Using the Microsoft Protocol Transition Policy

Learn how to use the Microsoft Protocol Transition Policy to automatically transition inbound identities into outbound Windows security identities within a Microsoft Windows security environment.

Introduction

The Microsoft Protocol Transition Policy is an Intermediary for Microsoft operational policy that is installed to the Policy Manager Management Console as part of the Intermediary for Microsoft product installation.

With this policy, you can enable and specify details for Microsoft's protocol transition feature. With protocol transition, the API gateway can automatically transition an inbound identity (for example, a username authenticated by the gateway) into an outbound Windows security identity so that downstream calls are made as that Windows user. By default, a service or service operation without a Protocol Transition policy attached does not perform protocol transition.

Constrained Delegation

Constrained delegation with the "Use any authentication protocol" option (Kerberos protocol transition, which relies on the S4U2Self and S4U2Proxy extensions) must be enabled in Active Directory for the application pool account, limited to the SPNs of the back-end services the gateway calls. If the application pool identity is NETWORK SERVICE or LOCAL SYSTEM, the account to configure is the computer account of the gateway host, because those identities authenticate on the network as the machine.

Note: The application pool account that IMS runs under must also hold the "Act as part of the operating system" user right (SeTcbPrivilege) on the gateway host. Together, these two settings allow that account to obtain a Windows token for any user without that user's credentials, so treat it as a privileged account: dedicate it to IMS, keep the list of SPNs it may delegate to as short as possible, and never select "Trust this user for delegation to any service".
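The following PowerShell script is an added example, not part of the product documentation, that configures and verifies the two Active Directory and host prerequisites above. The first part runs on a domain controller or an administrative workstation with the ActiveDirectory RSAT module; the second part runs on the gateway host itself. The account name SVC-IMS, the host name IMSHOST, the domain CORP and the back-end SPNs are assumptions and must be replaced with your own values.

```powershell
# Added example (not from the product documentation).
# Part 1: enable constrained delegation with protocol transition on the
# application pool account and restrict it to the back-end SPNs.
Import-Module ActiveDirectory

$PoolAccount   = 'SVC-IMS'      # assumption: domain account running the IMS app pool
$IsMachineAcct = $false         # $true when the pool runs as NETWORK SERVICE / LOCAL SYSTEM
$ComputerName  = 'IMSHOST'      # assumption: gateway host, used only when $IsMachineAcct
$BackendSpns   = @('HTTP/backend.corp.example.com', 'HTTP/backend')  # assumption

# NETWORK SERVICE / LOCAL SYSTEM present the computer account on the network,
# so delegation must be configured on the computer object in that case.
$acct = if ($IsMachineAcct) {
    Get-ADComputer -Identity $ComputerName -Properties 'msDS-AllowedToDelegateTo'
} else {
    Get-ADUser -Identity $PoolAccount -Properties 'msDS-AllowedToDelegateTo'
}

# "Use any authentication protocol" sets TRUSTED_TO_AUTH_FOR_DELEGATION
# (userAccountControl bit 0x1000000). This is the flag that lets the gateway
# obtain a service ticket for an inbound user via S4U2Self without a password.
Set-ADAccountControl -Identity $acct -TrustedToAuthForDelegation $true

# Replace (not append to) the allowed-target list so stale SPNs do not linger.
if ($acct.'msDS-AllowedToDelegateTo'.Count -gt 0) {
    Set-ADObject -Identity $acct -Clear 'msDS-AllowedToDelegateTo'
}
Set-ADObject -Identity $acct -Add @{ 'msDS-AllowedToDelegateTo' = $BackendSpns }

# Verify directly from the raw attributes rather than trusting the cmdlet output.
$check = Get-ADObject -Identity $acct -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
$protocolTransition = ($check.userAccountControl -band 0x1000000) -ne 0
"Protocol transition enabled : $protocolTransition"
"Delegation targets          : $($check.'msDS-AllowedToDelegateTo' -join ', ')"
if (-not $protocolTransition -or -not $check.'msDS-AllowedToDelegateTo') {
    Write-Warning 'Constrained delegation is not configured as expected.'
}

# Part 2 (run on the gateway host): confirm the pool identity holds
# "Act as part of the operating system" (SeTcbPrivilege) in the local policy.
# For NETWORK SERVICE / LOCAL SYSTEM the right is granted to the local principal.
$PoolPrincipal = if ($IsMachineAcct) { 'NT AUTHORITY\NETWORK SERVICE' } else { "CORP\$PoolAccount" }  # assumption
$sid = (New-Object System.Security.Principal.NTAccount($PoolPrincipal)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value

$cfg = Join-Path $env:TEMP 'ims-secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
# The exported line looks like: SeTcbPrivilege = *S-1-5-21-...,*S-1-5-20
$tcbLine = Get-Content $cfg | Where-Object { $_ -like 'SeTcbPrivilege*' }
Remove-Item $cfg -ErrorAction SilentlyContinue

if ($tcbLine -and $tcbLine -match [regex]::Escape($sid)) {
    "SeTcbPrivilege granted to $PoolPrincipal"
} else {
    Write-Warning "SeTcbPrivilege missing for $PoolPrincipal; add it under Local Security Policy > User Rights Assignment."
}
```

Run Part 1 with an account permitted to modify the pool account's delegation settings, and Part 2 from an elevated prompt on the gateway host, since secedit requires administrative rights. If the pool identity is changed later, repeat both parts for the new account; the delegation flag and the user right stay with the old account otherwise.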

Configuration

Let's take a quick walkthrough of the Microsoft Protocol Transition Policy configuration process to get you started.

Step 1: Add Policy

You can create a Microsoft Protocol Transition Policy instance using Add Policy in the Policies > Operational Policies section. The summary screen will look like this:

Step 2: Modify Policy

When you Modify the Microsoft Protocol Transition Policy on the Policy Details page, the initial policy will look like this:

Step 3: Configure Policy

Configure the Microsoft Protocol Transition Policy as follows:

Source Subject Category

  • Consumer—This protocol transition policy will only affect identities with consumer subject categories.
  • End-User—This protocol transition policy will only affect identities with end-user subject categories.
  • User-Defined—This protocol transition policy will only affect identities with the provided user defined subject categories.

Credential Options > Username/Password

  • Authenticated Credentials—Determines how username credentials previously authenticated by the API Gateway are handled. If Transition is selected, they are transitioned to Windows security (a Windows token for that username is obtained through protocol transition). If Login is selected, a Windows login with the supplied password is performed to produce a Windows security token.
  • Unauthenticated Credentials—Determines how username credentials not previously authenticated by the API Gateway are handled. If Transition is selected, they are transitioned to Windows security. If Login is selected, a Windows login is performed to produce a Windows security token. If Reject is selected, the transaction fails. Note that selecting Transition here produces a Windows token for whatever username the caller presents without the password ever being verified, so use Login or Reject for unauthenticated credentials unless another policy or an upstream component has already authenticated the identity.

Step 4: Attach Policy

After you have saved your policy, you can attach it to an Intermediary for Microsoft virtual service in Policy Manager, or you can attach the policy at the Organization level so that it is active for all services defined within the organization.

Step 5: Test Policy

After you have attached the Microsoft Protocol Transition Policy to a virtual service, send a request to your service and view the results in your client. You can also go to the Services > Monitoring section to view the results for Logs (View Usage Record Details), Real Time Charts, and Historical Charts.

If you receive errors, review the log information for details. In most cases, errors are associated with the Active Directory delegation settings or the permissions of the IMS application pool user (constrained delegation with protocol transition and the "Act as part of the operating system" right described above). Update the settings and retry.