Default domain is considered as the IAS server membership domain

  • Question

  • Hi,

    We currently have a Windows 2003 IAS server which we are using for SSL VPN authentication. We have multiple domains and this IAS server is part of a child domain:

    Parent domain

    Child domain 1

    Child domain 2

    Child domain 3

    Child domain 4

    IAS server is part of Child domain 1

    When a user logs in from child domain 1 it uses the default domain name of that server, which is by design, and the user is authenticated successfully. I think the same doesn't happen when a user logs in from child domain 2. It still adds the default domain name of Child domain 1, so authentication fails as the user doesn't exist in Child domain 1.

    Is there a way we can look for different domains and authenticate properly? I did find we can add the defaultDomain registry key, but that will not help for multiple domains.

    Is there any policy or configuration that can be done on IAS server so that users in all domains are authenticated without putting in domainname\username?

    Our goal is to not add the domain name field when the user logs in. I am sure there should be a way we can get this done.

    Tuesday, May 31, 2011 3:13 PM

All replies

  • Hi Chandyk,

    Thanks for posting here.

    You may achieve the goal by setting Realm Replacement Rules in this scenario; see the introduction in the article below:

    HOW TO: Set Up the Internet Authentication Service for Multiple Domain Logon Sessions by Using the Realm Replacement Rules

    http://support.microsoft.com/kb/296094

    You may also consider deploying a RADIUS proxy server to forward the connection request to the RADIUS server of the proper child domain:

    IAS as a RADIUS proxy

    http://technet.microsoft.com/en-us/library/cc785693(WS.10).aspx

    Thanks.

    Tiger Li

    Wednesday, June 1, 2011 6:57 AM
  • Thanks Tiger Li!!

    I tried adding the Realm Replacement rule in the Windows 2003 IAS RADIUS server in the Connection Request Policies, which has the default rule in place (Use Windows authentication for all users).

    When I add the below to the attribute it doesn't work:

    Find: $

    Replace: @forestdomain.com

    What happens now is that it is adding the default domain name and getting rejected:

    childomaina\Username@forestdomain.com

    Can we get rid of the default child domain name getting added?

    Will adding this @forestdomain.com search the GC for all the domains and authenticate the user? I have RADIUS installed on a GC server.

    I think a RADIUS proxy will not be the best option, but if you think this will work better let me know.

    Thanks!

    Chandy

    Thursday, June 2, 2011 5:44 AM
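To see why the rule posted above produces `childdomaina\Username@forestdomain.com`, here is an added simulation of how a Find/Replace realm rule rewrites the User-Name attribute. It is not code from the thread or from IAS; it assumes IAS applies Find as a regular expression over the whole attribute value, that `$1`-style back-references in Replace are supported, and that the default-domain prefix is present on the value when the rule runs. The second rule and the names `childdomaina` / `forestdomain.com` are placeholders, not a tested configuration.

```python
import re

# Placeholder taken from the thread: the IAS server's own (default) domain.
DEFAULT_DOMAIN = "childdomaina"


def add_default_domain(user_name: str) -> str:
    """Model the behaviour described in the question: a bare user name gets
    the IAS server's membership domain prepended; names that already carry a
    domain\\ prefix or an @realm suffix are left alone."""
    if "\\" in user_name or "@" in user_name:
        return user_name
    return f"{DEFAULT_DOMAIN}\\{user_name}"


def apply_rule(user_name: str, find: str, replace: str) -> str:
    """Apply one realm replacement rule (Find regex, Replace string) to the
    User-Name value. Back-references are written as $1, $2, ... in the rule
    (assumed IAS syntax) and translated to Python's \\1, \\2 form here."""
    py_replace = re.sub(r"\$(\d+)", r"\\\1", replace)
    return re.sub(find, py_replace, user_name)


def rewrite(user_name: str, rules: list[tuple[str, str]]) -> str:
    """Prepend the default domain, then apply the rules in policy order."""
    value = add_default_domain(user_name)
    for find, replace in rules:
        value = apply_rule(value, find, replace)
    return value


# Rule exactly as posted: "$" matches the end of the string, so the suffix is
# appended after the default-domain prefix instead of replacing it.
POSTED_RULE = ("$", "@forestdomain.com")

# Constructed alternative: capture "domain\\user" and emit "user@domain.suffix"
# so that no domain\\ prefix survives. Whether IAS accepts this exact pattern
# is an assumption; the KB article linked in the reply is the reference.
UPN_RULE = (r"^(.*)\\(.*)$", "$2@$1.forestdomain.com")


if __name__ == "__main__":
    print(rewrite("Username", [POSTED_RULE]))  # childdomaina\Username@forestdomain.com
    print(rewrite("Username", [UPN_RULE]))     # Username@childdomaina.forestdomain.com
```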