Can UAG in error use group membership data of a different user to authorise access to applications?


Hi all,

    We have a standalone Forefront UAG server that is authenticating against and using authorisation data from an Active Directory repository. Our Active Directory forest consists of 2 domains with users defined in both (e.g. contoso.com and ad.contoso.com) but the UAG portal and application users will only reside in the latter. Because of the location of the user accounts, the UAG repository configuration uses the LDAP DN root, LDAP account and domain controllers for the domain for the ad.contoso.com domain. UAG is configured to limit access to the application to a single user group in the ad.contoso.com domain using the "Authorisation" tab under the "Application Properties".

    The problem is that for user accounts in the 2 domains that share the same username, the UAG authenticates the user using the account in the ad.contoso.com domain BUT authorises the user based on the group membership associated with the user account in the contoso.com domain, even when the user supplies the domain in the authentication response to the browser; it appears to me that it does an LDAP search based on the username without the domain data, finds the first matching user DN (in our case the wrong account) and then does a group search based on that DN.

    To reproduce the issue:

    1. Create the forest and sub domain as above

    2. Create user accounts CONTOSO\user1 and AD\user1 and group AD\group1. Make AD\user1 member of AD\group1.

    3. Create authentication repository, portal and application on UAG and limit access to the application to AD\group1.

    4. Use a web browser to access the UAG application and authenticate as AD\user1. Access to the application is denied. Logs show authentication was successful but authorisation to the application URL failed.

    5. Add CONTOSO\user1 to AD\group1 and retry step 4 still authenticating as AD\user1 - access to the application is allowed.

    Has anyone come across this problem? Is there a fix?

    If not, is there a way I can collect more debugging information? Is the authorisation algorithm implementation customisable like the certificate authentication and the look and feel of UAG pages?

    Thanks,

    Paul

    Thursday, August 15, 2013 12:26 PM
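The lookup behaviour suspected in the post, written out as an added simulation (this is illustrative code, not UAG's implementation and not code from the poster): a constructed in-memory directory holds two `user1` accounts in the two domains of the forest, and two authorisation checks are compared. The first drops the `DOMAIN\` prefix and takes the first `sAMAccountName` match, the second keeps the prefix and restricts the search to that domain's naming context. The DNs, the `DOMAIN_BASE_DN` mapping and the group name are assumptions chosen to match the reproduction steps.

```python
"""Constructed simulation of an ambiguous sAMAccountName lookup across two domains
of one forest.  Not UAG code; the directory contents below are made up to match
the reproduction steps in the post (CONTOSO\\user1, AD\\user1, AD\\group1)."""

# Constructed directory: DN -> attributes.  The contoso.com entry is listed first so
# that a "first match wins" search returns the wrong account, as the post suspects.
DIRECTORY = {
    "CN=user1,CN=Users,DC=contoso,DC=com": {
        "sAMAccountName": "user1",
        "memberOf": [],
    },
    "CN=user1,CN=Users,DC=ad,DC=contoso,DC=com": {
        "sAMAccountName": "user1",
        "memberOf": ["CN=group1,CN=Users,DC=ad,DC=contoso,DC=com"],
    },
}

# Assumed mapping from NetBIOS domain name to the base DN of that domain.
DOMAIN_BASE_DN = {
    "CONTOSO": "DC=contoso,DC=com",
    "AD": "DC=ad,DC=contoso,DC=com",
}

# The group the application is limited to (AD\group1 in the post).
APP_ALLOWED_GROUP = "CN=group1,CN=Users,DC=ad,DC=contoso,DC=com"


def naming_context(dn):
    """Return only the DC= components of a DN, i.e. the domain it lives in."""
    return ",".join(p for p in dn.split(",") if p.upper().startswith("DC="))


def search_by_sam(sam, base_dn=None):
    """Return the first DN whose sAMAccountName matches.

    If base_dn is given, only entries in exactly that naming context match.
    A plain suffix comparison would be wrong here: DC=ad,DC=contoso,DC=com ends
    with DC=contoso,DC=com but is a separate domain, so the DC components are
    compared for equality instead.
    """
    for dn, attrs in DIRECTORY.items():
        if attrs["sAMAccountName"] != sam:
            continue
        if base_dn is not None and naming_context(dn) != base_dn:
            continue
        return dn
    return None


def member_of_allowed_group(dn):
    """Group check performed on whichever DN the search resolved to."""
    return dn is not None and APP_ALLOWED_GROUP in DIRECTORY[dn]["memberOf"]


def is_authorised_unscoped(logon_name):
    """Authorisation that discards the domain prefix before the directory lookup."""
    _, _, sam = logon_name.rpartition("\\")
    return member_of_allowed_group(search_by_sam(sam))


def is_authorised_scoped(logon_name):
    """Authorisation that keeps the domain and searches only its naming context."""
    domain, sep, sam = logon_name.rpartition("\\")
    if not sep or domain.upper() not in DOMAIN_BASE_DN:
        return False  # refuse an ambiguous logon name rather than guess a domain
    return member_of_allowed_group(search_by_sam(sam, DOMAIN_BASE_DN[domain.upper()]))


def add_member(dn, group_dn):
    """Simulate step 5 of the post: add an account to the application's group."""
    DIRECTORY[dn]["memberOf"].append(group_dn)


if __name__ == "__main__":
    # Step 4 of the post: AD\user1 is in AD\group1 but the unscoped check fails.
    print("unscoped AD\\user1:", is_authorised_unscoped("AD\\user1"))
    print("scoped   AD\\user1:", is_authorised_scoped("AD\\user1"))
    # Step 5: adding CONTOSO\user1 to the group makes the unscoped check pass.
    add_member("CN=user1,CN=Users,DC=contoso,DC=com", APP_ALLOWED_GROUP)
    print("unscoped AD\\user1 after step 5:", is_authorised_unscoped("AD\\user1"))
```

When run, the unscoped check denies `AD\user1` and then allows it only after `CONTOSO\user1` is added to the group, which is the sequence in steps 4 and 5; the scoped check allows `AD\user1` throughout and denies `CONTOSO\user1`. The practical check this suggests when reading the gateway's logs is to compare the DN that the group lookup actually resolved to against the naming context of the domain the user authenticated to: if the DC= components differ, the authorisation decision was made on the wrong account.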