Dual Authentication - Certificate and Password at Login

  • Question

  • I currently have client certificate authentication on the portal which is working fine but since I am also trying to use RemoteApp it then prompts for a login to the Terminal Server.

    What I want to do is check that the user has a valid certificate and then present the login prompt to capture the details required for SSO.

    Has anyone else done this already, or does anyone have a suggestion on how to implement it?

    The issue I have is that when the login prompt is presented at the terminal server (because no SSO is available), the screen resolution is really small. Is there any way to make this login screen larger?

    Cheers

    Tim

    Monday, November 15, 2010 8:39 AM

Answers

  • Ok, I think I understand now. I can turn on certified endpoint, but it is only a request to go and check for a certificate; the user will still get to the portal, but the flag for whether they had a valid certificate is either true or false.

    In the access policy for UAG there is a privileged access policy (but this is around firewall, AV, etc.), but nothing about certified endpoints. Are there any pointers on how to create an access policy so only people with valid certificates can view the applications?

    Regards

    • Marked as answer by Tim Clarkson Wednesday, November 17, 2010 11:08 AM
    Wednesday, November 17, 2010 10:43 AM

All replies

  • Hi Amig@. You can ask the user for a password and certificate in the initial authentication to the portal. Use FBA to authenticate and then mark "use certified endpoints" in the Session tab (or the Authentication tab, I don't remember well right now) of the properties of the trunk. This way the user will be presented with a form for username/password, and if he succeeds in authenticating he will be asked for a certificate. If he doesn't present the certificate, you can use an endpoint policy to deny access to the application. The order is the opposite of the one you currently have, but this is the simplest way to do it.

    Hope it helps


    // Raúl - I love this game
    Monday, November 15, 2010 10:11 AM
  • Are there any known issues with "use certified endpoint"? I have turned it on (the computer has no certificates). After I log in it redirects me to the portal home page, which is not what I expected since it is not a certified endpoint.

    I have tried to re-activate and I have also rebooted the UAG server after making the changes.

    Cheers

    Tim Clarkson

    Wednesday, November 17, 2010 12:39 AM
  • UAG SP1 fixes the double authentication issue with UAG and RemoteApps. You can log in with just a username at the start, then it will fix up everything when you log into the RemoteApp. Works a treat.
    Wednesday, November 17, 2010 2:33 AM
  • Hi Amigo. There is no issue with certified endpoints. It is the same as "privileged endpoints". If the user has no certificate, then he will not be a "certified endpoint". If you use the "certified endpoint" in an application access policy, then you can control who gains access to applications based on having a certificate or not. If you apply the access policy to the "portal" application, then the user will be blocked even though the authentication against AD is successful.

    Hope it helps


    // Raúl - I love this game
    Wednesday, November 17, 2010 8:34 AM
  • Hi Amigo. If you go to create an advanced policy you will see an expression (or variable, I don't remember now) that is called certified endpoint. You can include it in your custom policy as a requirement. The policy shouldn't be used as a Session policy, because the certified endpoint is evaluated AFTER login and the Session policy is evaluated BEFORE login, so an endpoint is never a certified one before login and the policy always returns False. That is why I suggested you apply the policy for application access, including the "portal" in case you want to limit access to the portal even though the authentication is successful.

    Cheers


    // Raúl - I love this game
    Wednesday, November 17, 2010 11:11 AM