How to Troubleshoot Integrated Windows Authentication (IWA)?

Document ID : KB000051398
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

This is an easy way to test if you have Integrated Windows Authentication (IWA) configured properly .

Solution:

For Integrated Windows Authentication, it is IIS that does the authentication, not SiteMinder. SiteMinder Web Agent does not do any authentication for IWA, Siteminder Web Agent trusts the credentials accepted by the IIS and send it to Policy Server for Siteminder authentication and authorization.

To verify that Windows Authentication on IIS is working correctly by performing the following steps.

  1. Disable the Web agent and restart IIS.

  2. Change the Internet Explorer logon setting from "Automatic Logon ..." to "Prompt for user name and password" and quit and restart IE.

    (This may require a logout if an application is using an IE session.)

  3. Attempt to access http://YouServer/siteminderagent/ntlm/creds.ntc (Must be 2 dot FQDN )

  4. You should be prompted for credentials by IIS

  5. Provide credentials. Try this step twice,

    1. Once with the user that you are logged in as,

    2. Once with another valid user that has permission to access this application.

  6. If IIS Windows Authentication is configured correctly, you should receive a '404' error, since creds.ntc does not exist.

  7. If you receive a 401 or 403 error, the user does not have permission to access the credentials collector. This will prevent user credentials from being passed to SiteMinder. You will need to correct the Windows security settings for this resource in order for the authentication scheme to work.