Just wanted some ideas on how to make this work.
Server 1 = Certificate Server
Server 2 = LDAP server (AD)
Realm is configured in a way that:
1. Primary authentication is the certificate (passport of the user)
2. Secondary authentication is the AD username and password
Now what we want to do is that the user will be only prompted for his AD password and that the rest happens automatically.
The serial of the user's certificate is in the PO Box field in AD.
What we have done so far is:
- configured the LDAP server to find user entries POBox=CertAttr.SerialNumber
- defined the user field in the authentication realm as UserAttr@AUTHSERV2.sAMAccountName
Can you give me some ideas? I cannot really find a lot of info about these fields that you can have customized options, in the Juniper Help pages or the KB.
Thanks for your replies,
That won't be able to work: there is no attribute available for userAttr at the login page.
What value are you setting the username to in your cert server: the same serial? You would be able to use that in the secondary auth field....otherwise, not sure how that will work.
Just wanted to let you know that this finally worked out well.
The only problem was that the user who was testing this for us had provided us with the wrong serial number of his ID card (his passport in this case). Hence we were not seeing anything in the logs, and the comparison between AD and his cert serial returned a NULL value for the userAttr@2NDAUTHSERVER.sAMAccountname.
Once we had the correct serial in his POBox field the sAMAccountname was populated correctly and we could use it for SSO.
It has taken me a while but I will never forget this one.
Sorry that it took me so long, but I am on vacation in Indonesia and getting on the Net is not that easy here.
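The lookup described in the thread (certificate serial stored in the user's PO Box attribute, resolved to sAMAccountName for the secondary AD authentication) as an added, stand-alone example that is not part of the original posts or of any Juniper product code. It assumes the serial is handled as a hex string and uses a small constructed in-memory list in place of the real AD server; it shows why a mis-copied serial yields the NULL result the last post describes, and escapes the serial before it is placed in an LDAP filter.

```python
import re
from typing import Optional

# Constructed stand-in for the AD user entries the LDAP server would return.
# In the real setup the search goes to AD; this list only lets the example run offline.
# PO Box values are assumed to be stored in canonical form (uppercase hex, no leading zeros).
DIRECTORY = [
    {"sAMAccountName": "jdoe", "postOfficeBox": "1A2B3C4D"},
    {"sAMAccountName": "asmith", "postOfficeBox": "FF10"},
]


def normalize_serial(serial: str) -> str:
    """Canonicalise a certificate serial: drop ':'/'-'/whitespace separators, uppercase,
    strip leading zeros. Serials copied from a card viewer differ in exactly these ways,
    so comparing canonical forms avoids a silent mismatch against the PO Box value."""
    s = re.sub(r"[\s:\-]", "", serial).upper()
    if not re.fullmatch(r"[0-9A-F]+", s):
        raise ValueError(f"not a hex serial: {serial!r}")
    return s.lstrip("0") or "0"


def ldap_escape(value: str) -> str:
    """Escape an assertion value per RFC 4515 so a value taken from a client
    certificate cannot change the structure of the search filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def build_filter(serial: str) -> str:
    """The search filter the LDAP server would send for this serial."""
    return f"(&(objectClass=user)(postOfficeBox={ldap_escape(normalize_serial(serial))}))"


def lookup_samaccountname(serial: str, directory=DIRECTORY) -> Optional[str]:
    """Return the sAMAccountName whose PO Box holds this serial.
    Returns None (the NULL the thread saw) when no entry matches, and also when
    more than one matches, since an ambiguous mapping must not grant SSO."""
    wanted = normalize_serial(serial)
    hits = [e["sAMAccountName"] for e in directory if e["postOfficeBox"] == wanted]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    print(build_filter("1a:2b:3c:4d"))
    print(lookup_samaccountname("1a:2b:3c:4d"))   # jdoe
    print(lookup_samaccountname("DEADBEEF"))       # None: wrong serial in the PO Box field
```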