My company is looking at trying to protect resources with Windows Authentication Schemes that are internal.
Issue is, the scheme to use would depend on where the client is coming in from, not the resource.
Has anyone made or even attempted to make a page that tries this and logically selects the authentication scheme to use?
Not exactly that. But we have centralized credential collectors that do all the authentications. So on those servers, I have an incoming proxy rule to determine if it's coming from an "internal" subnet and if so then it redirects to an IWA protected scheme. If it's not a known internal subnet, then it redirects to a forms based scheme.
Ahh, this is for our internal solution... the issue is that different regions need different look up schemes.
Say, one for Europe and one for North America...
I understand you've been working with a support engineer on this question. His closest to "out of the box" suggestion is to add a script to the page that is able to determine where the user came from and have it determine which resource to access and hence the needed authentication scheme. Unfortunately we do not have any examples implementing this functionality, but you can reach out to Global Development to contract their services if help is needed.
Thank you. I forgot to come back to this and add our solution, as suggested by Pete Burant of CA Support.
We have an aspx page that collects credentials as IWA would and examines the domain. Based upon the domain, it sends them to a protected resource that uses the correct authentication scheme to get them logged in. The resource takes the target (sent from the selector page) and decodes it, forwarding them back to their starting point.
We had to use a small group for testing, but it is working well. We are working to expand the test group.
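The selector flow described in the post above, sketched in C# as an added example (not the poster's or CA's code). The domain names, resource paths, the `target` parameter name, its Base64 encoding and the `DOMAIN\user` login format are all assumptions; the local-path check on the decoded target is an addition so the final forward cannot leave the site.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

public static class SchemeSelector
{
    // Hypothetical mapping: Windows domain -> resource protected by that region's scheme.
    static readonly Dictionary<string, string> ResourceByDomain =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "EUROPE", "/auth/eu/login.aspx" },
            { "NORTHAMERICA", "/auth/na/login.aspx" },
        };

    // Selector page: choose the protected resource from the DOMAIN\user login name
    // and carry the starting point along as an encoded "target" parameter.
    public static string BuildRedirect(string loginName, string startingUrl)
    {
        int slash = loginName.IndexOf('\\');
        string domain = slash > 0 ? loginName.Substring(0, slash) : "";
        string resource;
        if (!ResourceByDomain.TryGetValue(domain, out resource))
            return null; // unknown domain: show an error, never fall back to a default scheme
        string target = Convert.ToBase64String(Encoding.UTF8.GetBytes(startingUrl));
        return resource + "?target=" + Uri.EscapeDataString(target);
    }

    // Protected resource: decode the target and forward only to a local path,
    // so a crafted target cannot send a freshly authenticated user off-site.
    public static string ResolveTarget(string encodedTarget, string fallback)
    {
        if (string.IsNullOrEmpty(encodedTarget)) return fallback;
        string url;
        try { url = Encoding.UTF8.GetString(Convert.FromBase64String(encodedTarget)); }
        catch (FormatException) { return fallback; }
        bool local = url.StartsWith("/", StringComparison.Ordinal)
                     && !url.StartsWith("//", StringComparison.Ordinal)
                     && !url.StartsWith("/\\", StringComparison.Ordinal)
                     && url.IndexOfAny(new[] { '\r', '\n' }) < 0;
        return local ? url : fallback;
    }

    public static void Main()
    {
        // Constructed sample values.
        string redirect = BuildRedirect(@"EUROPE\jdoe", "/reports/q3.aspx");
        Console.WriteLine(redirect);
        string t = Uri.UnescapeDataString(redirect.Substring(redirect.IndexOf("target=") + 7));
        Console.WriteLine(ResolveTarget(t, "/"));
        string offsite = Convert.ToBase64String(Encoding.UTF8.GetBytes("//other.example/x"));
        Console.WriteLine(ResolveTarget(offsite, "/")); // rejected, falls back to the site root
    }
}
```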
Super! Thanks for following up and letting us know that Pete's suggestion is working.