Authenticate users with this format: domain\username


Article ID: 121203




CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On


When I'm trying to log in the user with domain\userid in an HTML Form,
it doesn't work, but using the userid only works fine and I'd like to
know why?


Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP


The domain is needed and used when authenticating the
user with Windows Authentication. With this Authentication Scheme, the
Policy Server doesn't perform the authentication; the IIS server does.

Configure a Windows Authentication Scheme 

Note: The IIS web server, not the Policy Server, performs 
authentication based on credentials it receives from the Internet 
Explorer web browser. Therefore, you cannot use the OnAuthAttempt 
authentication event to redirect users who do not exist in the user 

You might use the GD module:

Extended_NTLM Authentication_for CA Single Sign-On 

According to this module's documentation:

Extended NTLM Authentication for CA Single Sign-On User Guide

"The solution has added capability of validating the user’s password 
against an Active Directory User Store (/Ldap Directory User Store) in 
which the user’s account is located when the user submits a domain name,
login ID and password via an HTML Form. 

In both IWA and Forms modes, the authentication scheme supports 
multiple AD Domains, configured as separate CA Single Sign-On User 
Directory objects in the CA Single Sign-On policy store, and will 
only attempt to disambiguate the user in the User Directory/AD 
Instance, that is associated with the <domain> value passed to CA 
Single Sign-On by IIS or by the HTML Form. This will allow a user’s 
account to be located in the correct AD instance with a single 
search, even though the user’s username may exist in multiple AD 

But according to the GD support matrix, the last module version, 3.0,
seems to be supported only with Policy Server 12.52SP1. You might also
open an Idea certification request to get the module ported to Policy
Server 12.8.

Extended NTLM Authentication for CA Single Sign-On 

| PWP Version | Component     | Component Version | Operating System            |
|-------------|---------------|-------------------|-----------------------------|
| 3.0         | Policy Server | 12.52 SP1         | Product Supported Platforms |


You might also be able to implement a Custom Authentication Scheme using
Active Directory APIs.

Managing Users 

Querying for Users
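
The following added example (not code from this article, the GD module, or the product) sketches the input handling a custom scheme would need before it queries Active Directory: split `domain\username`, select the one directory mapped to that domain, and build an escaped search filter. The domain names, hosts, base DNs and validation limits are constructed assumptions, and no SiteMinder or Active Directory API is called.

```python
import re

# Constructed mapping: NetBIOS domain -> hypothetical user directory settings.
DIRECTORIES = {
    "CORP": {"host": "ldaps://dc1.corp.example", "base_dn": "DC=corp,DC=example"},
    "PARTNER": {"host": "ldaps://dc1.partner.example", "base_dn": "DC=partner,DC=example"},
}

# Conservative checks assumed for this example: short alphanumeric domain label,
# login ID of at most 20 characters with no separator or wildcard characters.
_DOMAIN_RE = re.compile(r"[A-Za-z0-9-]{1,15}")
_LOGIN_FORBIDDEN = set('"/\\[]:;|=,+*?<>@')


class LoginRejected(ValueError):
    """Raised when the submitted login cannot be mapped to exactly one directory."""


def escape_ldap_filter(value: str) -> str:
    """Escape per RFC 4515 so the login ID cannot alter the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def resolve_login(raw: str) -> dict:
    """Split 'domain\\username' and return the single directory search to run."""
    domain, sep, user = raw.strip().partition("\\")
    if not sep:
        raise LoginRejected("expected domain\\username")
    if not _DOMAIN_RE.fullmatch(domain):
        raise LoginRejected("malformed domain")
    if not user or len(user) > 20:
        raise LoginRejected("malformed username")
    if any(c in _LOGIN_FORBIDDEN or ord(c) < 32 for c in user):
        raise LoginRejected("malformed username")
    directory = DIRECTORIES.get(domain.upper())
    if directory is None:
        # Do not fall back to searching every directory: the same username
        # may exist in more than one domain.
        raise LoginRejected("unknown domain")
    return {
        "host": directory["host"],
        "base_dn": directory["base_dn"],
        "filter": "(&(objectClass=user)(sAMAccountName=%s))" % escape_ldap_filter(user),
    }
```

The returned host, base DN and filter would then be handed to whichever LDAP or Active Directory client the scheme uses for the search and the password check.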