Problem using setrealm

Greetings,
I have a device that can’t send the realm as part of its authentication request.
I can’t make that user a member of the default realm, so I was trying to use an authorization policy to change the realm.
However, no matter what setting I try, I can’t seem to get the setrealm policy to function.
I continually get "ERR905: The user cannot be found in any resolver in this realm!"
I have used NTRADPING for testing and get the same result when I use /validate/check
If I specify the realm (username@myrealm), the user is authenticated without difficulty.

Currently the only policy in force on my server is an authorization scope policy with a single setting setrealm=myrealm.

I have tried specifying the realm in the policy as myrealm and as mydefaultrealm. I have added and removed the resolver that contains the specific user from the policy. I have added and removed the client IP address from the policy. I have added and removed the username of the user attempting to authenticate from the policy.
I cannot get the setrealm policy to change the realm; in every case I receive the error: “ERR905: The user cannot be found in any resolver in this realm!”

Any help you can offer would be greatly appreciated.

Why?

The setrealm policy will only work if a user matches! So the user does not match, and this is why the policy is not executed.

But you could use the mangle policy to change the username. Match the policy for this very user and change the username to “user@realrealm”.
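
To make the ordering described in this reply concrete, below is a small toy model of the two pre-request steps. It is an added example written for this page, not privacyIDEA's own code or its policy syntax: the mangle rewrite is applied to the raw user parameter before the user is looked up, while a setrealm policy is only applied once the request's user has matched, and for a user who is not in the default realm that lookup raises the ERR905 error first. The realms, resolvers, logins and policy dictionaries are constructed for the example; it does not model the later case of a user who exists in both realms.

```python
import re

# Constructed sample directory (not a real deployment): realm -> resolver -> logins.
# 'bob' exists only in myrealm, which is the situation described in the thread.
REALMS = {
    "mydefaultrealm": {"default_resolver": {"alice"}},
    "myrealm": {"other_resolver": {"bob"}},
}
DEFAULT_REALM = "mydefaultrealm"


class UserNotFound(Exception):
    """Stands in for ERR905: user cannot be found in any resolver in this realm."""


def split_user(username):
    """'login@realm' -> (login, realm); a bare login falls into the default realm."""
    if "@" in username:
        login, realm = username.rsplit("@", 1)
        return login, realm
    return username, DEFAULT_REALM


def resolve(login, realm):
    """Look the login up in every resolver of the realm; raise UserNotFound otherwise."""
    for resolver, logins in REALMS.get(realm, {}).items():
        if login in logins:
            return {"login": login, "realm": realm, "resolver": resolver}
    raise UserNotFound("ERR905: The user cannot be found in any resolver in this realm!")


def authenticate(username, policies):
    """Toy request pipeline: mangle runs on the raw 'user' parameter; setrealm
    runs only for a policy that matched an already-resolved user."""
    # 1. mangle: rewrite the raw parameter before any lookup happens. The policy's
    #    user condition is compared against the raw login string as sent.
    for pol in policies:
        if pol["action"] == "mangle" and pol.get("user") in (None, username):
            username = re.sub(pol["search"], pol["replace"], username)

    login, realm = split_user(username)

    # 2. setrealm: matching the policy against the request resolves the user in
    #    the realm the request currently carries. For bob that is the default
    #    realm, so this raises before the realm could ever be changed.
    for pol in policies:
        if pol["action"] == "setrealm":
            matched = resolve(login, realm)
            if pol.get("user") not in (None, matched["login"]):
                continue
            realm = pol["realm"]

    return resolve(login, realm)


def error_code(username, policies):
    """Return the error string a request would get back, or None on success."""
    try:
        authenticate(username, policies)
        return None
    except UserNotFound as exc:
        return str(exc)


# Policies as configured in the thread (constructed dicts, not privacyIDEA syntax).
SETREALM_ONLY = [{"action": "setrealm", "user": "bob", "realm": "myrealm"}]
MANGLE_TO_REALM = [{"action": "mangle", "user": "bob",
                    "search": r"^(.*)$", "replace": r"\1@myrealm"}]


if __name__ == "__main__":
    print(authenticate("bob@myrealm", []))            # explicit realm: found
    print(authenticate("bob", MANGLE_TO_REALM))       # rewritten to bob@myrealm: found
    print(error_code("bob", SETREALM_ONLY))           # ERR905 before setrealm applies
```

Running it shows the two working paths (explicit `user@realm`, and the mangle rewrite that produces the same string) succeeding, and the setrealm-only configuration failing with the ERR905 message before the realm is touched.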

I tried this with a user who exists in both realms.
I created a policy that applies only to that user and has no other realm or resolver limitations.
It contains a single setrealm command.
When I log that user in, the audit entry says he is logging into the default realm and the information that is returned also indicates the user is part of the default realm rather than the other realm.
I will try the mangle policy option.

Thank you!
The mangle option works for what I want to do.

Still confused why setrealm did not…
