000021784 - How to configure Integrated Windows Authentication (IWA) mode for RSA ClearTrust protected resources

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000021784
Applies To: RSA ClearTrust 5.5
Microsoft Windows 2000 SP4
Microsoft Windows Server 2003
Microsoft Internet Information Server (IIS) 5.0
Microsoft Internet Information Services (IIS) 6.0 on Microsoft Windows Server 2003
Microsoft Integrated Windows Authentication (IWA)
Issue: How to configure Integrated Windows Authentication (IWA) mode for RSA ClearTrust protected resources
Resolution: In the RSA ClearTrust Agent for IIS web server's webagent.conf, set cleartrust.agent.auth_resource_list=/*=IWA so that every protected resource is authenticated with IWA. Then set the following configuration parameter in your ldap.conf file:

# In order to perform Single Sign-On (SSO) into a Windows domain, the
# RSA ClearTrust IIS Agent needs to look up mappings between ClearTrust user
# names and their equivalent User Principal Names (UPNs) for the domain
# being authenticated against. These mappings are normally created manually via
# the Administrative API. However, it is possible (especially in the Active
# Directory case) that an attribute holding the UPN exists as part of each user
# entry. Setting this parameter will allow the Authorization Server to construct
# these mappings dynamically in response to lookup requests by the IIS Agent.
# With this parameter set, any UPN mappings you create using the Administrative
# API will be ignored by the Auth Server.
# Allowed Values:
#   A valid LDAP attribute name.
# Default Value:
#   None
cleartrust.data.ldap.user.attributemap.windowsupn              :

The value of this parameter must be a valid ClearTrust user property. That user property must hold the user's User Principal Name (UPN), and its value must match the UPN that the Integrated Windows Authentication (IWA) mechanism constructs. The ClearTrust user must also have exactly the same userID as the user logged into the Windows machine. The format of the UPN is userID@domain.com.
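As an added check that is not part of the original article, the Python script below lints the two settings described above and verifies that each ClearTrust user's UPN property equals userID@domain, the value IWA constructs; the config fragments, user records, the userPrincipalName attribute name and the example.com domain are constructed assumptions.

```python
"""Added example, not RSA's code: audit an RSA ClearTrust IIS agent's IWA setup as the
article describes it. Sample configs, user records, attribute name and domain are constructed."""
import re

def parse_conf(text):
    """Parse 'key = value' / 'key : value' lines; blank lines and # comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf

def check_agent_config(webagent, ldap):
    """Return configuration problems; an empty list means both IWA settings are present."""
    problems = []
    if webagent.get("cleartrust.agent.auth_resource_list") != "/*=IWA":
        problems.append("auth_resource_list does not map /* to IWA")
    if not ldap.get("cleartrust.data.ldap.user.attributemap.windowsupn"):
        problems.append("windowsupn attribute map is empty; Auth Server cannot build UPN mappings")
    return problems

def check_upn_mappings(users, upn_attr, domain):
    """Return user IDs whose stored UPN is not exactly userID@domain, the value IWA constructs."""
    return [u["userid"] for u in users if u.get(upn_attr) != f"{u['userid']}@{domain}"]

def audit(webagent_text, ldap_text, users, domain):
    """Run both checks; returns (config problems, user IDs that will fail IWA single sign-on)."""
    ldap = parse_conf(ldap_text)
    problems = check_agent_config(parse_conf(webagent_text), ldap)
    upn_attr = ldap.get("cleartrust.data.ldap.user.attributemap.windowsupn", "")
    return problems, check_upn_mappings(users, upn_attr, domain)

WEBAGENT_CONF = "# constructed webagent.conf fragment\ncleartrust.agent.auth_resource_list=/*=IWA\n"
LDAP_CONF = ("# constructed ldap.conf fragment; userPrincipalName is an assumed attribute name\n"
             "cleartrust.data.ldap.user.attributemap.windowsupn : userPrincipalName\n")
DOMAIN = "example.com"  # constructed Windows domain
USERS = [  # constructed ClearTrust user records
    {"userid": "jsmith", "userPrincipalName": "jsmith@example.com"},   # matches IWA's UPN
    {"userid": "adoe", "userPrincipalName": "alice.doe@example.com"},  # local part differs from userID
    {"userid": "bkim"},                                                # no UPN property at all
]

if __name__ == "__main__":
    print(audit(WEBAGENT_CONF, LDAP_CONF, USERS, DOMAIN))  # ([], ['adoe', 'bkim'])
```

Users reported by the second check will be prompted or denied instead of silently signing on, so this is the first place to look when IWA SSO works for some accounts but not others.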

In Windows 2000, within the IIS 5.0 MMC snap-in, right-click the default web site and select Properties. Under Master Properties, click Edit. Click the Directory Security tab. Under the Anonymous Access and authentication control section, click Edit. Ensure that only the Integrated Windows authentication box is checked and that no other authentication method is enabled. Save these changes and restart your web server.

In Windows 2003, within the IIS 6.0 MMC snap-in, right-click the default website. Select "Properties" and then the "Directory Security" tab. Under "Authentication and access control", click "Edit...". Ensure that ONLY the checkbox for "Integrated Windows authentication" is checked; all other authentication methods must be unchecked.
Legacy Article ID: a25080