Using the Microsoft Protocol Transition Policy
Learn how to use the Microsoft Protocol Transition Policy to automatically transition inbound identities into outbound Windows security identities within a Microsoft Windows security environment.
The "Microsoft Protocol Transition Policy" is an Intermediary for Microsoft operational policy that is installed into the Policy Manager Management Console as part of the Intermediary for Microsoft product installation.
With this policy, you can enable and specify details for Microsoft's protocol transition feature. With protocol transition, an API gateway can automatically transition inbound identities into outbound Windows security identities within a Microsoft Windows security environment. By default, a service or service operation without a Protocol Transition policy attached will not support protocol transition.
To install this policy, see Chapter 3: Installing SOA Software Intermediary for Microsoft Policy Manager Policy section of the SOA Software Intermediary for Microsoft® Install Guide for installation instructions.
Constrained delegation with "Use any authentication protocol" (protocol transition) must be enabled in Active Directory for the application pool account, and the delegation list must contain the SPN of each back-end service the gateway forwards to. (If the application pool identity is NETWORK SERVICE or LOCAL SYSTEM, the account to configure is the machine account.)
Note: The application pool account that IMS runs under must be granted the "Act as part of the operating system" privilege (SeTcbPrivilege). Without it, protocol transition produces only an identification-level token, which cannot be used to call the back-end service as the transitioned user.
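The two prerequisites above are Active Directory and local security policy settings rather than Policy Manager settings. The following PowerShell is an added example (not part of the Akana documentation) showing how an administrator would apply and verify them from an elevated session on a domain-joined host with the ActiveDirectory module. The account name svc-ims, the gateway host IMSGW01 and the back-end SPN HTTP/appsrv01.corp.example are assumed placeholders.

```powershell
# Added example: configure constrained delegation with protocol transition for the
# IMS application pool account and verify the SeTcbPrivilege assignment.
# Assumed names (replace with your own): svc-ims, IMSGW01, HTTP/appsrv01.corp.example
Import-Module ActiveDirectory

$backendSpn = 'HTTP/appsrv01.corp.example'

# Case 1: the application pool runs under a dedicated domain service account.
$poolAccount = Get-ADUser -Identity 'svc-ims'

# "Use any authentication protocol" sets TRUSTED_TO_AUTH_FOR_DELEGATION on the account.
# This is a high-privilege flag: the account can obtain a token for any user to the
# listed SPNs without that user's password, so keep the SPN list minimal.
Set-ADAccountControl -Identity $poolAccount -TrustedToAuthForDelegation $true

# Constrain delegation to the back-end SPN(s) only (msDS-AllowedToDelegateTo).
Set-ADUser -Identity $poolAccount -Add @{ 'msDS-AllowedToDelegateTo' = $backendSpn }

# Case 2: the pool runs as NETWORK SERVICE or LOCAL SYSTEM, so the delegating
# principal is the gateway's machine account instead (uncomment to use).
# $machine = Get-ADComputer -Identity 'IMSGW01'
# Set-ADAccountControl -Identity $machine -TrustedToAuthForDelegation $true
# Set-ADComputer -Identity $machine -Add @{ 'msDS-AllowedToDelegateTo' = $backendSpn }

# Verify the delegation settings before attaching the policy.
Get-ADUser -Identity $poolAccount -Properties TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
    Select-Object SamAccountName, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

# Verify the local "Act as part of the operating system" right on the IMS host.
# secedit exports the effective local policy; the SeTcbPrivilege line lists the
# SIDs/accounts holding the right. The pool account (or the machine account) must appear.
$cfg = Join-Path $env:TEMP 'secpol.cfg'
secedit /export /cfg $cfg /quiet
Select-String -Path $cfg -Pattern '^SeTcbPrivilege' | ForEach-Object { $_.Line }
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Assigning SeTcbPrivilege itself is done through Local Security Policy (User Rights Assignment) or Group Policy; the script only confirms the assignment. Replication delay applies to the AD changes, so re-run the verification against the domain controller the gateway host authenticates to if the policy still reports delegation errors.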
Let's take a quick walkthrough of the Microsoft Protocol Transition Policy configuration process to get you started.
Step 1: Add Policy
You can create a Microsoft Protocol Transition Policy instance using Add Policy in the Policies > Operational Policies section. The summary screen will look like this:
Step 2: Modify Policy
When you Modify the Microsoft Protocol Transition Policy on the Policy Details page the initial policy will look like this:
Step 3: Configure Policy
Configure the Microsoft Protocol Transition Policy as follows:
Source Subject Category
- Consumer - This protocol transition policy will only affect identities with consumer subject categories.
- End-User - This protocol transition policy will only affect identities with end-user subject categories.
- User-Defined - This protocol transition policy will only affect identities with the user-defined subject categories you provide.
Credential Options > Username/Password
- Authenticated Credentials - Determines how username credentials previously authenticated by the API Gateway are handled. If Transition is selected, they are transitioned to Windows security using protocol transition, which needs only the username. If Login is selected, a Windows login is performed with the supplied username and password to produce a Windows security token.
- Unauthenticated Credentials - Determines how username credentials not previously authenticated by the API Gateway are handled. If Transition is selected, they are transitioned to Windows security. If Login is selected, a Windows login occurs to produce a Windows security token. If Reject is selected, the transaction fails. Note that Transition produces a Windows identity from a username the gateway has not verified, so any caller able to reach the service could supply an arbitrary username; unless an upstream policy already authenticates these credentials, Login or Reject is the safer choice.
Step 4: Attach Policy
After you have saved your policy, you can attach it to an Intermediary for Microsoft virtual service in Policy Manager, or you can attach the policy at the Organization level so that it is active for all services defined within the organization.
Step 5: Test Policy
After you have attached the Microsoft Protocol Transition Policy to a virtual service, send a request to your service and view the results in your client. You can also go to the Services > Monitoring section to view the results for Logs (i.e., View Usage Record Details), Real Time Charts, and Historical Charts. Refer to the Policy Manager Online Help (i.e., Help button) for more information on using the monitoring functions.
If you receive errors, review the log information for details. In most cases, errors are associated with the Active Directory delegation settings or the IMS application pool account's permissions (the constrained delegation configuration and the "Act as part of the operating system" privilege described above). Update the settings and retry.
For use case information on this policy refer to the following topic on the Akana Customer Support site: