environments, users are only challenged the first time they request a resource)
■ Have your users configure the automatic logon feature of their Internet Explorer browser.
The automatic logon feature allows users to access a resource without being challenged. The authentication process still takes place, but the NT challenge/response process between the browser and the server is transparent to the user. Automatic logon is typically used for intranets where security is less strict and you want users to have seamless access to resources. Automatic logon is not recommended for communication across the Internet and is usually not possible because the user's Windows account would need to be in the same Windows domain system as the web server.
SiteMinder Agents use credential collectors to gather a user’s Windows credentials for the NT challenge/response authentication scheme. The agent supports the extension .NTC for collecting NTLM credentials.
Note: NTCExt only needs to be set if you want to change this default behavior.
To make SiteMinder operate with NT challenge/response authentication, use the following process:
1. Set up the NT Challenge response authentication for the IIS web server with the following tasks:
a. Map the .ntc file extension.
b. Create and configure the virtual directory, and then ensure that it requires the NT challenge and response credentials.
2. Configure the NT challenge/response authentication scheme in the Policy Server User Interface.
3. Specify an NTLM credential collector.
4. Configure policies for NT Challenge/Response authentication using the Policy Server User Interface.
5. (Optional) Have your users configure the automatic logon feature of their Internet Explorer browser.
The NT Challenge Response Authentication for IIS is configured.
More Information
Configure Automatic Logon for Internet Explorer (see page 153)
Configure the Challenge/Response Authentication Scheme (see page 154)
Specify an NTLM Credential Collector (see page 155)
Map the .NTC File Extension
You must map the .NTC file extension to the ISAPIWebAgent.dll application to configure NT Challenge/Response Authentication on the IIS Web Server.
To map the .NTC file extension
1. Open the Internet Services Manager.
2. Right-click Web Sites in the left pane, and then right click Default Web Site in the right pane and select Properties.
The Default Web Site Properties dialog appears.
3. Click the Home Directory tab.
4. In the Application Settings group box, click Configuration.
The Application Configuration dialog appears.
5. Click Add.
The Add/Edit Application Extension Mapping dialog opens.
a. In the Executable field, click Browse and locate the following file:
web_agent_home/bin/ISAPIWebAgent.dll.
b. Click Open.
c. In the Extension field, enter .ntc.
6. Click OK three times.
The Add/Edit Application Extension Mapping dialog, the Application Configuration dialog and the Default Web Site Properties dialog close. The .ntc file extension is mapped.
Configure the Virtual Directory for Windows Authentication Schemes (IIS 6.0)
To use the SiteMinder Windows authentication scheme, configure a virtual directory on the IIS 6.0 web server. The virtual directory requires NT challenge and response for credentials.
To configure the virtual directory for Windows authentication schemes
1. Open the Internet Information Services (IIS) Manager.
2. In the left pane, expand the following items:
■ The web server icon
■ The Web Sites folder
3. Do one of the following steps:
■ To protect all the resources on the entire website with SiteMinder Windows authentication scheme, right-click the Default Web Site folder, select Properties, and then go to Step 4.
■ If you do not want to protect the entire website with the SiteMinder Windows authentication scheme, do the following steps:
a. Locate the following folder:
\siteminderagent\ntlm
b. Right-click the ntlm folder, select Properties and go to Step 4.
The Properties dialog appears.
4. Click the Directory Security tab.
5. In the Anonymous Access and Authentication Control group box, click Edit.
The Authentication Methods dialog appears.
6. Do the following steps:
■ Clear the Enable Anonymous Access check box.
■ Select the Integrated Windows Authentication check box.
7. Click OK twice.
The Authentication Methods dialog and the Properties dialog close. The virtual directory is configured and requires NT challenge and response for credentials.
Note: Reboot the web server for these changes to take effect.
Configure Automatic Logon for Internet Explorer
If you want to authenticate users without having the Web Agent challenge them for their credentials, have each user configure the NT automatic logon feature of the Internet Explorer browser by changing the security settings.
To configure automatic logon
1. Start the Internet Explorer browser.
2. Click one of the following:
■ The View menu (on Internet Explorer 4.x or 5.x)
■ The Tools menu (on Internet Explorer 6.0)
3. Select Internet Options.
The Internet Options dialog opens.
4. Click the Security tab.
5. Click the correct security zone (internet, intranet, trusted, or restricted).
6. Click one of the following:
■ The Custom radio button (on Internet Explorer 4.x).
■ The Custom Level radio button (on Internet Explorer 5.x or 6.0).
7. Click Settings.
8. Scroll down to the User Authentication section. Under the Logon option, click the Automatic Logon with current username and password radio button.
9. Click OK twice.
The Security Settings dialog and the Internet Options dialog close. Your settings are saved, and automatic login is configured.
Configure the Challenge/Response Authentication Scheme
To implement NT Challenge/Response authentication, you must create an authentication scheme using the Policy Server User Interface.
Note: For more information, see the Policy Server documentation.
Use the following settings when creating an NT Challenge/Response authentication scheme:
■ In the Scheme Common Setup group box:
Authentication Scheme Type: Windows Template
■ In the Scheme Type Setup tab:
Server Name: enter the fully qualified domain name, for example:
server1.myorg.com
Target: /siteminderagent/ntlm/smntlm.ntc
Note: The directory should correspond to the virtual directory already set up by the installation. The target file, smntlm.ntc, does not need to exist and can be any name that ends in .ntc or the custom MIME type that you use in place of the default.
■ In the Advanced tab:
Library: smauthntlm
More Information
MIME Types for Credential Collectors (see page 258)
Specify an NTLM Credential Collector
The NTLM credential collector (NTC) is an application within the Web Agent. It collects NT credentials for resources that are protected by the Windows authentication scheme.
This scheme applies to resources on an IIS web server accessed by Internet Explorer browsers.
Each credential collector has an associated MIME type. For IIS, the NTC MIME type is defined in the following parameter:
NTCExt
Specifies the MIME type associated with the NTLM credential collector. This collector gathers NT credentials for resources that are protected by the Windows authentication scheme. This scheme applies to resources on IIS web servers that are accessed by the Internet Explorer browser.
You can have multiple extensions in this parameter. If you are using an Agent Configuration Object, select the multi-value option. If you are using a local configuration file, separate each extension with a comma.
Default: .ntc
If your environment already uses the default extension specified by the previous parameter, you can specify a different MIME type.
To change the extension that triggers the credential collector, add a different file extension to the NTCExt parameter.
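As an added illustration (not code from the Web Agent guide or from the product), the following Python models how a comma-separated NTCExt value from a local configuration file is parsed, and how a request target such as /siteminderagent/ntlm/smntlm.ntc is matched on its extension alone, so the target file need not exist. The case-insensitive match and the fallback to .ntc for an empty value are assumptions of this example, not documented agent behavior.

```python
import posixpath
from urllib.parse import urlsplit

# Documented default of the NTCExt parameter for the IIS Web Agent.
DEFAULT_NTCEXT = ".ntc"


def parse_ntcext(value):
    """Parse an NTCExt value in local-configuration-file form.

    Multiple extensions are separated by commas. Each entry is normalised to a
    leading-dot, lower-case extension and blank entries are dropped. An empty
    value falls back to the documented default (assumption of this example).
    """
    exts = []
    for raw in value.split(","):
        ext = raw.strip().lower()
        if not ext:
            continue
        if not ext.startswith("."):
            ext = "." + ext
        exts.append(ext)
    return exts or [DEFAULT_NTCEXT]


def triggers_ntc(target, ntcext_value=DEFAULT_NTCEXT):
    """Return True if the request target would invoke the NTLM credential collector.

    Only the URL path is examined, so a query string can never influence the
    match, and nothing on disk is consulted: smntlm.ntc is selected purely by
    its extension. Matching is case-insensitive (assumption, as IIS paths are).
    """
    path = urlsplit(target).path
    _, ext = posixpath.splitext(path)
    return ext.lower() in parse_ntcext(ntcext_value)


if __name__ == "__main__":
    # Constructed sample targets: the documented default target and a custom one.
    for tgt in ("/siteminderagent/ntlm/smntlm.ntc", "/app/login.smntc?next=/home"):
        print(tgt, "->", triggers_ntc(tgt, ".ntc, .smntc"))
```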
More Information
Use Credential Collectors for Authentication and Single Sign-On (see page 257)