Alternative credential mapping / solution instead of the now EOL UAG

Hi,

We currently use UAG to provide access to some internal websites (such as SharePoint etc.) and for RDS access. Today we use an OTP solution, where the users log in with a non-AD user/PIN code, then enter an OTP token.

For websites this is working great: UAG provides Kerberos tickets for the internal web servers, so the users are authenticated as their actual Active Directory user, even though they have never entered their Active Directory username/password.

Right now we are having a huge problem trying to find an alternative way/product from MS or a 3rd party that can do the same.

We don't want our users to log in with their Active Directory user/pass, as we require smartcards for interactive logins for our end users, so all their passwords are completely randomized without the end user knowing what they are, and certificates are used for MDM/network access etc.

So we are not looking for any 2-factor solution that adds additional layers on top of their actual Active Directory username/password; we want to get rid of the end users having to know their Active Directory password.

This is all working great with UAG today, but if anyone knows of a similar solution that isn't EOL, please give me a hint. Bonus points if it would work with RDS, something that today, even when using UAG, requires entering AD credentials.


  • Edited by MIJDK Thursday, April 09, 2015 12:37 PM
April 9th, 2015 12:29pm

Hello There,

Agree with you, UAG is such a great product; however, MS has decided to discontinue it, which is very bad news for all of us!

Anyways back to point, still we have a "Solution" from Microsoft!

I am not really sure what the authentication repository you have today is. Recently with Windows Server 10 Technical Preview, we have some additional functionalities in ADFS, so that you can have your users either in AD/LDAP/SQL DB or so on. Since it's at Preview level, you might have to really wait for some time.

https://technet.microsoft.com/en-in/library/hh831502.aspx#BKMK_preview

So you might deploy WAP+ADFS and have the users authenticated by ADFS against non-AD/SQL and configure your internal applications to use Claims Based Authentication, and add them as "Relying Party".

If you have legacy internal applications, you can add them as a non-claims-aware relying party and, using claim rules, you should be able to do SSO as well.

Also you can consider "Configuring Alternate Login ID" as well.

https://technet.microsoft.com/en-us/library/dn659436.aspx

Please let me know, how it goes.

April 17th, 2015 9:44am
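As an added example (not from either poster, and not Microsoft's own documentation), here is what publishing one legacy, non-claims-aware intranet site through WAP + AD FS looks like in PowerShell: AD FS pre-authenticates the user, and WAP obtains a Kerberos ticket for the backend on the user's behalf via Kerberos constrained delegation (KCD), which is how the backend still sees the user's real AD identity. Server names, hostnames and the certificate thumbprint are placeholders, and it is assumed that AD FS can issue a UPN claim that maps the externally authenticated user to an AD account, since WAP needs that UPN to request the delegated ticket.

```powershell
# Added example, not part of the original thread. All names below are assumptions.
# Hostnames: sharepoint.contoso.com (external), sharepoint.corp.contoso.com (internal)
# WAP server computer account: WAP01

# --- 1. On the AD FS server: register the legacy app as a non-claims-aware relying party ---
# The authorization rule simply permits any user that AD FS has authenticated;
# tighten it (e.g. by group claim) before production use.
Add-AdfsNonClaimsAwareRelyingPartyTrust -Name "SharePoint Intranet" `
    -Identifier "https://sharepoint.contoso.com/" `
    -IssuanceAuthorizationRules @'
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# --- 2. In Active Directory: let the WAP computer account delegate to the backend SPN only ---
# Protocol transition (TrustedToAuthForDelegation) is required because the user never
# presented AD credentials to WAP; constraining to one SPN limits what WAP can impersonate.
Set-ADComputer -Identity "WAP01" -Add @{ 'msDS-AllowedToDelegateTo' = 'HTTP/sharepoint.corp.contoso.com' }
Set-ADAccountControl -Identity "WAP01$" -TrustedToAuthForDelegation $true

# --- 3. On the WAP server: publish the app with AD FS pre-authentication and KCD to the backend ---
Add-WebApplicationProxyApplication -Name "SharePoint Intranet" `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName "SharePoint Intranet" `
    -ExternalUrl "https://sharepoint.contoso.com/" `
    -BackendServerUrl "https://sharepoint.corp.contoso.com/" `
    -ExternalCertificateThumbprint "<thumbprint of the certificate bound to the external URL>" `
    -BackendServerAuthenticationSPN "HTTP/sharepoint.corp.contoso.com"

# --- 4. Verify that pre-authentication and the delegation target are set as intended ---
Get-WebApplicationProxyApplication -Name "SharePoint Intranet" |
    Format-List Name, ExternalPreauthentication, ADFSRelyingPartyName, BackendServerAuthenticationSPN
```

Without the UPN mapping in step 1's surrounding AD FS configuration the KCD request in step 3 has no AD identity to delegate as, so the user is authenticated at AD FS but gets an error at the backend; that mapping is the piece an OTP-only or SQL-backed login must supply.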
