Forum Discussion

EBL_27513
Aug 10, 2015

APM - Is it possible to have a login page that authenticates with AD and LocalDB?

Hi all,

I've just rolled out an APM solution to our environment, and have it authenticating via Active Directory. Realizing that in the future, we may need to authenticate folks that don't have an AD account, I was wondering if it's possible to have the same login page also authenticate against the Local Database at the same time, and what that logic might look like in the Access Policy editor.

I played a bit and set up logic like this, but wasn't able to get LocalDB authentication to work (yet):

Any suggestions, please? Thanks very much!

7 Replies

  • Hi,

    What is working and what is not?

    Are you sure the branch expressions of the Logon page are right? Did you create a local DB instance? Did you create users in this instance?

    If you think the problem is Local DB auth, create a new policy and configure Logon + LocalDB Auth only, to validate that the problem is not from another config.

  • Hamish

    Auth against LocalDB on failure of AD auth perhaps? Or vice versa, depending on whether there's any overlap and the scalability of the number of local or AD auths attempted/failed?

    I too am not sure how you've got the Logon page configured for 'AD Auth' and 'LocalDB Auth' branches...

    H

  • Hi all,

    Thanks for your quick responses. Sorry I didn't include the Login Page details! It's the default Login Page configuration, and I just added a second branch rule to try to add on the LocalDB authentication:

    I did create a LocalDB, along with a local user account. I'll have to try to configure a test setup to verify that the LocalDB account works. AD authentication does work. I'll do a bit of testing. Looking at the above, do you think that the LocalDB authentication should come as a fallback to the main login page?

    Here's the full picture of the logic tree:

    Thanks again for your help.

  • OK, I think I understand the confusion here. APM does not "fall back to a previous branch" in the case of failure. It only moves forward. I'm actually surprised that AD auth even works, because you have not processed AD auth yet for the expression "Active Directory Auth has Passed". You need to use branch rules for the information that you have at hand.

    I expect that you would need to swap LocalDB auth to the fallback branch of AD Auth to achieve your expected outcome. You can then also use a single fallback branch off the logon page. The logon page can't really fail, since it only displays a page to the user. You would use branch rules on the logon page if you wanted to make a preemptive decision for AD/LocalDB based on the userid that was entered.

    I hope this clears up the confusion.

  • Your configuration is wrong...

    The branch expression must be based on information you have --> the username.

    The first two branches will never match because AD Auth and Local DB Auth are not yet evaluated...

    You must create an expression with the username, like expr { [mcget {session.logon.last.username}] starts_with "ext-" } linked to LocalDB.

    The fallback branch linked to AD Auth.

    With this configuration, create Local DB users with the "ext-" prefix.

  • Or if you want a true fallback, disable the branch on the logon page and then decide to either check AD first with the appropriate steps needed, and on the AD Auth action set up the check for local DB on the fallback branch there. Vice versa if you want to check for local DB first.

    Hope that helps :)
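The three layouts discussed in this thread (the original Logon Page branch rules, LocalDB Auth hung off AD Auth's fallback branch, and routing on the "ext-" username prefix) as a runnable model. This is an added example, not code from the thread or from F5: the session-variable names follow APM's conventions (session.logon.last.username, session.ad.last.authresult, session.localdb.last.result), but the policy evaluator, the three agents and the two user stores are a constructed stand-in so the policies can be walked offline; nothing here talks to a BIG-IP.

```python
"""Model of how APM walks an access policy forward through its items.

Added example, not APM code.  Session-variable names follow APM's
conventions; the evaluator, agents and user stores are constructed stand-ins.
"""
from typing import Callable, Dict, List, Tuple

Session = Dict[str, str]
Rule = Tuple[str, Callable[[Session], bool], str]          # (branch name, predicate, next item)
Node = Tuple[Callable[[Session], None], List[Rule], str]   # (agent, branch rules, fallback item)

# Constructed user stores standing in for Active Directory and the LocalDB.
AD_USERS = {"alice": "ad-pass"}
LOCALDB_USERS = {"ext-bob": "local-pass"}


def mcget(session: Session, name: str) -> str:
    """Like APM's [mcget {...}]: a variable no agent has set yet reads as empty."""
    return session.get(name, "")


# Agents: each runs once, writes its result into the session, and only then
# are its own branch rules evaluated to pick the exit branch.
def logon_page(session: Session) -> None:
    """Only collects the form; username/password are already in the session."""


def ad_auth(session: Session) -> None:
    user = mcget(session, "session.logon.last.username")
    ok = AD_USERS.get(user) == mcget(session, "session.logon.last.password")
    session["session.ad.last.authresult"] = "1" if ok else "0"


def localdb_auth(session: Session) -> None:
    user = mcget(session, "session.logon.last.username")
    ok = LOCALDB_USERS.get(user) == mcget(session, "session.logon.last.password")
    session["session.localdb.last.result"] = "1" if ok else "0"


# Branch-rule predicates, with the VPE expression each one stands for.
def ad_passed(s: Session) -> bool:       # expr { [mcget {session.ad.last.authresult}] == 1 }
    return mcget(s, "session.ad.last.authresult") == "1"


def localdb_passed(s: Session) -> bool:  # expr { [mcget {session.localdb.last.result}] == 1 }
    return mcget(s, "session.localdb.last.result") == "1"


def is_external(s: Session) -> bool:     # expr { [mcget {session.logon.last.username}] starts_with "ext-" }
    return mcget(s, "session.logon.last.username").startswith("ext-")


def run_policy(policy: Dict[str, Node], session: Session,
               start: str = "Logon Page") -> Tuple[str, List[str]]:
    """Walk the policy forward from `start`; return (terminal, path taken).

    The first matching branch rule picks the next item, otherwise the fallback.
    There is no way back to an earlier item, so "try the other auth on failure"
    has to be a branch off the first auth item, not a second rule on the Logon Page.
    """
    node, path = start, [start]
    while node in policy:                      # "Allow" / "Deny" have no entry: terminals
        agent, rules, fallback = policy[node]
        agent(session)
        node = next((target for _, pred, target in rules if pred(session)), fallback)
        path.append(node)
    return node, path


def login(policy: Dict[str, Node], username: str, password: str) -> Tuple[str, List[str]]:
    session = {"session.logon.last.username": username,
               "session.logon.last.password": password}
    return run_policy(policy, session)


# 1. The layout from the question: Logon Page rules that test auth results no
#    agent has produced yet.  Both rules are always false, so every user takes
#    the fallback branch regardless of password.
BROKEN: Dict[str, Node] = {
    "Logon Page": (logon_page, [("AD Auth passed", ad_passed, "AD Auth"),
                                ("LocalDB Auth passed", localdb_passed, "LocalDB Auth")], "Deny"),
    "AD Auth": (ad_auth, [("Successful", ad_passed, "Allow")], "Deny"),
    "LocalDB Auth": (localdb_auth, [("Successful", localdb_passed, "Allow")], "Deny"),
}

# 2. True fallback: LocalDB Auth on the fallback branch of AD Auth.
#    Every LocalDB-only login costs one failed AD attempt first.
CHAINED: Dict[str, Node] = {
    "Logon Page": (logon_page, [], "AD Auth"),
    "AD Auth": (ad_auth, [("Successful", ad_passed, "Allow")], "LocalDB Auth"),
    "LocalDB Auth": (localdb_auth, [("Successful", localdb_passed, "Allow")], "Deny"),
}

# 3. Pre-emptive routing on a value the Logon Page does have: the username.
#    "ext-" users never touch AD; everyone else never touches LocalDB.
PREFIX: Dict[str, Node] = {
    "Logon Page": (logon_page, [("External user", is_external, "LocalDB Auth")], "AD Auth"),
    "AD Auth": (ad_auth, [("Successful", ad_passed, "Allow")], "Deny"),
    "LocalDB Auth": (localdb_auth, [("Successful", localdb_passed, "Allow")], "Deny"),
}

if __name__ == "__main__":
    for name, policy in (("broken", BROKEN), ("chained", CHAINED), ("prefix", PREFIX)):
        for user, pw in (("alice", "ad-pass"), ("ext-bob", "local-pass"), ("ext-bob", "wrong")):
            result, path = login(policy, user, pw)
            print(f"{name:8} {user:8} -> {result:5}  via {' > '.join(path)}")
```

Running it shows the broken layout denying alice even with the right AD password, the chained layout reaching LocalDB only after an AD failure (which counts against any AD lockout threshold, the volume concern raised above), and the prefix layout sending "ext-" users straight to LocalDB. The prefix approach depends on the two namespaces staying disjoint: keep the "ext-" prefix reserved for LocalDB accounts so an AD user can never be routed to the wrong store.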