How to convert UPN logon name (username@domain) to 'domain\username'.

Article ID: CTX231435

Description

The desired configuration is that users can authenticate with either the full UPN (username@domain) or domain\username and still get SSO to the RDP server.
Case 1: If the user enters a UPN (username@domain) to log in, it must be converted to 'domain\username' before being passed to the RADIUS server.
Case 2: If the user already enters 'domain\username' to log in, no change is made.
Case 3: If the user enters only a username to log in, that is not the desired configuration.


Instructions

Resolution:
This is achieved with nFactor authentication; the following configuration is performed:

1. Configure the authentication vserver:

  • add authentication vserver nFactor_Radius

2. Configure the authentication profile:

  • add authnProfile nfactor_prof -authnVsName nFactor_Radius

3. Set the VPN vserver with the profile:

  • set vpn vserver <> -authnprofile nfactor_prof

4. Configure two authentication policies: upn_no_auth (to handle Case 1) and Radius_Pol (to handle Case 2).
upn_no_auth

  • add authentication Policy upn_no_auth -rule "HTTP.REQ.BODY(1000).TYPECAST_NVLIST_T('=','&').VALUE(\"login\").CONTAINS(\"%40\")" -action NO_AUTHN
  • bind authentication vserver nFactor_Radius -policy upn_no_auth -priority 90 -nextFactor second_factor_Radius -gotoPriorityExpression NEXT

Radius_Pol

  • add authentication radiusPolicy Radius_Policy ns_true Radius_server
  • add authentication Policy Radius_Pol -rule true -action Radius_server
  • bind authentication policylabel second_factor_Radius -policyName Radius_Pol -priority 100 -gotoPriorityExpression NEXT
  • bind authentication vserver nFactor_Radius -policy Radius_Pol -priority 100 -gotoPriorityExpression NEXT

second_factor_Radius

  • add authentication policylabel second_factor_Radius -loginSchema second_factor_schema
  • bind authentication policylabel second_factor_Radius -policyName Radius_Pol -priority 100 -gotoPriorityExpression NEXT
  • bind authentication vserver nFactor_Radius -policy upn_no_auth -priority 90 -nextFactor second_factor_Radius -gotoPriorityExpression NEXT

Note:

  • The 'upn_no_auth' policy bypasses authentication and hands the request to the next factor when the user enters a UPN (Case 1). The policy checks for '%40' because the browser URL-encodes '@' in the POST body.
  • Radius_Pol is the first factor (Case 2).
  • second_factor_Radius is the second factor and is used for UPN logons.
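As an added illustration that is not part of this article or of NetScaler itself, the following Python models what the upn_no_auth expression in step 4 inspects and what the three cases in the Description require of the logon name handed to RADIUS; the sample request bodies and the function names are constructed for this example.

```python
from urllib.parse import parse_qs

# Constructed sample bodies, as a browser would POST them to the Gateway login form.
# The policy in step 4 inspects the first 1000 bytes of the raw body and looks for
# "%40", which is the form-encoded '@' of a UPN such as jdoe@example.com.
BODY_UPN = "login=jdoe%40example.com&passwd=secret"
BODY_DOMAIN = "login=EXAMPLE%5Cjdoe&passwd=secret"  # EXAMPLE\jdoe, '\' encoded as %5C
BODY_BARE = "login=jdoe&passwd=secret"


def login_field(body: str) -> str:
    """Mirror HTTP.REQ.BODY(1000).TYPECAST_NVLIST_T('=','&').VALUE("login")."""
    pairs = parse_qs(body[:1000], keep_blank_values=True)
    return pairs.get("login", [""])[0]


def upn_factor_required(body: str) -> bool:
    """Decision made by upn_no_auth: True means NO_AUTHN, go to second_factor_Radius.

    The NetScaler rule matches the *encoded* body, so it relies on the client
    encoding '@' as %40. A client that sends '@' literally would fall through to
    the first-factor RADIUS policy unchanged; this model accepts both spellings
    so that an unencoded UPN is not silently treated as Case 2.
    """
    head = body[:1000]
    return "%40" in head or "@" in login_field(body)


def to_down_level_logon(login: str) -> str:
    """Produce the domain\\username form the RADIUS server expects.

    Case 1: username@domain -> domain\\username
    Case 2: domain\\username -> unchanged
    Case 3: bare username   -> not a supported input; reject rather than guess a domain
    """
    if "\\" in login:
        return login
    if "@" in login:
        user, _, domain = login.partition("@")
        if not user or not domain:
            raise ValueError("malformed UPN")
        return f"{domain}\\{user}"
    raise ValueError("bare username without a domain is not supported")
```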