Using several authentication methods on single trunk

  • Question

  • Hi Experts,

    We are publishing Web Application through single UAG trunk, which both internal and external users are using.

    Our plan for authentication is like this:

    -Internal users are using NTLM (in the future Kerberos) SSO. But in first tests it's okay for internal users just to type their domain credentials "domain\user". There is a trust between domains which enables internal users to logon.

    -External users have to logon using two-factor authentication (OTP).

    So two Authentication servers are defined on single trunk ("Provide server list at logon is enabled" is checked) (AD and Radius).

    With this we enable external users to logon just using their "domain\user" credentials, and they are not forced to enter a One-Time-Password but are redirected straight to the portal.

    So my question is: Is there a simple solution, or do we need to make some kind of "prevalidate"-script forcing strong authentication for external users?


    Thanks!

    -Snendis

    Wednesday, September 8, 2010 3:15 PM

All replies

  • The common approach would be to use two separate trunks, each defined with their own authentication type.
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Erez Benari Wednesday, September 22, 2010 8:39 PM
    Wednesday, September 8, 2010 3:39 PM
  • Do you know any cases where 2 separate trunks are used, which would be using the same public hostname? At least UAG is not complaining about overlapping trunk public hostnames when activating configuration. Of course this has to be tested, but the reason I'm asking is whether you are aware of any complications configuring UAG this way...
    Wednesday, September 8, 2010 5:40 PM
  • You cannot have two trunks using the same public URL. Even if you could force UAG to do this, how would the client "know" to which trunk to connect...it's all based on the URL.
    Ben Ari
    Microsoft CSS UAG/IAG Support
    Sammamish, WA
    • Marked as answer by Erez Benari Wednesday, September 22, 2010 8:39 PM
    Wednesday, September 22, 2010 8:39 PM
  • Hi Ben,

    I was just playing around with the idea. But the idea was to use Split Horizon DNS model and session stickiness as we have external load balancer handling load balancing between arrays.

    Anyway Microsoft's official answer was "not supported", as I thought, and definitely against best practice. And it wasn't even tested anyway what this configuration would have caused.


    Thanks!


    -Snendis


    Thursday, September 23, 2010 4:24 PM