VMware Horizon Community
twrangham
Contributor

2 Factor Authentication w/Symantec VIP Access

So, we were able to successfully get 2-factor authentication to work for our users coming in externally. When trying to connect off LAN they are prompted for their username (same as Active Directory) and password (Active Directory password + VIP code). If they enter it correctly, they are then re-prompted for their username again (Active Directory) and password (AD).

Is it too much to ask to shorten this to a single prompt? I know the configuration is fairly basic for setup, but I don't think 2-factor should mean 2 prompts, should it?

Just a thought, and some wishful thinking.

Linjo
Leadership

Did you check the box "Enforce 2-factor and Windows user name matching" in the advanced settings?

Then you should not need to have 2 login prompts.


Here is a lot of good information about this subject:

VMware View 5.1 RADIUS Authentication Setup

// Linjo

Best regards, Linjo Please follow me on twitter: @viewgeek If you find this information useful, please award points for "correct" or "helpful".
twrangham
Contributor

Thanks for replying. Yes, while the "Enforce 2-factor and Windows user name matching" was not checked, I don't think that setting really prevents the 2nd login prompt. I assume it's making sure the 1st 2-factor login prompt and the 2nd Windows login prompt have the same usernames. Since we are using Symantec VIP, the usernames ARE the same. It just sets the username for the 2nd prompt (Windows).

It also looks like the setting that might prevent the 2nd login prompt is "Use the same username and password for RADIUS and Windows authentication". With this set currently, it just throws an unknown user name or bad password message on the 2nd login screen because it's not set up on the backend servers. I will check with the team that manages the Symantec VIP product to see if this is an option.

Linjo
Leadership

Yes of course you are right, copied the wrong string for some strange reason...

I hope it got you moving in the right direction anyway! 😉

// Linjo

markbenson
VMware Employee

twrangham wrote:

It also looks like the setting that might prevent the 2nd login prompt is "Use the same username and password for RADIUS and Windows authentication". ...

This option means that View Connection Server will use the RADIUS passcode as the AD password in cases where they are the same. In this case it avoids the second (AD password) prompt. In your case the RADIUS passcode and AD password are not the same as the former also contains the VIP code. If the RADIUS server is capable of passing the password back to View Connection Server (by truncating the right number of digits from the RADIUS passcode) then there would be a way, but I think this is unlikely.

Mark

twrangham
Contributor

Thanks for the information. While I am still confused as to how the RADIUS passcode being the same as an AD password would actually be 2-factor authentication, after contacting Symantec and getting this escalated... it's not supported. The actual response was:

"As Symantec VIP OTP is based on HMAC-SHA1 algorithm and support TOTP and HOTP and is different from MS password authentication method which doesn’t provide strong security, “Use the same username and password for RADIUS and Windows authentication” can’t be applied in this integration."

Bummer. I think some enhancements in this area might be nice down the road to prevent user confusion.

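To make Mark's point about the "Use the same username and password..." option concrete, here is an added simulation (not code from this thread, from VMware or from Symantec) of what a RADIUS server would have to do to allow a single prompt when the passcode is "AD password + VIP code": strip the trailing code, check it as an RFC 4226 HOTP (HMAC-SHA1, which is what the Symantec reply above says VIP uses), and hand only the AD part on to the Windows logon. The HOTP seed, the directory, the user and the look-ahead window are all constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo seed; a real VIP credential seed is never visible to the RADIUS client.
SECRET = b"constructed-demo-seed-0123456789"
OTP_DIGITS = 6

# Constructed stand-in for Active Directory; stores only a hash of the password.
DIRECTORY = {"alice": hashlib.sha256(b"Winter2012!").hexdigest()}


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_passcode(passcode: str, counter: int, secret: bytes = SECRET, look_ahead: int = 3):
    """Simulated RADIUS check of '<AD password><VIP code>'.

    On success returns (ad_password, matched_counter) so the caller can reuse the AD
    part instead of prompting again; returns None if the trailing code does not verify.
    """
    if len(passcode) <= OTP_DIGITS:
        return None
    ad_password, otp = passcode[:-OTP_DIGITS], passcode[-OTP_DIGITS:]
    # Small resynchronisation window, as HOTP validators commonly allow.
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), otp):
            return ad_password, c
    return None


def ad_bind(username: str, password: str) -> bool:
    """Stand-in for the Windows logon the second prompt performs."""
    stored = DIRECTORY.get(username)
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return stored is not None and hmac.compare_digest(stored, candidate)


def single_prompt_login(username: str, passcode: str, counter: int) -> bool:
    """RADIUS validates the OTP first; only the AD portion is then replayed to Windows."""
    result = split_passcode(passcode, counter)
    if result is None:
        return False
    ad_password, _ = result
    return ad_bind(username, ad_password)
```

Passing the whole passcode straight to `ad_bind` reproduces the "bad password" symptom described above, because the AD password plus the VIP code is not the AD password.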
markbenson
VMware Employee

twrangham wrote:

Thanks for the information. While I am still confused as to how the RADIUS passcode being the same as an AD password would actually be 2 factor authentication ...

It's for cases where the RADIUS vendor needs the AD password in order to trigger two-factor authentication. For example, the user enters their AD password to start with, and that triggers sending an SMS text message containing a code to their cellphone. The user enters this code and then can skip the next AD password prompt.

It's two-factor because it is based on something they know (the password) and something they have (their cellphone) and is therefore stronger than just a password.

Mark