In essence, the Captivate plugin allows you to force authentication for a NAT user. Normally this would use Forms Based Authentication (FBA) against Windows (Active Directory), which requires the TMG server to be a member of that domain.
In this article I will go through the steps required to set up a secondary domain to authenticate guests against. This allows you to authenticate users against either domain, so you can cater for corporate users with corporate domain accounts on untrusted devices such as iPads and Android tablets, and for true guests that do not require access to any of your corporate domain resources. You can do all this while still keeping the TMG server on your corporate domain.
First up, I tried for a long time to get this working with AD LDS with no luck, so I am using a separate guest domain on a separate domain controller.
Step 1 Build a guest domain controller
For the purposes of this guest network, I do not need anything other than a place to create and expire users. I will either be allowing an authenticated user or dropping the request. Based on this very basic requirement I built a stand-alone domain controller and edited the domain policy.
Policies - Windows Settings - Security Settings - Account Policies / Password Policies
Here you have the options to make the password requirements simple or more complex. The one setting here that affects the ability to change passwords through the forms is Minimum Password Age. By default it is set to 1, which means a user can only change their password once every 24 hours, so set it to 0.
In the case of the guest network you might want to ask a user to change the password at the first log in. If however the password is less than 24 hours old they will not be able to change it.
Step 2 Configure Authentication Server Settings
Here we are going to configure authentication using LDAP as opposed to Windows (Active Directory). Because of this we will have to manually specify the settings.
- From the console tree expand the array
- Select Firewall Policy
- On the task pane on the right hand side scroll down and open Configure Authentication Server Settings
- Select the LDAP Servers tab
- Create an LDAP server set
- Click add
- Specify the LDAP server set name
- Add the AD server you want to use and change the order if required
- Specify the domain FQDN
Important - If you want to enable password management through the Authentication Form, the following must be set:
- Un-check Use Global Catalog
- Check Connect LDAP server over secure connection
- Specify a username and password that is authorized to change passwords on that domain.
- Repeat the steps to create a second LDAP server set for the other domain (corporate or guest), specifying that domain's servers and names
Configure Login Expressions
The login expression defines how the credentials will be formatted. It can be either:
- domain\username - guest\*
- firstname.lastname@example.org - *@guest.co.za
Since in this case they are both Active Directory you can use domain\*.
So you would have two entries:
corporate\* - Going to the Corporate LDAP server set
guest\* - Going to the Guest LDAP server set
Step 3 Validate LDAP connectivity
Since during normal operation you don't really see what is going on, you will want to confirm that both LDAP sources are working as expected.
- On the TMG server run LDP.exe
- From the Connection menu select Connect
- Specify the FQDN of the LDAP server
- Change the port to 636
- Check SSL
At this point you have sent a connection request but you have not yet bound to it using a credential, so next up:
- From the Connection menu select Bind
- Click the Advanced Button
- Select Digest
- Select Advanced (Digest) in the Bind type
- Specify the credentials you used when setting up the LDAP server set
Step 4 Limitations to be aware of
If you are using forms-based authentication with LDAP as I have set out here, TMG is not able to check whether the password is valid or expired. So unlike authenticating against Windows (Active Directory), you will not automatically be redirected to the change password screen. The user will just get an invalid credentials error.
The account cannot be marked with "User must change password at next logon" in Active Directory; if it is, authentication will fail.
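The LDP.exe check in Step 3 and the "must change password" limitation above can both be scripted. The following is an added example, not part of the original article: it binds to each LDAP server set over LDAPS (636) with the password-management account, as TMG will, and then lists guest accounts whose pwdLastSet is 0, which is how Active Directory stores "User must change password at next logon". Server names, base DN and credentials are placeholders.

```powershell
# Added example (not from the original article). Placeholders: dc1.corporate.example,
# dc1.guest.example, DC=guest,DC=example and the two credentials prompted for below.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function New-LdapsConnection {
    param([string]$Server, [pscredential]$Credential)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636, $false, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true   # same as "Connect LDAP server over secure connection"
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic  # simple bind, acceptable only inside TLS
    $conn.Bind($Credential.GetNetworkCredential())   # throws LdapException on an untrusted cert or bad credentials
    return $conn
}

function Test-LdapServerSet {
    # Mirrors what TMG does for one LDAP server set: connect on 636 with SSL, then bind.
    param([string]$Name, [string]$Server, [pscredential]$Credential)
    try {
        $conn = New-LdapsConnection -Server $Server -Credential $Credential
        $conn.Dispose()
        [pscustomobject]@{ ServerSet = $Name; Server = $Server; Bound = $true;  Error = $null }
    } catch {
        [pscustomobject]@{ ServerSet = $Name; Server = $Server; Bound = $false; Error = $_.Exception.Message }
    }
}

function Find-MustChangePasswordUsers {
    # Accounts flagged "User must change password at next logon" have pwdLastSet = 0
    # and will fail forms-based authentication over LDAP (see Step 4).
    param([string]$Server, [pscredential]$Credential, [string]$BaseDn)
    $conn = New-LdapsConnection -Server $Server -Credential $Credential
    try {
        $filter = '(&(objectCategory=person)(objectClass=user)(pwdLastSet=0))'
        $scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
        $req    = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, $filter, $scope, [string[]]@('sAMAccountName'))
        $resp   = $conn.SendRequest($req)
        foreach ($entry in $resp.Entries) { [string]$entry.Attributes['sAMAccountName'][0] }
    } finally { $conn.Dispose() }
}

# Usage with the placeholder names for the two domains from the article
$corpCred  = Get-Credential -Message 'Corporate LDAP server set account'
$guestCred = Get-Credential -Message 'Guest LDAP server set account'
Test-LdapServerSet -Name 'corporate' -Server 'dc1.corporate.example' -Credential $corpCred
Test-LdapServerSet -Name 'guest'     -Server 'dc1.guest.example'     -Credential $guestCred
Find-MustChangePasswordUsers -Server 'dc1.guest.example' -Credential $guestCred -BaseDn 'DC=guest,DC=example'
```

Run it on the TMG server itself so the LDAPS certificate is validated against the same trust store TMG will use; a bind failure here means the server set will fail in the same way.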
The ability to authenticate against multiple domains can be used to cater for specific user scenarios like this one. You can enable a corporate user to use his private device without having to create a dedicated guest domain user, and likewise you can enable a guest user to use your corporate internet without having to create a corporate domain user just for this.