
You may choose to use anonymous authentication if you think that the resources on the SA Series SSL VPN Appliance do not require extreme security, or if you think that other security measures provided through the SA Series SSL VPN Appliance are sufficient. For example, you may create a user role with limited access to internal resources, and then authenticate that role with a policy that only requires users to sign in from an IP address that resides within your internal network. This method presumes that if a user can access your internal network, s/he is qualified to view the limited resources provided through the user role.

Anonymous Server Restrictions

When defining and monitoring an anonymous server instance, note that:
   You can only add one anonymous server configuration.
   You cannot authenticate administrators using an anonymous server.
   During configuration, you must choose the anonymous server as both the authentication server and the directory/attribute server in the Users > User Realms > General tab.
   When creating role mapping rules through the Users > User Realms > Role Mapping tab, the SA Series SSL VPN Appliance does not allow you to create mapping rules that apply to specific users (such as “Joe”), since the anonymous server does not collect username information. You can only create role mapping rules based on a default username (*), certificate attributes, or custom expressions.
   For security reasons, you may want to limit the number of users who sign in through an anonymous server at any given time. To do this, use the option on the Users > User Realms > [Realm] > Authentication Policy > Limits tab (where [Realm] is the realm that is configured to use the anonymous server to authenticate users).
   You cannot view and delete the sessions of anonymous users through a Users tab (as you can with other authentication servers), because the SA Series SSL VPN Appliance cannot display individual session data without collecting usernames.

Related Documentation
Task Summary: Configuring Authentication Servers on page 143
Defining an Anonymous Server Instance on page 145

Defining an Anonymous Server Instance

To define an anonymous server:
1. In the admin console, select Authentication > Auth. Servers.
2. Do one of the following:
   To create a new server instance on the SA Series SSL VPN Appliance, select Anonymous Server from the New list, and then click New Server.
   To update an existing server instance, click the appropriate link in the Authentication/Authorization Servers list.
3. Specify a name to identify the server instance.
Copyright © 2012, Juniper Networks, Inc.
Chapter 8: Authentication and Directory Servers
4. Click Save Changes.
5. Specify which realms should use the server to authorize users.

Related Documentation
About Anonymous Servers on page 144
Task Summary: Configuring Authentication Servers on page 143

Using an RSA ACE/Server

When authenticating users with an RSA ACE/Server, users may sign in using two methods:
   Using a hardware token and the standard SA Series sign-in page—The user browses to the standard SA Series sign-in page, then enters the username and password (consisting of the concatenation of the PIN and the RSA SecurID hardware token’s current value). The SA Series SSL VPN Appliance then forwards the user’s credentials to ACE/Server.
   Using a software token and the custom SoftID SA Series sign-in page—The user browses to the SoftID custom sign-in page. Then, using the SoftID plug-in, the user enters the username and PIN. The SoftID plug-in generates a passphrase by concatenating the user’s PIN and token and passes the passphrase to the SA Series SSL VPN Appliance. For information about enabling the SoftID custom sign-in pages, see the Custom Sign-In Pages Solution Guide.

If the ACE/Server positively authenticates the user, the user gains access to the SA Series SSL VPN Appliance. Otherwise, the ACE/Server:
   Denies the user access to the system if the user’s credentials were not recognized.
   Prompts the user to generate a new PIN (New PIN mode) if the user is signing in to the SA Series SSL VPN Appliance for the first time. Users see different prompts depending on the method they use to sign in. If the user signs in using the SoftID plug-in, they see the RSA prompts for creating a new pin; otherwise the user sees the SA Series SSL VPN Appliance prompts.
   Prompts the user to enter the next token (Next Token mode) if the token entered by the user is out of sync with the token expected by ACE/Server. Next Token mode is transparent to users signing in using a SoftID token. The RSA SecurID software passes the token through the SA Series SSL VPN Appliance to ACE/Server without user interaction.
   Redirects the user to the standard SA Series sign-in page (SoftID only) if the user tries to sign-in to the RSA SecurID Authentication page on a computer that does not have the SecurID software installed.

When a user enters the New PIN or Next Token mode, they have three minutes to enter the required information before the SA Series SSL VPN Appliance cancels the transaction and notifies the user to re-enter their credentials.

The SA Series SSL VPN Appliance can handle a maximum of 200 ACE/Server transactions at any given time. A transaction only lasts as long as is required to authenticate against the ACE/Server. For example, when a user signs in to the SA Series SSL VPN Appliance, the ACE/Server transaction is initiated when the user submits the request for authentication and ends once the ACE/Server has finished processing the request. The user may then keep their SA Series session open, even though their ACE/Server transaction is closed.

Junos Pulse Secure Access Service Administration Guide

The SA Series SSL VPN Appliance supports the following ACE/Server features: New PIN mode, Next Token mode, DES/SDI encryption, AES encryption, slave ACE/Server support, name locking, and clustering. The SA Series SSL VPN Appliance also supports the New PIN and Next Token modes of RSA SecurID through the RADIUS protocol.

Due to UNIX limitations of the ACE/Server library, you may define only one ACE/Server configuration.

The SA Series SSL VPN Appliance does not support customizing the load balancing algorithm.

Related Documentation
Defining an ACE/Server Instance on page 147
Task Summary: Configuring Authentication Servers on page 143

Defining an ACE/Server Instance

To define an ACE/Server:
1. Generate an ACE/Agent configuration file (sdconf.rec) for the SA Series SSL VPN Appliance on the ACE server as follows:
   a. Start the ACE/Server Configuration Management application and click Agent Host.
   b. Click Add Agent Host.
   c. For Name, enter a name for the SA Series agent.
   d. For Network Address, enter the IP address of the SA Series SSL VPN Appliance.
   e. Enter a Site configured on your ACE server.
   f. For Agent Type, select Communication Server.
   g. For Encryption Type, select DES.
   h. Verify that Sent Node Secret is not selected (when creating a new agent).
      The first time that the ACE server successfully authenticates a request sent by the SA Series SSL VPN Appliance, the ACE server selects Sent Node Secret. If you later want the ACE server to send a new Node Secret to the SA Series SSL VPN Appliance on the next authentication request, do the following:
      i. Click the Sent Node Secret checkbox to uncheck it.
      ii. Sign in to the admin console and choose Authentication > Auth. Servers.
      iii. Click the name of the ACE server in the Authentication/Authorization Servers list. If this is the initial configuration of the server, see instructions for creating the ACE server instance that follow this procedure.
      iv. Under Node Verification File, select the appropriate checkbox and click Delete.
      These steps ensure that the SA Series SSL VPN Appliance and ACE server are in sync. Likewise, if you delete the verification file from the SA Series SSL VPN Appliance, you should uncheck the Sent Node Secret checkbox on the ACE server.
      If you use RSA ACE/Server authentication and change the SA Series SSL VPN Appliance IP address, you must delete the node verification file on the Secure Access for ACE/Server authentication to work. Also, deselect the Sent Node Verification setting on the ACE/Server for the SA Series SSL VPN Appliance.
   i. Click Assign Acting Servers and select your ACE server.
   j. Click Generate Config File. When you add the ACE server to the SA Series SSL VPN Appliance, you will import this configuration file.
2. In the admin console choose Authentication > Auth. Servers.
3. Do one of the following:
   To create a new server instance on the SA Series SSL VPN Appliance, select ACE Server from the New list, and then click New Server.
   To update an existing server instance, click the appropriate link in the Authentication/Authorization Servers list.
4. Specify a name to identify the server instance.
5. Specify a default port in the ACE Port field. Note that the SA Series SSL VPN Appliance only uses this setting if no port is specified in the sdconf.rec file.
6. Import the RSA ACE/Agent configuration file. Make sure to update this file on the SA Series SSL VPN Appliance anytime you make changes to the source file. Likewise, if you delete the instance file from the SA Series SSL VPN Appliance, go to the ACE Server Configuration Management application,
7. Click Save Changes. If you are creating the server instance for the first time, the Settings and Users tabs appear.
8. Specify which realms should use the server to authenticate and authorize administrators and users.

You can monitor and delete the sessions of users who are currently signed in through the server through the System > Status > Active Users page.

Related Documentation
Task Summary: Configuring Authentication Servers on page 143
Using an RSA ACE/Server on page 146

Using Active Directory or NT Domains

When authenticating users with an NT Primary Domain Controller (PDC) or Active Directory, users sign in to the SA Series SSL VPN Appliance using the same username and password they use to access their Windows desktops. The SA Series SSL VPN Appliance supports Windows NT authentication and Active Directory using NTLM or Kerberos authentication.

If you configure a native Active Directory server, you may retrieve group information from the server for use in a realm’s role mapping rules. In this case, you specify the Active Directory server as the realm’s authentication server, and then you create a role mapping rule based on group membership. The SA Series SSL VPN Appliance displays all groups from the configured domain controller and its trusted domains.

The SA Series SSL VPN Appliance provides separate checkboxes for each of the primary authentication protocols: Kerberos, NTLMv2, and NTLMv1, allowing you to select or ignore each of these protocols independent of one another. This more granular control of the authentication process avoids unnecessarily raising the failed login count policy in Active Directory and lets you fine-tune the protocols based on your system requirements.

NOTE:
   The SA Series SSL VPN Appliance honors trust relationships in Active Directory and Windows NT environments.
   When sending user credentials to an Active Directory authentication server, the SA Series SSL VPN Appliance uses whichever authentication protocol(s) you specify on the New Active Directory/Windows NT page. The SA Series SSL VPN Appliance defaults to the authentication protocols in order. In other words, if you have selected the checkboxes for Kerberos and NTLMv2, the SA Series SSL VPN Appliance sends the credentials to Kerberos. If Kerberos succeeds, the SA Series SSL VPN Appliance does not send the credentials to NTLMv2. If Kerberos is not supported or fails, the SA Series SSL VPN Appliance uses NTLMv2 as the next protocol in order. The configuration sets up a cascading effect if you choose to use it by setting multiple checkboxes.
   The SA Series SSL VPN Appliance supports Domain Local Groups, Domain Global Groups, and Universal Groups defined in the Active Directory forest.
   The SA Series SSL VPN Appliance allows only Active Directory security groups, not distribution groups. Security groups allow you to use one type of group for not only assigning rights and permissions, but also as a distribution list for email.
   If multiple Active Directory servers are configured on the SA Series SSL VPN Appliance, each of the servers must be associated with a different and unique machine account name. The same machine account name should not be used for all servers.

Related Documentation
Defining an Active Directory or Windows NT Domain Server Instance on page 150
About Basic, NTLM and Kerberos Resources on page 435

Defining an Active Directory or Windows NT Domain Server Instance

To define an Active Directory or Windows NT Domain server:
1. In the admin console, choose Authentication > Auth. Servers.
2. Do one of the following:
   To create a new server instance on the SA Series SSL VPN Appliance, select Active Directory/Windows NT from the New list and then click New Server.
3. To update an existing server instance, click the appropriate link in the Authentication/Authorization Servers list.
4. Specify a name to identify the server instance.
5. Specify the name or IP address for the primary domain controller or Active Directory server.
6. Specify the IP address of your back-up domain controller or Active Directory server. (optional)
7. Enter the domain name of the Active Directory or Windows NT domain. For example, if the Active Directory domain name is us.amr.asgqa.net and you want to authenticate users who belong to the US domain, enter US in the domain field.
8. If you want to specify a computer name, enter it into the Computer Name field. The computer name field is where you specify the name that the SA Series SSL VPN Appliance uses to join the specified Active Directory domain as a computer. Otherwise, leave the default identifier which uniquely identifies your system.
   You may note that the computer name is pre-filled with an entry in the format of vcNNNNHHHHHHHH, where, in an IVS system, the NNNN is the IVS ID (assuming you have an IVS license) and the HHHHHHHH is a hex representation of the IP address of the SA Series Appliance. With a unique name, either the one provided by default or one of your own choosing, you can more easily identify your systems in the Active Directory. In a non-IVS system, the first six characters of the name will be ‘vc0000’ because there is no IVS ID to display. For example, the name could be something like ‘vc0000a1018dF2’ for a non-IVS system.
   In a clustered environment with the same AD authentication server, this name is also unique among all cluster nodes, and the SA Series Appliance displays all of the identifiers for all attached cluster nodes.
9. Select the Allow domain to be specified as part of username checkbox to allow users to sign in by entering a domain name in the Username field in the format: domain\username
10. Select the Allow trusted domains checkbox to get group information from all trusted domains within a forest.
11. Select the Domain Controller is a Windows 2008 server checkbox if the backend domain controller is a Windows 2008 server. The Windows 2008 server has several enhancements to the Active Directory Server, which is now called Active Directory Domain Services.
12. For Admin Username and Admin Password, enter an administrator username and password for the AD or NT server. Make sure the administrator you specify is a domain administrator in the same domain as the AD or NT server. Do not include a domain name with the server administrator username in the Admin Username field.
13. Under Authentication Protocol, specify which protocol the SA Series SSL VPN Appliance should use during authentication.
14. Under Kerberos Realm Name:
   Select Use LDAP to get Kerberos realm name if you want the SA Series SSL VPN Appliance to retrieve the Kerberos realm name from the Active Directory server using the specified administrator credentials.
   Enter the Kerberos realm name in the Specify Kerberos realm name field if you know the realm name.
15. Click Test Configuration to verify the Active Directory server configuration settings, such as whether the specified domain exists, whether the specified controllers are Active Directory domain controllers, whether the selected authentication protocol works, and so forth. (optional)
16. Click Save Changes. If you are creating the server instance for the first time, the Settings and Users tabs appear. After you save changes, the SA Series SSL VPN Appliance masks the administrator password using five asterisk characters, regardless of the password length.

You can monitor and delete the sessions of users who are currently signed in through the server through the System > Status > Active Users page.

The admin console provides last access statistics for each user account on various Users tabs throughout the console, under a set of columns titled Last Sign-in Statistic. The statistics reported include the last successful sign-in date and time for each user, the user’s IP address, and the agent or browser type and version.
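
The default computer name format from step 8 can be used to find the appliance's machine accounts when reviewing computer objects in Active Directory. The following is an added example, not code from the guide or from Juniper; the function names are hypothetical, and it assumes a four-digit decimal IVS ID and hex digits that hold the IPv4 address most significant octet first. It only recognizes default names, since step 8 lets an administrator enter a different one.

```python
import ipaddress
import re

# "vc" + NNNN (IVS ID) + HHHHHHHH (IP address in hex), as described in step 8.
# Assumptions: the IVS ID is four decimal digits and the hex digits hold the
# IPv4 address most significant octet first. A trailing "$" is accepted
# because AD stores computer account names (sAMAccountName) with one.
NAME_RE = re.compile(r"^vc(\d{4})([0-9a-f]{8})\$?$", re.IGNORECASE)


def default_computer_name(ip, ivs_id=0):
    # Build the name the guide's format implies for a given appliance address.
    return "vc%04d%08x" % (ivs_id, int(ipaddress.IPv4Address(ip)))


def parse_computer_name(name):
    # Return (ivs_id, IPv4Address), or None when the name is not in the format.
    m = NAME_RE.match(name)
    if m is None:
        return None
    return int(m.group(1)), ipaddress.IPv4Address(int(m.group(2), 16))


def audit_accounts(account_names, appliance_ips):
    # Split names in the appliance format into those whose decoded address is
    # in the appliance inventory and those whose address is not.
    known = {ipaddress.IPv4Address(ip) for ip in appliance_ips}
    report = {"expected": [], "unexpected": []}
    for name in account_names:
        parsed = parse_computer_name(name)
        if parsed is None:
            continue  # ordinary workstation or server account
        ivs_id, ip = parsed
        bucket = "expected" if ip in known else "unexpected"
        report[bucket].append((name, ivs_id, str(ip)))
    return report


# Constructed sample data: one name is the guide's own example, the rest are
# made up, including a host name that merely starts with "vc".
ACCOUNTS = ["WS-0412$", "vc0000a1018dF2$", "vc00000a0a0a05$", "vcenter01$"]
INVENTORY = ["161.1.141.242"]

if __name__ == "__main__":
    print(audit_accounts(ACCOUNTS, INVENTORY))
```

An account reported as unexpected is one to check against the appliance inventory, for example a machine account left behind by an appliance that has since changed address.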

Related Documentation
About Basic, NTLM and Kerberos Resources on page 435
Using Active Directory or NT Domains on page 149

Multi-Domain User Authentication

The SA Series SSL VPN Appliance allows for multi-domain Active Directory and Windows NT authentication. The SA Series SSL VPN Appliance authenticates users in the domain you configure on the Authentication > Auth. Servers > New Active Directory/Windows NT page, users in child domains, and users in all domains trusted by the configured domain.

After you specify the address of a domain controller and a default domain in the SA Series Active Directory server configuration, users in the default domain authenticate to the SA Series SSL VPN Appliance using either just their username, or using the default domain plus username in the format defaultdomain\username.

When you enable trusted domain authentication, users in trusted or child domains authenticate to the SA Series SSL VPN Appliance using the name of the trusted or child domain plus the username in the format trusteddomain\username. Note that enabling trusted domain authentication adds to the server’s response time.

Windows 2000 and Windows 2003 Multi-Domain Authentication

The SA Series SSL VPN Appliance supports Kerberos-based Active Directory authentication with Windows 2000 and Windows 2003 domain controllers. When a user logs in to the SA Series SSL VPN Appliance, the SA Series SSL VPN Appliance performs Kerberos authentication and attempts to fetch the Kerberos realm name for the domain controller, as well as all child and trusted realms, using LDAP calls.

You can alternately specify the Kerberos realm name when configuring an Active Directory authentication server, but we do not recommend this method for two reasons:
   You cannot specify more than one realm name. The SA Series SSL VPN Appliance cannot then authenticate against child or trusted realms of the realm you specify.
   If you misspell the realm name, the SA Series SSL VPN Appliance cannot authenticate users against the proper realm.

Windows NT4 Multi-Domain Authentication

The SA Series SSL VPN Appliance does not support Kerberos-based authentication in Windows NT4 domain controllers. Instead of Kerberos authentication, the SA Series SSL VPN Appliance uses NTLM authentication.

NOTE:
   For user authentication, the SA Series SSL VPN Appliance joins the default domain controller server using the machine name in the format Secure Access-IP address.
   If the DNS configuration on the Windows NT4 domain controller changes, make sure that the SA Series SSL VPN Appliance can still resolve names (child and trusted domains) using either WINS, DNS, or the Hosts file, that were able to resolve the names prior to the configuration change.

NT User Normalization

To support multi-domain authentication, the SA Series SSL VPN Appliance uses “normalized” NT credentials when contacting an Active Directory or NT4 domain controller for authentication. Normalized NT credentials include both the domain name and the username: domain\username. Regardless of how the user signs in to the SA Series SSL VPN Appliance, either using just a username or using the domain\username format, the SA Series SSL VPN Appliance always treats the username in the domain\username format.

When a user attempts to authenticate using only their username, the SA Series SSL VPN Appliance always normalizes their NT credentials as defaultdomain\username. Authentication succeeds only if the user is a member of the default domain.

For a user who signs in to the SA Series SSL VPN Appliance using the domain\username format, the SA Series SSL VPN Appliance always attempts to authenticate the user as a member of the domain the user specifies. Authentication succeeds only if the user-specified domain is a trusted or child domain of the default domain. If the user specifies an invalid or untrusted domain, authentication fails.

Two variables, <NTUser> and <NTDomain>, allow you to individually refer to domain and NT username values. The SA Series SSL VPN Appliance populates these two variables with the domain and NT username information.

When using pre-existing role mapping rules or writing a new role mapping rule for Active Directory authentication where USER = someusername, the SA Series SSL VPN Appliance treats this rule semantically as NTUser = someusername AND NTDomain = defaultdomain. This allows the SA Series SSL VPN Appliance to work seamlessly with preexisting role mapping rules.
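
The normalization and rule semantics described in this section can be modeled in a few lines to see which role a sign-in name ends up with. This is an added example, not the appliance's code: the function names, the dictionary rule format and the sample domains are assumptions, names are compared case-insensitively as an assumption, and only the domain check and rule matching are modeled, not the password verification itself.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NTCredential:
    domain: str  # what a rule sees as <NTDomain>
    user: str    # what a rule sees as <NTUser>


def normalize(login, default_domain):
    # A bare username is qualified with the default domain; a qualified
    # name (domain\username) keeps the domain the user typed.
    if "\\" in login:
        domain, _, user = login.partition("\\")
    else:
        domain, user = default_domain, login
    if not domain or not user or "\\" in user:
        raise ValueError("malformed sign-in name: %r" % login)
    return NTCredential(domain, user)


def domain_accepted(cred, default_domain, trusted_domains, trusted_auth=True):
    # The default domain is always accepted. Any other domain must be a
    # trusted or child domain, and only when trusted-domain auth is enabled.
    # Assumption: names compare case-insensitively, as Windows names do.
    domain = cred.domain.casefold()
    if domain == default_domain.casefold():
        return True
    return trusted_auth and domain in {d.casefold() for d in trusted_domains}


def rule_matches(rule, cred, default_domain):
    # Legacy rule USER = x is read as NTUser = x AND NTDomain = defaultdomain.
    if "USER" in rule:
        rule = {"NTUser": rule["USER"], "NTDomain": default_domain}
    return (cred.user.casefold() == rule["NTUser"].casefold()
            and cred.domain.casefold() == rule["NTDomain"].casefold())


def roles_for(login, rules, default_domain, trusted_domains, trusted_auth=True):
    # Returns None when the domain check rejects the sign-in, otherwise the
    # list of roles whose rule matches the normalized credential.
    cred = normalize(login, default_domain)
    if not domain_accepted(cred, default_domain, trusted_domains, trusted_auth):
        return None
    return [role for role, rule in rules if rule_matches(rule, cred, default_domain)]


# Constructed sample configuration (not from the guide).
DEFAULT_DOMAIN = "CORP"
TRUSTED = {"PARTNER", "EMEA"}
RULES = [
    ("Admins", {"USER": "alice"}),                               # pre-existing rule
    ("PartnerOps", {"NTUser": "alice", "NTDomain": "PARTNER"}),  # explicit domain
]

if __name__ == "__main__":
    for login in ("alice", "corp\\alice", "PARTNER\\alice", "EVIL\\alice"):
        print(login, "->", roles_for(login, RULES, DEFAULT_DOMAIN, TRUSTED))
```

In this model an account named alice in a trusted domain does not match the pre-existing USER = alice rule, because that rule is tied to the default domain.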

Related Documentation
Using Active Directory or NT Domains on page 149
Defining an Active Directory or Windows NT Domain Server Instance on page 150

Using the Kerberos Debugging Tool

Use the Maintenance > Troubleshooting > Tools Kerberos window in the admin console to inspect the Kerberos ticket cache, probe the Kerberos infrastructure, and so forth. For example, Juniper Networks Technical Support may ask you to use this window to help debug Kerberos-related problems. You can also perform a quick check on Kerberos before setting up the Kerberos realms, credentials and policies.

The Kerberos window provides you with the following options:
   Clear All Tickets—Removes all tickets associated with the specified SA Series username and realm. This action ensures that an active ticket does not remain on a computer when other users might have access to it. You must specify an account. You cannot clear all tickets for all users.
   Probe Kerberos DNS Setup—Checks the DNS infrastructure for validity of the Kerberos realms and defined credentials. You must supply the Kerberos realm and site.
   Verify Credential—Verifies the Kerberos ticket is valid. For example, if you use Kerberos to verify the username and password provided by the user, this option verifies the credentials it obtains to make sure they belong to a trusted KDB site. The Server Realm and Server KDC fields are optional.
   Verify Constrained Delegation Credential—Verifies the Constrained Delegation ticket is valid. The Server Realm and Server KDC fields are reserved for future use. Any data entered in these fields are ignored.

Related Documentation
About Basic, NTLM and Kerberos Resources on page 435

Active Directory and NT Group Lookup Support

The SA Series SSL VPN Appliance supports user group lookup in Domain Local, Domain Global, and Universal groups in the Active Directory forest, and Domain Local, and Domain Global groups for NT4 servers.

For the NT/AD group lookup to work, the SA Series SSL VPN Appliance first tries to join the domain using the default computer name. For this operation to succeed, you must specify valid domain administrator credentials in the Active Directory server configuration on the SA Series SSL VPN Appliance.

Active Directory Lookup Requirements

The SA Series SSL VPN Appliance supports user group lookup in Domain Local, Domain Global, and Universal groups in the default domain, child domains, and all trusted domains.

The SA Series SSL VPN Appliance obtains group membership using one of three methods that have different capabilities:
   Group information in User’s Security Context—Returns information about a user’s Domain Global groups.
   Group information obtained using LDAP search calls—Returns information about the user’s Domain Global groups, and information about the user’s Universal groups if the SA Series SSL VPN Appliance queries the Global Catalog Server.
   Group information using native RPC calls—Returns information about the user’s Domain Local Group.

With respect to role mapping rules, the SA Series SSL VPN Appliance attempts group lookup in the following order:
   The SA Series SSL VPN Appliance checks for all Domain Global groups using the user’s security context.
   If the SA Series SSL VPN Appliance has not found that the user is a member of some of the groups referenced in the role mapping rules, the SA Series SSL VPN Appliance performs an LDAP query to determine the user’s group membership.
   If the SA Series SSL VPN Appliance has not found that the user is a member of some of the groups referenced in the role mapping rules, the SA Series SSL VPN Appliance performs an RPC lookup to determine the user’s Domain Local group membership.
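
The lookup order above can be traced with a small model that records which methods run for a given set of groups referenced in role mapping rules. This is an added example, not the appliance's implementation: the function names, the use_gc flag and the group names are assumptions, and the directory data is constructed.

```python
# Constructed directory data for one user, keyed by group scope.
MEMBERSHIPS = {
    "domain_global": {"VPN-Users"},
    "universal": {"All-Staff"},
    "domain_local": {"FileSrv-Operators"},
}


def from_security_context(memberships, use_gc):
    # The security context carries the user's Domain Global groups only.
    return set(memberships["domain_global"])


def from_ldap(memberships, use_gc):
    # LDAP returns Domain Global groups, plus Universal groups only when
    # the Global Catalog server is queried.
    groups = set(memberships["domain_global"])
    if use_gc:
        groups |= memberships["universal"]
    return groups


def from_rpc(memberships, use_gc):
    # Native RPC calls return the user's Domain Local groups.
    return set(memberships["domain_local"])


LOOKUP_ORDER = [
    ("security context", from_security_context),
    ("LDAP", from_ldap),
    ("RPC", from_rpc),
]


def lookup_groups(referenced, memberships, use_gc=True):
    # Returns (matched groups, methods used). The next method runs only
    # while some group referenced by the rules is still unconfirmed.
    referenced = set(referenced)
    matched, used = set(), []
    for name, method in LOOKUP_ORDER:
        used.append(name)
        matched |= method(memberships, use_gc) & referenced
        if matched == referenced:
            break  # every referenced group is confirmed; stop early
    return matched, used


if __name__ == "__main__":
    for groups in ({"VPN-Users"}, {"VPN-Users", "All-Staff"},
                   {"FileSrv-Operators"}, {"Contractors"}):
        print(sorted(groups), "->", lookup_groups(groups, MEMBERSHIPS))
```

Under the order as described, a rule that references a group the user does not belong to causes all three lookups to run for that sign-in, and a Universal group is never matched unless the LDAP step queries the Global Catalog.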