cancel
Showing results for 
Search instead for 
Did you mean: 

How to pass on user name for SSO login with cert and AD account

RadiusWorldwide_
Occasional Contributor

How to pass on user name for SSO login with cert and AD account

Hello,

 

been reading a lot these days about certs and SSO but cannot find a way to configure what is needed:

 

What I want to do

Users log on to their laptops with a cached AD domain user account. the Junos client starts automatically and connects via a user certificate stored on the laptop.

Afterwards some AD role mapping takes place and users can acess files shares, intranet etc without any further need to put in credentials.

 

What I accomplished so far

version 1

Have users login to Junos with AD credentials, get roles mapped, get access to internal ressources.

 

version 2

Get a user cert from our AD cert server and login automatically via Junos client. But access to internal ressources asks for credentials again as the user name in the cert is like "Jane Doe" where I need it to be "jdoe".

 

How do I...

Get the correct user name into the certificate? Tried to put it into the Subject field manually when requesting/issuing the cert, but that just didn't end up in the cert.

 

OR

 

Somehow pass the user credentials from the laptop Windows login on to the Junos client?

6 REPLIES 6
dcvers_
Regular Contributor

Re: How to pass on user name for SSO login with cert and AD account

You can put the user ID in the certificate as an entry in the Subject Alternative Name field. If requesting it manuall the syntax would be:

san:[email protected]

It is also be possible to configure the AD certificate server to add it automatically using templates (don't know the details of how as this is not may area).

 

However, depending upon how the internal resource authenticate this may not help. If they authenticate based on the certificate then it will work of if they just check AD group memberhsip of the passed user ID it may work. But if they require ID and password it won't.

RadiusWorldwide_
Occasional Contributor

Re: How to pass on user name for SSO login with cert and AD account

I'm just requesting the user cert manually via the dialog in an mmc. When I hit details and choose UPN for the alternative subject... no matter what I put into the "Value" field... it will always be the same. [email protected] 

 

This won't work with the ressources I configured like access to fileshares or internal websites. Looking at the user logfiles when I login via AD authentication I see a different notation for the username. It's domain\jdoe. 

 

Maybe I can do it the other way around then? Somehow (how???) pass on the user credentials from the Windows login to pulse client and user AD authentication and role mapping and have host checker check for a valid cert?

 

So far we're not using certificates for users in our AD anywhere. I just want to use it as a means of logging in to the company network while outside our premisses.

filbert_
Frequent Contributor

Re: How to pass on user name for SSO login with cert and AD account

You can accomplish what you want by configuring Pulse to "Start automatically at user login" and then put a certificate restriction on the role you want to use.  Users will have a Pulse branded tile when they go to login and need to just enter their AD creds.

You can't use HostChecker because it can only validate machine certificates.

 

Hope this helps.

RadiusWorldwide_
Occasional Contributor

Re: How to pass on user name for SSO login with cert and AD account

Hi Filbert,

 

thanks for your suggestion. Sounds like this might be exactly what I was looking for. Ticked the "Automatically at user login" in our Junos Pulse Connection and downloaded the client again. Unfortunately nothing at all happens. I just get a normal Windows login and Pulse starts afterwards. Need to troubleshoot this.

 

Also will I still just log in with my cached AD credentials although the login it now branded with Pulse (If I get that to work.)? What if I don't have a internet connection at that moment?

filbert_
Frequent Contributor

Re: How to pass on user name for SSO login with cert and AD account

You may need to reboot your PC after installing Pulse.

Yes, you would just enter your domain credentials in the Pulse branded login tile.

RadiusWorldwide_
Occasional Contributor

Re: How to pass on user name for SSO login with cert and AD account

I installed the Pulse client manually with msiexec providing a config file with the "Automatically at user logon" option enabled and rebooted. Indeed the client tried to connect just after I provided my credentials. The login was still branded with windows though. I wouldn't mind that. But I got an error message from the client saying that the logon server was not available. Of course not, because I wanted to test using the cached credentials. It works fine when I just log on to Windows. Even without any network connection.

 

So how is this done then? I'm confused and frustrated. I just want the client to grab the Windows user credentials provided at log on to the machine, but only try to establish the VPN when the machine has an internet connection. It should not try to connect when there is no connection or a company LAN connection. What can I do?