Symantec Access Management

Tech Tip : CA Single Sign-On : Authenticate users with this format: domain\username


    Broadcom Employee
    Posted Nov 14, 2018 03:53 AM

    Question:

    When I'm trying to log in the user with domain\userid in an HTML Form,
    it doesn't work, but using the userid only works fine, and I'd like to
    know why?


    Answer:

    The domain is needed and used when authenticating the user with
    Windows Authentication. With this Authentication Scheme, the Policy
    Server doesn't do the authentication; the IIS server does.

    Configure a Windows Authentication Scheme

    Note: The IIS web server, not the Policy Server, performs
    authentication based on credentials it receives from the Internet
    Explorer web browser. Therefore, you cannot use the OnAuthAttempt
    authentication event to redirect users who do not exist in the user
    store.

    https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/policy-server-configuration/authentication-schemes/windows-authentication-schemes

    You might use the GD module:

    Extended NTLM Authentication for CA Single Sign-On

    According to this module's documentation:

    Extended NTLM Authentication for CA Single Sign-On User Guide

    "The solution has added capability of validating the user’s password
    against an Active Directory User Store (/Ldap Directory User Store) in
    which the user's account is located when the user submits a domain name,
    login ID and password via an HTML Form.

    In both IWA and Forms modes, the authentication scheme supports
    multiple AD Domains, configured as separate CA Single Sign-On User
    Directory objects in the CA Single Sign-On policy store, and will
    only attempt to disambiguate the user in the User Directory/AD
    Instance, that is associated with the <domain> value passed to CA
    Single Sign-On by IIS or by the HTML Form. This will allow a user’s
    account to be located in the correct AD instance with a single
    search, even though the user’s username may exist in multiple AD
    Domains."

    https://support.ca.com/phpdocs/7/5262/Extended_NTLM_Authentication_for_CA_Single_Sign-On_3.0.zip

    But according to the GD support matrix, the latest module version, 3.0,
    seems to be supported only with Policy Server 12.52 SP1. You might also
    open an Idea certification request to get the module ported to Policy
    Server 12.8.

    Extended NTLM Authentication for CA Single Sign-On

    | PWP Version | Component     | Component Version | Operating System            |
    |-------------|---------------|-------------------|-----------------------------|
    | 3.0         | Policy Server | 12.52 SP1         | Product Supported Platforms |

    (p. 7)

    https://support.ca.com/phpdocs/7/5262/5262_pkgd_work_product_support_matrix.pdf

    You might also be able to implement a Custom Authentication Scheme using
    Active Directory APIs.

    Managing Users
    https://docs.microsoft.com/en-us/windows/desktop/ad/managing-users

    Querying for Users
    https://docs.microsoft.com/en-us/windows/desktop/ad/querying-for-users
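    The behaviour the Extended NTLM guide describes (use the submitted <domain> to pick one User Directory and run a single search there, even when the same username exists in several AD domains) is also the core of what a custom authentication scheme would have to do. The following is an added example, not code from CA Single Sign-On or from the Extended NTLM module: it parses the `domain\username` value an HTML form submits, maps the domain to the directory bound to it, and builds the one LDAP search. The directory names, base DNs and the `DIRECTORIES` mapping are constructed for the example; the RFC 4515 escaping is there because the username comes straight from the form and must not be able to change the filter.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class UserDirectory:
    """One CA SSO User Directory object bound to one AD domain (assumed layout)."""
    name: str         # policy-store object name (constructed)
    search_root: str  # LDAP base DN of that AD instance (constructed)


# Constructed sample: two AD domains, each its own User Directory object.
# The same sAMAccountName may legitimately exist in both.
DIRECTORIES = {
    "CORP": UserDirectory("AD-CORP", "DC=corp,DC=example,DC=com"),
    "LAB": UserDirectory("AD-LAB", "DC=lab,DC=example,DC=com"),
}

# 'DOMAIN\user' or bare 'user'; rejects empty parts and stray separators.
_LOGIN_RE = re.compile(r"^(?:(?P<domain>[^\\/@]+)\\)?(?P<user>[^\\/@]+)$")


def split_login(login):
    """Return (DOMAIN or None, user) from what the HTML form submitted."""
    match = _LOGIN_RE.match(login.strip())
    if not match:
        raise ValueError("login must be 'user' or 'DOMAIN\\user'")
    domain = match.group("domain")
    return (domain.upper() if domain else None, match.group("user"))


def escape_filter(value):
    """RFC 4515 escaping, so form input cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def resolve_search(login, directories=DIRECTORIES):
    """Pick the directory bound to the submitted domain and build one search.

    Returns (directory_name, base_dn, ldap_filter).  A bare user ID is accepted
    only when a single directory is configured; with several it is ambiguous,
    which is exactly the situation the domain prefix exists to resolve.
    """
    domain, user = split_login(login)
    if domain is None:
        if len(directories) != 1:
            raise LookupError("no domain given and several directories configured")
        directory = next(iter(directories.values()))
    elif domain in directories:
        directory = directories[domain]
    else:
        raise LookupError("no user directory is bound to domain %r" % domain)
    ldap_filter = "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter(user)
    return directory.name, directory.search_root, ldap_filter


if __name__ == "__main__":
    for login in ("CORP\\jdoe", "lab\\jdoe", "CORP\\j*doe", "jdoe", "OTHER\\jdoe"):
        try:
            print(login, "->", resolve_search(login))
        except (ValueError, LookupError) as exc:
            print(login, "-> rejected:", exc)
```

    Two design points worth keeping when this is turned into a real scheme: an unknown domain is rejected before any directory is contacted, rather than falling back to searching every directory (which would reintroduce the ambiguity the domain prefix is meant to remove), and the password is only ever validated by binding against the directory that was selected, never by comparing it locally.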

    KB: KB000121203