Username Domain vs. Email Login

Hi,

We would like all our SSL VPN users to authenticate with their full email address, like username@domain.com. We configured domain.com as an Active Directory domain.
Using the web login with username + drop-down works fine.

But we want our users to always use their full username@domain.com
(as all other platforms need it this way and most users can only remember one method).

But here we got stuck, because the Firebox adds @<default-domain> to the username,
like username@domain.com@domain.com.

If they use domain.com\username it works, but we don't want this style (because nobody understands it).

Is this a bug (because you just don't match the @ for separating a domain), or is there a setting which I am missing?

(in our world, nearly 2023, nobody really uses the "\" anymore...)

Thank you

Comments

    You need to change the Login Attribute from the default sAMAccountName to mail.
    You also need to give a DN of Searching User and its password.
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/active_directory_about_c.html

    This does not change the processing of the submitted username.
    I still get the same error:
    admd Authentication of SSLVPN user [username@example.com@default.com] was rejected, user doesn't exist, check your username

    This might work if your mail domain equals the default domain.
    But as we have multiple ADs to authenticate against, this workaround does not solve our problem.

    (Again: example.com\username works, no matter which default authentication server.)

    With multiple AD authentication, I think the only way to do this is with a Microsoft NPS RADIUS proxy,
    i.e. the Firebox sends the authentication request to an NPS RADIUS proxy, which then sends the respective domain to the right
    AD and its NPS RADIUS server.

    https://www.youtube.com/watch?v=X_VMAJmotXY

    james.carson Moderator, WatchGuard Representative

    @frankl
    Changing the logon attribute does change how the firewall submits usernames to the AD server. However, the way to specify an alternate domain (domain\user) is how the firewall expects to see alternate domains. It simply doesn't know what to do with the UPN-style domain you're adding (the @domain.com part).

    If you want complete control over what you're doing, RADIUS will probably be the way for you to go, as you can do whatever you like with the username inside of a RADIUS server like NPS.

    -James Carson
    WatchGuard Customer Support
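
The behaviour the thread describes (only `domain\user` is recognised, and `@<default-domain>` is appended to everything else, producing `username@example.com@default.com`) is easy to see in a few lines of code. The following is an added illustration written for this page; it is not Fireware or WatchGuard code, and the domain names and the `KNOWN_DOMAINS` table are constructed placeholders. `naive_parse` reproduces the reported behaviour, while `parse_login` shows a parser that accepts both the down-level and the UPN form, rejects malformed names, and refuses to silently route an unknown domain to the default server.

```python
from dataclasses import dataclass

# Constructed values: the Firebox's default authentication server and the
# set of AD domains it has been configured with.
DEFAULT_DOMAIN = "default.com"
KNOWN_DOMAINS = {"example.com", "default.com"}


@dataclass(frozen=True)
class Login:
    user: str
    domain: str


def naive_parse(submitted: str, default_domain: str = DEFAULT_DOMAIN) -> str:
    """Mimic the behaviour reported in the thread: only 'domain\\user' is
    recognised as carrying a domain; anything else gets '@default' appended,
    so a UPN such as 'user@example.com' becomes 'user@example.com@default.com'."""
    if "\\" in submitted:
        domain, user = submitted.split("\\", 1)
        return f"{user}@{domain}"
    return f"{submitted}@{default_domain}"


def parse_login(submitted: str, default_domain: str = DEFAULT_DOMAIN) -> Login:
    """Accept both 'domain\\user' (down-level) and 'user@domain' (UPN) forms.

    A bare username falls back to the default domain. Names with more than
    one separator, an empty part, or a domain that is not configured are
    rejected instead of being guessed at, so a typo cannot end up being
    authenticated against the wrong directory.
    """
    s = submitted.strip()
    if not s:
        raise ValueError("empty login name")

    if "\\" in s:
        parts = s.split("\\")
        if len(parts) != 2:
            raise ValueError(f"malformed down-level name: {submitted!r}")
        domain, user = parts
    elif "@" in s:
        parts = s.split("@")
        if len(parts) != 2:
            raise ValueError(f"malformed UPN: {submitted!r}")
        user, domain = parts
    else:
        user, domain = s, default_domain

    # Reject a separator of the other style leaking into either part.
    if not user or not domain or "@" in user or "\\" in user or "\\" in domain:
        raise ValueError(f"malformed login name: {submitted!r}")

    domain = domain.lower()
    if domain not in KNOWN_DOMAINS:
        raise ValueError(f"unknown authentication domain: {domain}")
    return Login(user=user, domain=domain)


if __name__ == "__main__":
    for name in ("username@example.com", "example.com\\username", "username"):
        print(f"{name!r:28} naive -> {naive_parse(name)!r:40} "
              f"parsed -> {parse_login(name)}")
```

Running the module prints the naive result beside the correct parse for each style, which matches the log line quoted earlier in the thread for the UPN case. The point for a defender is the last two checks in `parse_login`: a login name that does not cleanly map to exactly one configured domain is an error, not something to be patched up with a default.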
