How to delegate credentials sending only the username to an internal webserver using TMG 2010

  • Article

imageSergio Medina here, and today I want to talk about a question we receive every now and then and explain what the solution is just in case some of you run into a similar issue. You could hit this issue when publishing an internal webserver that accepts only the username as a valid format. For example, when your web server is configured this way, if you try to log in directly to it using ‘DOMAIN\user’ as the format for the username you receive an error, however if you only include the ‘user’ part of the name in the user field, and provide a valid password of course, you log in successfully.

So let’s say you have an internal web server configured this way and you just configured your new web publishing rule in a Forefront Threat Management Gateway 2010 (TMG 2010) server/array. You used Form Based Authentication (FBA) as the authentication method in the web listener and HTTP Basic delegation in the web publishing rule.

Unfortunately, when you try to test your new publishing rule you find that it is not working as expected. If you analyze network traces between the TMG 2010 server and the webserver you discover that TMG 2010 is adding the NetBIOS domain name as part of the user name value:

clip_image001

Now we see the cause of the problem:

· The user introduces his/her username in the TMG form, as ‘user’
· TMG 2010 adds the NetBIOS domain name, sending the authentication in the format ‘DOMAIN\user’
· The webserver only accepts ‘user’ as a valid format so the request fails

So what could we do now?

a) Change webserver behavior, accepting also ‘DOMAIN\user’.

or

b) Change TMG behavior, sending only the username introduced by the user.

Solution a) is out of the scope of this blog article, so let’s see how to achieve solution b).

The trick here is to change the value of StripDomainFromCredentials, one of the internal properties of the web publishing rule. This property is not accessible using the Forefront TMG Management console so we need to change this is by using COM objects.

NOTE TheIFPCWebPublishingProperties2::StripDomainFromCredentials Property is documented here:http://msdn.microsoft.com/en-us/library/ff827099(v=vs.85).aspx

So with a simple script we could change this property for any web publishing rule. Here are the steps:

1. Copy the following lines into a new file named StripDomain.vbs on the TMG 2010 server:

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Microsoft Customer Technical Support
' Script for enabling StripDomainFromCredentials on a rule in TMG 2010
' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
' HEREBY PERMITTED.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
Option Explicit
Dim WebPublishingRuleName, newStripDomainFromCredentials
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' SET YOUR VALUES HERE
' Rule name to change
WebPublishingRuleName = "Rule name"
' Set here custom values
newStripDomainFromCredentials = True
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' Begin
Dim Root, Array, Rules, Rule, intCompare
Set Root = CreateObject("FPC.Root")
Set Array = Root.GetContainingArray
Set Rules = Array.ArrayPolicy.PolicyRules
''''''''''''''''''''''''''''''''''
' Look for the WebListener
For Each Rule in Rules
Wscript.Echo " Comparing Rule name |" & WebPublishingRuleName & "| with |" & Rule.Name & "|"
intCompare = StrComp(WebPublishingRuleName, Rule.Name, vbTextCompare)
If intCompare = 0 then
Exit For
End If
Next
Wscript.Echo
Wscript.Echo "Found Rule with description: |" & Rule.Description & "|"
''''''''''''''''''''''''''''''''''
' Show values
Wscript.Echo
Wscript.Echo "***** CURRENT VALUES: "
Wscript.Echo "** StripDomainFromCredentials = |" & Rule.WebPublishingProperties.StripDomainFromCredentials & "|"
Wscript.Echo "***** NEW VALUES: "
Wscript.Echo "** StripDomainFromCredentials = |" & newStripDomainFromCredentials & "|"
''''''''''''''''''''''''''''''''''
' Warning and ask to continue
Dim strMessage
WScript.Echo ' newline
Wscript.Echo "Please check if the previous information is correct and you want to apply the changes"
strMessage = "Press any key to continue or Ctrl+C to cancel"
WScript.Echo ' newline
WScript.StdOut.Write strMessage
Do While Not WScript.StdIn.AtEndOfLine
Input = WScript.StdIn.Read(1)
Loop
''''''''''''''''''''''''''''''''''
' Set new values
Rule.WebPublishingProperties.StripDomainFromCredentials = newStripDomainFromCredentials
Wscript.Echo "***** CURRENT VALUES: "
Wscript.Echo "** StripDomainFromCredentials = |" & Rule.WebPublishingProperties.StripDomainFromCredentials & "|"
Rule.Save
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

2. Modify the script, changing the value WebPublishingRuleName to the name of the rule you want to modify.

3. Open a command prompt with elevated privileges (Run as Administrator)

4. Run the script using: cscript /nologo StripDomain.vbs

5. Follow the steps in the script.

6. In an Enterprise environment, wait until the configuration changes are applied (Monitoring > Configuration > all servers in the array with Synced Status)

After this, you should see the TMG 2010 server sending only the username, thus resolving our issue:

clip_image004

If you need to undo the change, just edit the script, change the following variable to False and execute it again:

newStripDomainFromCredentials = False

One last thing to mention is that this default behavior has changed from ISA 2006 to TMG 2010 so you might have published your webserver successfully using ISA 2006 but found this new behavior when using TMG 2010.

Hope this helps,

Author: Sergio Medina | Senior Support Engineer | Microsoft CSS Forefront Edge Team

Technical Reviewer: Ashish Kapila | Support Escalation Engineer | Microsoft CSS Forefront Edge Team

Get the latest System Center news on Facebook and Twitter :

clip_image001 clip_image002

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/