How to bypass UAG 2010 authentication when publishing generic website using AAM

  • Question

  • We are publishing a generic website with the format FQDN/folder using UAG 2010 AAM. The site is published but authentication is not working. There is a login button on the site. It will ask for an AD username and password to authenticate. The IIS site at the backend is configured using Windows authentication.

    Working with UAG authentication page

    If authentication from Advanced trunk configuration and SSO are both enabled, AD User can log in without typing the username and password

    If only SSO is enabled, AD User can also log in with username and password

    Not working without UAG authentication page

    If only authentication from Advanced trunk configuration is enabled, AD User cannot log in

    If authentication is not enabled from Advanced trunk configuration, AD User cannot log in

    No warnings or errors show in the Web Monitor.

    The goal is to not use the UAG authentication page. Currently the website is published using ISA2004 and we are migrating to UAG.

    Please help; I appreciate it.


    Daniel

    Tuesday, May 22, 2012 8:38 PM

All replies

  • If I understand you correctly, you want UAG to use pass-through authentication to a Windows integrated web site?

    If so you need this registry key: HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter\FullAuthPassthru as discussed here: http://technet.microsoft.com/en-us/library/ee809087.aspx

    You may also need the HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter\KeepClientAuthHeader key.

    Be sure to activate after adding the registry key to add the setting to the UAG configuration.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk


    Tuesday, May 22, 2012 10:25 PM
    Moderator
  • Thank you, I will give it a try in the lab and let you know.


    Daniel

    Wednesday, May 23, 2012 2:11 AM
  • By default FullAuthPassthru is set to 1 (UAG version SP1 with hotfix). It was changed to 0, followed by an IIS reset and activation, and it works. (There is no KeepClientAuthHeader key and I did not create it.)

    The user will see a slightly different login window than before. It shows "The server test.domain.com at UAG-435XXXX.... requires a username and password" in the login window vs. "Connection to test.domain.com" previously. I guess it may just be the way UAG passthru works. (There is a login button on the home webpage, not the UAG page.)

    Thanks for the help


    Daniel

    Wednesday, May 23, 2012 7:28 PM
  • I hope that there is a way to remove the following message, which is the actual text from the login window. It is easy to know that UAG is used for this website.

    The server test.domain.com at UAG-4335304636423333383941363434424438373741374346423439413442363233_E13F0DAB-DAD5-4C72-BB00-057F8EEB1F65 requires a username and password.


    Daniel

    Thursday, May 24, 2012 12:20 AM