This message was deleted.
# _generals
Slackbot
02/02/2024, 12:32 PMThis message was deleted.
👀 1
m
Mike Streetz (O_P)
02/02/2024, 10:24 PMYou might be better off doig it without a PRT. You can present the FAS cert using CBA and Entra to SSO to Office 365/microsoft
Mike Streetz (O_P)
02/02/2024, 10:28 PMMike Streetz (O_P)
02/02/2024, 10:28 PMI’m doing that with a client that uses Duo and Azure AD
👀 1
d
DJ Eshelman
03/22/2024, 4:19 PMI have an ongoing... discussion... with some folks about the "Allow in-session use" for FAS. Some... folks... are claiming it is a security risk and shouldn't be enabled.
I always thought it was needed in these contexts. Glad to have come across this discussion and I'm curious about your results, @Jeff Riechers
m
Mike Streetz (O_P)
03/22/2024, 4:21 PMNot sure how it’s a security risk
Mike Streetz (O_P)
03/22/2024, 5:16 PMit’s basically just allowing you to do smartcard/certificate logon to other sites without having to generate a new cert for that
d
DJ Eshelman
03/22/2024, 5:19 PMI don't see it as a risk either but you know how people are...
m
Mike Streetz (O_P)
03/22/2024, 5:19 PMit’s not like you can take that cert and then log into anything with it, it’s only valid for logon to the machine it is on.
this 1
Mike Streetz (O_P)
03/22/2024, 5:19 PMthe real risk is access to the FAS servers themselves
d
DJ Eshelman
03/22/2024, 5:19 PMWhich this would not grant ;)
m
Mike Streetz (O_P)
03/22/2024, 5:21 PMright. I have this enabled for a few clients now, it works pretty well unless you are doing multi domain stuff with Entra and don’t have all your domain suffixes in local AD too
Mike Streetz (O_P)
03/22/2024, 5:22 PMIn those cases you need to modify the template to include the email address, but sometimes even that isn’t enough
Mike Streetz (O_P)
03/22/2024, 5:22 PMclients really should fix users upns, but you know how it be
2 Views