Require domain prefix

  • Question

  • I've got UAG configured for AD Auth and it's working fine for login as well as SSO to applications.  The issue I'm having is that in my parent domain (where UAG lives) users do not have to put in the domain prefix.  I would like to force this for consistency with OWA/RDWeb/and other web portals that are currently being authenticated to separately.

    For a little clarification.

    AD Layout:

    sub1.domain.local [SUB1\JoeUser]

    sub2.sub1.domain.local [SUB2\SallyUser]

     

    UAG Auth:

    JoeUser doesn't have to type SUB1 and can login with just JoeUser/Password - SUB1\JoeUser/Password works fine too.

    SallyUser does have to type SUB2 and has to login with SUB2\SallyUser/Password

     

    I want to force everybody to type the domain prefix, including JoeUser.  Is this possible?

    Friday, May 28, 2010 1:19 PM

All replies

  • Hi Zachary,

    This is possible, but it is not a UI-based configuration setting; it would require a little bit of scripting (very simple though). If this is what you want to do, let me know here and I will give you the steps.

     

    -Ran

    Saturday, May 29, 2010 8:34 AM
  • I'm fine with doing some scripting, please provide the steps and I will give them a try.

    Since the solution requires light scripting, can it also be that the domain prefix be forced to a specific case (either upper or lower) for consistency?

    Thank you!

    Saturday, May 29, 2010 5:09 PM
  • Zachary,

    Since the solution is implemented in a script, yes, you can check that the domain submitted has been entered using a specific case, as well as any other check or enforcement you wish.

     

    Here’s what you need to do:

    1.     Locate the file repository.inc in the folder …\InternalSite\samples and copy it to the folder …\InternalSite\inc\CustomUpdate

    2.     Rename the copied file to match the name of your authentication server that you have configured for this trunk. For example, if the authentication server name in UAG is “AD”, rename repository.inc to AD.inc

    3.     Open the file for editing. The file contains 5 functions. Delete all the functions in the file, except the first one: CheckCredentials(user_name, password). Make sure you also leave in the file the ASP tags at the start and the end of the file: <% and %>

    4.     The CheckCredentials(…) function is not the authentication function; this is just a preliminary step used to perform some sanity checks on the credentials submitted by the end-users, so this is the perfect place for you to implement whatever checks you wish. You can leave the original code in there, which ensures the user name and the password do not exceed a certain length limit, and then write some additional VBScript to check if the user_name variable content is in the format domain\user, as well as to ensure that the domain part, if submitted, was in the correct case.

    HTH,

    -Ran

    • Marked as answer by Zachary Cook Tuesday, June 1, 2010 11:52 PM
    Saturday, May 29, 2010 6:30 PM
  • Thanks a bunch - the instructions worked great.

    My AD login for UAG is titled plainly 'ADAuth'

    So here is ADAuth.inc placed in inc\CustomUpdate folder.  I had to brush up on regex for classic asp but it's tested and works fine.

     

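    <%
    ' Preliminary sanity check only; the real authentication happens afterwards.
    function CheckCredentials(user_name,password)
      Dim rex
      Set rex = New RegExp
      ' Require domain\user: exactly one backslash with a non-empty part on
      ' each side. The unanchored "(.*)\\(.*)" also accepts "\user" and "\".
      rex.Pattern = "^[^\\]+\\[^\\]+$"
      Dim match
      match = rex.Test(user_name)
      if match = false then
        ' No domain prefix supplied
        CheckCredentials = false
      else
        ' Length limits kept from the original sample function
        if len(user_name) > UserNameLimit or len(password) > PasswordLimit then
          CheckCredentials = false
        else
          CheckCredentials = true
        end if
      end if
    end function
    %>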

    Tuesday, June 1, 2010 11:54 PM
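
The thread also asks about forcing the domain prefix to a specific case, which the posted ADAuth.inc does not check. The following is an added example, not code from the thread or from UAG, showing one way to do it inside the same CheckCredentials hook. `ALLOWED_DOMAINS` and `IsQualifiedLogon` are hypothetical names, the domain list is an assumption taken from the AD layout in the question, and the code goes between the `<%` and `%>` tags of the .inc file.

```vbscript
' Added example: stricter pre-check for the CustomUpdate .inc file.
' ALLOWED_DOMAINS is an assumed list built from the AD layout in the question;
' the prefixes are written in the exact case users must type.
Const ALLOWED_DOMAINS = "SUB1,SUB2"

' Returns True only for DOMAIN\user where there is exactly one backslash,
' both parts are non-empty, and DOMAIN matches an allowed prefix exactly.
Function IsQualifiedLogon(user_name)
  Dim parts, domain, d
  IsQualifiedLogon = False

  parts = Split(user_name, "\")
  If UBound(parts) <> 1 Then Exit Function        ' no backslash, or more than one

  domain = parts(0)
  If Len(domain) = 0 Or Len(parts(1)) = 0 Then Exit Function

  ' Binary comparison is case-sensitive, so "sub1" and "Sub1" are rejected.
  For Each d In Split(ALLOWED_DOMAINS, ",")
    If StrComp(domain, d, vbBinaryCompare) = 0 Then
      IsQualifiedLogon = True
      Exit Function
    End If
  Next
End Function

Function CheckCredentials(user_name, password)
  CheckCredentials = False

  ' Length limits kept from the sample function (UserNameLimit and
  ' PasswordLimit are the names used in the post above, defined elsewhere).
  If Len(user_name) > UserNameLimit Or Len(password) > PasswordLimit Then Exit Function

  CheckCredentials = IsQualifiedLogon(user_name)
End Function
```

With this list, `SUB1\JoeUser` and `SUB2\SallyUser` pass the pre-check, while `JoeUser`, `sub1\JoeUser` and `\JoeUser` do not.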