Forum Discussion

llewdis_118871's avatar
llewdis_118871
Icon for Nimbostratus rankNimbostratus
Mar 05, 2013

default session variables and domain splitting

In my environment I have multiple AD forests that I need to authenticate users against for access to either Exchange 2007 or Exchange 2010. When attempting to login, the user credentials that are being passed aren't working for logon to the domain.

 

On the logon page I request the following format for imput:

 

Domain\UserID

 

I am doing this so that I can then use the following expression to determine the AD resource to authenticate against:

 

Expression: expr { [mcget {session.logon.last.username}] contains "na.corp"}

 

The failure comes from the following issue:

 

'na.corp\\userID@NA.CORP'

 

What I am trying to do is split the input (but retain the session.logon.last.username for SSO) for AD authentication. Does anyone know the default behavior of split in the APM? Is there documentation on what it returns and how?

 

I have started, but I am expecting the following split to generate two "fields."

 

session.custom.userID = [split [mcget {session.logon.last.username}] "\"]

 

What I really want is to have the two variables returned to two custom session variables.

 

I would use the default splitting from the logon page, but I have not been able to find what variable the domain gets stuck into if you do that.

 

 

Please any help is greatly appreciated.

 

 

 

APM
app sec
security

2 Replies

Sort By
  • Peter_Baumann_5's avatar
    Peter_Baumann_5
    Icon for Nimbostratus rankNimbostratus
    Nov 12, 2013
    Hi llewdis, I dont know if it helps but in a troubleshooting session I just did I figured out the following variables: session.logon.last.domain = Only the domain name of the login session.logon.last.logonname = uid@domainname session.logon.last.username = Only uid The above is when you select "Split domain from full Username" in the Logon Box. Hope it helps... Best regards, Peter
  • David_123856's avatar
    David_123856
    Icon for Nimbostratus rankNimbostratus
    Nov 12, 2013

    Peter's answer is right on the money from what I've seen for the three variables in the split, although sometimes you will get a logonname of domainname\uid - its really just whats typed in the box.

    The branch rule expression I use to determine forests is like the below (for one example branch) - where the split option is on in the logon box. The last one searches for the forest DNS suffix and the || give you or options

    expr {
    [string tolower [mcget {session.last.logon.domain}]] == "netbios1"
    ||
    [string tolower [mcget {session.last.logon.domain}]] == "netbios2"
    ||
    [string first -nocase ".forestdns.com" [mcget {session.last.logon.domain}]] >= 0
}