Friday, June 12, 2009
Credential Mapping Error
Setting up IWA is a fairly straight forward task. All you need are an OAM environment, an IIS server with WebGate installed and special IWA Authentication Scheme. The IWA specific authentication scheme requires a credential mapping plugin to map the REMOTE_USER HTTP header variable set by IIS to a user attribute in the OAM user directory. WebGate even takes care of parsing the domain name from REMOTE_USER for you, what could be easier?
So assuming you followed all of hte instructions and everything is set up perfectly, or at least you think it is, what do you do if you still have a problem. Specifically, what could be wrong if are getting a credential mapping error in the web browser and the access server oblog.log file.
I recently encountered just such a problem. I used the search base and filter from the credential mapping plugin and conducted my own search against the directory as the OAM service account and it worked perfectly. This was so puzzling. I looked for trailing spaces in the credential mapping plugin because I know that can occur with resource patterns and ldap urls in other parts of Policy Manager. I finally compared a working credential mapping plugin to the IWA one. The different was in the quotation marks. The IWA credential mapping had been copied and pasted from the Metalink article discussing how to set up IWA in OAM. They were obviously from the wrong character set. Replacing the quotation marks solved the problem.
So assuming you followed all of hte instructions and everything is set up perfectly, or at least you think it is, what do you do if you still have a problem. Specifically, what could be wrong if are getting a credential mapping error in the web browser and the access server oblog.log file.
I recently encountered just such a problem. I used the search base and filter from the credential mapping plugin and conducted my own search against the directory as the OAM service account and it worked perfectly. This was so puzzling. I looked for trailing spaces in the credential mapping plugin because I know that can occur with resource patterns and ldap urls in other parts of Policy Manager. I finally compared a working credential mapping plugin to the IWA one. The different was in the quotation marks. The IWA credential mapping had been copied and pasted from the Metalink article discussing how to set up IWA in OAM. They were obviously from the wrong character set. Replacing the quotation marks solved the problem.
Labels: Authentication Scheme, Credential Mapping Error, Integrated Windows Authentication
Permalink posted by Dave Bennett @ 10:16 a.m. 
Comments:
<< Home
I was wondering if you have tried setting up webgate to perform IWA authentication with Apache on Linux using mod_auth_kerb module? It's something we are going to try to setup. If you have done it before, it would be great if you could post the details.
# posted by 
: 12:29 p.m.
: 12:29 p.m.
No, we've not tried that.
We've done some creative things with IWA like pulling at least one resource for a form login page from an IWA protected IIS server to seamlessly log the use in if possible.
Post a Comment
We've done some creative things with IWA like pulling at least one resource for a form login page from an IWA protected IIS server to seamlessly log the use in if possible.
<< Home
