Hi,
My question is about the configuration of the user authentication process to meet the requirements that the customer would like to implement.
The scenario is a UAC L3 infrastructure, with an IC6000 cluster as Infranet Controller, some L3 enforcement points (isg1000) and 5000 Windows PCs where an OAC client package has been installed via software distribution.
The IC is configured to authenticate the domain users belonging to the AD domain; these users are correctly authenticated and there's no problem about that.
However, each PC has a local Administrator user and, with the current UAC configuration alone, when someone logs in with the Administrator login, the authentication of course fails because there's no sign-in policy + auth realm + auth server configured to manage and authenticate those users.
The result of this failure is a pop-up that frequently and periodically appears, and the customers don't want it to pop up at all.
The user can't exit from the OAC agent and can't disconnect from the IC, since we've distributed a client package with a single profile configured to fetch the Windows login and password so that the end user has to enter no login and/or password; this profile is the one used both by the domain user and by the Administrator user logging into the PC, because also when a PC administrator logs in, the customer wants this login into the IC to be transparent for the user.
The profile is also limited as regards profile configuration, IC settings, etc., which are all locked so that no end user can modify the initial settings of the OAC client.
That pop-up resulting from the auth failure is a great problem from the customer's point of view, and he asked me if it's possible to configure the OAC client so that when someone logs into a PC, there are two possibilities:
if he is a domain user, he is correctly authenticated as it happens today and that's OK,
but if he's a local user, in particular the Administrator user of the PC, it doesn't matter if he's not authenticated (since they don't want to configure a dedicated auth server and realm to authenticate those users, which are as many as the number of PCs), but at least this admin user should be able to exit the OAC client, in order to no longer have the hated pop-up that asks for the authentication login, and eventually this unauthenticated user should also be able to choose to log into the IC as another user, without exiting the user session on the PC (with Ctrl+Alt+Del) and re-logging into Windows.
I hope I have been able to explain the scenario.
Do you have some suggestion to meet the customer's requirements?
I'm going to do some tests, but I'd like to have your opinion.
Thanks for all your help.
Best regards.