Hey cK - 1st of all KUDOS to DCVERS. This is pretty slick. I just finished testing it in my lab.

In terms of getting it working. What I would do is just have an outside user login to the regular domain. Perhaps you are having some kind of error with your address mapping. The user log will then show you what IP you want to use for your auth validation. In my case I have a Juniper firewall in front of my SA box so everything comes in with a MIP address that is the external IP of the SA box. So I just have a one line allow entry in my auth policy with no deny for my external.

If the user fails the auth test on the source IP you don't see anything in the user log. It is tricky to check the policy trace cause you are in a multi-realm scenario and I am not 100% sure what realm to check without some more testing. But if you capture the IP "normally" you should be able to get it figured out.

Hope this makes some kind of sense and helps!

I was hoping this would generalize so that it worked with certificates as well, but I can't get that to work.

My use case is that we are considering moving from RSA PIN+token authentication to authentication via certificate and password. Of course, I can get both to work, but the problem is the transition. I'd really like my users to be able to access the SA on a single URL, and use the presence or absence of a certificate to decide how to authenticate them, and what custom sign-in page to show them.

So, I built two realms, one with certificates required (called Cert) and one with certificates not required (RSA). When I accessed my login URL, I got a login page with a drop-down box for the Realm even when I logged in from a machine with no certificate loaded. No joy!

Has anyone else tried something like this? Got any ideas?

Ken

Hi Ken -

We are also looking to do the certificate authentication absence/presence use case you mentioned above. Did you ever get it to work?

Thanks!

i've had that woking. can you post the xml output for the two realms and sign-in policy?