A recent project raised an interesting point on the integration of a token-based authentication service with NetScaler AGEE and AG. Due to the design of two-factor authentication, users are required to enter their AD username and password as well as their token's PIN+PASSCODE. This may create hassles for users who are not tech-savvy. So what if we want to simplify the user's logon experience and at the same time maintain the highest security standard possible?
We all know there won't be a problem when we implement two-factor authentication on AGEE, since the RADIUS and LDAP authentication policies are processed separately: one authenticates against the RADIUS server (IDENTIKEY in VASCO's case) and the other authenticates against Microsoft's Active Directory. Even using ICA-proxy mode on AGEE to achieve SSO with Web Interface is totally doable, because the AD password is what gets forwarded. But if we want to simplify the log-on process by requiring users to enter only their username and VASCO's PIN+PASSCODE (which means only one RADIUS authentication policy is present on AGEE), SSO will fail, because the credential forwarded to the backend Web Interface for the second authentication will be rejected. Why? Because the one-time password generated by our token can only be authenticated once.
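To make the failure mode concrete, here is an added model of the two logon flows (constructed example, not code from VASCO, Citrix or the deployment guide). The RADIUS stand-in generates RFC 4226 HOTP codes and refuses any passcode it has already consumed; the user, secret and password are made-up demo values.

```python
import hashlib
import hmac
import struct

# Constructed demo data: one user, one token secret, one AD password.
AD_PASSWORDS = {"alice": "CorrectHorse!"}
TOKEN_SECRET = b"constructed-demo-token-secret"
PIN = "1234"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the passcode an event-based token would display."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class RadiusOtpServer:
    """Stands in for IDENTIKEY: checks PIN+PASSCODE and rejects any replay."""

    def __init__(self):
        self.used = set()   # (user, passcode) pairs already consumed
        self.counter = 0    # next expected event counter (window of 1, for brevity)

    def authenticate(self, user: str, pin_passcode: str) -> bool:
        if not pin_passcode.startswith(PIN):
            return False
        passcode = pin_passcode[len(PIN):]
        if (user, passcode) in self.used:
            return False    # one-time password: a second use is refused
        if passcode != hotp(TOKEN_SECRET, self.counter):
            return False
        self.used.add((user, passcode))
        self.counter += 1
        return True


def ldap_authenticate(user: str, password: str) -> bool:
    return AD_PASSWORDS.get(user) == password


def two_factor_flow(radius, user, ad_password, pin_passcode) -> str:
    """AGEE with RADIUS + LDAP policies; SSO forwards the AD password to Web Interface."""
    if not (radius.authenticate(user, pin_passcode) and ldap_authenticate(user, ad_password)):
        return "agee-denied"
    return "sso-ok" if ldap_authenticate(user, ad_password) else "wi-denied"


def token_only_flow(radius, user, pin_passcode) -> str:
    """AGEE with a single RADIUS policy; SSO forwards the same PIN+PASSCODE to Web Interface."""
    if not radius.authenticate(user, pin_passcode):
        return "agee-denied"
    return "sso-ok" if radius.authenticate(user, pin_passcode) else "wi-denied"
```

The token-only flow passes AGEE but is refused at Web Interface, which is exactly the replay rejection described above.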
Thanks to VASCO's clever workaround, which has made SSO with token-only authentication possible!
If anyone is interested, please read through the following deployment guide published by VASCO.