Preferred Realm and Role for Ivanti Secure Access Client Machine Authentication

When an Ivanti Secure Access Client connection is configured to use machine authentication, any prompts that occur during the login process cause the connection to fail. For example, if the Ivanti server authentication policy allows a user to select a realm or a role during the login process, Ivanti Secure Access Client presents a dialog box to the user and prompts for the realm or role selection. To avoid failed connections caused by prompts during machine authentication, you can specify a preferred role and realm for an Ivanti Secure Access Client connection.

  • Realm and role prompts are not the only prompts that are possible during the login process. If the Ivanti Secure Access Client connection has the Dynamic Certificate Trust option enabled and there is an issue with the server certificate, Ivanti Secure Access Client asks the user if it is OK to proceed. That certificate prompt causes a machine connection to fail. Note that the prompt for upgrading Ivanti Secure Access Client software is presented after the user connection is established, and it will not affect a machine authentication connection.
  • If the Ivanti Secure Access Client connection is configured to use a list of Ivanti servers, any preferred roles and realms you specify must be applicable to all of those servers.

For an Ivanti Secure Access Client connection that is used for machine authentication, you do not need to specify the preferred role if either of the following conditions is true:

- Users are mapped to only one role.
- Users are mapped to more than one role, but the realm's role mapping properties are set to merge settings for all assigned roles.

For an Ivanti Secure Access Client connection that is used for machine authentication, you must specify the preferred realm if the authentication sign-in policy allows the user to select a realm. If that realm maps to only one role, you do not need to specify the role.

For an Ivanti Secure Access Client connection that is used for machine authentication, you must specify the preferred role if either of the following conditions is true:

- The realm that the user connects to maps to more than one role and the realm's role mapping properties are set to require that the user must select a role. The preferred role set must be the name of a role assigned in that realm.
- The realm that the user connects to maps to more than one role, and the realm's role mapping properties are defined by role mapping rules. You specify the preferred role by specifying the name of a rule that assigns the role set. Figure shows a role mapping rule with the rule name highlighted.
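The conditions above can be checked against an inventory before a connection is deployed. The following is an added example, not Ivanti code or Ivanti configuration syntax: the dictionary layout, the mapping labels `merge`, `select` and `rules`, and all server, realm, role and rule names are constructed assumptions.

```python
# Added example: the data layout and the mapping labels "merge", "select",
# and "rules" are assumptions for illustration, not Ivanti configuration syntax.

def prompt_risks(conn, servers):
    """List the reasons a machine-authentication login could prompt and fail."""
    risks = []
    if conn.get("dynamic_certificate_trust"):
        risks.append("Dynamic Certificate Trust: a server certificate issue prompts the user")
    realm_name = conn.get("preferred_realm")
    role_set = conn.get("preferred_role_set")
    for name in conn["servers"]:  # preferences must apply to every server in the list
        srv = servers[name]
        if realm_name is None:
            if srv["user_selects_realm"]:
                risks.append(f"{name}: realm prompt, no preferred realm set")
                continue
            realm = next(iter(srv["realms"].values()))  # assumption: the policy's only realm
        elif realm_name not in srv["realms"]:
            risks.append(f"{name}: preferred realm '{realm_name}' not defined")
            continue
        else:
            realm = srv["realms"][realm_name]
        if len(realm["roles"]) <= 1 or realm["mapping"] == "merge":
            continue  # one role, or merged roles: no role prompt
        # "select" expects a role name, "rules" expects a role mapping rule name
        valid = realm["roles"] if realm["mapping"] == "select" else realm["rules"]
        if role_set is None:
            risks.append(f"{name}: role prompt, no preferred role set")
        elif role_set not in valid:
            risks.append(f"{name}: preferred role set '{role_set}' not valid in realm")
    return risks

# Constructed inventory of two servers used by one connection.
SERVERS = {
    "vpn-a": {"user_selects_realm": True, "realms": {
        "Machines": {"roles": ["Patch", "Mgmt"], "rules": ["rule-mgmt"], "mapping": "rules"}}},
    "vpn-b": {"user_selects_realm": True, "realms": {
        "Machines": {"roles": ["Patch", "Mgmt"], "rules": [], "mapping": "select"}}},
}
CONN = {"servers": ["vpn-a", "vpn-b"], "dynamic_certificate_trust": False,
        "preferred_realm": "Machines", "preferred_role_set": "rule-mgmt"}

if __name__ == "__main__":
    for risk in prompt_risks(CONN, SERVERS):
        print(risk)
```

In the constructed inventory the rule name satisfies the first server but not the second, which illustrates why preferences must be applicable to every server in a connection's server list.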

To identify the connection as a machine authentication connection, you specify how the connection is established using one of the configurations shown in figure below and figure .

This option uses the machine credentials defined in Active Directory for the machine login process and uses the same credentials for user login. When you select this option, the Realm and Role Set Preferences settings enable you to specify the following options:

Preferred Machine Realm: Type the realm name that maps to the role you want to assign.

Preferred Machine Role Set: Type the name of the role. The role must be one that is identified in the realm's role mapping properties. Alternatively, you can specify the name of a role mapping rule that assigns the role set.

When you use machine credentials for authentication and no user credentials, Ivanti Secure Access Client cannot perform user-based tasks. The following tasks can be run only when the user is logged in:

- Run session scripts
- Detect or modify proxy settings
- Run automatic Ivanti Secure Access Client upgrade
- Install or upgrade Ivanti Secure Access Client components

This option uses the Active Directory machine credentials for the machine login process. When machine login is complete, Ivanti Secure Access Client drops that connection and then uses the user credentials for user login. When you select this option, the Realm and Role Set Preferences enable you to specify the following options:

Preferred Machine Realm: Type the realm name that maps to the role you want to assign.

Preferred Machine Role Set: Type the name of the role. The role must be one that is identified in the realm's role mapping properties. Alternatively, you can specify the name of a role mapping rule that assigns the role set.

Preferred User Realm: Type the realm name that maps to the role you want to assign.

Preferred User Role Set: Type the name of the role. The role must be one that is identified in the realm's role mapping properties. Alternatively, you can specify the name of a role mapping rule that assigns the role set.