Windows Authentication Schemes


Integrated Windows Authentication (IWA) is a proprietary mechanism developed by Microsoft to validate users in pure Windows environments. The Windows authentication scheme available with the Policy Server secures resources by processing user credentials that the Microsoft Integrated Windows authentication infrastructure obtains.
Previous versions of the product supported Windows authentication through the NTLM authentication scheme. However, this support was limited to environments with NT Domains or where the Active Directory service is configured to support legacy NT Domains in mixed mode.
The Windows authentication scheme provides access control in deployments with Active Directories running in native mode. The scheme also supports Active Directories that are configured to support NTLM authentication. The Windows authentication scheme replaces the product's NTLM authentication scheme. Existing NTLM authentication schemes continue to be supported and can be configured using the new Windows authentication scheme.
In some circumstances, it is better to combine Windows User Security Context functionality with other authentication schemes instead of using the Windows authentication scheme.
The Windows authentication scheme is for resources that Web Agents on IIS web servers protect, and whose users access resources using Internet Explorer web browsers. This scheme relies on a properly configured IIS web server to acquire and verify user credentials. The Policy Server bases authorization decisions on a user identity as asserted by the IIS server.
Verify that Windows Authentication Prerequisites Are Met
Verify that the following prerequisites are met before configuring a Windows authentication scheme:
  • For legacy WinNT directories or Active Directory in mixed mode:
    • The user directory connection that you create in the Administrative UI specifies the WinNT namespace.
    • The requested resources can be located on any type of web server. However, the authentication server and the web agent protecting those resources must be on a Microsoft IIS web server.
  • For Active Directories running in native mode:
    • User data resides in an Active Directory.
    • User directory connections must specify either an LDAP or AD namespace.
    • The requested resources can be located on any type of web server. However, the authentication server and the web agent protecting those resources must be on a Microsoft IIS web server.
    • Client and server accounts are enabled for delegation.
  • Users must use a browser that supports sending Windows credentials and that is configured properly to send those credentials automatically.
  • To work on IIS in Windows, the "Verify that file exists" option in the Wildcard Application Maps must not be set.
  • Windows Authentication schemes also require that any virtual directory on the IIS web server that contains the creds.ntc file remain unprotected.
  • Internet Explorer browser options are configured for automatic logon with the current username and password of the user.
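The prerequisites above are checks that an administrator normally performs by hand in IIS Manager and Active Directory Users and Computers. The following read-only PowerShell script, added here as an example and not part of the product documentation, runs the same checks on the IIS web server that hosts the Web Agent. It assumes the WebAdministration, ServerManager and ActiveDirectory modules are available; the site name, the virtual directory path that holds creds.ntc and the client computer name are placeholders, and the mapping of the IIS 6 "Verify that file exists" option onto the IIS 7+ handler `resourceType` attribute is an assumption of this example.

```powershell
# Added example (not from the product documentation): read-only prerequisite
# checks for the Windows authentication scheme. Run on the IIS web server.
Import-Module WebAdministration
Import-Module ActiveDirectory

$SiteName      = 'Default Web Site'                              # placeholder: site the Web Agent protects
$CredsVDirPath = "IIS:\Sites\$SiteName\siteminderagent\ntlm"     # hypothetical vdir containing creds.ntc
$WebServerHost = $env:COMPUTERNAME                               # server account to check for delegation
$ClientHost    = 'CLIENT01'                                      # placeholder: client account to check

$results = @()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

# 1. Windows Authentication must be installed and enabled on the site: IIS, not the
#    Policy Server, validates the credentials the browser sends.
$feature = Get-WindowsFeature -Name Web-Windows-Auth
Add-Check 'IIS Windows Authentication feature installed' ([bool]$feature.Installed) "$($feature.InstallState)"
$winAuth = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled
Add-Check "Windows Authentication enabled on '$SiteName'" ([bool]$winAuth.Value) "enabled=$($winAuth.Value)"

# 2. Wildcard handler mappings must not require the requested file to exist.
#    Assumption: on IIS 7+ this corresponds to resourceType = Unspecified.
$wildcards = Get-WebConfiguration -PSPath "IIS:\Sites\$SiteName" `
    -Filter 'system.webServer/handlers/add[@path="*"]'
foreach ($h in $wildcards) {
    Add-Check "Wildcard handler '$($h.name)' does not verify file existence" `
        ($h.resourceType -eq 'Unspecified') "resourceType=$($h.resourceType)"
}

# 3. The virtual directory holding creds.ntc must stay unprotected: anonymous
#    access on and Windows authentication off for that path.
if (Test-Path $CredsVDirPath) {
    $anon = Get-WebConfigurationProperty -PSPath $CredsVDirPath `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled
    $win  = Get-WebConfigurationProperty -PSPath $CredsVDirPath `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled
    Add-Check 'creds.ntc virtual directory is unprotected' `
        ([bool]$anon.Value -and -not [bool]$win.Value) "anonymous=$($anon.Value) windows=$($win.Value)"
} else {
    Add-Check 'creds.ntc virtual directory exists' $false "not found: $CredsVDirPath"
}

# 4. Native-mode Active Directory: client and server accounts are enabled for delegation.
foreach ($hostName in @($WebServerHost, $ClientHost)) {
    $acct = Get-ADComputer -Identity $hostName -Properties TrustedForDelegation -ErrorAction SilentlyContinue
    if ($acct) {
        Add-Check "Delegation enabled for $hostName" ([bool]$acct.TrustedForDelegation) `
            "TrustedForDelegation=$($acct.TrustedForDelegation)"
    } else {
        Add-Check "Computer account found for $hostName" $false 'not found in Active Directory'
    }
}

$results | Format-Table -AutoSize
```

The script only reads configuration and prints a pass/fail table; any failed row points at the prerequisite to fix before the authentication scheme is created. The browser-side settings (automatic logon in Internet Explorer) are client configuration and are not covered by this server-side check.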
Configure a Windows Authentication Scheme
Use a Windows authentication scheme to authenticate users in a Windows environment.
The IIS web server, not the Policy Server, performs authentication based on credentials it receives from the Internet Explorer web browser. Therefore, you cannot use the OnAuthAttempt authentication event to redirect users who do not exist in the user store.
The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.
Follow these steps:
  1. Click Infrastructure, Authentication.
  2. Click Authentication Schemes.
  3. Click Create Authentication Scheme.
    Verify that Create a new object of type Authentication Scheme is selected.
  4. Click OK.
  5. Enter a name and protection level.
  6. Select Windows Authentication Template from the Authentication Scheme Type list.
  7. Enter Server Name, Target, and User DN information. If your environment requires NT Challenge/Response authentication, obtain the following values from the agent owner:
    • Server Name
      The fully qualified domain name of the IIS web server, for example:
    • Target
      The directory must correspond to the virtual directory already configured by the installation. The target file, smntlm.ntc, does not need to exist and can be any name that ends in .ntc or the custom MIME type that you use in place of the default.
    • User DN Lookup
    • smauthntlm
  8. Click Submit.
    The authentication scheme is saved and can be assigned to a realm.