SSL VPN

Visitor
dcrockett
Posts: 7
Registered: 10-15-2009
Accepted Solution
SSO using MS CA for authentication

I've configured SSO successfully to Citrix and OWA for an environment with users authenticating from AD.

Now, we are moving from AD authentication to certificate authentication using the MS certificate authority, and SSO is breaking.

Username and password for certificate authentication are the user's Active Directory credentials. I am using the <USERNAME> and <PASSWORD> variables for the SSO (against Citrix and OWA).

I assumed that it was possible to use the same credentials and variables; is that a misunderstanding? What am I missing?

Thanks for any advice!

Distinguished Expert
muttbarker
Posts: 2,363
Registered: 01-29-2008

Re: SSO using MS CA for authentication

Can you clarify a little? Are you using the certificate for primary authentication and then using the AD username and password for secondary authentication and then trying to pass that on for your SSO purposes?

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Visitor
dcrockett
Posts: 7
Registered: 10-15-2009

Re: SSO using MS CA for authentication

Sure, thanks for responding, and sorry for not being clearer.

I planned on using certificates as primary, AD as secondary. I would like to use a single sign-in page for the login, but enabling AD for secondary seems to bring up a second sign-in page.

I'd then like to find a way to have the username and password used for SSO to backend apps like Citrix and Outlook, as we currently do with AD only.

Thanks!

Distinguished Expert
muttbarker
Posts: 2,363
Registered: 01-29-2008

Re: SSO using MS CA for authentication

#1 - Check your sign-in page - you should only see a second page if you have enabled the checkbox "prompt the secondary credentials on the second page".

#2 - You can use the secondary username and password for SSO - but you can't just pass <username> or <password>, as those are for primary auth. They are stored as <username[2]> and <password[2]> for the secondary credentials.

Hope that this helps!

Kevin Barker
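To make the variable-slot point concrete, here is an added model of how an SSO form template resolves <USERNAME>/<PASSWORD> versus <USERNAME[2]>/<PASSWORD[2]> against a session that authenticated with a certificate first and AD second. This is illustrative code written for this thread, not Juniper code; the session structure, the certificate-derived username and all credential values are constructed assumptions.

```python
"""Model of SSO credential-variable substitution with certificate primary auth
and AD secondary auth. Constructed illustration, not a Juniper implementation."""
import re
from typing import Dict, Optional

# Matches <USERNAME>, <PASSWORD>, <USERNAME[2]>, <PASSWORD[2]> (case-insensitive).
# No index means slot 1 (primary authentication server).
VAR_RE = re.compile(r"<(USERNAME|PASSWORD)(?:\[(\d+)\])?>", re.IGNORECASE)


class MissingCredential(Exception):
    """The template references a credential the session never collected."""


def make_session(primary: Dict, secondary: Optional[Dict] = None) -> Dict[int, Dict]:
    """Assumed session model: slot 1 = primary auth server, slot 2 = secondary."""
    slots = {1: primary}
    if secondary is not None:
        slots[2] = secondary
    return slots


def expand(template: str, session: Dict[int, Dict]) -> str:
    """Substitute credential variables; fail loudly instead of sending an empty value."""
    def sub(m: re.Match) -> str:
        name, idx = m.group(1).upper(), int(m.group(2) or 1)
        slot = session.get(idx)
        if slot is None or slot.get(name) is None:
            kind = slot["type"] if slot else "absent"
            raise MissingCredential(f"<{name}[{idx}]> unavailable: slot {idx} is {kind}")
        return slot[name]
    return VAR_RE.sub(sub, template)


def try_expand(template: str, session: Dict[int, Dict]) -> Optional[str]:
    """Return the expanded form body, or None when a referenced credential is missing."""
    try:
        return expand(template, session)
    except MissingCredential:
        return None


# Constructed sessions: certificate primary + AD secondary, and AD-only for comparison.
CERT_THEN_AD = make_session(
    primary={"type": "certificate", "USERNAME": "CN=dave", "PASSWORD": None},
    secondary={"type": "ad", "USERNAME": "dave", "PASSWORD": "s3cret"},
)
AD_ONLY = make_session(primary={"type": "ad", "USERNAME": "dave", "PASSWORD": "s3cret"})

OLD_FORM = "user=<USERNAME>&pass=<PASSWORD>"        # works for AD-only, breaks after the move
NEW_FORM = "user=<USERNAME[2]>&pass=<PASSWORD[2]>"  # reads the secondary (AD) credentials
```

Running try_expand(OLD_FORM, CERT_THEN_AD) yields None because a certificate slot carries no password, while NEW_FORM resolves to the AD username and password.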
Visitor
dcrockett
Posts: 7
Registered: 10-15-2009

Re: SSO using MS CA for authentication

Kevin,

Thanks for the info and the quick responses. This didn't directly solve my issue, but it got me thinking enough to realize what the issue was, so thank you!

Turns out that when you have multiple realms allowed on a single sign-in page, and are using different authentication types across the realms, you get a username and password box regardless of what realm you choose and what the authentication type is. Seems logical.

Now, this username and password box works well if you choose a realm that is password-based as its primary authentication.

However, if you are using certs for primary and, say, AD for secondary, those username boxes actually don't do anything on that initial sign-in page, and you are brought to a secondary page for your secondary authentication.

So by removing the additional realms (they were there for testing only), my sign-in page was reduced to just checking for a user cert. Once the user cert was found, it technically went to the secondary sign-in page, but that is really the first sign-in page the user sees that prompts them for credentials.

From there, as you said, changing the SSO variables to the secondary ones finished up the SSO solution.

This is excellent, because I was really banging my head on the wall trying to figure out why this wouldn't work!

Thanks,

Dave