3 Replies Latest reply on Jun 10, 2011 5:56 AM by PhilM

    Version 8 - Active Passport with multiple authenticators

    PhilM

      While this is partly in relation to the other Active Passport discussion I started, I didn't want to overcomplicate matters and have raised this as a separate question.

       

      When configuring the Passport function, it is possible to select multiple authenticator types (having defined these in advance, of course) but you then must select one of these to be your default.

       

      What I have found is that the Passport server will only authenticate users belonging to the default authenticator type. If this is set to "Password", attempts to log in with Active Directory credentials fail. When I switch the default to my Active Directory authenticator entry, I can then log in using AD credentials, but attempts to log in using local user credentials fail.

       

      As a side-note - I found getting AD (or LDAP) to work in the first place something of a chore. In the end, and purely by chance, I discovered the user credentials required to allow the Firewall to talk to the Active Directory server (whether configured as an Active Directory or "Other LDAP" entry) must be entered as a distinguished name (cn=admin,cn=users,dc=domain-name,dc=local, for example). I couldn't see anything in either the product guide, or the context-sensitive help stating that it must be entered in this fashion.

        • 1. Re: Version 8 - Active Passport with multiple authenticators
          sliedl

          You might try this.  You can specify the name of the authenticator to use IN the password box:

          - set the default Passport authenticator to be your AD one and also select Password as a Passport authenticator

          - hit the rule so you get the login/password box.  Type your login name in one box (a username ON the firewall itself), and in the password box type 'Password:yourpassword' (yourpassword is the password of the firewall user you typed in the previous box).

           

          See if that allows you to use the Password authenticator to generate your Passport when the AD authenticator is the default one.

          • 2. Re: Version 8 - Active Passport with multiple authenticators
            PhilM

            Thanks Sam

             

            I will give this a try when I get to the office tomorrow morning (UK-time).

             

            -Phil

            • 3. Re: Version 8 - Active Passport with multiple authenticators
              PhilM

              Yes - that's done the trick.

               

              For the benefit of others: I have created an Active Directory authenticator, calling it "AD".

               

              I have assigned this authenticator to the Passport service, but have left "Password" as my default.

               

              I can log in using a standard Firewall user account and password.

               

              I can now also log in using my Active Directory username and entering "AD:<password>". It would seem that the password prefix isn't case sensitive, as I have entered "ad:<password>" and that worked also.

               

              Thanks.