The following is directly from a LANDesk support case I have just opened. It is clear that what we are looking for is the ability to make an unsupported modification - but the change is rather simple and would generate value, as our customer base has no idea of the various UPN (User Principal Name) conventions and simply cannot get logon correct using this ID.
I am not particularly hopeful - but as I have some pressing requests to get this functional it is worth asking. The ultimate answer likely lies in setting up a federation server in the DMZ, and perhaps at that point Integrated Authentication can be used for external access - but that is outside of our timeline. If anyone has experience in either being able to find and modify some of the base code (or can confirm this is not possible - perhaps all delivered in object code vs source) I would appreciate the information. With the question and relative priority I expect a slow response from Support - perhaps the community can provide information a bit faster.
Thanks!
Terry
We have a fully operational Internal Server deployment using Integrated Authentication with Active Directory. That deployment is working without issue - however there is some relevant background information (you can also review LANDesk case #00740181 related to the current setup):
* The LANDesk ID is currently set up as the AD User Principal Name (UPN). This user logon format is NOT well known in the general user community.
* The transition to the UPN was required as we support multiple AD domains within a single forest (quite common) and the Pre-W2K login ID is not unique across the domains. Note that the convention of using <Domain>\<Pre-W2K ID> is common across all of the Microsoft AD clients.
This all works well - and with Integrated logon the user doesn't get exposed to the fact that we are using the UPN convention for the ID.
Now, when configuring to allow access to an external facing Web Server we are not able to use the Integrated Authentication (no Federation Services - and of course the internal AD is not open to the DMZ).
So - we have successfully configured the external facing web server to "authenticate against the AD" - by having the user enter their LANDesk ID (Active Directory UPN) and their AD Password. This is functioning correctly as well.
What we would like to do is to be able to slightly modify the SQL that is used in the challenge sequence so that our users could enter their Email Address rather than the UPN (users know their email - and the Pre-W2K ID - nobody knows the UPN structure).
By tracing the logon sequence we are able to identify a pretty simple and contained SQL that is used to get the TPS_GUID for the user (and this later allows LDSD to find the network logon and complete the authentication). A very simple change to that SQL (adding an OR - and matching what the user entered to either the ID or the Email address on the TPS_User table) would provide the solution.
We understand this would be an unsupported user modification - but I am looking for direction on whether this is possible and a pointer to where the code is that would need this modification. An example from the current code follows - the first parameter is the UPN of the user, and the 2nd is a constant to only look at current IDs.
SELECT T1.tps_name,T1.tps_account_disabled,T1.tps_guid,T1.tps_title,T1.tps_deleted,T1.tps_user_type_guid FROM tps_user T1 WHERE (T1.tps_name=@0) AND T1.tps_deleted=@1
Parameters:
@0 = spadhi@americas.corp.timex.com
@1 = False
In order to accomplish what we need the SQL where clause would be modified from:
(T1.tps_name=@0)
to:
(T1.tps_name=@0 or T1.tps_email_address=@0)
This change looks for any active IDs where either the LANDesk ID or the Email Address for the LANDesk user matches what the user entered for credentials.
As can be seen - the change itself is very minor - and would bring a lot of value to our deployment. Is it possible to find and modify this code at the customer end?
Any assistance would be greatly appreciated.
Thanks,
Terry
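The lookup Terry traces above resolves an entered string to a single TPS_GUID, and the rest of the logon hangs off that GUID. Widening the WHERE clause to match two columns introduces one failure mode the original query could not have: the same string may now match more than one active row, for instance when the e-mail address stored for one account equals the UPN (the LANDesk ID) of another. The following is an added example, not code from the support case, LANDesk or LDSD: it runs the original and the proposed WHERE clauses against an in-memory SQLite table standing in for tps_user and shows an "exactly one active match" check in front of the widened lookup. The column name tps_email_address is taken from the proposed clause in the post; the row data, the GUID values and the collision row are constructed for this example.

```python
import sqlite3

# Constructed sample of the tps_user table: column names follow the query
# quoted in the post; the row values are made up for this example.
# The last row is a deliberate collision: an active account whose e-mail
# address is another user's UPN (which is the LANDesk ID in this deployment).
SAMPLE_ROWS = [
    ("spadhi@americas.corp.timex.com", "spadhi@timex.com",          0, "guid-0001"),
    ("jdoe@emea.corp.timex.com",       "jdoe@timex.com",            0, "guid-0002"),
    ("retired@emea.corp.timex.com",    "retired@timex.com",         1, "guid-0003"),  # deleted
    ("mallory@emea.corp.timex.com",    "jdoe@emea.corp.timex.com",  0, "guid-0004"),
]

# The WHERE clause as traced in the post, with SQLite named parameters in
# place of @0/@1.  Both queries stay parameterized, so what the user types
# is bound as a value and never becomes part of the SQL text.
ORIGINAL_SQL = (
    "SELECT T1.tps_guid FROM tps_user T1 "
    "WHERE (T1.tps_name=:entered) AND T1.tps_deleted=:deleted"
)
MODIFIED_SQL = (
    "SELECT T1.tps_guid FROM tps_user T1 "
    "WHERE (T1.tps_name=:entered OR T1.tps_email_address=:entered) "
    "AND T1.tps_deleted=:deleted"
)


def build_db():
    """In-memory stand-in for the tps_user table, loaded with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tps_user ("
        "tps_name TEXT, tps_email_address TEXT, tps_deleted INTEGER, tps_guid TEXT)"
    )
    conn.executemany("INSERT INTO tps_user VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def matching_guids(conn, sql, entered):
    """Run one of the two lookups and return every tps_guid it matches
    among non-deleted rows (tps_deleted = 0, the @1 = False of the post)."""
    rows = conn.execute(sql, {"entered": entered, "deleted": 0}).fetchall()
    return [r[0] for r in rows]


def resolve_guid(conn, entered):
    """Hardened wrapper around the modified lookup (our suggestion, not LDSD
    code): the entered value must identify exactly one active account, or the
    logon is refused before any network authentication is attempted."""
    guids = matching_guids(conn, MODIFIED_SQL, entered)
    if len(guids) != 1:
        # no match at all, or ambiguous: one user's ID equals another's e-mail
        return None
    return guids[0]


if __name__ == "__main__":
    db = build_db()
    for entered in ("spadhi@timex.com", "jdoe@emea.corp.timex.com", "retired@timex.com"):
        print(entered,
              "| original:", matching_guids(db, ORIGINAL_SQL, entered),
              "| modified:", matching_guids(db, MODIFIED_SQL, entered),
              "| resolved:", resolve_guid(db, entered))
```

With the sample rows, "spadhi@timex.com" matches nothing under the original clause and exactly one row under the modified one; "jdoe@emea.corp.timex.com" matches one row under the original clause but two under the modified one, and the wrapper refuses it rather than letting whichever row the database returns first decide which network logon is attempted. The post does not say whether LDSD users can edit their own e-mail address; if they can, the collision in the last sample row is one a user could create deliberately, which is why the uniqueness check (or a unique index across both columns on the real SQL Server) belongs with the change rather than being left to chance.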