As explained in Additional Authentication Prompt, Agent for Microsoft IIS 5.0 supports HTTP basic authentication.
However, when Policy Agent 2.2 for Microsoft IIS 5.0 is configured and basic authentication is enabled in the Microsoft IIS 5.0 server, users are required to authenticate twice. Users need to authenticate first with Access Manager and then with the Microsoft IIS 5.0 basic authentication module.
To prevent the user from being prompted a second time for user name and password, you must set the Basic Authentication filter, which is a feature of Agent for Microsoft IIS 5.0. Setting the Basic Authentication filter is a three part process. Notice that two steps of that process are described in this section as pre-installation tasks, as follows:
After you have performed the two tasks described in this section, install the agent. Then, as a post-installation step, you can perform the final task required to set the Basic Authentication filter, as described in Configuring Agent for Microsoft IIS 5.0 for Basic Authentication.
Synchronize the user name and password on the following two host machines, since such synchronization is required:
The machine that hosts Access Manager.
The machine that hosts Microsoft IIS 5.0 server.
Furthermore, the following information about Access Manager is helpful for this task:
AccessManager-base represents the Access Manager base installation directory.
The following are the default Access Manager base installation directories for Solaris systems and Windows systems:
Solaris Systems: /opt/SUNWam
Windows Systems: jes-install-dir\Access Manager\config
The following are the default locations of the AMConfig.properties file on Solaris systems and Windows systems:
Solaris Systems: /etc/opt/SUNWam/config
Windows Systems: AccessManager-base\config
Set the JAVA_HOME variable to the location used to install Java.
(Conditional) If the files DESGenKey.java and ReplayPasswd.java are not bundled with the Access Manager binaries (see the explanation within this step for details) obtain and compile them. Otherwise, skip to the next step.
The DESGenKey.java file is a key generator while the ReplayPasswd.java file is a plug-in.
The availability of DESGenKey.class and ReplayPasswd.class varies according to the Access Manager version. The following list indicates which versions of Access Manager have these classes bundled with them and which versions do not.
Access Manager 7.0 series from Patch 5 forward
Access Manager 7.1 series from Patch 1 forward
Any version of the Access Manager 7.0 series prior to patch 5
Access Manager 7.1
You can obtain the files DESGenKey.java and ReplayPasswd.java by contacting Sun technical support.
Download the files DESGenKey.java and ReplayPasswd.java to the following directory:
Change to the following directory:
Compile ReplayPasswd.java and DESGenKey.java as follows
AccessManager-base\lib javac -classpath AccessManager-base\lib\am_services.jar;AccessManager-base\lib\am_sdk.jar;AccessManager-base\lib\servlet.jar ReplayPasswd.java DESGenKey.java
Execute DESgenKey.class as follows:
AccessManager-base\lib java com.sun.identity.common.DESGenKey
AccessManager-base\lib java DESGenKey
Executing the DESgenKey.class returns a string output.
Add the string produced in the previous step to a newly created text file as described in the substeps that follow.
Configure the com.sun.am.replaypasswd.key property in the AMConfig.properties configuration file as described in the substeps that follow.
Open the AMConfig.properties configuration file.
Add the following property to the file:
Copy the string from the des_key.txt file.
Add the copied string as the value of the com.sun.am.replaypasswd.key property.
For example, if the string in the des_key.txt file is wuqUJyr=5Gc=, then the new property would be set as follows:
com.sun.am.replaypasswd.key = wuqUJyr=5Gc=
Save and close the AMConfig.properties configuration file.
Deploy the post-authentication plug-in, ReplayPasswd, as described in the substeps that follow.
This step requires the use of Access Manager Console.
Log in to Access Manager as amadmin.
With the Access Control tab selected, click the name of the realm you wish to configure.
Click the Authentication tab.
Click Advanced Properties.
The Advanced Properties button is in the General section.
Scroll down to the Authentication Post Processing Classes field.
In the Authentication Post Processing Classes field, enter the appropriate text depending upon the Access Manager version:
Enter the following: com.sun.identity.authentication.spi.ReplayPasswd
Enter the following: ReplayPasswd
Scroll up to click Save.
Click Log Out to log out of the Access Manager Console.
Verify the deployment of the post-authentication plug-in, ReplayPasswd, as described in the substeps that follow.
Stop Access Manager.
Access the AMConfig.properties configuration file.
Note the value of the following property before changing it to message, as indicated:
com.iplanet.services.debug.level = message
You must change this value back to its original value at the completion of this step.
Save and close the file.
Start Access Manager.
Log in to Access Manager Console.
Again use amadmin.
Click Log Out to immediately log out of the Access Manager Console.
Change directories to the Access Manager debug log files.
The default location of the debug log files is /var/opt/SUNWam/debug.
Verify the existence of a file named ReplayPasswd.
The existence of this file indicates the successful deployment of the post-authentication plug-in.
Reset the debug value to its original value.
Restart Access Manager.
This task is performed in Microsoft IIS 5.0 server.
Start the Internet Services Manager.
Right click the web site that is protected by the agent.
Select Properties from the drop-down list.
Select Directory Security.
Select Edit in Authentication and access control.
By default, “Enable anonymous access” is selected.
Uncheck the “Enable anonymous access” box.
Check the box Basic Authentication.
Click OK to save the changes.
Restart the web site.