Limit Access to UAG portal

  • Question

  • Hi all,

    I am very new to UAG and trying to figure out how to limit access to the UAG portal so that only users who belong to an allowed security group can access the UAG portal.

    Thank you in advance
    FB
      
    Thursday, February 18, 2010 6:30 PM

All replies

  • Hi Amigo. The most straightforward way to do it is configuring the Authorization tab of the "portal" application to only those users allowed to access.

    Hope it helps
    // Raúl - I love this game
    Thursday, February 18, 2010 6:36 PM
  • Hey Raul,

    Thanks for quick response.

    I already got that, but I don't want all of my AD users to be able to log in to the UAG portal even though only some of them are going to see published "portal applications."

    Is there any way that I can allow only select users to log in to the UAG portal?
    Thursday, February 18, 2010 6:40 PM
  • Your only option is to have the users in a particular OU and update the Base DN for your Authentication Server to be limited to those users.  For example:

    Create an OU called 'Remote Users' in your OU structure and change the Base DN to match: OU=Remote Users, OU=Users,OU=My Company,DC=domain,DC=local

    I do agree it would be nice to restrict access to the portal trunk entirely based on group membership.  We now have to come up with a custom process to move users to such an OU when they are given rights for remote access.

    David
    Thursday, February 18, 2010 7:44 PM
  • Hi Amigo. I am not sure that changing the Base DN will work. I think that the base limits the group membership querying when using the authorization tab, but I think that it doesn't limit the authentication process. I will double check anyway.

    Sorry for saying the same again, but why don't you use the option to put authorization in the "portal" application (the web application itself, the one called "portal")? The user will be presented the authentication form and then he will receive a message saying "you are not authorized". Isn't it what you want?

    Nice weekend
    // Raúl - I love this game
    • Marked as answer by FB1907 Friday, February 19, 2010 6:31 PM
    Friday, February 19, 2010 10:31 AM
  • True, your authorization groups would need to be under the same Base DN.  Definitely not a great solution, especially if you even have a marginally complex AD structure.

    My logic for this is to prevent accidental exposure, for instance if an administrator forgets to de-select 'All Users Are Authorized' (which is default) during publishing.
    Friday, February 19, 2010 2:39 PM
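
A read-only check related to the Base DN discussion above, added here as an example and not written by anyone in the thread: it lists accounts under the Base DN that are not in the remote-access group, and group members that sit outside the Base DN. The group name `UAG-Remote-Access` is a hypothetical placeholder, the DN is the sample from the post above, and the ActiveDirectory PowerShell module is assumed to be installed.

```powershell
# Added example: read-only audit, nothing in AD is modified.
Import-Module ActiveDirectory

# Sample Base DN from the post above; replace with your own.
$BaseDN    = 'OU=Remote Users,OU=Users,OU=My Company,DC=domain,DC=local'
# Hypothetical security group that is meant to grant remote access.
$GroupName = 'UAG-Remote-Access'

# Every user object located under the Base DN (whole subtree).
$inScope = @(Get-ADUser -SearchBase $BaseDN -SearchScope Subtree -Filter * |
    Select-Object -ExpandProperty DistinguishedName)

# Every user that is a member of the group, directly or via nested groups.
$allowed = @(Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty distinguishedName)

# Accounts under the Base DN that the group does not cover.
# If the Base DN is the only restriction, these accounts are still in scope.
$notInGroup = @($inScope | Where-Object { $allowed -notcontains $_ })

# Group members outside the Base DN.
# These were granted remote access but were never moved into the OU.
$outsideBase = @($allowed | Where-Object { $inScope -notcontains $_ })

"Under Base DN but not in ${GroupName}: $($notInGroup.Count)"
$notInGroup
"In ${GroupName} but outside Base DN: $($outsideBase.Count)"
$outsideBase
```

Both lists being empty means the OU and the group describe the same set of users; any entry in either list is a drift between the two that an OU-move process would have to reconcile.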
  • Hey, this absolutely works fine for me. I was initially confused because I also have a SharePoint portal published through UAG and I didn't pay too much attention to the "portal" application.

    Anyway, thanks again

    FB

    Friday, February 19, 2010 6:11 PM
  • You are very welcome :)
    // Raúl - I love this game
    Monday, February 22, 2010 11:27 AM