Disabled AD account and certificate based authentication


Hi All,

    Has anyone found a working solution to deny access to the portal for a disabled or locked-out AD account when authenticating to UAG with certificates?

    The previous discussion http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/8aa83f50-b29c-4789-966e-e4ce7f428a49 seemed to end with nothing.

    I've tried myself to add such functionality in CustomUpdates\<repository>.inc but found that the GetUserInformation() function is unable to get the "userAccountControl" attribute from the GC, while some other attributes it does get (e.g. "sn", "displayName", "mail"). Further, I've found that GetUserInformation() finds only AD attributes which have the "INDEX" flag set in the "searchFlag" attribute.

    GetUserInformation() calls the Session("UserMgrLayer").GetUserInformation (ASP?) method, but I couldn't find any documentation about it.

    Maybe you know: is there a possibility to make this function search any user attribute, not only indexed ones? Or is the only way to do it using my own LDAP search method with WMI or something else?

    Here is the checking code I added to <repository>.inc:

    	' Flag bits of the AD userAccountControl attribute
    	Const ADS_UF_ACCOUNTDISABLE = &H02
    	Const ADS_UF_LOCKOUT        = &H10

    	' Ask the UAG user-manager layer for the userAccountControl attribute
    	set param_UAC = Server.CreateObject("UserMgrComLayer.Param")
    	param_UAC.Name = "userAccountControl"
    	set param_vec = GetUserInformation(repository, user_name, "", Array(param_UAC))
    	set param_UAC = Nothing
    	if TypeName(param_vec) = "Nothing" then
    		authenticate_user_out.Success = AUTHENTICATE_FAIL
    		set AuthenticateRepositoryUser = authenticate_user_out
    		LIGHT_TRACE "ERROR: Failed to get user UAC attribute"
    		SendFailToAuthenticateMsg "Failed to get the user params"
    		exit function
    	end if
    	user_UAC = param_vec.ParamVec
    	Set param_vec = Nothing
    	' Force a numeric value so the bitwise And below is not applied to a string
    	UAC = CLng(user_UAC(0).Value)

    	LIGHT_TRACE "INFO: array elements count=" & (UBound(user_UAC) + 1) & " user " & user_name & ", " & user_UAC(0).Name & "=" & user_UAC(0).Value

    	' Reject disabled or locked-out accounts. Caveat: AD does not maintain the
    	' ADS_UF_LOCKOUT bit in userAccountControl; the lockout state is derived from
    	' lockoutTime (or the constructed msDS-User-Account-Control-Computed attribute).
    	If (UAC And ADS_UF_ACCOUNTDISABLE) <> 0 or (UAC And ADS_UF_LOCKOUT) <> 0 then
    		authenticate_user_out.Success = AUTHENTICATE_FAIL
    		set AuthenticateRepositoryUser = authenticate_user_out
    		LIGHT_TRACE "ERROR: The user [" & user_name & "] account is either disabled or locked (UAC=" & UAC & ")"
    		SendFailToAuthenticateMsg "The user [" & user_name & "] account is either disabled or locked"
    		exit function
    	end if
    Wednesday, November 9, 2011 4:34 PM
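One way to do the lookup with your own LDAP search from the .inc, added here as an example rather than code from the post or from UAG: it binds with ADSI/ADO, so it assumes the UAG worker process identity is allowed to read the user object, and the helper names IsAccountUsable and LdapEscape are hypothetical. It also reads the lockout state from the constructed attribute msDS-User-Account-Control-Computed, because AD does not keep the lockout bit in userAccountControl itself.

```vbscript
' Added example (not the poster's code); assumes the UAG worker identity can read AD.
Const ADS_UF_ACCOUNTDISABLE = &H02
Const ADS_UF_LOCKOUT        = &H10

' Escape LDAP filter metacharacters (RFC 4515) so the supplied name
' cannot change the meaning of the search filter.
Function LdapEscape(value)
    Dim s
    s = Replace(value, "\", "\5c")
    s = Replace(s, "*", "\2a")
    s = Replace(s, "(", "\28")
    s = Replace(s, ")", "\29")
    LdapEscape = Replace(s, Chr(0), "\00")
End Function

' True only when the account exists, is enabled and is not locked out.
' Lockout comes from msDS-User-Account-Control-Computed, which AD derives
' from lockoutTime and the domain lockout policy.
Function IsAccountUsable(sam_account_name)
    Dim root, conn, rs, user, uac, computed
    IsAccountUsable = False

    ' Find the user by sAMAccountName (an indexed attribute) in the local domain
    Set root = GetObject("LDAP://RootDSE")
    Set conn = CreateObject("ADODB.Connection")
    conn.Provider = "ADsDSOObject"
    conn.Open "Active Directory Provider"
    Set rs = conn.Execute("<LDAP://" & root.Get("defaultNamingContext") & ">;" & _
        "(&(objectCategory=person)(sAMAccountName=" & LdapEscape(sam_account_name) & "));" & _
        "ADsPath;subtree")
    If rs.EOF Then
        conn.Close
        Exit Function
    End If

    ' Bind to the object; constructed attributes must be requested explicitly
    Set user = GetObject(rs.Fields("ADsPath").Value)
    conn.Close
    user.GetInfoEx Array("msDS-User-Account-Control-Computed"), 0
    uac      = user.Get("userAccountControl")
    computed = user.Get("msDS-User-Account-Control-Computed")

    If (uac And ADS_UF_ACCOUNTDISABLE) <> 0 Then Exit Function
    If (computed And ADS_UF_LOCKOUT) <> 0 Then Exit Function
    IsAccountUsable = True
End Function
```

Call IsAccountUsable(user_name) in AuthenticateRepositoryUser in place of the GetUserInformation() check and fail the authentication when it returns False.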