
SSTP with User Principal Name login

Posted: Mon Nov 03, 2014 8:57 pm
by viniciusferrao
Hello guys,

I started using SoftEther to remove our legacy PPTP service and I'm loving the software, it's really a masterpiece.

But I was unable to authenticate SSTP users using their UPN or email address. It appears to work with an L2TP connection, but fails with SSTP. Using a Windows 7 client and following the wizard, I cannot log in to the service typing username@domain.com; only username is accepted.

Is there a way to change how SoftEther works to accept this kind of login? Using NT Domain Authentication, how is this done? Using the sAMAccountName?

Thanks in advance,
Vinícius.

Re: SSTP with User Principal Name login

Posted: Wed Nov 19, 2014 8:56 am
by cedar
The SoftEther VPN PPP stack recognizes the string after the last '@' of the user name as the virtual hub name.
If you want to use '@' in the user name, you should append '@hubname' to the user name.
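The parsing rule cedar describes (and the double-'@' form viniciusferrao later reports working on OS X), as an added illustration that is not SoftEther's own code. The hub table, the default-hub fallback for logins without '@', and the `hub_known` flag are assumptions made for this example only.

```python
from typing import Optional

# Assumed server state for this illustration (not taken from the thread).
DEFAULT_HUB = "VPNHUB"          # hub used when the login carries no '@'
CONFIGURED_HUBS = {"VPNHUB"}    # hubs that actually exist on the server


def split_hub(login: str) -> tuple[str, Optional[str]]:
    """Split a PPP login at the LAST '@' into (user_name, hub_name).

    'john'                    -> ('john', None)
    'john@VPNHUB'             -> ('john', 'VPNHUB')
    'john@example.com@VPNHUB' -> ('john@example.com', 'VPNHUB')
    'john@example.com'        -> ('john', 'example.com')   # UPN misread as hub
    """
    user, sep, hub = login.rpartition("@")
    if not sep:                 # no '@' at all: whole string is the user name
        return login, None
    return user, hub


def resolve_login(login: str,
                  hubs: set[str] = CONFIGURED_HUBS,
                  default_hub: str = DEFAULT_HUB) -> dict:
    """Report which hub and which user name the server would see.

    hub_known=False is the situation in the thread: a bare UPN such as
    'john@example.com' is read as user 'john' on a hub called 'example.com',
    so neither the hub nor the intended user name reaches NT domain auth.
    """
    user, hub = split_hub(login)
    if hub is None:
        hub = default_hub       # assumed fallback, see lead-in
    return {"user": user, "hub": hub, "hub_known": hub in hubs}


if __name__ == "__main__":
    for login in ("john", "john@example.com", "john@example.com@VPNHUB"):
        print(f"{login!r:30} -> {resolve_login(login)}")
```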

Re: SSTP with User Principal Name login

Posted: Mon Dec 01, 2014 3:50 pm
by viniciusferrao
I'm aware of the behaviour, cedar, but I would like to know how to circumvent this or even request a feature from the team developing SoftEther.

I don't know the internals of SoftEther, and I would like to authenticate our users using their UPN and not the sAMAccountName. The sAMAccountName is dated today, and using the UPN is easier to keep the infrastructure.

In our example we have multiple domains using different UPNs, but the sAMAccountName is not consistent due to different users with the same name, for example:

john@example.com
john@subdomain.example.com

So using the UPN solves these issues.

Thanks in advance,
Vinícius.

Re: SSTP with User Principal Name login

Posted: Tue Mar 24, 2015 6:17 am
by viniciusferrao
Sorry for "raising" the thread, but is there a way we can request a new feature?

I'm still interested in some way to achieve this. In a very large domain it's common sense to have a lot of users with different user principal names.

Re: SSTP with User Principal Name login

Posted: Tue Mar 24, 2015 8:52 am
by kosztyua
As a workaround, why don't you create HUBs with the specific principal names? Does SE crop the @hubname part when forwarding for authentication? If not, that's not a bad solution.

Re: SSTP with User Principal Name login

Posted: Tue Mar 24, 2015 6:57 pm
by viniciusferrao
Hello kosztyua,

The major problem is that in our AD domain only the users from the "root" domain (example.com) have a sAMAccountName equal to the beginning of the mail address. So the other users have a different sAMAccountName, and this would make the login difficult.

I don't know if I was clear enough but the situation is something like this:

UPN and Mail Address: user@example.com
sAMAccountName: EXAMPLE\user

That's the common case, but some users are using this pattern:

UPN and Mail Address: user@subdomain.example.com
sAMAccountName: EXAMPLE\<Number equivalent to Employee ID>

And this is the problem...

I'm doing some tests at this moment; perhaps the problem wasn't on SoftEther, but on the Windows side with the native VPN agent. I've tried to log in on an OS X machine using L2TP+IPsec and the parser appeared to be right. With a double @ in the address the parser worked, so things like this worked: username@example.com@VPNHUBNAME.

I'll do more tests and repost here the results.

Thanks in advance,