Question: Can I configure UTM to LDAP lookup different AD attributes, to allow for users who provide credentials in different formats? eg. allow users to provide domain\username, username, username@domain or useremail@domain, and have any of these successfully authenticate the user.
Scenario: We are migrating multiple services from TMG to UTM. I am currently working on Exchange services like ActiveSync and EWS. Pre-authentication at the UTM using UPN (username@domain) works well. However, this requires users to modify the login credentials of their mobile device from username or domain\username to username@domain. Whilst this can be communicated to users, it will affect several hundred people... many of whom will request Help Desk assistance (something I would like to minimise).
More information: Unfortunately, our AD user accounts do not have the same username and email address. ie. UPN is username@domain while email is useremail@domain. Communicating this is possible, but may create confusion for some users (something I would like to minimise). I am also struggling with Lync access to Exchange EWS URL (ie. for calendar, etc integration). Again, on a mobile device, changing the advanced login details from domain\username to username@domain works fine. But the desktop Lync client is giving me more grief... I believe it is trying to authenticate using the user's email/SIP address (ie. the user's sign-in address), which wont work with UTM's LDAP UPN lookup (I am still testing this, so don't believe everything I say just yet). But this Lync issue is off topic... please focus on my original question only.
I have recently upgraded our UTM to 9.304-9 and can see the prefix and suffix options for the WAF reverse authentication. However, my understanding is that this will not help in this situation because that prefix/suffix modification only applies to username details passed to the backend/real server. What I (almost) need is some sort of prefix/suffix sanitisation of usernames before they are passed to the LDAP lookup server. Should that be a feature request? [;)]
Anyway, please stay on topic... now that I've given more information, please go back to the top to my original question.
And, yes, I already tried creating multiple LDAP servers profiles to see what would happen; one that looks up the userPrincipalName and another that looks up the sAMAccountName... but it didn't work as intended. Maybe I did something wrong...
Thanks
This thread was automatically locked due to age.
