Tech Tip : CA Single Sign-On : Authenticate users with this format: domain\username

Discussion created by Patrick-Dussault Employee on Nov 14, 2018

Question:

 

When I try to log the user in with domain\userid in an HTML Form, it
doesn't work, but using the userid alone works fine. I'd like to know
why.


Answer:

 

The domain is needed, and used, only when the user is authenticated
with a Windows Authentication Scheme. With that scheme, the Policy
Server does not perform the authentication itself; the IIS server does.

Configure a Windows Authentication Scheme

 

Note: The IIS web server, not the Policy Server, performs
authentication based on credentials it receives from the Internet
Explorer web browser. Therefore, you cannot use the OnAuthAttempt
authentication event to redirect users who do not exist in the user
store.

 

https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/policy-server-configuration/authentication-schemes/windows-authentication-schemes

 

You might use the GD module:

 

Extended NTLM Authentication for CA Single Sign-On

 

According to this module's documentation:

 

Extended NTLM Authentication for CA Single Sign-On User Guide

 

"The solution has the added capability of validating the user's password
against an Active Directory User Store (/LDAP Directory User Store) in
which the user's account is located when the user submits a domain name,
login ID and password via an HTML Form.

In both IWA and Forms modes, the authentication scheme supports
multiple AD Domains, configured as separate CA Single Sign-On User
Directory objects in the CA Single Sign-On policy store, and will
only attempt to disambiguate the user in the User Directory/AD
Instance that is associated with the <domain> value passed to CA
Single Sign-On by IIS or by the HTML Form. This will allow a user's
account to be located in the correct AD instance with a single
search, even though the user's username may exist in multiple AD
Domains."

 

https://support.ca.com/phpdocs/7/5262/Extended_NTLM_Authentication_for_CA_Single_Sign-On_3.0.zip

 

But according to the GD support matrix, the latest module version, 3.0,
appears to be supported only with Policy Server 12.52 SP1. You might also
open an Idea certification request to get the module ported to Policy
Server 12.8.

 

Extended NTLM Authentication for CA Single Sign-On

 

| PWP Version | Component | Component Version | Operating System |
|-------------|---------------|-------------------|-----------------------------|
| 3.0 | Policy Server | 12.52 SP1 | Product Supported Platforms |

(support matrix, p. 7)

 

https://support.ca.com/phpdocs/7/5262/5262_pkgd_work_product_support_matrix.pdf

You might also be able to implement a Custom Authentication Scheme using
the Active Directory APIs.
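To illustrate the behaviour described in the module guide above, and the lookup logic a custom scheme would need, here is an added example (not code from CA or from the GD module): it splits a `domain\username` login, scopes the user search to the User Directory mapped to that domain, and shows why a bare username can be ambiguous when the same login exists in several domains. The `USER_DIRECTORIES` table and the DN format are constructed stand-ins for real LDAP searches.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample data: each CA SSO User Directory object is modelled as a
# domain name mapped to the sAMAccountName values it holds (hypothetical).
USER_DIRECTORIES: Dict[str, List[str]] = {
    "CORP": ["jsmith", "adoe"],
    "LAB": ["jsmith"],  # same login deliberately exists in two domains
}


def parse_login(login: str) -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\user' into (domain, user); a bare user yields (None, user)."""
    if "\\" in login:
        domain, _, user = login.partition("\\")
        if not domain or not user:
            raise ValueError("malformed login, expected domain\\username")
        return domain.upper(), user
    return None, login


def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515) so that the
    submitted login cannot alter the query sent to the directory."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def build_filter(user: str) -> str:
    """Filter a custom scheme would send to AD to find the account."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(user)}))"


def locate_user(login: str) -> List[str]:
    """Return the DNs matching the login. With a domain, only the directory
    tied to that domain is searched (single search); without one, every
    directory is searched, which may yield several candidates."""
    domain, user = parse_login(login)
    scopes = [domain] if domain else list(USER_DIRECTORIES)
    hits: List[str] = []
    for name in scopes:
        if name not in USER_DIRECTORIES:
            continue  # unknown domain: no directory to search, so no match
        # Stand-in for an LDAP search of that directory with build_filter(user).
        if user.lower() in USER_DIRECTORIES[name]:
            hits.append(f"CN={user},DC={name.lower()},DC=example")
    return hits
```

A scheme should authenticate only when `locate_user` returns exactly one DN; two hits for a bare `jsmith` means the account cannot be disambiguated without the domain.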

 

Managing Users
https://docs.microsoft.com/en-us/windows/desktop/ad/managing-users

 

Querying for Users
https://docs.microsoft.com/en-us/windows/desktop/ad/querying-for-users

 

KB: KB000121203
