Username Domain vs. Email Login
Hi,
we would like all our sslvpn users to authenticate with their full email address like username@domain.com
. we configured domain.com
as active directory domain.
using the web loging with username + drop-down works fine.
but we want our users always to use their full username@domain.com
(as all other plattforms need it this way and most users can only remember one method)
but here we got stuck, because firebox adds @<default-domain>
to the username.
like username@domain.com@domain.com
if they use domain.com\username
it works, but we dont want this style (because nobody understands it)
is this a bug (because you just don't match the @ for separating a domain) or is there a setting which i am missing?
(in our world, nearly 2023, nobody really uses the "\" anymore...)
thank you
Comments
you need to change the Login Attribute from the default sAMAccountName to mail.
You also need to give a DN of Searching User and its password.
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/active_directory_about_c.html
this does not change the processing of the submitted username.
I still get the same error:
admd Authentication of SSLVPN user [username@example.com@default.com] was rejected, user doesn't exist, check your username
this might work, if your mail-domain equals the default-domain.
but as we have multiple ADs to authenticate against, this workaround does not solve our problem.
(again: example.com\username works with no matter which default authentication server)
With multiple AD authentication, I think the only way to do this is with Microsoft NPS Proxy radius.
i.e. Firebox sends the authentication request to a NPS radius Proxy, that then sends respective domain to the right
AD and its NPS radius server.
https://www.youtube.com/watch?v=X_VMAJmotXY
@frankl
Changing the logon attribute does change how the firewall submits usernames to the AD server. However, the way to specify an alternate domain (domain\user) is how the firewall expects to see alternate domains. It simply doesn't know what to do with the UPN style domain you're adding (the @domain.com part.)
If you want complete control over what you're doing, RADIUS will probably be the way for you to go, as you can do whatever you like with the username inside of a RADIUS server like NPS.
-James Carson
WatchGuard Customer Support