Wednesday 16 February 2011

Deepnet mandate option on ActiveSync

Somehow the mandate option in the Deepnet IIS solution doesn't work for ActiveSync protection. Once you add the Deepnet protection to the ActiveSync node, every mobile device that synchronizes with the Exchange server will require two-factor authentication, whether the mandate option is checked or not.


In the testing phase, it's quite likely that you want one or two devices to be protected with Deepnet two-factor authentication while the others still work with the original single factor (Windows username/password).


Well, how do you achieve this? Here is the workaround.


After assigning the event filter (see the related user guide from Deepnet), edit its content. The following Python script will act as a non-mandate option for Deepnet ActiveSync protection.



"""
This is a trigger script used by DAS

# return integer:
# zero: continue trigger chain
# nonzero: quit chain

# return boolean
# False: continue trigger chain
# True: quit chain

# return dictionary
# dict['noContinue']
# dict['noLog']
# dict['newReturnVal']
#
"""
#import socket
import sys
import java.util.Hashtable

def Log(msg):
    """Logging hook; currently a deliberate no-op.

    An earlier revision forwarded every message to a remote collector over a
    plain TCP socket; that transport is disabled and messages are dropped.
    The call sites are kept so logging can be switched back on in one place.
    Messages can carry authentication context (see Trigger.execute), so any
    re-enabled transport should be protected rather than plaintext.
    """
    # The argument is intentionally discarded.
    return None

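class Trigger:
    """DAS event-filter trigger that relaxes ActiveSync two-factor enforcement.

    DAS presumably calls ``execute`` after an authentication attempt, with the
    attempt's details available in the ``filter_context`` global. That object
    is not defined in this file; judging by the keys read below it behaves like
    a Java map (``containsKey`` is used) holding at least ``method``,
    ``resultCode``, ``appID``, ``userID``, ``loginName``, ``credential`` and a
    ``DasAPI`` handle. The return value follows the module docstring: ``0``
    continues the trigger chain unchanged, a dict with ``newReturnVal``
    replaces the authentication result.

    Security note: for a DevicePass attempt whose login name or user ID is
    unknown to DAS, ``execute`` rewrites the result to ``'TRUE'``. That is a
    deliberate fail-open: anyone not enrolled in DAS is let through on the
    first factor alone, and only enrolled users are challenged. Keep this
    trigger limited to the testing phase it was written for and keep track of
    which accounts remain unenrolled.
    """

    def __init__(self):
        # Set by importAccount() when DAS imports a missing account;
        # createToken() falls back to it when the context carries an empty
        # userID. Initialised here so that fallback is an explicit check
        # rather than an AttributeError swallowed by a bare except.
        self.newUserID = None

    def execute(self, *args, **kwargs):
        """Entry point invoked by DAS.

        Returns ``0`` to leave the result untouched, or the dict built by
        ``changeReturn`` to override it. ``args``/``kwargs`` are accepted for
        compatibility with the caller and are not used.
        """
        # filter_context is injected from outside; a missing name or a None
        # value both mean "nothing to do". The except is bare on purpose: this
        # runs under Jython (see the java.util import) and a narrower clause
        # may not catch Java-side failures.
        try:
            if filter_context is None:
                return 0
        except:
            return 0

        Log('------------------------')
        Log(filter_context['appID'])
        Log(filter_context['resultCode'])

        # Debug dump of the whole context. 'credential' carries the device
        # password, so it is never written to the log -- Log() is a no-op
        # today, but re-enabling a network logger must not leak it.
        for key in filter_context.keys():
            if key == 'credential':
                Log(key + ': <redacted>')
            else:
                Log(key + ': ' + str(filter_context[key]))

        # Only ActiveSync device-password attempts are handled here.
        if not filter_context.containsKey('method'):
            return 0
        if filter_context['method'].lower() != 'devicepass':
            return 0

        Log('DevicePass found')

        result_code = filter_context['resultCode']

        # Unknown account. The original trigger imported the account from LDAP
        # and created a token (importAccount/createToken below); this variant
        # instead reports success, so unenrolled users keep single-factor
        # access -- the "non-mandate" behaviour this script exists for.
        if result_code in ('E-USERID-NOT-FOUND', 'E-LOGINNAME-NOT-FOUND'):
            return self.changeReturn('TRUE')

        # Known account without a token: create one and report it inactive.
        if result_code in ('E-TOKEN-NOT-FOUND', 'E-METHOD-NOT-FOUND'):
            if self.createToken():
                return self.changeReturn('E-TOKEN-INACTIVE')

        return 0

    def importAccount(self):
        """Ask DAS to import the current login name.

        On an 'OK' result the new user ID is remembered in ``self.newUserID``
        and True is returned; any other result or an exception returns False.
        """
        try:
            result = filter_context['DasAPI'].importAccount(
                filter_context['appID'], filter_context['loginName'])
            Log('importAccount: ' + str(result))
            if result[0] == 'OK':
                self.newUserID = str(result[1])
                return True
            return False
        except:
            # Bare on purpose (Jython): best-effort helper, failure means False.
            Log(sys.exc_info()[0])
            return False

    def createToken(self):
        """Create a token for the current user and method through DasAPI.

        Uses the context's ``userID``; when that is empty, falls back to the
        ID recorded by a previous ``importAccount`` call. Returns True when
        DAS reports 'OK', False on any other result or exception.
        """
        try:
            tokenInfo = java.util.Hashtable()
            tokenInfo['credential'] = filter_context['credential']
            tokenInfo['method'] = filter_context['method']
            tokenInfo['description'] = 'created by trigger'

            userID = filter_context['userID']
            if userID == '':
                if self.newUserID is None:
                    # No imported account to fall back on; previously this
                    # surfaced as an AttributeError hidden by the except.
                    Log('createToken: no userID available')
                    return False
                userID = self.newUserID

            result = filter_context['DasAPI'].createToken(
                filter_context['appID'], userID, tokenInfo, False)
            Log('createToken: ' + str(result))
            if result[0] == 'OK':
                return True
            return False
        except:
            # Bare on purpose (Jython): best-effort helper, failure means False.
            Log(sys.exc_info()[0])
            return False

    def changeReturn(self, val):
        """Build the dict DAS reads to replace the authentication result."""
        return {'newReturnVal': val}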


def main():
    """Run the trigger once and hand back whatever execute() returns."""
    return Trigger().execute()

if __name__ == "__main__":
    # Manual invocation; as a DAS trigger the script is loaded by DAS instead.
    main()

If you compare it with the original Python script, you will see the difference: where the original imports the unknown account and creates a token for it, the new version simply returns TRUE, so a user that DAS does not know is passed with only the Windows credentials while enrolled users are still challenged for the second factor.



#original
if filter_context['resultCode']=='E-USERID-NOT-FOUND' or filter_context['resultCode']=='E-LOGINNAME-NOT-FOUND':
bRet = self.importAccount()

if bRet==True:
bRet = self.createToken()
if bRet==True:
return self.changeReturn('E-TOKEN-INACTIVE')
return 0

#new
if filter_context['resultCode']=='E-USERID-NOT-FOUND' or filter_context['resultCode']=='E-LOGINNAME-NOT-FOUND':
# bRet = self.importAccount()

# if bRet==True:
# bRet = self.createToken()
# if bRet==True:
# return self.changeReturn('E-TOKEN-INACTIVE')
return self.changeReturn('TRUE')

