On 07/17/2014 04:44 AM, jacmarpet wrote:
> We have developed a forgot password web application, which enables users
> to choose from 3 different types of password change. Via the UA, which
> redirects the user to the UA forgot password site. An SMS option, with
> an SMS passphrase sent to the user's phone, and a third, more complex
> one, which incorporates the official Danish user authentication method
> for public services. Now, what I would like to do, is have the Forgot
> password link, which the Client Login Extensions module adds to client
> PC's Windows login screen, redirect to my web application. The user then
> has the 3 choices. But if I click for example, the UA link, I get the
> "Access is restricted to your target server". I guess I could install

Yes; the CLE security restrictions prevent changing servers, among other
things, so that a user cannot take advantage of a flaw on a target page to
start using the web browser without restrictions all over the Internet.

> the web application on the UA server which would solve it, but is there
> any other way of getting around that issue? I also think the third
> option would trigger this problem. It uses the Access Manager to
> authenticate the user, and I think it does an actual redirect to the
> Identity Server, so that would trigger the error as well. Also, it seems
> like all CSS styling disappears in the restricted IE window. Everything
> is just plain white background and black text. Any way to fix that?

Since you have NetIQ/Novell Access Manager (NAM) already, perhaps you could
use it to show everything as being on the NAM server itself by having NAM
retrieve all of the pages either from the UA or from the public
authentication services option. You may need to do a lot of forwarding of
data for the client to make that work, but I would imagine it's possible
so that, in the end, the CLE's browser never touches any system other than
your own.

Taking a step back from the CLE and considering the availability of mobile
devices, it may be easier/faster/simpler to point your users to the
outside services to be accessed via their phones or something. This would
not always work, but if the CLE restrictions get in the way too much it
may provide an alternative.

Good luck.

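
An added example, not part of the original post and not NetIQ code: a pre-deployment check that lists every link, form action and resource on a page that points at a host other than the one serving the page, which is what has to be eliminated if the CLE browser is never to touch another system. It assumes the restriction can be approximated by comparing hostnames; the URLs and HTML below are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make a browser navigate to, or fetch from, another URL.
URL_ATTRS = {"a": "href", "link": "href", "form": "action",
             "script": "src", "img": "src", "iframe": "src"}


class RefCollector(HTMLParser):
    """Collects (tag, raw URL) pairs from the attributes listed above."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.refs.append((tag, value))


def off_target_refs(page_url, html):
    """Return (tag, absolute URL) for each reference that leaves page_url's host."""
    target = urlsplit(page_url).hostname  # assumption: host comparison only
    collector = RefCollector()
    collector.feed(html)
    found = []
    for tag, value in collector.refs:
        absolute = urljoin(page_url, value)  # resolves relative and // URLs
        host = urlsplit(absolute).hostname   # None for mailto:, javascript:, ...
        if host and host != target:
            found.append((tag, absolute))
    return found


# Constructed sample: a page served from the (hypothetical) proxy host.
SAMPLE_URL = "https://nam.example.com/forgot/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/forgot/css/site.css">
<link rel="stylesheet" href="https://cdn.example.net/theme.css">
</head><body>
<a href="ua/start">Proxied User Application page</a>
<a href="https://ua.example.com/ForgotPassword">User Application</a>
<form action="//idp.example.org/login" method="post"></form>
<a href="mailto:helpdesk@example.com">Help desk</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in off_target_refs(SAMPLE_URL, SAMPLE_HTML):
        print(f"<{tag}> leaves target server: {url}")
```

Server-side redirects are not visible in static HTML, so responses from the proxied services still need to be checked separately for `Location` headers that name another host.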