Yes but problem is when I logon to Windows it trys to take those creds and send it to Portal, which causes auth errors in LOG. After this I can get in. I want to prevent the first auth error when logging into the PC
So.. to confirm... if you just change the portal config to on demand... does it work ok..
also... are you sure you have sso turned off in portal conf and save password to no.
Are you using the same auth profile for both portal and gateway? I suspect what is happening is that you are trying to do SSO/Authentication twice with the same OTP, so authenticating once against the portal and again against the gateway with the same OTP. Most OTP operators make it so that you can't use the same OTP twice, so your authentication is failing on the second go.
The way to get around this is to use two different authentication profiles, one for the portal and one for the gateway. The portal authentication will be set as your standard login with username and password and your gateway config will have the auth profile set to use the OTP login.
This way you will auth once to the portal with username/password, then you'll need to authenticate again against the gateway and thus be prompted for your OTP code.
You can combine this with cookie authentication for the portal so after a first successful login to the portal this authentication gets cached and only a single authetncation using the OTP is required.
Hope this helps,
Thanks for the reply. Can I use SSO for portal and use OTP for Gateway when using user-logon? Would SSO try to send creds to to gateway also or would SSO send creds to portal then promote user for OTP for gateway? What if I only enable OTP, user-logon and disable SSO. After user logs on would it promote them for their OTP without them opening GP client?
SSO will try to authenticate against both portal and gateway. So you'll either need to keep SSO on and live with the error message of the 1st auth against the gateway or disable it and enter the username and password on the login screen and GP after login.
Personally I think the first option is the best as it is more seamless to users, they will log in on the login window with their username and password and then be prompted for the OTP by GP, they won't see that it has failed the 1st gateway authentication.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!