Certificate + AD Sign in

Contributor

Hi all,

Just wanted some ideas on how to make this work.

Server 1 = Certificate Server

Server 2 = LDAP server (AD)

The realm is configured in such a way that:

1. Primary authentication is the certificate (passport of the user)

2. Secondary authentication is the AD username and password

Now what we want to do is that the user will be only prompted for his AD password and that the rest happens automatically.

The serial of the user's certificate is in the PO Box field in AD.

What we have done so far is:

- configured the LDAP server to find user entries POBox=CertAttr.SerialNumber

- defined the user[2] field in the authentication realm as UserAttr@AUTHSERV2.sAMAccountName

Can you give me some ideas? I cannot really find a lot of info in the Juniper Help pages or the KB about these fields and the customized options you can use in them.

Thanks for your replies,

Kristof

Respected Contributor

Re: Certificate + AD Sign in

That won't be able to work: there is no attribute available for userAttr at the login page.

What value are you setting the username to in your cert server: the same serial? You would be able to use that in the secondary auth field... otherwise, not sure how that will work.

Contributor

Re: Certificate + AD Sign in

Hi guys,

Just wanted to let you know that this finally worked out well.

The only problem was that the user who was testing this for us had provided us with the wrong serial number of his ID card (his passport in this case). Hence we were not seeing anything in the logs, and the comparison between AD and his cert serial returned a NULL value for the userAttr@2NDAUTHSERVER.sAMAccountname.

Once we had the correct serial in his POBox field the sAMAccountname was populated correctly and we could use it for SSO.

It has taken me a while but I will never forget this one.

Sorry that it took me so long, but I am on vacation in Indonesia and getting on the Net is not that easy here :)

Kind regards,

Kristof
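The mapping Kristof describes (certificate serial looked up in the AD user's PO Box attribute, the matched sAMAccountName then used as the secondary-auth username) and the failure he hit (a wrong serial giving a NULL userAttr) can be modelled in a few lines. The following is an added example written for this thread; it is not Juniper's code and not something the posters ran. The in-memory directory, the serial normalisation rule and the attribute name postOfficeBox are assumptions made for the example; a real LDAP auth server would send the filter string that build_filter() produces.

```python
"""Models the realm logic from the thread: primary auth yields a certificate
serial, the serial is matched against each AD user's postOfficeBox attribute,
and the single matching sAMAccountName becomes the secondary-auth username.
Added example, not the thread's or Juniper's own code."""
from typing import Optional

# Constructed sample directory: AD user objects with the certificate serial
# stored in postOfficeBox (the "PO Box" field in the AD Users & Computers UI).
DIRECTORY = [
    {"sAMAccountName": "kvdb", "postOfficeBox": "1A 2B 3C 4D"},
    {"sAMAccountName": "jdoe", "postOfficeBox": "00FF00FF"},
    {"sAMAccountName": "svc1", "postOfficeBox": ""},   # no certificate mapped
]


def normalise_serial(serial: str) -> str:
    """Canonical form for comparison: alphanumerics only, upper case.
    Assumption: the serial shown in a certificate viewer may carry spaces or
    colons that the admin did not type into the PO Box field, so both sides
    are normalised before they are compared."""
    return "".join(ch for ch in serial if ch.isalnum()).upper()


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter, so a
    value containing filter metacharacters cannot widen the search."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter(serial: str) -> str:
    """The search filter an LDAP auth server would send for this serial.
    Normalisation already strips metacharacters; escaping is belt and braces."""
    return "(&(objectClass=user)(postOfficeBox=%s))" % ldap_escape(normalise_serial(serial))


def lookup_sam_account(serial: str, directory=DIRECTORY) -> Optional[str]:
    """Resolve certificate serial -> sAMAccountName, i.e. the value that
    userAttr@AUTHSERV2.sAMAccountName would carry.  Returns None when no user
    has that serial (the NULL case in the thread) or when more than one user
    does; an ambiguous match must not log anyone in."""
    wanted = normalise_serial(serial)
    if not wanted:
        return None
    matches = [u["sAMAccountName"] for u in directory
               if normalise_serial(u.get("postOfficeBox", "")) == wanted]
    return matches[0] if len(matches) == 1 else None


def secondary_auth_username(serial: str, directory=DIRECTORY) -> str:
    """What the realm would place into the secondary username field, with an
    explicit marker instead of an empty string when nothing mapped."""
    name = lookup_sam_account(serial, directory)
    return name if name is not None else "<no AD user mapped to this certificate>"


if __name__ == "__main__":
    for s in ("1a:2b:3c:4d", "DEADBEEF"):
        print(s, "->", build_filter(s), "->", secondary_auth_username(s))
```

Two things the thread implies but does not spell out are made explicit here: a serial that matches zero users is a failed login rather than an empty username, and a serial that matches more than one user is treated the same way, since the PO Box field is free text and nothing in AD enforces its uniqueness.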

Respected Contributor

Re: Certificate + AD Sign in

Very nice; thank you for sharing. Enjoy your vacation. :)

Valued Contributor

Re: Certificate + AD Sign in

Hey Kristof - pretty slick! Thanks for posting this.