APM sso to vdi rdp sending wrong password variable
Hi. I created a VPE where a user must enter both password and PIN in the password field. I extract the password and PIN into 2 different variables, and use them to authenticate. That works great. But when I use SSO to the VMware VDI backend, the original variable, which contains the password and PIN, is used, so the backend auth fails. We are using 11.6 HF5.
10 Replies
- Stanislas_Piro2
Cumulonimbus
Hi,
If the user-provided password is never used to authenticate, replace the variable name in the logon page from password to combinedpwd (keep the POST variable as password and define the Session variable as combinedpwd). It will be easier to keep the original value and reduce variable assigns.
The first variable assign will be:
session.logon.last.password = expr {[string range [mcget -secure {session.logon.last.combinedpwd}] 0 end-6]}
The second variable assign will be:
session.logon.last.password = expr {[string range [mcget -secure {session.logon.last.combinedpwd}] end-5 end]}
In the second variable assign screenshot, you forgot the secure parameter.
- MrIB_64119
Nimbostratus
The session.logon.last.password is a fixed variable? Can you change that variable in the logon page?
To be clear again, the authentication steps which use the already assigned variables like session.temp.password and session.temp.token are working. In the last step, session.temp.password is assigned to session.logon.last.password, and that variable is used to successfully authenticate to RADIUS (AD). After that the variable is not changed anymore. So I assume this variable is used as the password variable which is sent along with session.logon.last.username to the VMware VDI backend. But I think my assumption is wrong :-(
- Stanislas_Piro2
Cumulonimbus
I did not read VMware View.
Did you try to add the secure parameter in the second variable assign?
When manipulating logon page variables, you must limit AD auth "Max Logon Attempts Allowed" to 1, as every box between the logon page and the AD auth box is executed only once.
- MrIB_64119
Nimbostratus
No problem.
Yes, I adjusted the secure parameter in the second variable, and the max logon attempts allowed was already set to 1.
I don't think the problem is in the variable assign, but in sending the wrong value in session.logon.last.password to the VMware backend.
Below is my whole policy; the token auth is removed because for testing purposes it was not required.
- Stanislas_Piro2
Cumulonimbus
I think in the VMware View logon page, you can use both token and AD Auth with 2 logon pages.
Why do you want users to enter both passwords in the same field? (The user will need to enter the username in both logon pages.)
In the SSO in the VMware View resource, try to use session.temp.token instead of session.logon.last.password.
Another way is to configure Kerberos SSO.
- MrIB_64119
Nimbostratus
The reason the user must type the password and PIN in one field is a requirement.
- InnO
Nimbostratus
+1 to Stanislas, would be the best solution.
Can you share the content of your SSO Credential Mapping box, if any?
Session.temp.password should be used as the password source in the SSO Credentials mapping agent.
- MrIB_64119
Nimbostratus
This I already used, but it is not working......
- Stanislas_Piro2
Cumulonimbus
VMware View VDI does not use session.sso.token.password but session.logon.last.password if you did not change the default value in the Remote Desktop resource.