Single sign on problem

  • Question

  • I am still in the testing stages of UAG and remote apps, and the problem arises when launching a remote app from the UAG portal. Single sign-on is enabled; however, our domain usernames are of the form firstname<space>lastname, and this is replaced by firstname+lastname, e.g. "domain\john smith" becomes "domain\john+smith" when trying to authenticate to the RDS server. This inevitably fails and I have to log in manually, which kind of defeats the purpose of single sign-on.

    Is it possible to change this behaviour, and if so, how?

    Thanks

    Wednesday, November 2, 2011 3:02 PM

Answers

  • Thanks Peter. I'm going to change all my users' usernames. It's going to get too messy like this, and I don't know why UAG doesn't support it. I'll be getting it to do more in the future, so I'd rather just have it work out of the box.

    Thanks for the help

    • Marked as answer by dgwd Wednesday, November 23, 2011 11:14 AM
    Wednesday, November 23, 2011 11:14 AM

All replies

  • Hi DGWD,

    Did you update to the latest UAG SP1 Update 1? In this update the UAG team has fixed some bugs concerning credential encoding for RDP SSO scenarios.

    Refer to this post for more information...

    http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/5189fc0d-bc96-4e67-b847-e26c6038bc5f

    -Kai


    This posting is provided "AS IS" without any warranties. Kai Wilke | ITaCS GmbH | GERMANY, Berlin | www.itacs.de
    Friday, November 4, 2011 10:08 AM
  • Hi Kai

    Thanks for the response. I read the list of fixes included in the update, and I think the one that you are referring to is "Users cannot log on if password includes the plus character (+)", which is not exactly what the problem is. Regardless, I installed the update and it made no difference.

    Actually, I like the idea of your customisation of the login page, and I think that would work, but I have no idea where the function is that passes the credentials forward from the UAG machine to the RDS machine. Given that it replaces a space with a plus, I suspect that it is some form of URL encoding that needs to be curtailed. I also understand that I can customise UAG to use the UPN as the passed credential, but this has a space in it, too ("first last@domain"). I'm a bit stuck here, unfortunately.

    Thanks again

    Brian

    Friday, November 4, 2011 3:20 PM
  • We've had similar problems to you with the user names UAG is passing through to applications we publish via the trunk. The way we get around these issues is to create our own dummy authentication server (Admin -> Authentication and Authorisation Servers) and then add a file to \von\InternalSite with the naming format: name of trunk + (1 for SSL, 0 for non-SSL) + PostPostValidate; e.g. if your trunk is called contoso and running SSL, the file name would be contoso1PostPostValidate.inc. In this file you can then manipulate the current user name, replace it with what you require and store it in the session for the dummy authentication server. The file uses VBScript, and the script below assumes you called the dummy authentication server 'X'.

    <%
    ' Get the logged-on name and password from the UAG session
    Set LeadUserObj = GetSessionLeadUser(g_cookie)
    LeadUserName = LeadUserObj.User
    Set LeadUserObj = Nothing

    ' "num" is not defined in this snippet; the including UAG page is assumed to supply it
    Session_Password = Session("password" & num)

    ' Modify the name: turn the "+" back into the space the user name originally had
    Modifieduser = Replace(LeadUserName, "+", " ")

    ' Store the corrected credentials in the session for the dummy authentication server "X"
    ' ("Call" is needed because VBScript rejects a multi-argument procedure call written with parentheses)
    Call AddSessionUser(g_cookie, Modifieduser, Session_Password, "X")
    %>

    For the app you are publishing use the "X" authentication server rather than the domain one. I haven't tested this script at all but hopefully it might point you in a direction that will solve your problem.

    Many thanks,

    Peter

    Monday, November 14, 2011 2:30 PM
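    Brian's suspicion above that the "+" comes from form-style URL encoding, and the Replace(LeadUserName, "+", " ") in Peter's script, can be checked with a small Python illustration (added here; it is not part of the thread or of UAG, and the account names are constructed):

```python
from urllib.parse import quote_plus, unquote_plus

# Constructed sample account names (not taken from the thread).
# The backslash is left unencoded so the focus stays on how the space and "+" are handled.
SAFE = "\\"

def form_encode(user: str) -> str:
    """application/x-www-form-urlencoded: a space becomes '+', a literal '+' becomes '%2B'."""
    return quote_plus(user, safe=SAFE)

def naive_fix(value: str) -> str:
    """Equivalent of Replace(LeadUserName, "+", " ") in the VBScript above."""
    return value.replace("+", " ")

def proper_decode(value: str) -> str:
    """Inverse of form encoding; only correct if the value really was form-encoded."""
    return unquote_plus(value)

def compare(user: str, encoded: bool) -> dict:
    """Apply both repairs to a name that either did or did not pass through form encoding."""
    value = form_encode(user) if encoded else user
    return {
        "received": value,
        "naive_ok": naive_fix(value) == user,
        "decode_ok": proper_decode(value) == user,
    }

if __name__ == "__main__":
    cases = [("domain\\john smith", True), ("domain\\a+b", True), ("domain\\a+b", False)]
    for user, enc in cases:
        print(user, "form-encoded" if enc else "raw", compare(user, enc))
```

    The third case shows the limit of both repairs: a name that legitimately contains "+" and was never encoded is indistinguishable from an encoded space, so the mangling is best fixed at the layer that performs the encoding (which is what the update note about "+" in passwords points at) rather than patched after the fact.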