Martin Kramps1709161707
Posted November 16, 2021

Hello,

NetScaler 13.0. I have 2 domains. Domain A uses LDAP and RADIUS. Domain B uses LDAP and RADIUS. Both use the same logon point on the NetScaler. Users need to log on with domain\username. I need to use nFactor because of the domain\username, but how can I set this up? I assume I need to make a decision rule: if you are from domain A, go to LDAP server and RADIUS server. I have tried several step-by-step guides, but because it is for access to StoreFront there are also exceptions.

Can someone point me in the right direction? Let me know if I need to give more info; I will be working on the issue tomorrow.

Bendeguz Tiba
Posted November 16, 2021

Hello, have you ever thought of using a domain drop-down schema for login, and evaluating the next steps of the nFactor flow based on the selection?

Rhonda Rowland1709152125
Posted November 17, 2021

There are multiple ways to do what you want, but a little more info would narrow down options to make it better for you. Are there just two scenarios, OR within each domain are there additional groups that need to go to different StoreFront URLs? Also, which references are you stitching together? There may be easier ways to solve your problem.

You are solving two problems:

a) How to log in users from either domain using the "domain\username" format, OR switch to domain drop-down or UPN logon formats to distinguish domainA from domainB users. Once we can distinguish users or groups, the next part is usually straightforward.

b) Based on domain OR group membership, identify the correct StoreFront session policy to invoke (related: how to pass the domain to StoreFront, which is session policy OR traffic policy).

If you haven't solved (a) first, then looking at whether you have to stay in domain\username or switch to a domain drop-down list or other mechanism to just do the multi-domain login is the first thing to decide. And domain drop-down is easiest.

If you have solved (a) and just need to solve (b), then this is usually group membership, or we use something called an authentication group (in some cases an authorization group) assigned during completion of the authentication policy. Once we know which group or groups are involved and how to distinguish them, then you just trigger different session policies (and maybe traffic policies) to invoke the correct store and correct SSO domain.

Martin Kramps1709161707 (Author)
Posted November 17, 2021

Hello,

I am missing a bit of basic stuff, I think... I am getting it to work with a drop-down logon schema, but only for one domain.

I have 2 LDAP policies based on sAMAccountName. That's question 1: can I use this? One policy goes to domain A, one policy to domain B.

Then I have a decision block where I use the expression

HTTP.REQ.BODY(500).AFTER_STR("domain=").CONTAINS("domainA")

It does not work! My understanding is that if this decision is true it will go to the next step, a RADIUS auth.

Martin Kramps1709161707 (Author)
Posted November 17, 2021

OK, I now have this setup... How can I only let domain B check on domain B? Now users from domain B will first be checked on domain A; if the user is not authenticated, then it will look at domain B. All expressions are set at TRUE.

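A model of the two situations described in the posts above, added here as an example and not part of the thread: how the quoted decision expression reads a login form body, and which LDAP policies are selected when every rule is TRUE versus when each rule is scoped to the chosen domain. It is a Python approximation of BODY, AFTER_STR and CONTAINS rather than NetScaler code; the form field names, sample bodies, policy names and priorities are all assumptions.

```python
from urllib.parse import parse_qs

def after_str_contains(body, marker, needle, limit=500):
    """Approximates HTTP.REQ.BODY(limit).AFTER_STR(marker).CONTAINS(needle)."""
    window = body[:limit]            # BODY(n) inspects only the first n bytes
    idx = window.find(marker)
    if idx < 0:
        return False                 # marker absent: nothing to search
    return needle in window[idx + len(marker):]   # case-sensitive substring

def domain_field_equals(body, domain):
    """Stricter rule: compare only the value of the form's domain field."""
    values = parse_qs(body).get("domain", [])
    return len(values) == 1 and values[0].lower() == domain.lower()

def policies_tried(body, policies):
    """Names of the policies whose rule is true, in priority order."""
    ordered = sorted(policies, key=lambda p: p[0])
    return [name for _, name, rule in ordered if rule(body)]

# Constructed login POST bodies (field names and field order are assumptions).
BODY_A = "login=alice&passwd=x&domain=domainA&loginbtn=Log+On"
BODY_B = "login=bob&passwd=x&domain=domainB&loginbtn=Log+On"
BODY_LOWER = "login=alice&passwd=x&domain=domaina&loginbtn=Log+On"
BODY_TRAILING = "login=bob&domain=domainB&extra=domainA"

# Hypothetical policy tables: (priority, policy name, rule).
ALL_TRUE = [(100, "ldap_domainA", lambda b: True),
            (110, "ldap_domainB", lambda b: True)]
SCOPED = [(100, "ldap_domainA", lambda b: domain_field_equals(b, "domainA")),
          (110, "ldap_domainB", lambda b: domain_field_equals(b, "domainB"))]

if __name__ == "__main__":
    for label, body in [("A", BODY_A), ("B", BODY_B),
                        ("lowercase", BODY_LOWER), ("trailing", BODY_TRAILING)]:
        print(label,
              "substring rule:", after_str_contains(body, "domain=", "domainA"),
              "| field rule:", domain_field_equals(body, "domainA"),
              "| all TRUE:", policies_tried(body, ALL_TRUE),
              "| scoped:", policies_tried(body, SCOPED))
```

In this model a domain B login is offered to both LDAP policies in priority order when every rule is TRUE, and only to ldap_domainB when the rules are scoped. The substring rule also differs from the field comparison on the lowercase body and on the body where "domainA" appears in a later field.
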
Martin Kramps1709161707 (Author)
Posted November 23, 2021

On 11/17/2021 at 1:53 AM, Rhonda Rowland1709152125 said:

> There are multiple ways to do what you want, but a little more info would narrow down options to make it better for you. Are there just two scenarios, OR within each domain are there additional groups that need to go to different StoreFront URLs? Also, which references are you stitching together? There may be easier ways to solve your problem.
>
> You are solving two problems:
>
> a) How to log in users from either domain using the "domain\username" format, OR switch to domain drop-down or UPN logon formats to distinguish domainA from domainB users. Once we can distinguish users or groups, the next part is usually straightforward.
>
> b) Based on domain OR group membership, identify the correct StoreFront session policy to invoke (related: how to pass the domain to StoreFront, which is session policy OR traffic policy).
>
> If you haven't solved (a) first, then looking at whether you have to stay in domain\username or switch to a domain drop-down list or other mechanism to just do the multi-domain login is the first thing to decide. And domain drop-down is easiest.
>
> If you have solved (a) and just need to solve (b), then this is usually group membership, or we use something called an authentication group (in some cases an authorization group) assigned during completion of the authentication policy. Once we know which group or groups are involved and how to distinguish them, then you just trigger different session policies (and maybe traffic policies) to invoke the correct store and correct SSO domain.

Do you need more information?