Custom Login

  • Question

  • Is it possible (through programming or otherwise) to roll your own forms based login solution that can be used with TMG?  I realize you can create your own customized FBA pages to adjust the look and feel.  I want to hook into the login process to be able to support more complex scenarios like collecting security questions/answers or redirecting users to a "self-service re-activation site" if their account status is inactive.
    Sunday, September 19, 2010 11:44 PM

All replies

  • Hi,

    Thank you for the post.

    As far as I know, there is only so much you can do with the FBA page in TMG as described in http://technet.microsoft.com/en-us/library/bb794733.aspx.  And what you are looking for can be done through UAG.

    Forefront Edge Security – Direct Access, UAG and IAG

    http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/threads

    Regards,

    Nick Gu - MSFT
    Tuesday, September 21, 2010 8:40 AM
    Moderator
  • We have done several custom solutions for this using the IsaScript filter.  Adding such complex logon logic to TMG (which doesn't have asp.net or other scripting, or even a real web server to host them) is non-trivial.  Usually we do a short contract project to meet each customer's different needs.

    But if you have any hot developers who don't mind a deep dive into Lua and the ISA SDK, you can also do this all on your own. 

    For an example of retrieving data out of the FBA page see the isascript.pdf, section "Read data posted to the FBA logon form".  Once you have the username and password you can do an LDAP lookup on the user and get access to information you need to make interesting decisions.

    For adding additional fields: You already know you can change the FBA form, therefore you know how to add fields.  But TMG is too dumb to use those fields for anything.  This is where IsaScript is helpful.  But I'm oversimplifying a bit.  If you are envisioning a multi-step page workflow that has to carry a non-trivial amount of state around, you're very quickly going to get out of your depth.  And this is why we do contract projects to build custom scripts :)

    For one customer we built a process that sets up a security question in AD if it's not present yet, then asks for that information at each logon after they have entered the correct password.  (Which seems dumb to me, like just making the one-factor password slightly longer, but hey, everyone has their own requirements.)  Point being, it's possible to do what you want.

    Another possibility is to include a simple link on your FBA form that punts users to some anonymous-accessible IIS server where you do the heavy lifting of account resetting or whatever else you want to accomplish.  I CAN'T ADVISE this, because allowing anonymous traffic to an IIS server on your LAN running a custom asp.net app is somewhere on the all time top 10 list of "and that's how we got hacked, mr. auditor" replies :P


    Saturday, October 2, 2010 1:28 AM
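To make the decision flow in the reply above concrete, here is an added example (not code from the thread, from TMG, or from the IsaScript filter): the routing that runs once the password has been verified, plus a salted security-question check, fed from attributes an LDAP lookup would return. The attribute names, the reactivation URL and the sample entries are assumptions; the Lua hook that reads the FBA form and performs the LDAP query is not shown.

```python
import hashlib
import hmac
import os

# Real userAccountControl flag bits from Active Directory.
UAC_ACCOUNTDISABLE = 0x0002
UAC_LOCKOUT = 0x0010

# Assumed (hypothetical) attribute names; a real deployment would pick its own.
QUESTION_ATTR = "extensionAttribute1"   # enrolled question text
ANSWER_ATTR = "extensionAttribute2"     # "salt_hex$pbkdf2_hex", never the plain answer
REACTIVATION_URL = "https://selfservice.example.invalid/reactivate"  # placeholder

def _hash_answer(answer: str, salt: bytes) -> str:
    # Normalise so "Rex" and " rex " compare equal, then salt and stretch.
    key = hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, 100_000)
    return salt.hex() + "$" + key.hex()

def enroll_answer(answer: str) -> str:
    """Value to write to ANSWER_ATTR when the user sets up their question."""
    return _hash_answer(answer, os.urandom(16))

def check_answer(entry: dict, given: str) -> bool:
    """Constant-time comparison of a submitted answer against the stored hash."""
    stored = entry.get(ANSWER_ATTR)
    if not stored or "$" not in stored:
        return False
    salt_hex = stored.split("$", 1)[0]
    return hmac.compare_digest(_hash_answer(given, bytes.fromhex(salt_hex)), stored)

def route_after_password(entry: dict) -> dict:
    """Decide the next step once the password has been verified."""
    uac = int(entry.get("userAccountControl", 0))
    if uac & (UAC_ACCOUNTDISABLE | UAC_LOCKOUT):
        # Inactive account: do not grant logon, punt to the self-service site.
        return {"action": "redirect", "url": REACTIVATION_URL}
    question = entry.get(QUESTION_ATTR)
    if not question:
        return {"action": "enroll_question"}       # first logon: set one up
    return {"action": "ask_question", "question": question}

# Constructed sample entries standing in for LDAP lookup results.
DISABLED_USER = {"sAMAccountName": "alice", "userAccountControl": 0x0202}
NEW_USER = {"sAMAccountName": "bob", "userAccountControl": 0x0200}
ENROLLED_USER = {"sAMAccountName": "carol", "userAccountControl": 0x0200,
                 QUESTION_ATTR: "First pet's name?",
                 ANSWER_ATTR: enroll_answer("Rex")}
```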