
Tech Tip : CA Single Sign-On : Login with Windows Authentication, only a specific user has to provide credentials.

    Broadcom Employee
    Posted Jan 10, 2018 03:11 AM

    Issue:

    We're running Web Agent, and when one specific user tries to log in with Windows Authentication, that user has to provide credentials manually, which should not be necessary.

    Only one user is affected by this issue.

    How can we solve this?

     

    Cause:

    Active Directory contains a computer account and a user account with the same CN value.

    If a user account and a computer account share the same name and the computer account was created before the user account, the authentication fails. If the user account was created before the computer account, the authentication works without any issue.

    Microsoft documentation describes this as a known issue:

     

    Using different naming attributes for users to avoid naming collisions

    To ensure data integrity, Active Directory requires that relative distinguished names be unique in a container. By default, the user class uses Common-Name (cn) as the naming attribute, which ties the test for uniqueness to the user name. The combination of these two restrictions can result in naming collision problems in large deployments. For example, a very large company might want to create user accounts in the same OU where, as a result of the high incidence of certain common names, many user objects have identical first and last names and, therefore, identical relative distinguished names. In this scenario, it is helpful to be able to use a different naming attribute that guarantees uniqueness, such as an employee ID that is created by the human resources department. The inetOrgPerson object class is a general-purpose object class that holds attributes about people, and it is defined in RFC 2798, Definition of the inetOrgPerson LDAP Object Class. A solution is provided in the Windows Server 2003 schema so that administrators can delete inetOrgPerson (which uses cn as the naming attribute in the default schema) and re-create it using any attribute as the naming attribute. For example, instead of cn, the attribute emplID can be used as the naming attribute. You can choose the attribute and select one that will guarantee that there are no naming collisions. For more information about inetOrgPerson, see Active Directory Schema Technical Reference.


    How Active Directory Searches Work
    https://technet.microsoft.com/en-us/library/cc755809(v=ws.10).aspx


    Resolution:

    Configure the authentication to look up the user on an attribute whose value will not also be found on an object in the Computers branch, rather than on cn, so that the lookup cannot match the computer account.

    KB : TEC1569732
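As an added example (not part of the KB article and not CA Single Sign-On code), the following Python script parses a constructed LDIF-style export, finds cn values shared by a user object and a computer object, and shows why a lookup keyed on cn depends on which object comes first in the search results while a lookup keyed on sAMAccountName does not (a computer account's sAMAccountName always carries a trailing "$", so it can never equal a user's logon name). The sample entries, the attribute names used, and the "first match wins" model of the agent's user lookup are assumptions made for illustration, not observed Web Agent behaviour.

```python
"""
Added example (not from the KB article): detect user/computer CN collisions
in a constructed LDIF-style export and show why a user lookup keyed on cn
is ambiguous while one keyed on sAMAccountName is not.
"""
from collections import defaultdict

# Constructed sample export (not real directory data). Entries are listed in
# creation order: the computer 'jsmith' exists before the user 'jsmith',
# which is the failing case described in the KB article.
SAMPLE_LDIF = """\
dn: CN=jsmith,CN=Computers,DC=example,DC=com
objectClass: computer
cn: jsmith
sAMAccountName: jsmith$

dn: CN=jsmith,OU=Users,DC=example,DC=com
objectClass: user
cn: jsmith
sAMAccountName: jsmith
userPrincipalName: jsmith@example.com

dn: CN=adoe,OU=Users,DC=example,DC=com
objectClass: user
cn: adoe
sAMAccountName: adoe
userPrincipalName: adoe@example.com
"""


def parse_ldif(text):
    """Parse a minimal LDIF export into a list of dicts (one per entry),
    preserving entry order. Only single-valued attributes are needed here."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key, _, value = line.partition(": ")
            entry[key] = value
        entries.append(entry)
    return entries


def lookup(entries, attr, value):
    """Mimic a subtree search for 'attr=value' (LDAP matching is
    case-insensitive): return every matching entry in result order."""
    return [e for e in entries if e.get(attr, "").lower() == value.lower()]


def cn_collisions(entries):
    """Return {cn: [objectClass, ...]} for every cn shared by a user and a
    computer object; an empty dict means the directory is clean."""
    by_cn = defaultdict(list)
    for e in entries:
        by_cn[e["cn"].lower()].append(e["objectClass"])
    return {cn: classes for cn, classes in by_cn.items()
            if "user" in classes and "computer" in classes}


def resolve_user(entries, attr, value):
    """Return the objectClass of the first entry a lookup on `attr` hits,
    i.e. the object an agent keyed on that attribute would try to
    authenticate (assumption: first match wins), or None if nothing matches."""
    hits = lookup(entries, attr, value)
    return hits[0]["objectClass"] if hits else None


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("collisions:", cn_collisions(entries))
    # Computer created first: a cn lookup resolves to the computer object.
    print("cn=jsmith ->", resolve_user(entries, "cn", "jsmith"))
    # Same directory with the user created first: the cn lookup happens to work.
    print("cn=jsmith (user first) ->",
          resolve_user(list(reversed(entries)), "cn", "jsmith"))
    # Keyed on sAMAccountName the computer ('jsmith$') never matches.
    print("sAMAccountName=jsmith ->",
          resolve_user(entries, "sAMAccountName", "jsmith"))
```

Against a live directory the same check is an LDAP search for `(cn=<name>)` over the whole domain: if it returns both a user and a computer object, key the SSO user lookup on an attribute such as sAMAccountName or userPrincipalName instead of cn, as the Resolution above describes.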