jacobrush
Level 7

Prompt for alternate credentials if users are in a certain group

I'm in the process of setting up a MWG7.1 box.

We're using WCCP

and Active Directory transparent authentication as outlined in this thread https://community.mcafee.com/thread/29947?tstart=0

I have all that working. I'm transparently authenticating users.

Now it gets a little tricky though. I have some accounts that are a generic shared PC account.

I want to detect these users and put up a login prompt of some sort to have them enter their specific AD credentials.

I'm able to detect these users easily enough by adding a property of Authentication.UserGroups contains "Shared User"

But I'm a little lost as to what to do now..

Any pointing in the right direction would be helpful.

Thanks in advance!

-Jacob

0 Kudos
7 Replies
jont717
Level 12

Re: Prompt for alternate credentials if users are in a certain group

Sounds a little strange. If you want them to sign into the internet with their normal AD credentials, then why have them sign into the computer with the shared account at all? Shared accounts in an AD environment are never a good idea anyway.

Doing this would be pretty tricky. 

0 Kudos
jacobrush
Level 7

Re: Prompt for alternate credentials if users are in a certain group

Oh, yeah. Shared accounts are a terrible idea. And they break so many things..

But that's the environment at this customer. I'm just trying to get it to work as best as I can for them.

I think if I do some more research into how the various authentication systems work I can actually get this to do what I want. Just curious if anybody else has figured out a solution before I go and re-invent the wheel.

0 Kudos
jont717
Level 12

Re: Prompt for alternate credentials if users are in a certain group

If you want to do it by user group "Shared User", then obviously the account will have to authenticate first to pull the groups. 

I would make a rule in the authentication rule set that says, if authentication.UserGroups = "Shared Users", then set it up to somehow use Try-Auth. Put this before the Redirect back from authentication server.

Or maybe even a top level rule set after your Authentication rule set that is only Enabled if authentication.UserGroups = "Shared Users". Then in there put the Try-Auth rules.

I have not done this, but it seems like it would work. Try-Auth will pop up a login box.

0 Kudos
jacobrush
Level 7

Re: Prompt for alternate credentials if users are in a certain group

Sounds good. I'll give that a go.

Just as a test I had a rule just where you said, before the redirect back. I set it to authentication.UserGroups = "Shared Users" and an action of block, and it would block the users, so I know the rule is firing. I just wasn't quite sure where to go from there.

Thanks!

0 Kudos
jont717
Level 12

Re: Prompt for alternate credentials if users are in a certain group

Let me know if you have any success.

0 Kudos
bayswater
Level 9

Re: Prompt for alternate credentials if users are in a certain group

Hi Jacob, just wondering if you had any luck with this?

I am in the same situation whereby I have a number of staff using a shared account on a few computers and I wish to prompt for additional authentication when they open a browser. There are a few staff that need more access than the rest of the staff and making them authenticate again would allow me to give them this additional access.

0 Kudos
jacobrush
Level 7

Re: Prompt for alternate credentials if users are in a certain group

Not quite yet. I had some other projects come up and have not been able to make progress on this lately. I hope to have something either working or give up on it next week. : )

-Jacob

0 Kudos