Version Affected: All
Description:
When our WSTrust endpoint receives a password verification request, we chop off the UPN suffix and try to look up the user by SamAccountName.
For example, for awood@example.com we remove the @example.com and look up the user as SamAccountName=awood.
However, the UPN and SamAccountName do not always match. For example, if the UPN is andrew.wood@example.com and the SamAccountName is awood, simply removing the UPN suffix is not enough to find the user.
Cause:
The default setting, which looks up the user by SamAccountName, is not always appropriate.
Resolution:
Depending on your environment, you may need to disable this feature so that we search for the user using the UPN exactly as we receive it.
This is a two-step process: first update your Datastore to search by UPN, then edit the Web.config so that we do not remove the UPN suffix.
1. Edit the Datastore that the realm uses and change the Search Filter. For example, if it currently uses SamAccountName and you wish to make it check both SamAccountName and UPN, make the search filter as follows:
(&(objectclass=user)(|(samAccountName=%v)(userPrincipalName=%v)))
2. In the Advanced Settings, Click Tools | Decrypt Web.config
3. Select the realm in question and click decrypt
4. Navigate to the web.config (e.g. D:\SecureAuth\SecureAuthx\Web.config) and open it in your favourite editor
5. Find <add key="WSTrustValidateWithSamAccountName" value="True" />
6. Change this to <add key="WSTrustValidateWithSamAccountName" value="False" />
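The following is an added example, not SecureAuth code, that models the lookup behaviour described above: the username that gets substituted for %v depending on the WSTrustValidateWithSamAccountName setting, and a constructed in-memory directory that shows why the andrew.wood@example.com case needs both steps. The RFC 4515 escaping of the substituted value is an assumption about good practice, not something the article states the product does.

```python
# Added example (not SecureAuth code). Simulates how the submitted username
# is turned into the %v value and whether the resulting lookup finds a user.

SAM_FILTER = "(&(objectclass=user)(samAccountName=%v))"
COMBINED_FILTER = "(&(objectclass=user)(|(samAccountName=%v)(userPrincipalName=%v)))"

# Constructed sample directory: UPN prefix and SamAccountName differ for the first user.
DIRECTORY = [
    {"samAccountName": "awood", "userPrincipalName": "andrew.wood@example.com"},
    {"samAccountName": "jdoe", "userPrincipalName": "jdoe@example.com"},
]

# RFC 4515 escapes (assumed hardening, so a submitted value cannot alter filter structure).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an LDAP assertion value before substituting it for %v."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def lookup_value(username: str, validate_with_sam: bool) -> str:
    """Value substituted for %v.

    validate_with_sam=True models WSTrustValidateWithSamAccountName="True":
    the UPN suffix is chopped off. False passes the UPN through as received.
    """
    if validate_with_sam and "@" in username:
        return username.split("@", 1)[0]
    return username


def build_filter(template: str, username: str, validate_with_sam: bool) -> str:
    """Render the datastore search filter with the (escaped) lookup value."""
    return template.replace("%v", escape_filter_value(lookup_value(username, validate_with_sam)))


def find_user(directory, username: str, validate_with_sam: bool, filter_checks_upn: bool):
    """Emulate the directory search: SAM_FILTER when filter_checks_upn is False,
    COMBINED_FILTER when it is True. Returns the matching entry or None."""
    value = lookup_value(username, validate_with_sam).lower()
    for user in directory:
        if user["samAccountName"].lower() == value:
            return user
        if filter_checks_upn and user["userPrincipalName"].lower() == value:
            return user
    return None
```

Running find_user for andrew.wood@example.com shows that changing the search filter alone (step 1) still fails, because the suffix has already been stripped; only with the Web.config key set to False does the UPN branch of the filter match.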
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.