Create a Post
Showing results for 
Search instead for 
Did you mean: 

Identity Detection - Best option?

We have a unique environment, and are having troubles identifying the best way to enforce role based access. Here are the problems I'm seeing with each Identity Awareness source:

Browser-Based: We don't want users to do browser based authentication every login.

AD Query: Assume single user host causes and RDP casuses RDP session account to override current login, and service account exemption isn't feasible for our structure.

Identity Agent: Doesn't support fast user switching

Terminal Server Agent - Doesn't support windows 10 Secureboot

Radius Accounting - We don't have radius auth configured for wired users yet.

Identity Collector - Doesn't support 2003 domain controllers (yes, I know, we are trying to upgrade)

Identity Web API - we would configure with Aruba Clearpass, but again isn't configured for wired users.

User Directory - Can it do user group detection, and handle multi user hosts? I think this is just for configuring LDAP accounts

I'm in quite a pickle on how to enforce access. Our previous TMG 2010 gateway used a proxy client to enforce access.

5 Replies

Hi David,

Interesting issues indeed. What are the key requirements you are trying to achieve? 

For example ..

- All users must be identified regardless of what machine they are on 

- Identify users from Windows 10 machines with Fast User Switching

- access from Windows Server 2016 

- number of domain controllers

- etc....




Hi Mark,

Here are the requirements I'm trying to meet:

Support windows xp, 7, 8, 10

Support fast user switching

Identify current logged in user for any machine, and their group memberships for access enforcement.

Current active user session not overriden when initiating RDP with a different account

Supports the following domain controllers: windows server 2003 and 2008r2 (3x 2003, 2x2008r2)

I think this covers what we need.

Thank you,



Thanks David.

Based on what you need to achieve and the secure boot limitation, you may need to utilise more than one method. For me to meet your requirements I would recommend the below. 

  1. For any machine where Fast user Switching is not used, deploy the identity agent as normal. 
  2. For machines that do need Fast User Switching I would configure the captive portal method with Kerberos SSO
    1. To give the best possible end user experience, you could implement a login script that would run upon user login and direct users to the portal. Because you have SSO enabled it should just log the user straight in.

Slightly outside the scope of this forum, but I would also recommend upgrading your DC's to Windows Server 2016. As even with the 2008 R2 the support time is limited from Microsoft - This would then allow the use of the identity collector for your environment. 




Thanks Mark,

I'll trial the captive portal with SSO, and set up a login script, see what the impact from that will be. I know our team shy's away from captive portal, but if a demo goes well it may sway opinions.

We'll be assuming all computers require fast user switching, our domain structure isn't configured in a way to easily deploy nor determine which machines require it. (plus 2000+ endpoints, industrial environment)

I definitely agree on the DC upgrades, I would like to use the IDC if not for our old domain controllers. We have a project underway for that, but it's an intimidating task for that team for varying reasons.


No problems David. 

I'll be honest, I wouldn't normally go for Captive Portals on machines that we can control centrally and for Large environments would go with the Identity Agent. But in your situation I think it may work well. 

Let us know how you get on with the demo and what the outcome turns out to be. Smiley Happy