If you have selected both password and active directory authenticators in the Passport server and you have specified password as being the default authenticator, when you log into the passport service and wish to use active directory credentials you must prefix the username accordingly.
It's been almost a year since I had to configure this myself, but I think that it is formatted <authenticator>:<username> - where <authenticator> is the name you have given to that authenticator entry on the firewall.
So, if you called the authenticator entry "AD", you would log in as "galaxyus" to use the password credentials and "AD:galaxyus" to force the passport service to check the credentials against active directory. (no " " marks, of course).
Hope that helps.
You have experience with MFE like https://community.mcafee.com/message/192865#192865. I meant that when users want to connect to the internet, they have to authenticate by ID/PW in AD.
My rule: User & Groups: authenticated - Authenticator: AD (replacing None/Passport), like I configured in Authenticator. But it was not successful. What more do I need to configure?
What does the audit say? Are you failing authentication? What does the AD server log say when the firewall tries to authenticate?
I missed some configuration.
It works great, like in this link: https://community.mcafee.com/message/192865#192865
We are using passive passport and active passport for the rule defined:
- Authenticator: we defined AD (AD IP: port) --- Search: Search in Active Directory Domain (yourdomain.com)
- Passport: Active: Inband mode -- Authenticator: AD (defined before)
Rule like this:
- Users & Groups: <Authenticated>
- Authenticator: <None/Passport>
The first time users use a web browser, they have to authenticate with their AD username/pw.
It is possible that I may have misled you in my earlier reply regarding the correct format to use when logging into the active passport service.
I've checked back through the forum for my own enquiry on this subject and it would appear that you need to prefix the password field with the chosen authenticator name not the username field.
So, I originally said that if you wanted to specify your Active Directory authenticator (which I called "AD" in the example) you should log into the passport server using "AD:<username>" and then issue the password, when I actually think that you need to log in as "<username>" and then enter "AD:<password>" in the password field.