Sun Java System Access Manager Policy Agent 2.2 Guide for Microsoft Internet Information Services 5.0

Preventing an Additional Authentication Prompt: Preparing to Install Agent for Microsoft IIS 5.0

As explained in Additional Authentication Prompt, Agent for Microsoft IIS 5.0 supports HTTP basic authentication.

However, when Policy Agent 2.2 for Microsoft IIS 5.0 is configured and basic authentication is enabled in the Microsoft IIS 5.0 server, users are required to authenticate twice. Users need to authenticate first with Access Manager and then with the Microsoft IIS 5.0 basic authentication module.

To prevent the user from being prompted a second time for user name and password, you must set the Basic Authentication filter, which is a feature of Agent for Microsoft IIS 5.0. Setting the Basic Authentication filter is a three-part process. Notice that two steps of that process are described in this section as pre-installation tasks, as follows:

After you have performed the two tasks described in this section, install the agent. Then, as a post-installation step, you can perform the final task required to set the Basic Authentication filter, as described in Configuring Agent for Microsoft IIS 5.0 for Basic Authentication.

Procedure: To Deploy the Post Authentication Module in Access Manager

Before You Begin

The user name and password must be synchronized on the following two host machines:

Furthermore, the following information about Access Manager is helpful for this task:

AccessManager-base represents the Access Manager base installation directory.

The following are the default Access Manager base installation directories for Solaris systems and Windows systems:

The following are the default locations of the AMConfig.properties file on Solaris systems and Windows systems:

  1. Set the JAVA_HOME variable to the location used to install Java.

  2. (Conditional) If the files DESGenKey.java and ReplayPasswd.java are not bundled with the Access Manager binaries (see the explanation within this step for details), obtain and compile them. Otherwise, skip to the next step.

    The DESGenKey.java file is a key generator while the ReplayPasswd.java file is a plug-in.

    The availability of DESGenKey.class and ReplayPasswd.class varies according to the Access Manager version. The following list indicates which versions of Access Manager have these classes bundled with them and which versions do not.

    Bundled with
    • Access Manager 7.0 series from Patch 5 forward

    • Access Manager 7.1 series from Patch 1 forward

    Not bundled with
    • Any version of the Access Manager 7.0 series prior to patch 5

    • Access Manager 7.1

    You can obtain the files DESGenKey.java and ReplayPasswd.java by contacting Sun technical support.

    1. Download the files DESGenKey.java and ReplayPasswd.java to the following directory:

      AccessManager-base\lib
    2. Change to the following directory:

      AccessManager-base\lib
    3. Compile ReplayPasswd.java and DESGenKey.java as follows:

      AccessManager-base\lib> javac -classpath AccessManager-base\lib\am_services.jar;AccessManager-base\lib\am_sdk.jar;AccessManager-base\lib\servlet.jar ReplayPasswd.java DESGenKey.java
  3. Execute DESGenKey.class as follows:

    Access Manager 7.0 series from Patch 5 forward and Access Manager 7.1 series from Patch 1 forward:

    AccessManager-base\lib> java com.sun.identity.common.DESGenKey

    Any version of the Access Manager 7.0 series prior to patch 5 and Access Manager 7.1:

    AccessManager-base\lib> java DESGenKey

    Executing DESGenKey.class returns a string as output.

  4. Add the string produced in the previous step to a newly created text file as described in the substeps that follow.

    1. Copy the string produced in the previous step.

    2. Create a file, which for this example is named des_key.txt, in a directory of your choosing.

      The des_key.txt name is used in this guide as an example. Name the file differently if you wish.

    3. Save the copied string in the des_key.txt file.

  5. Configure the com.sun.am.replaypasswd.key property in the AMConfig.properties configuration file as described in the substeps that follow.

    1. Open the AMConfig.properties configuration file.

    2. Add the following property to the file:

      com.sun.am.replaypasswd.key
    3. Copy the string from the des_key.txt file.

    4. Add the copied string as the value of the com.sun.am.replaypasswd.key property.

      For example, if the string in the des_key.txt file is wuqUJyr=5Gc=, then the new property would be set as follows:

      com.sun.am.replaypasswd.key = wuqUJyr=5Gc=
    5. Save and close the AMConfig.properties configuration file.

  6. Deploy the post-authentication plug-in, ReplayPasswd, as described in the substeps that follow.

    This step requires the use of Access Manager Console.

    1. Log in to Access Manager as amadmin.

    2. With the Access Control tab selected, click the name of the realm you wish to configure.

    3. Click the Authentication tab.

    4. Click Advanced Properties.

      The Advanced Properties button is in the General section.

    5. Scroll down to the Authentication Post Processing Classes field.

    6. In the Authentication Post Processing Classes field, enter the appropriate text depending upon the Access Manager version:

      For Access Manager 7.0 series from Patch 5 forward and Access Manager 7.1 series from Patch 1 forward

      Enter the following: com.sun.identity.authentication.spi.ReplayPasswd

      For any version of the Access Manager 7.0 series prior to patch 5 and Access Manager 7.1

      Enter the following: ReplayPasswd

    7. Scroll up to click Save.

    8. Click Log Out to log out of the Access Manager Console.

  7. Verify the deployment of the post-authentication plug-in, ReplayPasswd, as described in the substeps that follow.

    1. Stop Access Manager.

    2. Access the AMConfig.properties configuration file.

    3. Note the value of the following property before changing it to message, as indicated:

      com.iplanet.services.debug.level = message

      You must change this value back to its original value at the completion of this step.

    4. Save and close the file.

    5. Start Access Manager.

    6. Log in to Access Manager Console.

      Again use amadmin.

    7. Click Log Out to immediately log out of the Access Manager Console.

    8. Change to the directory that contains the Access Manager debug log files.

      The default location of the debug log files is /var/opt/SUNWam/debug.

    9. Verify the existence of a file named ReplayPasswd.

      The existence of this file indicates the successful deployment of the post-authentication plug-in.

    10. Reset the debug value to its original value.

  8. Restart Access Manager.
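Steps 5 and 7 above both edit AMConfig.properties by hand. The following added check (example code, not part of this guide or of Access Manager) parses the file the way java.util.Properties does and reports the two things that commonly go wrong in this procedure: a missing com.sun.am.replaypasswd.key value, and a com.iplanet.services.debug.level left at message after the verification step. The sample file contents are constructed; the key value is the example string used in this guide.

```python
import re

# Constructed AMConfig.properties excerpt (not a real file); the key value is
# this guide's example string and contains '=' characters of its own.
SAMPLE_AMCONFIG = """\
# Access Manager configuration (constructed excerpt)
com.iplanet.services.debug.level = message
com.sun.am.replaypasswd.key = wuqUJyr=5Gc=
com.iplanet.am.server.port=58080
"""

def parse_properties(text):
    """Parse Java .properties text for the common cases: '#'/'!' comment
    lines, and the FIRST unescaped '=', ':' or whitespace separating the key
    from the value. A naive split on every '=' would truncate the
    replaypasswd key, because its base64-style value itself contains '='."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"((?:\\.|[^\s=:])+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def check_replay_password_config(text):
    """Return findings for the two properties this procedure touches."""
    props = parse_properties(text)
    findings = []
    if not props.get("com.sun.am.replaypasswd.key", ""):
        findings.append("com.sun.am.replaypasswd.key is missing or empty; "
                        "ReplayPasswd has no key to encrypt the replayed password")
    if props.get("com.iplanet.services.debug.level") == "message":
        findings.append("com.iplanet.services.debug.level is still 'message'; "
                        "reset it to its original value after verification")
    return findings

if __name__ == "__main__":
    for finding in check_replay_password_config(SAMPLE_AMCONFIG):
        print("FINDING:", finding)
```

Run it against the real file with `check_replay_password_config(open(path).read())`; an empty list means both properties are in the state this procedure expects.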

Procedure: To Enable Basic Authentication in Microsoft IIS 5.0

This task is performed on the Microsoft IIS 5.0 server.

  1. Start the Internet Services Manager.

  2. Right-click the web site that is protected by the agent.

  3. Select Properties from the drop-down list.

  4. Select Directory Security.

  5. Select Edit in Authentication and access control.

    By default, “Enable anonymous access” is selected.

  6. Uncheck the “Enable anonymous access” box.

  7. Check the box Basic Authentication.

  8. Click OK to save the changes.

  9. Restart the web site.