nickvandermeijd Absent Member.

Kerberos Fallback method


Hi there,

We are currently setting up Kerberos authentication in NAM 4.1. We want
to configure a fallback method for when there is no Kerberos ticket. We
want users to log in by username/password when the Kerberos mechanism
fails.

Also, the Kerberos mechanism is using the AD as the ID source. We want
the fallback mechanism to use the AD and eDirectory. So basically we
want to use a method as fallback mechanism.

Is this possible?


--
nickvandermeijde
------------------------------------------------------------------------
nickvandermeijde's Profile: https://forums.netiq.com/member.php?userid=8288
View this thread: https://forums.netiq.com/showthread.php?t=54326

6498166 Absent Member.

Re: Kerberos Fallback method


Hi,
yes, check the documentation: http://tinyurl.com/q3gcx79

You can set eDirectory in the Kerberos method as a secondary UserStore, so if
Kerberos works, the user is located in AD (as the first User Store); if
it doesn't work, the fallback method is claim and the user can enter the
credentials in a Form-Based class. The method tries to find the user in AD
first and in eDirectory after.

HTH

Cheers
Maurizio


--
6498166
------------------------------------------------------------------------
6498166's Profile: https://forums.netiq.com/member.php?userid=554
Knowledge Partner

Re: Kerberos Fallback method

6498166 wrote:

>
> yes, check the documentation: http://tinyurl.com/q3gcx79
>
> You can set eDirectory in the Kerberos method as a secondary UserStore, so if
> Kerberos works, the user is located in AD (as the first User Store); if
> it doesn't work, the fallback method is claim and the user can enter the
> credentials in a Form-Based class. The method tries to find the user in AD
> first and in eDirectory after.


If you know that you have all the users in eDirectory and you have (or can easily create) an attribute in eDirectory which is the same as the UPN in AD, then you don't need the two user store part.

Just use eDirectory as the user store and specify the attribute used for UPN in eDirectory.
Configure fallback to a form based login as per the doc for Kerberos.

Works just fine. Plus you get the benefit of password retrieval from eDirectory (if you need that)
Alex McHugh - Knowledge Partner - Stavanger, Norway
Anonymous_User Absent Member.

Re: Kerberos Fallback method

Alex McHugh wrote:


> Works just fine. Plus you get the benefit of password retrieval from
> eDirectory (if you need that)


You can still have password retrieval when using AD for the Kerberos
authentication and then eDir to do the password retrieval.

--
Cheers,
Edward