When I try to log in the user with domain\userid in an HTML Form, it doesn't work, but using the userid only works fine, and I'd like to know why.
The domain is needed and used when authenticating the user with Windows Authentication. With this authentication scheme, the Policy Server does not perform the authentication; the IIS server does.
Configure a Windows Authentication Scheme
Note: The IIS web server, not the Policy Server, performs authentication based on credentials it receives from the Internet Explorer web browser. Therefore, you cannot use the OnAuthAttempt authentication event to redirect users who do not exist in the user store.
You might use the GD module:

Extended NTLM Authentication for CA Single Sign-On

According to this module's documentation:

Extended NTLM Authentication for CA Single Sign-On User Guide
"The solution has added capability of validating the user's password against an Active Directory User Store (/LDAP Directory User Store) in which the user's account is located when the user submits a domain name, login ID and password via an HTML Form.

In both IWA and Forms modes, the authentication scheme supports multiple AD Domains, configured as separate CA Single Sign-On User Directory objects in the CA Single Sign-On policy store, and will only attempt to disambiguate the user in the User Directory/AD Instance that is associated with the <domain> value passed to CA Single Sign-On by IIS or by the HTML Form. This will allow a user's account to be located in the correct AD instance with a single search, even though the user's username may exist in multiple AD Domains."
But according to the GD support matrix, the latest module version, 3.0, seems to be supported only with Policy Server 12.52 SP1. You might also open an Idea certification request to get the module ported to Policy Server 12.8.
Extended NTLM Authentication for CA Single Sign-On
| PWP Version | Component     | Component Version | Operating System            |
|-------------|---------------|-------------------|-----------------------------|
| 3.0         | Policy Server | 12.52 SP1         | Product Supported Platforms |

(p. 7)
You might also be able to implement a Custom Authentication Scheme using the Active Directory APIs.

Querying for Users: https://docs.microsoft.com/en-us/windows/desktop/ad/querying-for-users
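As an added illustration of the per-domain disambiguation the module text above describes, and of the first step a custom scheme would have to take (example code, not the GD module's or the CA SDK's): it splits the form value into domain and login ID, selects only the user directory mapped to that domain, and builds a single LDAP search with the login ID escaped. The domain-to-directory mapping, host names and function names are constructed for this example.

```python
import re

# Constructed mapping: AD domain -> user directory (host, search base).
# Stands in for the per-domain User Directory objects the module text describes.
USER_DIRECTORIES = {
    "CORP": {"host": "dc1.corp.example", "base": "DC=corp,DC=example"},
    "LAB":  {"host": "dc1.lab.example",  "base": "DC=lab,DC=example"},
}

def parse_login(raw):
    """Split an HTML-form login into (domain, userid).

    Accepts DOMAIN\\user, user@domain and a bare user. Returns (None, user)
    when no domain was supplied, so the caller can fall back to searching
    every directory (which is why a bare userid "just works").
    """
    raw = raw.strip()
    if "\\" in raw:
        domain, _, user = raw.partition("\\")
    elif "@" in raw:
        user, _, domain = raw.rpartition("@")
        domain = domain.split(".")[0]   # realm corp.example -> CORP
    else:
        domain, user = None, raw
    if not user:
        raise ValueError("empty user id")
    return (domain.upper() if domain else None), user

def ldap_escape(value):
    """RFC 4515 escaping so a form value cannot alter the search filter."""
    return re.sub(r'[\\*()\x00]', lambda m: "\\%02x" % ord(m.group()), value)

def plan_user_search(raw):
    """Pick the directory for the supplied domain and build one search.

    Returns a list of (host, base, filter) tuples: exactly one entry when a
    known domain was given, one per directory when none was given, and an
    empty list for an unknown domain (no search at all, a deterministic fail).
    """
    domain, user = parse_login(raw)
    flt = "(sAMAccountName=%s)" % ldap_escape(user)
    if domain is None:
        targets = list(USER_DIRECTORIES.values())
    elif domain in USER_DIRECTORIES:
        targets = [USER_DIRECTORIES[domain]]
    else:
        return []
    return [(d["host"], d["base"], flt) for d in targets]
```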
KB: KB000121203